From 340ed90d8e3bee860d75c306d28bfa0636714138 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Sun, 10 Mar 2019 16:57:21 +0100 Subject: [PATCH] Update to 4.19.28 --- debian/changelog | 75 ++++++++++++++++++- ...xec-Fix-mem-leak-in-kernel_read_file.patch | 50 ------------- debian/patches/series | 1 - 3 files changed, 73 insertions(+), 53 deletions(-) delete mode 100644 debian/patches/bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch diff --git a/debian/changelog b/debian/changelog index 46624b770..6e8ab3ca2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.19.27-1) UNRELEASED; urgency=medium +linux (4.19.28-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.21 
@@ -599,6 +599,78 @@ linux (4.19.27-1) UNRELEASED; urgency=medium - hugetlbfs: fix races and page leaks during migration - [mips*] fix truncation in __cmpxchg_small for short values - [x86] uaccess: Don't leak the AC flag into __put_user() value evaluation + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.28 + - cpufreq: Use struct kobj_attribute instead of struct global_attr + - staging: erofs: fix mis-acted TAIL merging behavior + - USB: serial: option: add Telit ME910 ECM composition + - USB: serial: cp210x: add ID for Ingenico 3070 + - USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 + - [x86] staging: comedi: ni_660x: fix missing break in switch statement + - [x86, arm64, armhf] staging: android: ashmem: Don't call fallocate() with + ashmem_mutex held. + - [x86, arm64, armhf] staging: android: ashmem: Avoid range_alloc() + allocation with ashmem_mutex held. + - ip6mr: Do not call __IP6_INC_STATS() from preemptible context + - [arm64, armhf] net: dsa: mv88e6xxx: handle unknown duplex modes gracefully + in mv88e6xxx_port_set_duplex + - [arm64, armhf] net: dsa: mv88e6xxx: fix number of internal PHYs for + 88E6x90 family + - net: sched: put back q.qlen into a single location + - net-sysfs: Fix mem leak in netdev_register_kobject + - qmi_wwan: Add support for Quectel EG12/EM12 + - sctp: call iov_iter_revert() after sending ABORT + - sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 + - team: Free BPF filter when unregistering netdev + - tipc: fix RDM/DGRAM connect() regression + - bnxt_en: Drop oversize TX packets to prevent errors. 
+ - geneve: correctly handle ipv6.disable module parameter + - [x86] hv_netvsc: Fix IP header checksum for coalesced packets + - ipv4: Add ICMPv6 support when parse route ipproto + - lan743x: Fix TX Stall Issue + - [arm64, armhf] net: dsa: mv88e6xxx: Fix statistics on mv88e6161 + - [arm64, armhf] net: dsa: mv88e6xxx: Fix u64 statistics + - net: netem: fix skb length BUG_ON in __skb_to_sgvec + - net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails + - net: phy: Micrel KSZ8061: link failure after cable connect + - [arm64, armhf] net: phy: phylink: fix uninitialized variable in + phylink_get_mac_state + - net: sit: fix memory leak in sit_init_net() + - net: socket: set sock->sk to NULL after calling proto_ops::release() + - tipc: fix race condition causing hung sendto + - tun: fix blocking read + - [x86, arm64, armhf] xen-netback: don't populate the hash cache on XenBus + disconnect + - [x86, arm64, armhf] xen-netback: fix occasional leak of grant ref mappings + under memory pressure + - tun: remove unnecessary memory barrier + - net: Add __icmp_send helper. 
+ - ipv4: Return error for RTA_VIA attribute + - ipv6: Return error for RTA_VIA attribute + - mpls: Return error for RTA_GATEWAY attribute + - ipv4: Pass original device to ip_rcv_finish_core + - [arm64, armhf] net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces + on 6390X + - [arm64, armhf] net: dsa: mv88e6xxx: prevent interrupt storm caused by + mv88e6390x_port_set_cmode + - net/sched: act_ipt: fix refcount leak when replace fails + - net/sched: act_skbedit: fix refcount leak when replace fails + - net: sched: act_tunnel_key: fix NULL pointer dereference during init + - [x86] CPU/AMD: Set the CPB bit unconditionally on F17h + - [x86] boot/compressed/64: Do not read legacy ROM on EFI system + - tracing: Fix event filters and triggers to handle negative numbers + - usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on + INTEL_SUNRISEPOINT_LP_XHCI + - [x86, powerpc*] applicom: Fix potential Spectre v1 vulnerabilities + - [mips*] irq: Allocate accurate order pages for irq stack + - aio: Fix locking in aio_poll() + - xtensa: fix get_wchan + - gnss: sirf: fix premature wakeup interrupt enable + - USB: serial: cp210x: fix GPIO in autosuspend + - Bluetooth: btrtl: Restore old logic to assume firmware is already loaded + - Bluetooth: Fix locking in bt_accept_enqueue() for BH context + - exec: Fix mem leak in kernel_read_file (CVE-2019-8980) + - scsi: core: reset host byte in DID_NEXUS_FAILURE case + - bpf: fix sanitation rewrite in case of non-pointers [ Ben Hutchings ] * [sparc64] udeb: Use standard module list in nic-modules; add i2c-modules @@ -632,7 +704,6 @@ linux (4.19.27-1) UNRELEASED; urgency=medium [ Salvatore Bonaccorso ] * Btrfs: fix corruption reading shared and compressed extents after hole punching (Closes: #922306) - * exec: Fix mem leak in kernel_read_file (CVE-2019-8980) [ Vagrant Cascadian ] * [arm64] Add patch from v4.20 to enable device-tree for Pine64-LTS. 
diff --git a/debian/patches/bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch b/debian/patches/bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch deleted file mode 100644 index c66bec011..000000000 --- a/debian/patches/bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From: YueHaibing -Date: Tue, 19 Feb 2019 10:10:38 +0800 -Subject: exec: Fix mem leak in kernel_read_file -Origin: https://git.kernel.org/linus/f612acfae86af7ecad754ae6a46019be9da05b8e -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8980 - -syzkaller report this: -BUG: memory leak -unreferenced object 0xffffc9000488d000 (size 9195520): - comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s) - hex dump (first 32 bytes): - ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00 ................ - 02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff ..........z..... - backtrace: - [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline] - [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline] - [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831 - [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924 - [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993 - [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895 - [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 - [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe - [<00000000241f889b>] 0xffffffffffffffff - -It should goto 'out_free' lable to free allocated buf while kernel_read -fails. - -Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory") -Signed-off-by: YueHaibing -Signed-off-by: Al Viro ---- - fs/exec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/exec.c b/fs/exec.c -index fb72d36f7823..bcf383730bea 100644 ---- a/fs/exec.c -+++ b/fs/exec.c -@@ -932,7 +932,7 @@ int kernel_read_file(struct file *file, void **buf, loff_t *size, - bytes = kernel_read(file, *buf + pos, i_size - pos, &pos); - if (bytes < 0) { - ret = bytes; -- goto out; -+ goto out_free; - } - - if (bytes == 0) --- -2.20.1 - diff --git a/debian/patches/series b/debian/patches/series index 8f06d3ac7..c166088eb 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -143,7 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch
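Review bot: In debian/changelog, once the "* exec: Fix mem leak in kernel_read_file (CVE-2019-8980)" entry is removed from the [ Salvatore Bonaccorso ] section (hunk @@ -632,7 +704,6 @@), the "(CVE-2019-8980)" annotation on the "- exec: Fix mem leak in kernel_read_file" line added under ChangeLog-4.19.28 (hunk @@ -599,6 +599,78 @@) is the only place the changelog still ties this upload to the CVE. Keep that annotation on the upstream line through any later rebase or merge of the 4.19.28 list. The changelog also does not say that the Debian-carried patch was dropped, so a reader has to infer it from the entry having moved.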
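Review bot: The deletion of debian/patches/bugfix/all/exec-Fix-mem-leak-in-kernel_read_file.patch (hunk @@ -1,50 +0,0 @@) is only safe if the 4.19.28 tree already contains the same one-line change. Before merging, confirm that in fs/exec.c the "if (bytes < 0)" branch of kernel_read_file() ends in "goto out_free;" and not "goto out;", matching the Origin commit f612acfae86af7ecad754ae6a46019be9da05b8e named in the deleted patch header. If the stable backport differed or was missing, the vmalloc'ed buffer from the syzkaller report quoted in that patch would leak again on a failed kernel_read(), with nothing left in debian/patches to cover it.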
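Review bot: In debian/patches/series (hunk @@ -143,7 +143,6 @@), a line is removed from under "# Security fixes", but the commit subject "Update to 4.19.28" gives no hint that a security patch is being dropped. Add a line to the commit message body such as "Drop exec-Fix-mem-leak-in-kernel_read_file.patch, applied upstream in 4.19.28" so the removal can be found and audited from the git log. The series entry and the patch file are removed in the same commit, which is correct, since a series line pointing at a missing file would break patch application.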