Update to 4.19.28
This commit is contained in:
Romain Perier
parent
22610f2634
commit
340ed90d8e
|
|
@ -1,4 +1,4 @@
|
|||
linux (4.19.27-1) UNRELEASED; urgency=medium
|
||||
linux (4.19.28-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21
|
||||
|
|
@ -599,6 +599,78 @@ linux (4.19.27-1) UNRELEASED; urgency=medium
|
|||
- hugetlbfs: fix races and page leaks during migration
|
||||
- [mips*] fix truncation in __cmpxchg_small for short values
|
||||
- [x86] uaccess: Don't leak the AC flag into __put_user() value evaluation
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.28
|
||||
- cpufreq: Use struct kobj_attribute instead of struct global_attr
|
||||
- staging: erofs: fix mis-acted TAIL merging behavior
|
||||
- USB: serial: option: add Telit ME910 ECM composition
|
||||
- USB: serial: cp210x: add ID for Ingenico 3070
|
||||
- USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
|
||||
- [x86] staging: comedi: ni_660x: fix missing break in switch statement
|
||||
- [x86, arm64, armhf] staging: android: ashmem: Don't call fallocate() with
|
||||
ashmem_mutex held.
|
||||
- [x86, arm64, armhf] staging: android: ashmem: Avoid range_alloc()
|
||||
allocation with ashmem_mutex held.
|
||||
- ip6mr: Do not call __IP6_INC_STATS() from preemptible context
|
||||
- [arm64, armhf] net: dsa: mv88e6xxx: handle unknown duplex modes gracefully
|
||||
in mv88e6xxx_port_set_duplex
|
||||
- [arm64, armhf] net: dsa: mv88e6xxx: fix number of internal PHYs for
|
||||
88E6x90 family
|
||||
- net: sched: put back q.qlen into a single location
|
||||
- net-sysfs: Fix mem leak in netdev_register_kobject
|
||||
- qmi_wwan: Add support for Quectel EG12/EM12
|
||||
- sctp: call iov_iter_revert() after sending ABORT
|
||||
- sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
|
||||
- team: Free BPF filter when unregistering netdev
|
||||
- tipc: fix RDM/DGRAM connect() regression
|
||||
- bnxt_en: Drop oversize TX packets to prevent errors.
|
||||
- geneve: correctly handle ipv6.disable module parameter
|
||||
- [x86] hv_netvsc: Fix IP header checksum for coalesced packets
|
||||
- ipv4: Add ICMPv6 support when parse route ipproto
|
||||
- lan743x: Fix TX Stall Issue
|
||||
- [arm64, armhf] net: dsa: mv88e6xxx: Fix statistics on mv88e6161
|
||||
- [arm64, armhf] net: dsa: mv88e6xxx: Fix u64 statistics
|
||||
- net: netem: fix skb length BUG_ON in __skb_to_sgvec
|
||||
- net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
|
||||
- net: phy: Micrel KSZ8061: link failure after cable connect
|
||||
- [arm64, armhf] net: phy: phylink: fix uninitialized variable in
|
||||
phylink_get_mac_state
|
||||
- net: sit: fix memory leak in sit_init_net()
|
||||
- net: socket: set sock->sk to NULL after calling proto_ops::release()
|
||||
- tipc: fix race condition causing hung sendto
|
||||
- tun: fix blocking read
|
||||
- [x86, arm64, armhf] xen-netback: don't populate the hash cache on XenBus
|
||||
disconnect
|
||||
- [x86, arm64, armhf] xen-netback: fix occasional leak of grant ref mappings
|
||||
under memory pressure
|
||||
- tun: remove unnecessary memory barrier
|
||||
- net: Add __icmp_send helper.
|
||||
- ipv4: Return error for RTA_VIA attribute
|
||||
- ipv6: Return error for RTA_VIA attribute
|
||||
- mpls: Return error for RTA_GATEWAY attribute
|
||||
- ipv4: Pass original device to ip_rcv_finish_core
|
||||
- [arm64, armhf] net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces
|
||||
on 6390X
|
||||
- [arm64, armhf] net: dsa: mv88e6xxx: prevent interrupt storm caused by
|
||||
mv88e6390x_port_set_cmode
|
||||
- net/sched: act_ipt: fix refcount leak when replace fails
|
||||
- net/sched: act_skbedit: fix refcount leak when replace fails
|
||||
- net: sched: act_tunnel_key: fix NULL pointer dereference during init
|
||||
- [x86] CPU/AMD: Set the CPB bit unconditionally on F17h
|
||||
- [x86] boot/compressed/64: Do not read legacy ROM on EFI system
|
||||
- tracing: Fix event filters and triggers to handle negative numbers
|
||||
- usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on
|
||||
INTEL_SUNRISEPOINT_LP_XHCI
|
||||
- [x86, powerpc*] applicom: Fix potential Spectre v1 vulnerabilities
|
||||
- [mips*] irq: Allocate accurate order pages for irq stack
|
||||
- aio: Fix locking in aio_poll()
|
||||
- xtensa: fix get_wchan
|
||||
- gnss: sirf: fix premature wakeup interrupt enable
|
||||
- USB: serial: cp210x: fix GPIO in autosuspend
|
||||
- Bluetooth: btrtl: Restore old logic to assume firmware is already loaded
|
||||
- Bluetooth: Fix locking in bt_accept_enqueue() for BH context
|
||||
- exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
|
||||
- scsi: core: reset host byte in DID_NEXUS_FAILURE case
|
||||
- bpf: fix sanitation rewrite in case of non-pointers
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [sparc64] udeb: Use standard module list in nic-modules; add i2c-modules
|
||||
|
|
@ -632,7 +704,6 @@ linux (4.19.27-1) UNRELEASED; urgency=medium
|
|||
[ Salvatore Bonaccorso ]
|
||||
* Btrfs: fix corruption reading shared and compressed extents after hole
|
||||
punching (Closes: #922306)
|
||||
* exec: Fix mem leak in kernel_read_file (CVE-2019-8980)
|
||||
|
||||
[ Vagrant Cascadian ]
|
||||
* [arm64] Add patch from v4.20 to enable device-tree for Pine64-LTS.
|
||||
|
|
|
|||
|
|
@ -1,50 +0,0 @@
|
|||
From: YueHaibing <yuehaibing@huawei.com>
|
||||
Date: Tue, 19 Feb 2019 10:10:38 +0800
|
||||
Subject: exec: Fix mem leak in kernel_read_file
|
||||
Origin: https://git.kernel.org/linus/f612acfae86af7ecad754ae6a46019be9da05b8e
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8980
|
||||
|
||||
syzkaller report this:
|
||||
BUG: memory leak
|
||||
unreferenced object 0xffffc9000488d000 (size 9195520):
|
||||
comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
|
||||
hex dump (first 32 bytes):
|
||||
ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................
|
||||
02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z.....
|
||||
backtrace:
|
||||
[<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
|
||||
[<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
|
||||
[<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
|
||||
[<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
|
||||
[<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
|
||||
[<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
|
||||
[<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
|
||||
[<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
|
||||
[<00000000241f889b>] 0xffffffffffffffff
|
||||
|
||||
It should goto 'out_free' lable to free allocated buf while kernel_read
|
||||
fails.
|
||||
|
||||
Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
|
||||
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
---
|
||||
fs/exec.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/exec.c b/fs/exec.c
|
||||
index fb72d36f7823..bcf383730bea 100644
|
||||
--- a/fs/exec.c
|
||||
+++ b/fs/exec.c
|
||||
@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size,
|
||||
bytes = kernel_read(file, *buf + pos, i_size - pos, &pos);
|
||||
if (bytes < 0) {
|
||||
ret = bytes;
|
||||
- goto out;
|
||||
+ goto out_free;
|
||||
}
|
||||
|
||||
if (bytes == 0)
|
||||
--
|
||||
2.20.1
|
||||
|
||||
|
|
@ -143,7 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue