Update to 4.9.26
Ignore changes to module:sound/firewire/snd-firewire-lib
Ignore changes to module:net/l2tp/l2tp_core
parent f5fd64d72e
commit 3d18d55b64
@ -1,4 +1,61 @@
linux (4.9.25-2) UNRELEASED; urgency=medium
|
||||
linux (4.9.26-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.26
|
||||
- [arm64] Revert "mmc: sdhci-msm: Enable few quirks"
|
||||
- ping: implement proper locking
|
||||
- [sparc64] kern_addr_valid regression
|
||||
- [sparc64] Fix kernel panic due to erroneous #ifdef surrounding
|
||||
pmd_write()
|
||||
- net: neigh: guard against NULL solicit() method
|
||||
- net: phy: handle state correctly in phy_stop_machine
|
||||
- bpf: improve verifier packet range checks
|
||||
- net/mlx5: Avoid dereferencing uninitialized pointer
|
||||
- l2tp: hold tunnel socket when handling control frames in l2tp_ip
|
||||
and l2tp_ip6
|
||||
- l2tp: purge socket queues in the .destruct() callback
|
||||
- net/packet: fix overflow in check for tp_frame_nr
|
||||
- net/packet: fix overflow in check for tp_reserve
|
||||
- l2tp: take reference on sessions being dumped
|
||||
- l2tp: fix PPP pseudo-wire auto-loading
|
||||
- net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
|
||||
- sctp: listen on the sock only when it's state is listening or
|
||||
closed
|
||||
- tcp: clear saved_syn in tcp_disconnect()
|
||||
- ipv6: Fix idev->addr_list corruption
|
||||
- net-timestamp: avoid use-after-free in ip_recv_error
|
||||
- net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule
|
||||
- dp83640: don't recieve time stamps twice
|
||||
- gso: Validate assumption of frag_list segementation
|
||||
- net: ipv6: RTF_PCPU should not be settable from userspace
|
||||
- netpoll: Check for skb->queue_mapping
|
||||
- ip6mr: fix notification device destruction
|
||||
- net/mlx5: Fix driver load bad flow when having fw
|
||||
initializing timeout
|
||||
- net/mlx5e: Fix small packet threshold
|
||||
- net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling
|
||||
- macvlan: Fix device ref leak when purging bc_queue
|
||||
- net: ipv6: regenerate host route if moved to gc list
|
||||
- net: phy: fix auto-negotiation stall due to unavailable interrupt
|
||||
- ipv6: check skb->protocol before lookup for nexthop
|
||||
- tcp: memset ca_priv data to 0 properly
|
||||
- ipv6: check raw payload size correctly in ioctl
|
||||
- ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d
|
||||
- ALSA: firewire-lib: fix inappropriate assignment between
|
||||
signed/unsigned type
|
||||
- ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
|
||||
- [mips*] KGDB: Use kernel context for sleeping threads
|
||||
- [mips*] Avoid BUG warning in arch_check_elf
|
||||
- p9_client_readdir() fix
|
||||
- [x86] ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
|
||||
- Input: i8042 - add Clevo P650RS to the i8042 reset list
|
||||
- nfsd: check for oversized NFSv2/v3 arguments
|
||||
- nfsd4: minor NFSv2/v3 write decoding cleanup
|
||||
- nfsd: stricter decoding of write-like NFSv2/v3 ops
|
||||
- ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
|
||||
- macsec: avoid heap overflow in skb_to_sgvec
|
||||
- net: can: usb: gs_usb: Fix buffer on stack
|
||||
- [x86] ftrace: Fix triple fault with graph tracing and suspend-to-ram
|
||||
|
||||
[ Aurelien Jarno ]
|
||||
* [mips*/*-malta] Enable POWER_RESET and POWER_RESET_SYSCON.
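Review bot: the entries that replace the Debian patches this commit deletes carry no CVE ids, although the deleted patch headers below do: ping: implement proper locking (CVE-2017-2671), the two net/packet overflow fixes (CVE-2017-7308), macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477) and the nfsd argument-checking fixes (CVE-2017-7645, CVE-2017-7895). Appending the id in parentheses to each of those lines, e.g. `- ping: implement proper locking (CVE-2017-2671)`, keeps the changelog matchable by the security tracker now that the Bug-Debian-Security headers disappear together with the patch files.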
@ -21,6 +21,8 @@ ignore-changes:
module:drivers/usb/host/**
|
||||
module:drivers/usb/musb/**
|
||||
module:net/ceph/libceph
|
||||
module:net/l2tp/l2tp_core
|
||||
module:sound/firewire/snd-firewire-lib
|
||||
# btree library is only selected by few drivers so not useful OOT
|
||||
btree_*
|
||||
visitor*
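Review bot: the two added ignore-changes entries, module:net/l2tp/l2tp_core and module:sound/firewire/snd-firewire-lib, have no comment saying which change altered the symbol ABI, unlike the btree entry that follows; a short comment naming the 4.9.26 l2tp and firewire-lib fixes listed in the changelog would tell the next maintainer when the entries can be dropped again. Ignoring the change instead of bumping the ABI is only safe if no out-of-tree module links against these two modules' exported symbols, which is the usual assumption for both but is worth stating in the commit message.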
@ -1,74 +0,0 @@
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
|
||||
Date: Fri, 21 Apr 2017 23:14:48 +0200
|
||||
Subject: macsec: avoid heap overflow in skb_to_sgvec
|
||||
Origin: https://git.kernel.org/linus/4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7477
|
||||
|
||||
While this may appear as a humdrum one line change, it's actually quite
|
||||
important. An sk_buff stores data in three places:
|
||||
|
||||
1. A linear chunk of allocated memory in skb->data. This is the easiest
|
||||
one to work with, but it precludes using scatterdata since the memory
|
||||
must be linear.
|
||||
2. The array skb_shinfo(skb)->frags, which is of maximum length
|
||||
MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
|
||||
can point to different pages.
|
||||
3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
|
||||
which in turn can have data in either (1) or (2).
|
||||
|
||||
The first two are rather easy to deal with, since they're of a fixed
|
||||
maximum length, while the third one is not, since there can be
|
||||
potentially limitless chains of fragments. Fortunately dealing with
|
||||
frag_list is opt-in for drivers, so drivers don't actually have to deal
|
||||
with this mess. For whatever reason, macsec decided it wanted pain, and
|
||||
so it explicitly specified NETIF_F_FRAGLIST.
|
||||
|
||||
Because dealing with (1), (2), and (3) is insane, most users of sk_buff
|
||||
doing any sort of crypto or paging operation calls a convenient function
|
||||
called skb_to_sgvec (which happens to be recursive if (3) is in use!).
|
||||
This takes a sk_buff as input, and writes into its output pointer an
|
||||
array of scattergather list items. Sometimes people like to declare a
|
||||
fixed size scattergather list on the stack; othertimes people like to
|
||||
allocate a fixed size scattergather list on the heap. However, if you're
|
||||
doing it in a fixed-size fashion, you really shouldn't be using
|
||||
NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
|
||||
frag_list children arent't shared and then you check the number of
|
||||
fragments in total required.)
|
||||
|
||||
Macsec specifically does this:
|
||||
|
||||
size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
|
||||
tmp = kmalloc(size, GFP_ATOMIC);
|
||||
*sg = (struct scatterlist *)(tmp + sg_offset);
|
||||
...
|
||||
sg_init_table(sg, MAX_SKB_FRAGS + 1);
|
||||
skb_to_sgvec(skb, sg, 0, skb->len);
|
||||
|
||||
Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
|
||||
using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
|
||||
overflow the heap, and disaster ensues.
|
||||
|
||||
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Cc: security@kernel.org
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/net/macsec.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
|
||||
index ff0a5ed..dbab05a 100644
|
||||
--- a/drivers/net/macsec.c
|
||||
+++ b/drivers/net/macsec.c
|
||||
@@ -2716,7 +2716,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
|
||||
}
|
||||
|
||||
#define MACSEC_FEATURES \
|
||||
- (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
|
||||
+ (NETIF_F_SG | NETIF_F_HIGHDMA)
|
||||
static struct lock_class_key macsec_netdev_addr_lock_key;
|
||||
|
||||
static int macsec_dev_init(struct net_device *dev)
|
||||
--
|
||||
2.1.4
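Review bot: removing this file is consistent with the changelog entry macsec: avoid heap overflow in skb_to_sgvec and with the Origin commit, but the companion entry bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch is left in the series by this commit (its file is not deleted here, and the series hunk removes only seven of the eight entries), so it now applies on top of an upstream tree where NETIF_F_FRAGLIST has already been dropped from MACSEC_FEATURES; confirm that it still applies cleanly and still makes sense without the frag_list case this message describes.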
@ -1,32 +0,0 @@
From: Andrey Konovalov <andreyknvl@google.com>
|
||||
Date: Wed, 29 Mar 2017 16:11:21 +0200
|
||||
Subject: net/packet: fix overflow in check for tp_frame_nr
|
||||
Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
|
||||
|
||||
When calculating rb->frames_per_block * req->tp_block_nr the result
|
||||
can overflow.
|
||||
|
||||
Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
|
||||
|
||||
Since frames_per_block <= tp_block_size, the expression would
|
||||
never overflow.
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/packet/af_packet.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -4247,6 +4247,8 @@ static int packet_set_ring(struct sock *
|
||||
rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
|
||||
if (unlikely(rb->frames_per_block == 0))
|
||||
goto out;
|
||||
+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
|
||||
+ goto out;
|
||||
if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
|
||||
req->tp_frame_nr))
|
||||
goto out;
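Review bot: the added guard divides by req->tp_block_nr, and the context lines do not show a check that it is non-zero; confirm this block sits inside the branch of packet_set_ring that runs only when req->tp_block_nr is set, otherwise the guard trades an overflow for a division by zero. The bound itself is right for the reason the message gives: frames_per_block = tp_block_size / tp_frame_size is at most tp_block_size, so tp_block_size <= UINT_MAX / tp_block_nr implies frames_per_block * tp_block_nr cannot wrap in the comparison that follows. Dropping the file matches the changelog entry net/packet: fix overflow in check for tp_frame_nr.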
@ -1,28 +0,0 @@
From: Andrey Konovalov <andreyknvl@google.com>
|
||||
Date: Wed, 29 Mar 2017 16:11:22 +0200
|
||||
Subject: net/packet: fix overflow in check for tp_reserve
|
||||
Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
|
||||
|
||||
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
|
||||
|
||||
Fix by checking that tp_reserve <= INT_MAX on assign.
|
||||
|
||||
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/packet/af_packet.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -3702,6 +3702,8 @@ packet_setsockopt(struct socket *sock, i
|
||||
return -EBUSY;
|
||||
if (copy_from_user(&val, optval, sizeof(val)))
|
||||
return -EFAULT;
|
||||
+ if (val > INT_MAX)
|
||||
+ return -EINVAL;
|
||||
po->tp_reserve = val;
|
||||
return 0;
|
||||
}
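Review bot: the limit is enforced only where tp_reserve is assigned in packet_setsockopt, while the sum the message says can overflow, po->tp_hdrlen + po->tp_reserve, is evaluated elsewhere and is not touched; that is sufficient only as long as this setsockopt path stays the sole writer of tp_reserve, which a one-line comment at the `if (val > INT_MAX)` check could record. Both net/packet patches cite CVE-2017-7308 and both have changelog entries above, so they are correctly dropped together.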
@ -1,104 +0,0 @@
From: "J. Bruce Fields" <bfields@redhat.com>
|
||||
Date: Fri, 21 Apr 2017 16:10:18 -0400
|
||||
Subject: nfsd: check for oversized NFSv2/v3 arguments
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
|
||||
|
||||
A client can append random data to the end of an NFSv2 or NFSv3 RPC call
|
||||
without our complaining; we'll just stop parsing at the end of the
|
||||
expected data and ignore the rest.
|
||||
|
||||
Encoded arguments and replies are stored together in an array of pages,
|
||||
and if a call is too large it could leave inadequate space for the
|
||||
reply. This is normally OK because NFS RPC's typically have either
|
||||
short arguments and long replies (like READ) or long arguments and short
|
||||
replies (like WRITE). But a client that sends an incorrectly long reply
|
||||
can violate those assumptions. This was observed to cause crashes.
|
||||
|
||||
Also, several operations increment rq_next_page in the decode routine
|
||||
before checking the argument size, which can leave rq_next_page pointing
|
||||
well past the end of the page array, causing trouble later in
|
||||
svc_free_pages.
|
||||
|
||||
So, following a suggestion from Neil Brown, add a central check to
|
||||
enforce our expectation that no NFSv2/v3 call has both a large call and
|
||||
a large reply.
|
||||
|
||||
As followup we may also want to rewrite the encoding routines to check
|
||||
more carefully that they aren't running off the end of the page array.
|
||||
|
||||
We may also consider rejecting calls that have any extra garbage
|
||||
appended. That would be safer, and within our rights by spec, but given
|
||||
the age of our server and the NFS protocol, and the fact that we've
|
||||
never enforced this before, we may need to balance that against the
|
||||
possibility of breaking some oddball client.
|
||||
|
||||
Reported-by: Tuomas Haanpää <thaan@synopsys.com>
|
||||
Reported-by: Ari Kauppi <ari@synopsys.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Reviewed-by: NeilBrown <neilb@suse.com>
|
||||
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
|
||||
---
|
||||
fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 36 insertions(+)
|
||||
|
||||
diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
|
||||
index 31e1f95..59979f0 100644
|
||||
--- a/fs/nfsd/nfssvc.c
|
||||
+++ b/fs/nfsd/nfssvc.c
|
||||
@@ -747,6 +747,37 @@ static __be32 map_new_errors(u32 vers, __be32 nfserr)
|
||||
return nfserr;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * A write procedure can have a large argument, and a read procedure can
|
||||
+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
|
||||
+ * reply that can both be larger than a page. The xdr code has taken
|
||||
+ * advantage of this assumption to be a sloppy about bounds checking in
|
||||
+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
|
||||
+ * problem, we enforce these assumptions here:
|
||||
+ */
|
||||
+static bool nfs_request_too_big(struct svc_rqst *rqstp,
|
||||
+ struct svc_procedure *proc)
|
||||
+{
|
||||
+ /*
|
||||
+ * The ACL code has more careful bounds-checking and is not
|
||||
+ * susceptible to this problem:
|
||||
+ */
|
||||
+ if (rqstp->rq_prog != NFS_PROGRAM)
|
||||
+ return false;
|
||||
+ /*
|
||||
+ * Ditto NFSv4 (which can in theory have argument and reply both
|
||||
+ * more than a page):
|
||||
+ */
|
||||
+ if (rqstp->rq_vers >= 4)
|
||||
+ return false;
|
||||
+ /* The reply will be small, we're OK: */
|
||||
+ if (proc->pc_xdrressize > 0 &&
|
||||
+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
|
||||
+ return false;
|
||||
+
|
||||
+ return rqstp->rq_arg.len > PAGE_SIZE;
|
||||
+}
|
||||
+
|
||||
int
|
||||
nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
|
||||
{
|
||||
@@ -759,6 +790,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
|
||||
rqstp->rq_vers, rqstp->rq_proc);
|
||||
proc = rqstp->rq_procinfo;
|
||||
|
||||
+ if (nfs_request_too_big(rqstp, proc)) {
|
||||
+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
|
||||
+ *statp = rpc_garbage_args;
|
||||
+ return 1;
|
||||
+ }
|
||||
/*
|
||||
* Give the xdr decoder a chance to change this if it wants
|
||||
* (necessary in the NFSv4.0 compound case)
|
||||
--
|
||||
2.1.4
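Review bot: the `proc->pc_xdrressize > 0 &&` clause in nfs_request_too_big means a procedure with no declared reply size is treated as one that might need more than a page, so any NFSv2/v3 call to such a procedure carrying more than PAGE_SIZE of arguments is now refused with rpc_garbage_args; that is the conservative reading, but the block comment only describes the READ and WRITE shapes and should say so. Placing the check right after `proc = rqstp->rq_procinfo` and before any decoder runs is what makes it effective against the rq_next_page problem the message describes, since no decode routine has advanced the page pointer yet. Dropping the file matches the changelog entry nfsd: check for oversized NFSv2/v3 arguments.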
@ -1,63 +0,0 @@
From: "J. Bruce Fields" <bfields@redhat.com>
|
||||
Date: Fri, 21 Apr 2017 15:26:30 -0400
|
||||
Subject: nfsd: stricter decoding of write-like NFSv2/v3 ops
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
|
||||
|
||||
The NFSv2/v3 code does not systematically check whether we decode past
|
||||
the end of the buffer. This generally appears to be harmless, but there
|
||||
are a few places where we do arithmetic on the pointers involved and
|
||||
don't account for the possibility that a length could be negative. Add
|
||||
checks to catch these.
|
||||
|
||||
Reported-by: Tuomas Haanpää <thaan@synopsys.com>
|
||||
Reported-by: Ari Kauppi <ari@synopsys.com>
|
||||
Reviewed-by: NeilBrown <neilb@suse.com>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
|
||||
---
|
||||
fs/nfsd/nfs3xdr.c | 4 ++++
|
||||
fs/nfsd/nfsxdr.c | 2 ++
|
||||
2 files changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
|
||||
index d18cfdd..4523346 100644
|
||||
--- a/fs/nfsd/nfs3xdr.c
|
||||
+++ b/fs/nfsd/nfs3xdr.c
|
||||
@@ -369,6 +369,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
args->count = ntohl(*p++);
|
||||
args->stable = ntohl(*p++);
|
||||
len = args->len = ntohl(*p++);
|
||||
+ if ((void *)p > head->iov_base + head->iov_len)
|
||||
+ return 0;
|
||||
/*
|
||||
* The count must equal the amount of data passed.
|
||||
*/
|
||||
@@ -472,6 +474,8 @@ nfs3svc_decode_symlinkargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
/* first copy and check from the first page */
|
||||
old = (char*)p;
|
||||
vec = &rqstp->rq_arg.head[0];
|
||||
+ if ((void *)old > vec->iov_base + vec->iov_len)
|
||||
+ return 0;
|
||||
avail = vec->iov_len - (old - (char*)vec->iov_base);
|
||||
while (len && avail && *old) {
|
||||
*new++ = *old++;
|
||||
diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
|
||||
index 59bd88a..de07ff6 100644
|
||||
--- a/fs/nfsd/nfsxdr.c
|
||||
+++ b/fs/nfsd/nfsxdr.c
|
||||
@@ -302,6 +302,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
* bytes.
|
||||
*/
|
||||
hdr = (void*)p - head->iov_base;
|
||||
+ if (hdr > head->iov_len)
|
||||
+ return 0;
|
||||
dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
|
||||
|
||||
/*
|
||||
--
|
||||
2.1.4
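Review bot: in the nfs3svc_decode_writeargs hunk the bound `(void *)p > head->iov_base + head->iov_len` is evaluated after the three ntohl(*p++) reads of count, stable and len, so it catches a pointer that has already run past the head rather than preventing those reads; that is harmless only if the head kvec always has a little slack behind it, which the hunk does not show and which deserves a comment. Using `>` rather than `>=` is right: p exactly at the end means zero payload bytes in the head, which the count check that follows rejects. The symlinkargs and nfsxdr.c hunks follow the same pattern. Dropping the file matches the changelog entry nfsd: stricter decoding of write-like NFSv2/v3 ops.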
@ -1,84 +0,0 @@
From: "J. Bruce Fields" <bfields@redhat.com>
|
||||
Date: Tue, 25 Apr 2017 16:21:34 -0400
|
||||
Subject: nfsd4: minor NFSv2/v3 write decoding cleanup
|
||||
Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
|
||||
|
||||
Use a couple shortcuts that will simplify a following bugfix.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
|
||||
---
|
||||
fs/nfsd/nfs3xdr.c | 9 +++++----
|
||||
fs/nfsd/nfsxdr.c | 8 ++++----
|
||||
2 files changed, 9 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/fs/nfsd/nfs3xdr.c b/fs/nfsd/nfs3xdr.c
|
||||
index dba2ff8..d18cfdd 100644
|
||||
--- a/fs/nfsd/nfs3xdr.c
|
||||
+++ b/fs/nfsd/nfs3xdr.c
|
||||
@@ -358,6 +358,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
{
|
||||
unsigned int len, v, hdr, dlen;
|
||||
u32 max_blocksize = svc_max_payload(rqstp);
|
||||
+ struct kvec *head = rqstp->rq_arg.head;
|
||||
+ struct kvec *tail = rqstp->rq_arg.tail;
|
||||
|
||||
p = decode_fh(p, &args->fh);
|
||||
if (!p)
|
||||
@@ -377,9 +379,8 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
* Check to make sure that we got the right number of
|
||||
* bytes.
|
||||
*/
|
||||
- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
|
||||
- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
|
||||
- + rqstp->rq_arg.tail[0].iov_len - hdr;
|
||||
+ hdr = (void*)p - head->iov_base;
|
||||
+ dlen = head->iov_len + rqstp->rq_arg.page_len + tail->iov_len - hdr;
|
||||
/*
|
||||
* Round the length of the data which was specified up to
|
||||
* the next multiple of XDR units and then compare that
|
||||
@@ -396,7 +397,7 @@ nfs3svc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
len = args->len = max_blocksize;
|
||||
}
|
||||
rqstp->rq_vec[0].iov_base = (void*)p;
|
||||
- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
|
||||
+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
|
||||
v = 0;
|
||||
while (len > rqstp->rq_vec[v].iov_len) {
|
||||
len -= rqstp->rq_vec[v].iov_len;
|
||||
diff --git a/fs/nfsd/nfsxdr.c b/fs/nfsd/nfsxdr.c
|
||||
index 41b468a..59bd88a 100644
|
||||
--- a/fs/nfsd/nfsxdr.c
|
||||
+++ b/fs/nfsd/nfsxdr.c
|
||||
@@ -280,6 +280,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
struct nfsd_writeargs *args)
|
||||
{
|
||||
unsigned int len, hdr, dlen;
|
||||
+ struct kvec *head = rqstp->rq_arg.head;
|
||||
int v;
|
||||
|
||||
p = decode_fh(p, &args->fh);
|
||||
@@ -300,9 +301,8 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
* Check to make sure that we got the right number of
|
||||
* bytes.
|
||||
*/
|
||||
- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
|
||||
- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
|
||||
- - hdr;
|
||||
+ hdr = (void*)p - head->iov_base;
|
||||
+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
|
||||
|
||||
/*
|
||||
* Round the length of the data which was specified up to
|
||||
@@ -316,7 +316,7 @@ nfssvc_decode_writeargs(struct svc_rqst *rqstp, __be32 *p,
|
||||
return 0;
|
||||
|
||||
rqstp->rq_vec[0].iov_base = (void*)p;
|
||||
- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
|
||||
+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
|
||||
v = 0;
|
||||
while (len > rqstp->rq_vec[v].iov_len) {
|
||||
len -= rqstp->rq_vec[v].iov_len;
|
||||
--
|
||||
2.1.4
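Review bot: the index lines make the ordering constraint explicit: this patch takes fs/nfsd/nfs3xdr.c from dba2ff8 to d18cfdd, and the stricter-decoding patch above starts from d18cfdd and uses the `head` shortcut introduced here, so in any tree that still carries both, this cleanup must stay ahead of it, as the series file does. The Subject prefix nfsd4: is upstream's and is misleading for a change confined to the NFSv2/v3 decoders. Dropping the file matches the changelog entry nfsd4: minor NFSv2/v3 write decoding cleanup.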
@ -1,54 +0,0 @@
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Fri, 24 Mar 2017 19:36:13 -0700
|
||||
Subject: ping: implement proper locking
|
||||
Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
|
||||
|
||||
We got a report of yet another bug in ping
|
||||
|
||||
http://www.openwall.com/lists/oss-security/2017/03/24/6
|
||||
|
||||
->disconnect() is not called with socket lock held.
|
||||
|
||||
Fix this by acquiring ping rwlock earlier.
|
||||
|
||||
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
|
||||
|
||||
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
|
||||
Reported-by: Solar Designer <solar@openwall.com>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv4/ping.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
|
||||
index 2af6244b83e2..ccfbce13a633 100644
|
||||
--- a/net/ipv4/ping.c
|
||||
+++ b/net/ipv4/ping.c
|
||||
@@ -156,17 +156,18 @@ int ping_hash(struct sock *sk)
|
||||
void ping_unhash(struct sock *sk)
|
||||
{
|
||||
struct inet_sock *isk = inet_sk(sk);
|
||||
+
|
||||
pr_debug("ping_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
|
||||
+ write_lock_bh(&ping_table.lock);
|
||||
if (sk_hashed(sk)) {
|
||||
- write_lock_bh(&ping_table.lock);
|
||||
hlist_nulls_del(&sk->sk_nulls_node);
|
||||
sk_nulls_node_init(&sk->sk_nulls_node);
|
||||
sock_put(sk);
|
||||
isk->inet_num = 0;
|
||||
isk->inet_sport = 0;
|
||||
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
|
||||
- write_unlock_bh(&ping_table.lock);
|
||||
}
|
||||
+ write_unlock_bh(&ping_table.lock);
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(ping_unhash);
|
||||
|
||||
--
|
||||
2.11.0
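Review bot: the lock now covers the sk_hashed(sk) test itself rather than only the body of the if, which is the substance of the fix: with the lock taken inside the branch, two unlocked callers (->disconnect() runs without the socket lock, per the message) could both observe the socket as hashed and both reach hlist_nulls_del and sock_put. Keeping pr_debug outside the lock is fine. Dropping the file matches the changelog entry ping: implement proper locking, and the Fixes: tag names the commit that added IPPROTO_ICMP sockets, so every stable branch with ping sockets needs the equivalent.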
@ -105,14 +105,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
debian/time-mark-timer_stats-as-broken.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
|
||||
bugfix/all/ping-implement-proper-locking.patch
|
||||
bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
|
||||
bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
|
||||
bugfix/all/nfsd-check-for-oversized-NFSv2-v3-arguments.patch
|
||||
bugfix/all/nfsd4-minor-NFSv2-v3-write-decoding-cleanup.patch
|
||||
bugfix/all/nfsd-stricter-decoding-of-write-like-NFSv2-v3-ops.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
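Review bot: the header counts (14 lines before, 7 after) mean one of the eight bugfix/all entries survives, and since the seven patch files deleted in this commit cover every entry except bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch, that one is being kept; the changelog has no line for it, so add a short changelog note (or a comment above the entry) saying it is still carried on top of 4.9.26, otherwise the next stable update may drop it on the assumption that it went upstream together with the skb_to_sgvec fix.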