diff --git a/debian/changelog b/debian/changelog
index 802eae766..7a023d86e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,334 @@
-linux (4.13.4-3) UNRELEASED; urgency=medium
+linux (4.13.9-1) UNRELEASED; urgency=medium
+  * New upstream stable update:
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.5
+    - cifs: check rsp for NULL before dereferencing in SMB2_open
+    - cifs: release cifs root_cred after exit_cifs
+    - cifs: release auth_key.response for reconnect.
+    - nvme-pci: fix host memory buffer allocation fallback
+    - nvme-pci: use appropriate initial chunk size for HMB allocation
+    - nvme-pci: propagate (some) errors from host memory buffer setup
+    - dax: remove the pmem_dax_ops->flush abstraction
+    - dm integrity: do not check integrity for failed read operations
+    - mmc: block: Fix incorrectly initialized requests
+    - fs/proc: Report eip/esp in /prod/PID/stat for coredumping
+    - scsi: scsi_transport_fc: fix NULL pointer dereference in
+      fc_bsg_job_timeout
+    - cifs: SMB3: Add support for multidialect negotiate (SMB2.1 and later)
+    - mac80211: fix VLAN handling with TXQs
+    - mac80211_hwsim: Use proper TX power
+    - mac80211: flush hw_roc_start work before cancelling the ROC
+    - genirq: Make sparse_irq_lock protect what it should protect
+    - genirq/msi: Fix populating multiple interrupts
+    - genirq: Fix cpumask check in __irq_startup_managed()
+    - [powerpc*] KVM: Book3S HV: Hold kvm->lock around call to
+      kvmppc_update_lpcr
+    - [powerpc*] KVM: Book3S HV: Fix bug causing host SLB to be restored
+      incorrectly
+    - [powerpc*] KVM: PPC: Book3S HV: Don't access XIVE PIPR register using
+      byte accesses
+    - tracing: Fix trace_pipe behavior for instance traces
+    - tracing: Erase irqsoff trace with empty write
+    - tracing: Remove RCU work arounds from stack tracer
+    - md/raid5: fix a race condition in stripe batch
+    - md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
+    - scsi: aacraid: Fix 2T+ drives on SmartIOC-2000
+    - scsi: aacraid: Add a small delay after IOP reset
+    - [armhf] drm/exynos: Fix locking in the suspend/resume paths
+    - [x86] drm/i915/gvt: Fix incorrect PCI BARs reporting
+    - Revert "drm/i915/bxt: Disable device ready before shutdown command"
+    - drm/amdgpu: revert tile table update for oland
+    - drm/radeon: disable hard reset in hibernate for APUs
+    - crypto: drbg - fix freeing of resources
+    - security/keys: properly zero out sensitive key material in big_key
+    - security/keys: rewrite all of big_key crypto
+    - KEYS: fix writing past end of user-supplied buffer in keyring_read()
+    - KEYS: prevent creating a different user's keyrings
+    - [x86] libnvdimm, namespace: fix btt claim class crash
+    - [powerpc*] eeh: Create PHB PEs after EEH is initialized
+    - [powerpc*] pseries: Fix parent_dn reference leak in add_dt_node()
+    - [powerpc*] tm: Flush TM only if CPU has TM feature
+    - [mips*] Fix perf event init
+    - [s390x] perf: fix bug when creating per-thread event
+    - [s390x] mm: make pmdp_invalidate() do invalidation only
+    - [s390x] mm: fix write access check in gup_huge_pmd()
+    - PM: core: Fix device_pm_check_callbacks()
+    - Revert "IB/ipoib: Update broadcast object if PKey value was changed in
+      index 0"
+    - cifs: Fix SMB3.1.1 guest authentication to Samba
+    - cifs: SMB3: Fix endian warning
+    - cifs: SMB3: Warn user if trying to sign connection that authenticated as
+      guest
+    - cifs: SMB: Validate negotiate (to protect against downgrade) even if
+      signing off
+    - cifs: SMB3: handle new statx fields
+    - cifs: SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
+    - vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
+    - libceph: don't allow bidirectional swap of pg-upmap-items
+    - brd: fix overflow in __brd_direct_access
+    - gfs2: Fix debugfs glocks dump
+    - bsg-lib: don't free job in bsg_prepare_job
+    - iw_cxgb4: drop listen destroy replies if no ep found
+    - iw_cxgb4: remove the stid on listen create failure
+    - iw_cxgb4: put ep reference in pass_accept_req()
+    - rcu: Allow for page faults in NMI handlers
+    - mmc: sdhci-pci: Fix voltage switch for some Intel host controllers
+    - extable: Consolidate *kernel_text_address() functions
+    - extable: Enable RCU if it is not watching in kernel_text_address()
+    - seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
+    - [arm64] Make sure SPsel is always set
+    - [arm64] mm: Use READ_ONCE when dereferencing pointer to pte table
+    - [arm64] fault: Route pte translation faults via do_translation_fault
+    - [x86] KVM: VMX: extract __pi_post_block
+    - [x86] KVM: VMX: avoid double list add with VT-d posted interrupts
+    - [x86] KVM: VMX: simplify and fix vmx_vcpu_pi_load
+    - [x86] KVM: nVMX: fix HOST_CR3/HOST_CR4 cache
+    - [x86] kvm: Handle async PF in RCU read-side critical sections
+    - xfs: validate bdev support for DAX inode flag
+    - sched/sysctl: Check user input value of sysctl_sched_time_avg
+    - irq/generic-chip: Don't replace domain's name
+    - mtd: Fix partition alignment check on multi-erasesize devices
+    - [armhf] etnaviv: fix submit error path
+    - [armhf] etnaviv: fix gem object list corruption
+    - futex: Fix pi_state->owner serialization
+    - md: fix a race condition for flush request handling
+    - md: separate request handling
+    - PCI: Fix race condition with driver_override
+    - btrfs: fix NULL pointer dereference from free_reloc_roots()
+    - btrfs: clear ordered flag on cleaning up ordered extents
+    - btrfs: finish ordered extent cleaning if no progress is found
+    - btrfs: propagate error to btrfs_cmp_data_prepare caller
+    - btrfs: prevent to set invalid default subvolid
+    - [x86] platform: fujitsu-laptop: Don't oops when FUJ02E3 is not presnt
+    - PM / OPP: Call notifier without holding opp_table->lock
+    - [x86] mm: Fix fault error path using unsafe vma pointer
+    - [x86] fpu: Don't let userspace set bogus xcomp_bv
+    - [x86] KVM: VMX: do not change SN bit in vmx_update_pi_irte()
+    - [x86] KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
+    - [x86] KVM: VMX: use cmpxchg64
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.6
+    - [armhf,arm64] usb: dwc3: ep0: fix DMA starvation by assigning req->trb on
+      ep0
+    - mlxsw: spectrum: Fix EEPROM access in case of SFP/SFP+
+    - net: bonding: Fix transmit load balancing in balance-alb mode if
+      specified by sysfs
+    - openvswitch: Fix an error handling path in
+      'ovs_nla_init_match_and_action()'
+    - net: bonding: fix tlb_dynamic_lb default value
+    - net_sched: gen_estimator: fix scaling error in bytes/packets samples
+    - net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
+    - sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
+    - tcp: update skb->skb_mstamp more carefully
+    - bpf/verifier: reject BPF_ALU64|BPF_END
+    - tcp: fix data delivery rate
+    - udpv6: Fix the checksum computation when HW checksum does not apply
+    - ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
+    - net: phy: Fix mask value write on gmii2rgmii converter speed register
+    - ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
+    - net/sched: cls_matchall: fix crash when used with classful qdisc
+    - 8139too: revisit napi_complete_done() usage
+    - bpf: do not disable/enable BH in bpf_map_free_id()
+    - tcp: fastopen: fix on syn-data transmit failure
+    - [powerpc*] net: emac: Fix napi poll list corruption
+    - net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure
+    - packet: hold bind lock when rebinding to fanout hook
+    - net: change skb->mac_header when Generic XDP calls adjust_head
+    - net_sched: always reset qdisc backlog in qdisc_reset()
+    - [armhf,arm64] net: stmmac: Cocci spatch "of_table"
+    - [arm64] net: qcom/emac: specify the correct size when mapping a DMA buffer
+    - vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
+    - l2tp: fix race condition in l2tp_tunnel_delete
+    - tun: bail out from tun_get_user() if the skb is empty
+    - [armhf,arm64] net: dsa: mv88e6xxx: Allow dsa and cpu ports in multiple
+      vlans
+    - [armhf,arm64] net: dsa: Fix network device registration order
+    - packet: in packet_do_bind, test fanout with bind_lock held
+    - packet: only test po->has_vnet_hdr once in packet_snd
+    - [armhf,arm64] net: dsa: mv88e6xxx: lock mutex when freeing IRQs
+    - net: Set sk_prot_creator when cloning sockets to the right proto
+    - net/mlx5e: IPoIB, Fix access to invalid memory address
+    - netlink: do not proceed if dump's start() errs
+    - ip6_gre: ip6gre_tap device should keep dst
+    - ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
+    - IPv4: early demux can return an error code
+    - tipc: use only positive error codes in messages
+    - l2tp: fix l2tp_eth module loading
+    - socket, bpf: fix possible use after free
+    - net: rtnetlink: fix info leak in RTM_GETSTATS call
+    - [amd64] bpf: fix bpf_tail_call() x64 JIT
+    - usb: gadget: core: fix ->udc_set_speed() logic
+    - USB: gadgetfs: Fix crash caused by inadequate synchronization
+    - USB: gadgetfs: fix copy_to_user while holding spinlock
+    - usb: gadget: udc: atmel: set vbus irqflags explicitly
+    - usb-storage: unusual_devs entry to fix write-access regression for
+      Seagate external drives
+    - usb-storage: fix bogus hardware error messages for ATA pass-thru devices
+    - ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
+    - usb: pci-quirks.c: Corrected timeout values used in handshake
+    - USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
+    - USB: dummy-hcd: fix connection failures (wrong speed)
+    - USB: dummy-hcd: fix infinite-loop resubmission bug
+    - USB: dummy-hcd: Fix erroneous synchronization change
+    - USB: devio: Prevent integer overflow in proc_do_submiturb()
+    - USB: devio: Don't corrupt user memory
+    - USB: g_mass_storage: Fix deadlock when driver is unbound
+    - USB: uas: fix bug in handling of alternate settings
+    - USB: core: harden cdc_parse_cdc_header
+    - usb: Increase quirk delay for USB devices
+    - USB: fix out-of-bounds in usb_set_configuration
+    - usb: xhci: Free the right ring in xhci_add_endpoint()
+    - xhci: fix finding correct bus_state structure for USB 3.1 hosts
+    - xhci: fix wrong endpoint ESIT value shown in tracing
+    - usb: host: xhci-plat: allow sysdev to inherit from ACPI
+    - xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
+    - xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
+    - [x86] Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
+    - [armhf] iio: adc: twl4030: Fix an error handling path in
+      'twl4030_madc_probe()'
+    - [armhf] iio: adc: twl4030: Disable the vusb3v1 rugulator in the error
+      handling path of 'twl4030_madc_probe()'
+    - iio: core: Return error for failed read_reg
+    - uwb: properly check kthread_run return value
+    - uwb: ensure that endpoint is interrupt
+    - ksm: fix unlocked iteration over vmas in cmp_and_merge_page()
+    - mm, hugetlb, soft_offline: save compound page order before page migration
+    - mm, oom_reaper: skip mm structs with mmu notifiers
+    - mm: fix RODATA_TEST failure "rodata_test: test data was not read only"
+    - mm: avoid marking swap cached page as lazyfree
+    - mm: fix data corruption caused by lazyfree page
+    - userfaultfd: non-cooperative: fix fork use after free
+    - ALSA: compress: Remove unused variable
+    - Revert "ALSA: echoaudio: purge contradictions between dimension matrix
+      members and total number of members"
+    - ALSA: usx2y: Suppress kernel warning at page allocation failures
+    - [powerpc*] powernv: Increase memory block size to 1GB on radix
+    - [powerpc*] Fix action argument for cpufeatures-based TLB flush
+    - percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
+    - [x86] intel_th: pci: Add Lewisburg PCH support
+    - driver core: platform: Don't read past the end of "driver_override" buffer
+    - cgroup: Reinit cgroup_taskset structure before cgroup_migrate_execute()
+      returns
+    - [x86] Drivers: hv: fcopy: restore correct transfer length
+    - [x86] vmbus: don't acquire the mutex in vmbus_hvsock_device_unregister()
+    - ftrace: Fix kmemleak in unregister_ftrace_graph
+    - ovl: fix error value printed in ovl_lookup_index()
+    - ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
+    - ovl: fix dentry leak in ovl_indexdir_cleanup()
+    - ovl: fix missing unlock_rename() in ovl_do_copy_up()
+    - ovl: fix regression caused by exclusive upper/work dir protection
+    - [arm64] dt marvell: Fix AP806 system controller size
+    - [arm64] Ensure the instruction emulation is ready for userspace
+    - HID: rmi: Make sure the HID device is opened on resume
+    - HID: i2c-hid: allocate hid buffers for real worst case
+    - HID: wacom: leds: Don't try to control the EKR's read-only LEDs
+    - HID: wacom: Properly report negative values from Intuos Pro 2 Bluetooth
+    - HID: wacom: Correct coordinate system of touchring and pen twist
+    - HID: wacom: generic: Send MSC_SERIAL and ABS_MISC when leaving prox
+    - HID: wacom: generic: Clear ABS_MISC when tool leaves proximity
+    - HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
+    - HID: wacom: bits shifted too much for 9th and 10th buttons
+    - btrfs: avoid overflow when sector_t is 32 bit
+    - Btrfs: fix overlap of fs_info::flags values
+    - dm crypt: reject sector_size feature if device length is not aligned to it
+    - dm ioctl: fix alignment of event number in the device list
+    - dm crypt: fix memory leak in crypt_ctr_cipher_old()
+    - [powerpc*] KVM: Book3S: Fix server always zero from kvmppc_xive_get_xive()
+    - [x86] kvm: Avoid async PF preempting the kernel incorrectly
+    - iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
+    - scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
+    - scsi: sd: Do not override max_sectors_kb sysfs setting
+    - brcmfmac: setup passive scan if requested by user-space
+    - [x86] drm/i915: always update ELD connector type after get modes
+    - [x86] drm/i915/bios: ignore HDMI on port A
+    - bsg-lib: fix use-after-free under memory-pressure
+    - nvme-pci: Use PCI bus address for data/queues in CMB
+    - mmc: core: add driver strength selection when selecting hs400es
+    - nl80211: Define policy for packet pattern attributes
+    - [armhf] clk: samsung: exynos4: Enable VPLL and EPLL clocks for
+      suspend/resume cycle
+    - udp: perform source validation for mcast early demux
+    - udp: fix bcast packet reception
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.7
+    - watchdog: Revert "iTCO_wdt: all versions count down twice"
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.8
+    - USB: dummy-hcd: Fix deadlock caused by disconnect detection
+    - [mips*] math-emu: Remove pr_err() calls from fpu_emu()
+    - [mips*] bpf: Fix uninitialised target compiler error
+    - [x86] mei: always use domain runtime pm callbacks.
+    - [armhf] dmaengine: edma: Align the memcpy acnt array size with the
+      transfer
+    - [armhf] dmaengine: ti-dma-crossbar: Fix possible race condition with
+      dma_inuse
+    - NFS: Fix uninitialized rpc_wait_queue
+    - nfs/filelayout: fix oops when freeing filelayout segment
+    - HID: usbhid: fix out-of-bounds bug
+    - crypto: skcipher - Fix crash on zero-length input
+    - crypto: shash - Fix zero-length shash ahash digest crash
+    - [x86] KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
+    - [x86] pinctrl/amd: Fix build dependency on pinmux code
+    - [x86] iommu/amd: Finish TLB flush in amd_iommu_unmap()
+    - device property: Track owner device of device property
+    - Revert "vmalloc: back off when the current task is killed"
+    - fs/mpage.c: fix mpage_writepage() for pages with buffers
+    - ALSA: usb-audio: Kill stray URB at exiting
+    - ALSA: seq: Fix copy_from_user() call inside lock
+    - ALSA: caiaq: Fix stray URB at probe error path
+    - ALSA: line6: Fix NULL dereference at podhd_disconnect()
+    - ALSA: line6: Fix missing initialization before error path
+    - ALSA: line6: Fix leftover URB at error-path during probe
+    - drm/atomic: Unref duplicated drm_atomic_state in
+      drm_atomic_helper_resume()
+    - [x86] drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+    - [x86] drm/i915: Read timings from the correct transcoder in
+      intel_crtc_mode_get()
+    - [x86] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP
+      AUX channel
+    - [x86] drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check
+    - usb: gadget: configfs: Fix memory leak of interface directory data
+    - usb: gadget: composite: Fix use-after-free in
+      usb_composite_overwrite_options
+    - [arm64] PCI: aardvark: Move to struct pci_host_bridge IRQ mapping
+      functions
+    - [armhf,armhf] Revert "PCI: tegra: Do not allocate MSI target memory"
+    - direct-io: Prevent NULL pointer access in submit_page_section
+    - fix unbalanced page refcounting in bio_map_user_iov
+    - more 
bio_map_user_iov() leak fixes + - bio_copy_user_iov(): don't ignore ->iov_offset + - perf script: Add missing separator for "-F ip,brstack" (and brstackoff) + - genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs + - genirq/cpuhotplug: Add sanity check for effective affinity mask + - USB: serial: cp210x: fix partnum regression + - USB: serial: console: fix use-after-free on disconnect + - USB: serial: console: fix use-after-free after failed setup + - RAS/CEC: Use the right length for "cec_disable" + - [x86] alternatives: Fix alt_max_short macro to really be a max() + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.9 + - [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on CPUs + without the feature + - [x86] apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on + hypervisors + - [armhf,arm64] perf pmu: Unbreak perf record for arm/arm64 with events + with explicit PMU + - mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE outside of lock + - HID: hid-elecom: extend to fix descriptor for HUGE trackball + - [x86] Drivers: hv: vmbus: Fix rescind handling issues + - [x86] Drivers: hv: vmbus: Fix bugs in rescind handling + - [x86] vmbus: simplify hv_ringbuffer_read + - [x86] vmbus: refactor hv_signal_on_read + - [x86] vmbus: eliminate duplicate cached index + - [x86] vmbus: more host signalling avoidance + + [ Ben Hutchings ] * [arm64] brcmfmac: Enable BRCMFMAC_SDIO (Closes: #877911) * Update build dependencies on libbabeltrace[,-ctf}-dev * linux-kbuild: Include scripts/ld-version.sh, needed for powerpc 64-bit modules + * dax: Avoid most ABI changes in 4.13.5 + * SCSI: Avoid ABI change in 4.13.6 + * [x86] kvm: Ignore ABI change in 4.13.6 + * seq-virmidi: Ignore ABI change in 4.13.8 + * Revert "bpf: one perf event close won't free bpf program attached ..." + to avoid an ABI change -- Ben Hutchings Wed, 18 Oct 2017 20:03:01 +0100 
diff --git a/debian/config/defines b/debian/config/defines
index 2eaeb0eb9..74152f6c1 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -4,7 +4,9 @@ ignore-changes:
  __cpuhp_*
  bpf_analyzer
  cxl_*
+ dax_flush
  iommu_device_*
+ kvm_async_pf_task_wait
  mm_iommu_*
  perf_*
  register_cxl_calls
@@ -30,6 +32,7 @@ ignore-changes:
  module:fs/nfs/**
  module:net/ceph/libceph
  module:net/l2tp/l2tp_core
+ module:sound/core/seq/snd-seq-virmidi
  module:sound/firewire/snd-firewire-lib
 # btree library is only selected by few drivers so not useful OOT
  btree_*
diff --git a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch b/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
deleted file mode 100644
index f9026ce22..000000000
--- a/debian/patches/bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch
+++ /dev/null
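Review bot: The three new ignore-changes entries (`dax_flush`, `kvm_async_pf_task_wait` and `module:sound/core/seq/snd-seq-virmidi`) carry no rationale, whereas the one annotated entry already in this block explains itself with `# btree library is only selected by few drivers so not useful OOT`. Each entry tells the packaging ABI check to stop reporting a symbol whose exported interface changed in this stable update, so an out-of-tree module built against the previous signature would no longer be flagged; the changelog on this page ties them to the 4.13.5 dax, 4.13.6 kvm and 4.13.8 seq-virmidi changes, but that link is lost once the changelog entry scrolls away. A one-line comment per entry naming the upstream change and why no out-of-tree user is expected would make the next rebase easier to audit, e.g. `# kvm_async_pf_task_wait: ABI changed by the 4.13.6 async-PF/RCU fix; no OOT users known`. The same applies to the `dax_flush` and snd-seq-virmidi lines.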
@@ -1,141 +0,0 @@ -From: Takashi Iwai -Date: Mon, 9 Oct 2017 11:09:20 +0200 -Subject: ALSA: seq: Fix use-after-free at creating a port -Origin: https://git.kernel.org/linus/71105998845fb012937332fe2e806d443c09e026 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15265 - -There is a potential race window opened at creating and deleting a -port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates -a port object and returns its pointer, but it doesn't take the -refcount, thus it can be deleted immediately by another thread. -Meanwhile, snd_seq_ioctl_create_port() still calls the function -snd_seq_system_client_ev_port_start() with the created port object -that is being deleted, and this triggers use-after-free like: - - BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1 - ============================================================================= - BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected - ----------------------------------------------------------------------------- - INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511 - ___slab_alloc+0x425/0x460 - __slab_alloc+0x20/0x40 - kmem_cache_alloc_trace+0x150/0x190 - snd_seq_create_port+0x94/0x9b0 [snd_seq] - snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq] - snd_seq_do_ioctl+0x11c/0x190 [snd_seq] - snd_seq_ioctl+0x40/0x80 [snd_seq] - do_vfs_ioctl+0x54b/0xda0 - SyS_ioctl+0x79/0x90 - entry_SYSCALL_64_fastpath+0x16/0x75 - INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717 - __slab_free+0x204/0x310 - kfree+0x15f/0x180 - port_delete+0x136/0x1a0 [snd_seq] - snd_seq_delete_port+0x235/0x350 [snd_seq] - snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq] - snd_seq_do_ioctl+0x11c/0x190 [snd_seq] - snd_seq_ioctl+0x40/0x80 [snd_seq] - do_vfs_ioctl+0x54b/0xda0 - SyS_ioctl+0x79/0x90 - entry_SYSCALL_64_fastpath+0x16/0x75 - Call Trace: - [] dump_stack+0x63/0x82 - [] print_trailer+0xfb/0x160 
- [] object_err+0x34/0x40 - [] kasan_report.part.2+0x223/0x520 - [] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] - [] __asan_report_load1_noabort+0x2e/0x30 - [] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] - [] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq] - [] ? taskstats_exit+0xbc0/0xbc0 - [] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] - [] snd_seq_ioctl+0x40/0x80 [snd_seq] - [] ? acct_account_cputime+0x63/0x80 - [] do_vfs_ioctl+0x54b/0xda0 - ..... - -We may fix this in a few different ways, and in this patch, it's fixed -simply by taking the refcount properly at snd_seq_create_port() and -letting the caller unref the object after use. Also, there is another -potential use-after-free by sprintf() call in snd_seq_create_port(), -and this is moved inside the lock. - -This fix covers CVE-2017-15265. - -Reported-and-tested-by: Michael23 Yu -Suggested-by: Linus Torvalds -Cc: -Signed-off-by: Takashi Iwai ---- - sound/core/seq/seq_clientmgr.c | 6 +++++- - sound/core/seq/seq_ports.c | 7 +++++-- - 2 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index ea2d0ae85bd3..6c9cba2166d9 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg) - struct snd_seq_port_info *info = arg; - struct snd_seq_client_port *port; - struct snd_seq_port_callback *callback; -+ int port_idx; - - /* it is not allowed to create the port for an another client */ - if (info->addr.client != client->number) -@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg) - return -ENOMEM; - - if (client->type == USER_CLIENT && info->kernel) { -- snd_seq_delete_port(client, port->addr.port); -+ port_idx = port->addr.port; -+ snd_seq_port_unlock(port); -+ snd_seq_delete_port(client, port_idx); - return -EINVAL; - } - if (client->type == KERNEL_CLIENT) { 
-@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(struct snd_seq_client *client, void *arg) - - snd_seq_set_port_info(port, info); - snd_seq_system_client_ev_port_start(port->addr.client, port->addr.port); -+ snd_seq_port_unlock(port); - - return 0; - } -diff --git a/sound/core/seq/seq_ports.c b/sound/core/seq/seq_ports.c -index 0a7020c82bfc..d21ece9f8d73 100644 ---- a/sound/core/seq/seq_ports.c -+++ b/sound/core/seq/seq_ports.c -@@ -122,7 +122,9 @@ static void port_subs_info_init(struct snd_seq_port_subs_info *grp) - } - - --/* create a port, port number is returned (-1 on failure) */ -+/* create a port, port number is returned (-1 on failure); -+ * the caller needs to unref the port via snd_seq_port_unlock() appropriately -+ */ - struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - int port) - { -@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - snd_use_lock_init(&new_port->use_lock); - port_subs_info_init(&new_port->c_src); - port_subs_info_init(&new_port->c_dest); -+ snd_use_lock_use(&new_port->use_lock); - - num = port >= 0 ? port : 0; - mutex_lock(&client->ports_mutex); -@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, - list_add_tail(&new_port->list, &p->list); - client->num_ports++; - new_port->addr.port = num; /* store the port number in the port */ -+ sprintf(new_port->name, "port-%d", num); - write_unlock_irqrestore(&client->ports_lock, flags); - mutex_unlock(&client->ports_mutex); -- sprintf(new_port->name, "port-%d", num); - - return new_port; - } --- -2.11.0 - diff --git a/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch b/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch deleted file mode 100644 index e34ea9bf0..000000000 --- a/debian/patches/bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch +++ /dev/null 
@@ -1,81 +0,0 @@ -From: Eric Biggers -Date: Mon, 18 Sep 2017 11:37:23 -0700 -Subject: KEYS: prevent KEYCTL_READ on negative key -Origin: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12192 - -Because keyctl_read_key() looks up the key with no permissions -requested, it may find a negatively instantiated key. If the key is -also possessed, we went ahead and called ->read() on the key. But the -key payload will actually contain the ->reject_error rather than the -normal payload. Thus, the kernel oopses trying to read the -user_key_payload from memory address (int)-ENOKEY = 0x00000000ffffff82. - -Fortunately the payload data is stored inline, so it shouldn't be -possible to abuse this as an arbitrary memory read primitive... - -Reproducer: - keyctl new_session - keyctl request2 user desc '' @s - keyctl read $(keyctl show | awk '/user: desc/ {print $1}') - -It causes a crash like the following: - BUG: unable to handle kernel paging request at 00000000ffffff92 - IP: user_read+0x33/0xa0 - PGD 36a54067 P4D 36a54067 PUD 0 - Oops: 0000 [#1] SMP - CPU: 0 PID: 211 Comm: keyctl Not tainted 4.14.0-rc1 #337 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014 - task: ffff90aa3b74c3c0 task.stack: ffff9878c0478000 - RIP: 0010:user_read+0x33/0xa0 - RSP: 0018:ffff9878c047bee8 EFLAGS: 00010246 - RAX: 0000000000000001 RBX: ffff90aa3d7da340 RCX: 0000000000000017 - RDX: 0000000000000000 RSI: 00000000ffffff82 RDI: ffff90aa3d7da340 - RBP: ffff9878c047bf00 R08: 00000024f95da94f R09: 0000000000000000 - R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000 - R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 - FS: 00007f58ece69740(0000) GS:ffff90aa3e200000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 00000000ffffff92 CR3: 0000000036adc001 CR4: 00000000003606f0 - Call Trace: - 
keyctl_read_key+0xac/0xe0 - SyS_keyctl+0x99/0x120 - entry_SYSCALL_64_fastpath+0x1f/0xbe - RIP: 0033:0x7f58ec787bb9 - RSP: 002b:00007ffc8d401678 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa - RAX: ffffffffffffffda RBX: 00007ffc8d402800 RCX: 00007f58ec787bb9 - RDX: 0000000000000000 RSI: 00000000174a63ac RDI: 000000000000000b - RBP: 0000000000000004 R08: 00007ffc8d402809 R09: 0000000000000020 - R10: 0000000000000000 R11: 0000000000000206 R12: 00007ffc8d402800 - R13: 00007ffc8d4016e0 R14: 0000000000000000 R15: 0000000000000000 - Code: e5 41 55 49 89 f5 41 54 49 89 d4 53 48 89 fb e8 a4 b4 ad ff 85 c0 74 09 80 3d b9 4c 96 00 00 74 43 48 8b b3 20 01 00 00 4d 85 ed <0f> b7 5e 10 74 29 4d 85 e4 74 24 4c 39 e3 4c 89 e2 4c 89 ef 48 - RIP: user_read+0x33/0xa0 RSP: ffff9878c047bee8 - CR2: 00000000ffffff92 - -Fixes: 61ea0c0ba904 ("KEYS: Skip key state checks when checking for possession") -Cc: [v3.13+] -Signed-off-by: Eric Biggers -Signed-off-by: David Howells ---- - security/keys/keyctl.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c -index aa1d11a29136..365ff85d7e27 100644 ---- a/security/keys/keyctl.c -+++ b/security/keys/keyctl.c -@@ -766,6 +766,11 @@ long keyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) - - key = key_ref_to_ptr(key_ref); - -+ if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { -+ ret = -ENOKEY; -+ goto error2; -+ } -+ - /* see if we can read it directly */ - ret = key_permission(key_ref, KEY_NEED_READ); - if (ret == 0) --- -2.15.0.rc0 - diff --git a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch b/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch deleted file mode 100644 index 0ada34861..000000000 --- a/debian/patches/bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From: Arend Van Spriel -Date: Tue, 12 Sep 2017 10:47:53 +0200 -Subject: brcmfmac: add length check in brcmf_cfg80211_escan_handler() -Origin: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0786 - -Upon handling the firmware notification for scans the length was -checked properly and may result in corrupting kernel heap memory -due to buffer overruns. This fix addresses CVE-2017-0786. - -Cc: stable@vger.kernel.org # v4.0.x -Cc: Kevin Cernekee -Reviewed-by: Hante Meuleman -Reviewed-by: Pieter-Paul Giesberts -Reviewed-by: Franky Lin -Signed-off-by: Arend van Spriel -Signed-off-by: Kalle Valo ---- - .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -index aaed4ab503ad..26a0de371c26 100644 ---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c -@@ -3162,6 +3162,7 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp, - struct brcmf_cfg80211_info *cfg = ifp->drvr->config; - s32 status; - struct brcmf_escan_result_le *escan_result_le; -+ u32 escan_buflen; - struct brcmf_bss_info_le *bss_info_le; - struct brcmf_bss_info_le *bss = NULL; - u32 bi_length; -@@ -3181,11 +3182,23 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp, - - if (status == BRCMF_E_STATUS_PARTIAL) { - brcmf_dbg(SCAN, "ESCAN Partial result\n"); -+ if (e->datalen < sizeof(*escan_result_le)) { -+ brcmf_err("invalid event data length\n"); -+ goto exit; -+ } - escan_result_le = (struct brcmf_escan_result_le *) data; - if (!escan_result_le) { - brcmf_err("Invalid escan result (NULL pointer)\n"); - goto exit; - } -+ escan_buflen = le32_to_cpu(escan_result_le->buflen); -+ if (escan_buflen > 
BRCMF_ESCAN_BUF_SIZE || -+ escan_buflen > e->datalen || -+ escan_buflen < sizeof(*escan_result_le)) { -+ brcmf_err("Invalid escan buffer length: %d\n", -+ escan_buflen); -+ goto exit; -+ } - if (le16_to_cpu(escan_result_le->bss_count) != 1) { - brcmf_err("Invalid bss_count %d: ignoring\n", - escan_result_le->bss_count); -@@ -3202,9 +3215,8 @@ brcmf_cfg80211_escan_handler(struct brcmf_if *ifp, - } - - bi_length = le32_to_cpu(bss_info_le->length); -- if (bi_length != (le32_to_cpu(escan_result_le->buflen) - -- WL_ESCAN_RESULTS_FIXED_SIZE)) { -- brcmf_err("Invalid bss_info length %d: ignoring\n", -+ if (bi_length != escan_buflen - WL_ESCAN_RESULTS_FIXED_SIZE) { -+ brcmf_err("Ignoring invalid bss_info length: %d\n", - bi_length); - goto exit; - } --- -2.11.0 - diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch deleted file mode 100644 index b713b3f06..000000000 --- a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch +++ /dev/null 
@@ -1,66 +0,0 @@
-From: Al Viro
-Date: Fri, 29 Sep 2017 13:43:15 -0400
-Subject: fix infoleak in waitid(2)
-Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
-
-kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
-case and waitid(2) rusage should've been copied out exactly in that case, *not*
-whenever kernel_waitid() has not returned an error. Compat variant shares that
-braino; none of kernel_wait4() callers do, so the below ought to fix it.
-
-Reported-and-tested-by: Alexander Potapenko
-Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
-Cc: stable@vger.kernel.org # v4.13
-Signed-off-by: Al Viro
----
- kernel/exit.c | 23 ++++++++++-------------
- 1 file changed, 10 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 3481ababd06a..f2cd53e92147 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- struct waitid_info info = {.status = 0};
- long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
- int signo = 0;
-+
- if (err > 0) {
- signo = SIGCHLD;
- err = 0;
-- }
--
-- if (!err) {
- if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
- return -EFAULT;
- }
-@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (err > 0) {
- signo = SIGCHLD;
- err = 0;
-- }
--
-- if (!err && uru) {
-- /* kernel_waitid() overwrites everything in ru */
-- if (COMPAT_USE_64BIT_TIME)
-- err = copy_to_user(uru, &ru, sizeof(ru));
-- else
-- err = put_compat_rusage(&ru, uru);
-- if (err)
-- return -EFAULT;
-+ if (uru) {
-+ /* kernel_waitid() overwrites everything in ru */
-+ if (COMPAT_USE_64BIT_TIME)
-+ err = copy_to_user(uru, &ru, sizeof(ru));
-+ else
-+ err = put_compat_rusage(&ru, uru);
-+ if (err)
-+ return -EFAULT;
-+ }
- }
- 
- if (!infop)
---
-2.14.2
-
diff --git a/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch b/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
deleted file mode 100644
index 1a7fff92c..000000000
--- a/debian/patches/bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From: Johannes Berg
-Date: Wed, 6 Sep 2017 15:01:42 +0200
-Subject: mac80211: fix deadlock in driver-managed RX BA session start
-Origin: https://git.kernel.org/linus/bde59c475e0883e4c4294bcd9b9c7e08ae18c828
-Bug-Debian: https://bugs.debian.org/878092
-
-When an RX BA session is started by the driver, and it has to tell
-mac80211 about it, the corresponding bit in tid_rx_manage_offl gets
-set and the BA session work is scheduled. Upon testing this bit, it
-will call __ieee80211_start_rx_ba_session(), thus deadlocking as it
-already holds the ampdu_mlme.mtx, which that acquires again.
-
-Fix this by adding ___ieee80211_start_rx_ba_session(), a version of
-the function that requires the mutex already held.
-
-Cc: stable@vger.kernel.org
-Fixes: 699cb58c8a52 ("mac80211: manage RX BA session offload without SKB queue")
-Reported-by: Matteo Croce
-Signed-off-by: Johannes Berg
----
- net/mac80211/agg-rx.c | 32 +++++++++++++++++++++-----------
- net/mac80211/ht.c | 6 +++---
- net/mac80211/ieee80211_i.h | 4 ++++
- 3 files changed, 28 insertions(+), 14 deletions(-)
-
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index 2b36eff5d97e..2849a1fc41c5 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -245,10 +245,10 @@ static void ieee80211_send_addba_resp(struct ieee80211_sub_if_data *sdata, u8 *d
- ieee80211_tx_skb(sdata, skb);
- }
- 
--void __ieee80211_start_rx_ba_session(struct sta_info *sta,
-- u8 dialog_token, u16 timeout,
-- u16 start_seq_num, u16 ba_policy, u16 tid,
-- u16 buf_size, bool tx, bool auto_seq)
-+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
-+ u8 dialog_token, u16 timeout,
-+ u16 start_seq_num, u16 ba_policy, u16 tid,
-+ u16 buf_size, bool tx, bool auto_seq)
- {
- struct ieee80211_local *local = sta->sdata->local;
- struct tid_ampdu_rx *tid_agg_rx;
-@@ -267,7 +267,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- ht_dbg(sta->sdata,
- "STA %pM requests BA session on unsupported tid %d\n",
- sta->sta.addr, tid);
-- goto end_no_lock;
-+ goto end;
- }
- 
- if (!sta->sta.ht_cap.ht_supported) {
-@@ -275,14 +275,14 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- "STA %pM erroneously requests BA session on tid %d w/o QoS\n",
- sta->sta.addr, tid);
- /* send a response anyway, it's an error case if we get here */
-- goto end_no_lock;
-+ goto end;
- }
- 
- if (test_sta_flag(sta, WLAN_STA_BLOCK_BA)) {
- ht_dbg(sta->sdata,
- "Suspend in progress - Denying ADDBA request (%pM tid %d)\n",
- sta->sta.addr, tid);
-- goto end_no_lock;
-+ goto end;
- }
- 
- /* sanity check for incoming parameters:
-@@ -296,7 +296,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- ht_dbg_ratelimited(sta->sdata,
- "AddBA Req with bad params from %pM on tid %u. policy %d, buffer size %d\n",
- sta->sta.addr, tid, ba_policy, buf_size);
-- goto end_no_lock;
-+ goto end;
- }
- /* determine default buffer size */
- if (buf_size == 0)
-@@ -311,7 +311,7 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- buf_size, sta->sta.addr);
- 
- /* examine state machine */
-- mutex_lock(&sta->ampdu_mlme.mtx);
-+ lockdep_assert_held(&sta->ampdu_mlme.mtx);
- 
- if (test_bit(tid, sta->ampdu_mlme.agg_session_valid)) {
- if (sta->ampdu_mlme.tid_rx_token[tid] == dialog_token) {
-@@ -415,15 +415,25 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- __clear_bit(tid, sta->ampdu_mlme.unexpected_agg);
- sta->ampdu_mlme.tid_rx_token[tid] = dialog_token;
- }
-- mutex_unlock(&sta->ampdu_mlme.mtx);
- 
--end_no_lock:
- if (tx)
- ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, tid,
- dialog_token, status, 1, buf_size,
- timeout);
- }
- 
-+void __ieee80211_start_rx_ba_session(struct sta_info *sta,
-+ u8 dialog_token, u16 timeout,
-+ u16 start_seq_num, u16 ba_policy, u16 tid,
-+ u16 buf_size, bool tx, bool auto_seq)
-+{
-+ mutex_lock(&sta->ampdu_mlme.mtx);
-+ ___ieee80211_start_rx_ba_session(sta, dialog_token, timeout,
-+ start_seq_num, ba_policy, tid,
-+ buf_size, tx, auto_seq);
-+ mutex_unlock(&sta->ampdu_mlme.mtx);
-+}
-+
- void ieee80211_process_addba_request(struct ieee80211_local *local,
- struct sta_info *sta,
- struct ieee80211_mgmt *mgmt,
-diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
-index 4cba7fca10d4..d6d0b4201e40 100644
---- a/net/mac80211/ht.c
-+++ b/net/mac80211/ht.c
-@@ -351,9 +351,9 @@ void ieee80211_ba_session_work(struct work_struct *work)
- 
- if (test_and_clear_bit(tid,
- sta->ampdu_mlme.tid_rx_manage_offl))
-- __ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
-- IEEE80211_MAX_AMPDU_BUF,
-- false, true);
-+ ___ieee80211_start_rx_ba_session(sta, 0, 0, 0, 1, tid,
-+ IEEE80211_MAX_AMPDU_BUF,
-+ false, true);
- 
- if (test_and_clear_bit(tid + IEEE80211_NUM_TIDS,
- sta->ampdu_mlme.tid_rx_manage_offl))
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index 2197c62a0a6e..9675814f64db 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1760,6 +1760,10 @@ void __ieee80211_start_rx_ba_session(struct sta_info *sta,
- u8 dialog_token, u16 timeout,
- u16 start_seq_num, u16 ba_policy, u16 tid,
- u16 buf_size, bool tx, bool auto_seq);
-+void ___ieee80211_start_rx_ba_session(struct sta_info *sta,
-+ u8 dialog_token, u16 timeout,
-+ u16 start_seq_num, u16 ba_policy, u16 tid,
-+ u16 buf_size, bool tx, bool auto_seq);
- void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
- enum ieee80211_agg_stop_reason reason);
- void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
---
-2.15.0.rc0
-
diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
deleted file mode 100644
index 6eab4bd50..000000000
--- a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Vladis Dronov
-Date: Tue, 12 Sep 2017 22:21:21 +0000
-Subject: nl80211: check for the required netlink attributes presence
-Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
-
-nl80211_set_rekey_data() does not check if the required attributes
-NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
-NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
-users with CAP_NET_ADMIN privilege and may result in NULL dereference
-and a system crash. Add a check for the required attributes presence.
-This patch is based on the patch by bo Zhang.
-
-This fixes CVE-2017-12153.
-
-References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
-Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
-Cc: # v3.1-rc1
-Reported-by: bo Zhang
-Signed-off-by: Vladis Dronov
----
- net/wireless/nl80211.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
- if (err)
- return err;
- 
-+ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
-+ !tb[NL80211_REKEY_DATA_KCK])
-+ return -EINVAL;
- if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
- return -ERANGE;
- if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch b/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
deleted file mode 100644
index 24c1553fd..000000000
--- a/debian/patches/bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: Cyril Bur
-Date: Thu, 17 Aug 2017 20:42:26 +1000
-Subject: powerpc/64s: Use emergency stack for kernel TM Bad Thing program
- checks
-Origin: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000255
-
-When using transactional memory (TM), the CPU can be in one of six
-states as far as TM is concerned, encoded in the Machine State
-Register (MSR). Certain state transitions are illegal and if attempted
-trigger a "TM Bad Thing" type program check exception.
-
-If we ever hit one of these exceptions it's treated as a bug, ie. we
-oops, and kill the process and/or panic, depending on configuration.
-
-One case where we can trigger a TM Bad Thing, is when returning to
-userspace after a system call or interrupt, using RFID. When this
-happens the CPU first restores the user register state, in particular
-r1 (the stack pointer) and then attempts to update the MSR. However
-the MSR update is not allowed and so we take the program check with
-the user register state, but the kernel MSR.
-
-This tricks the exception entry code into thinking we have a bad
-kernel stack pointer, because the MSR says we're coming from the
-kernel, but r1 is pointing to userspace.
-
-To avoid this we instead always switch to the emergency stack if we
-take a TM Bad Thing from the kernel. That way none of the user
-register values are used, other than for printing in the oops message.
-
-This is the fix for CVE-2017-1000255.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable@vger.kernel.org # v4.9+
-Signed-off-by: Cyril Bur
-[mpe: Rewrite change log & comments, tweak asm slightly]
-Signed-off-by: Michael Ellerman
----
- arch/powerpc/kernel/exceptions-64s.S | 24 +++++++++++++++++++++++-
- 1 file changed, 23 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
-index 48da0f5d2f7f..b82586c53560 100644
---- a/arch/powerpc/kernel/exceptions-64s.S
-+++ b/arch/powerpc/kernel/exceptions-64s.S
-@@ -734,7 +734,29 @@ EXC_REAL(program_check, 0x700, 0x100)
- EXC_VIRT(program_check, 0x4700, 0x100, 0x700)
- TRAMP_KVM(PACA_EXGEN, 0x700)
- EXC_COMMON_BEGIN(program_check_common)
-- EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
-+ /*
-+ * It's possible to receive a TM Bad Thing type program check with
-+ * userspace register values (in particular r1), but with SRR1 reporting
-+ * that we came from the kernel. Normally that would confuse the bad
-+ * stack logic, and we would report a bad kernel stack pointer. Instead
-+ * we switch to the emergency stack if we're taking a TM Bad Thing from
-+ * the kernel.
-+ */
-+ li r10,MSR_PR /* Build a mask of MSR_PR .. */
-+ oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
-+ and r10,r10,r12 /* Mask SRR1 with that. */
-+ srdi r10,r10,8 /* Shift it so we can compare */
-+ cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
-+ bne 1f /* If != go to normal path. */
-+
-+ /* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
-+ andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
-+ /* 3 in EXCEPTION_PROLOG_COMMON */
-+ mr r10,r1 /* Save r1 */
-+ ld r1,PACAEMERGSP(r13) /* Use emergency stack */
-+ subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
-+ b 3f /* Jump into the macro !! */
-+1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
- bl save_nvgprs
- RECONCILE_IRQ_STATE(r10, r11)
- addi r3,r1,STACK_FRAME_OVERHEAD
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch b/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
deleted file mode 100644
index 083cbbee7..000000000
--- a/debian/patches/bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Gustavo Romero
-Date: Tue, 22 Aug 2017 17:20:09 -0400
-Subject: powerpc/tm: Fix illegal TM state in signal handler
-Origin: https://git.kernel.org/linus/044215d145a7a8a60ffa8fdc859d110a795fa6ea
-
-Currently it's possible that on returning from the signal handler
-through the restore_tm_sigcontexts() code path (e.g. from a signal
-caught due to a `trap` instruction executed in the middle of an HTM
-block, or a deliberately constructed sigframe) an illegal TM state
-(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
-implicitly the MSR register from SRR1 register on return to userspace
-it causes a TM Bad Thing exception.
-
-That illegal state can be set (a) by a malicious user that disables
-the TM bit by tweaking the bits in uc_mcontext before returning from
-the signal handler or (b) by a sufficient number of context switches
-occurring such that the load_tm counter overflows and TM is disabled
-whilst in the signal handler.
-
-This commit fixes the illegal TM state by ensuring that TM bit is
-always enabled before we return from restore_tm_sigcontexts(). A small
-comment correction is made as well.
-
-Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
-Cc: stable@vger.kernel.org # v4.9+
-Signed-off-by: Gustavo Romero
-Signed-off-by: Breno Leitao
-Signed-off-by: Cyril Bur
-Signed-off-by: Michael Ellerman
----
- arch/powerpc/kernel/signal_64.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
-index c83c115858c1..b2c002993d78 100644
---- a/arch/powerpc/kernel/signal_64.c
-+++ b/arch/powerpc/kernel/signal_64.c
-@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
- if (MSR_TM_RESV(msr))
- return -EINVAL;
- 
-- /* pull in MSR TM from user context */
-+ /* pull in MSR TS bits from user context */
- regs->msr = (regs->msr & ~MSR_TS_MASK) | (msr & MSR_TS_MASK);
- 
-+ /*
-+ * Ensure that TM is enabled in regs->msr before we leave the signal
-+ * handler. It could be the case that (a) user disabled the TM bit
-+ * through the manipulation of the MSR bits in uc_mcontext or (b) the
-+ * TM bit was disabled because a sufficient number of context switches
-+ * happened whilst in the signal handler and load_tm overflowed,
-+ * disabling the TM bit. In either case we can end up with an illegal
-+ * TM state leading to a TM Bad Thing when we return to userspace.
-+ */
-+ regs->msr |= MSR_TM;
-+
- /* pull in MSR LE from user context */
- regs->msr = (regs->msr & ~MSR_LE) | (msr & MSR_LE);
- 
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
deleted file mode 100644
index 2b63f46eb..000000000
--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
-[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[ 651.627260] Call Trace:
-[ 651.629156] skb_release_all+0x4f/0x60
-[ 651.629450] consume_skb+0x1a5/0x600
-[ 651.630705] netlink_unicast+0x505/0x720
-[ 651.632345] netlink_sendmsg+0xab2/0xe70
-[ 651.633704] sock_sendmsg+0xcf/0x110
-[ 651.633942] ___sys_sendmsg+0x833/0x980
-[ 651.637117] __sys_sendmsg+0xf3/0x240
-[ 651.638820] SyS_sendmsg+0x32/0x50
-[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang
-Signed-off-by: Xin Long
-Acked-by: Chris Leech
----
- drivers/scsi/scsi_transport_iscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
- uint32_t group;
- 
- nlh = nlmsg_hdr(skb);
-- if (nlh->nlmsg_len < sizeof(*nlh) ||
-+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
- skb->len < nlh->nlmsg_len) {
- break;
- }
diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
deleted file mode 100644
index 2d056c326..000000000
--- a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Vladis Dronov
-Date: Mon, 4 Sep 2017 16:00:50 +0200
-Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
- userspace
-Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
-
-'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
-field unitialized, leaking data from the stack. Fix this ensuring all of
-'clk' is initialized to zero.
-
-References: https://github.com/torvalds/linux/pull/441
-Reported-by: sohu0106
-Signed-off-by: Vladis Dronov
-Signed-off-by: Bartlomiej Zolnierkiewicz
----
- drivers/video/fbdev/aty/atyfb_base.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/video/fbdev/aty/atyfb_base.c
-+++ b/drivers/video/fbdev/aty/atyfb_base.c
-@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
- #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
- case ATYIO_CLKR:
- if (M64_HAS(INTEGRATED)) {
-- struct atyclk clk;
-+ struct atyclk clk = { 0 };
- union aty_pll *pll = &par->pll;
- u32 dsp_config = pll->ct.dsp_config;
- u32 dsp_on_off = pll->ct.dsp_on_off;
diff --git a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch b/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
deleted file mode 100644
index 4872b377a..000000000
--- a/debian/patches/bugfix/all/waitid-Add-missing-access_ok-checks.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Kees Cook
-Date: Mon, 9 Oct 2017 11:36:52 -0700
-Subject: waitid(): Add missing access_ok() checks
-Origin: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5123
-
-Adds missing access_ok() checks.
-
-CVE-2017-5123
-
-Reported-by: Chris Salls
-Signed-off-by: Kees Cook
-Acked-by: Al Viro
-Fixes: 4c48abe91be0 ("waitid(): switch copyout of siginfo to unsafe_put_user()")
-Cc: stable@kernel.org # 4.13
-Signed-off-by: Linus Torvalds
----
- kernel/exit.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index f2cd53e92147..cf28528842bc 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- if (!infop)
- return err;
- 
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
-@@ -1735,6 +1738,9 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (!infop)
- return err;
- 
-+ if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
-+ goto Efault;
-+
- user_access_begin();
- unsafe_put_user(signo, &infop->si_signo, Efault);
- unsafe_put_user(0, &infop->si_errno, Efault);
---
-2.15.0.rc0
-
diff --git a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch b/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
deleted file mode 100644
index 47cbead06..000000000
--- a/debian/patches/bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-From: Ladi Prosek
-Date: Thu, 5 Oct 2017 11:10:23 +0200
-Subject: KVM: MMU: always terminate page walks at level 1
-Origin: https://git.kernel.org/linus/829ee279aed43faa5cb1e4d65c0cad52f2426c53
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-is_last_gpte() is not equivalent to the pseudo-code given in commit
-6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect
-value of last_nonleaf_level may override the result even if level == 1.
-
-It is critical for is_last_gpte() to return true on level == 1 to
-terminate page walks. Otherwise memory corruption may occur as level
-is used as an index to various data structures throughout the page
-walking code. Even though the actual bug would be wherever the MMU is
-initialized (as in the previous patch), be defensive and ensure here
-that is_last_gpte() returns the correct value.
-
-This patch is also enough to fix CVE-2017-12188.
-
-Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2
-Cc: stable@vger.kernel.org
-Cc: Andy Honig
-Signed-off-by: Ladi Prosek
-[Panic if walk_addr_generic gets an incorrect level; this is a serious
- bug and it's not worth a WARN_ON where the recovery path might hide
- further exploitable issues; suggested by Andrew Honig. - Paolo]
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/mmu.c | 14 +++++++-------
- arch/x86/kvm/paging_tmpl.h | 3 ++-
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 3c25f20115bc..7a69cf053711 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -3974,19 +3974,19 @@ static inline bool is_last_gpte(struct kvm_mmu *mmu,
- unsigned level, unsigned gpte)
- {
- /*
-- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
-- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-- */
-- gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
--
-- /*
- * The RHS has bit 7 set iff level < mmu->last_nonleaf_level.
- * If it is clear, there are no large pages at this level, so clear
- * PT_PAGE_SIZE_MASK in gpte if that is the case.
- */
- gpte &= level - mmu->last_nonleaf_level;
- 
-+ /*
-+ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set
-+ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means
-+ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then.
-+ */
-+ gpte |= level - PT_PAGE_TABLE_LEVEL - 1;
-+
- return gpte & PT_PAGE_SIZE_MASK;
- }
- 
-diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
-index 86b68dc5a649..f18d1f8d332b 100644
---- a/arch/x86/kvm/paging_tmpl.h
-+++ b/arch/x86/kvm/paging_tmpl.h
-@@ -334,10 +334,11 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
- --walker->level;
- 
- index = PT_INDEX(addr, walker->level);
--
- table_gfn = gpte_to_gfn(pte);
- offset = index * sizeof(pt_element_t);
- pte_gpa = gfn_to_gpa(table_gfn) + offset;
-+
-+ BUG_ON(walker->level < 1);
- walker->table_gfn[walker->level - 1] = table_gfn;
- walker->pte_gpa[walker->level - 1] = pte_gpa;
- 
---
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch b/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
deleted file mode 100644
index eefff5b4e..000000000
--- a/debian/patches/bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Ladi Prosek
-Date: Thu, 5 Oct 2017 11:10:22 +0200
-Subject: KVM: nVMX: update last_nonleaf_level when initializing nested EPT
-Origin: https://git.kernel.org/linus/fd19d3b45164466a4adce7cbff448ba9189e1427
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12188
-
-The function updates context->root_level but didn't call
-update_last_nonleaf_level so the previous and potentially wrong value
-was used for page walks. For example, a zero value of last_nonleaf_level
-would allow a potential out-of-bounds access in arch/x86/mmu/paging_tmpl.h's
-walk_addr_generic function (CVE-2017-12188).
-
-Fixes: 155a97a3d7c78b46cef6f1a973c831bc5a4f82bb
-Signed-off-by: Ladi Prosek
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/mmu.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c
-index 106d4a029a8a..3c25f20115bc 100644
---- a/arch/x86/kvm/mmu.c
-+++ b/arch/x86/kvm/mmu.c
-@@ -4555,6 +4555,7 @@ void kvm_init_shadow_ept_mmu(struct kvm_vcpu *vcpu, bool execonly,
- 
- update_permission_bitmask(vcpu, context, true);
- update_pkru_bitmask(vcpu, context, true);
-+ update_last_nonleaf_level(vcpu, context);
- reset_rsvds_bits_mask_ept(vcpu, context, execonly);
- reset_ept_shadow_zero_bits_mask(vcpu, context, execonly);
- }
---
-2.11.0
-
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
deleted file mode 100644
index f82767d69..000000000
--- a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Jim Mattson
-Date: Tue, 12 Sep 2017 13:02:54 -0700
-Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
-Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
-
-If L1 does not specify the "use TPR shadow" VM-execution control in
-vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
-exiting" VM-execution controls in vmcs02. Failure to do so will give
-the L2 VM unrestricted read/write access to the hardware CR8.
-
-This fixes CVE-2017-12154.
-
-Signed-off-by: Jim Mattson
-Reviewed-by: David Hildenbrand
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/vmx.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
- if (exec_control & CPU_BASED_TPR_SHADOW) {
- vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
- vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
-+ } else {
-+#ifdef CONFIG_X86_64
-+ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
-+ CPU_BASED_CR8_STORE_EXITING;
-+#endif
- }
- 
- /*
diff --git a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
deleted file mode 100644
index 91c990c3f..000000000
--- a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?=
-Date: Thu, 7 Sep 2017 19:02:30 +0100
-Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
-
-The value of the guest_irq argument to vmx_update_pi_irte() is
-ultimately coming from a KVM_IRQFD API call. Do not BUG() in
-vmx_update_pi_irte() if the value is out-of bounds. (Especially,
-since KVM as a whole seems to hang after that.)
-
-Instead, print a message only once if we find that we don't have a
-route for a certain IRQ (which can be out-of-bounds or within the
-array).
-
-This fixes CVE-2017-1000252.
-
-Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
-Signed-off-by: Jan H. Schönherr
-Signed-off-by: Paolo Bonzini
----
- arch/x86/kvm/vmx.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/arch/x86/kvm/vmx.c
-+++ b/arch/x86/kvm/vmx.c
-@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
- struct kvm_lapic_irq irq;
- struct kvm_vcpu *vcpu;
- struct vcpu_data vcpu_info;
-- int idx, ret = -EINVAL;
-+ int idx, ret = 0;
- 
- if (!kvm_arch_has_assigned_device(kvm) ||
- !irq_remapping_cap(IRQ_POSTING_CAP) ||
-@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm
- 
- idx = srcu_read_lock(&kvm->irq_srcu);
- irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
-- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
-+ if (guest_irq >= irq_rt->nr_rt_entries ||
-+ hlist_empty(&irq_rt->map[guest_irq])) {
-+ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
-+ guest_irq, irq_rt->nr_rt_entries);
-+ goto out;
-+ }
- 
- hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
- if (e->type != KVM_IRQ_ROUTING_MSI)
diff --git a/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch b/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch
new file mode 100644
index 000000000..5da901b74
--- /dev/null
+++ b/debian/patches/debian/dax-avoid-abi-change-in-4.13.5.patch
@@ -0,0 +1,141 @@ +From: Ben Hutchings +Date: Thu, 26 Oct 2017 22:16:38 +0200 +Subject: dax: Avoid ABI change in 4.13.5 +Forwarded: not-needed + +Commit c3ca015fab6d ("dax: remove the pmem_dax_ops->flush +abstraction") removed dax_operations::flush and +target_type::dax_flush, resulting in an ABI change. Add these +operations back but don't restore any of the calls to them. To keep +existing callers working during an incomplete kernel upgrade, change +all the implementations to directly do arch_wb_cache_pmem(), just as +dax_flush() does in the new kernel. + +Don't change dax_flush() back; it shouldn't have any out-of-tree +callers. + +--- +--- a/drivers/md/dm-linear.c ++++ b/drivers/md/dm-linear.c +@@ -184,6 +184,14 @@ static size_t linear_dax_copy_from_iter( + return dax_copy_from_iter(dax_dev, pgoff, addr, bytes, i); + } + ++static void linear_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr, ++ size_t size) ++{ ++#ifdef CONFIG_ARCH_HAS_PMEM_API ++ arch_wb_cache_pmem(addr, size); ++#endif ++} ++ + static struct target_type linear_target = { + .name = "linear", + .version = {1, 4, 0}, +@@ -198,6 +206,7 @@ static struct target_type linear_target + .iterate_devices = linear_iterate_devices, + .direct_access = linear_dax_direct_access, + .dax_copy_from_iter = linear_dax_copy_from_iter, ++ .dax_flush = linear_dax_flush, + }; + + int __init dm_linear_init(void) +--- a/drivers/md/dm-stripe.c ++++ b/drivers/md/dm-stripe.c +@@ -458,6 +458,14 @@ static void stripe_io_hints(struct dm_ta + blk_limits_io_opt(limits, chunk_size * sc->stripes); + } + ++static void stripe_dax_flush(struct dm_target *ti, pgoff_t pgoff, void *addr, ++ size_t size) ++{ ++#ifdef CONFIG_ARCH_HAS_PMEM_API ++ arch_wb_cache_pmem(addr, size); ++#endif ++} ++ + static struct target_type stripe_target = { + .name = "striped", + .version = {1, 6, 0}, +@@ -472,6 +480,7 @@ static struct target_type stripe_target + .io_hints = stripe_io_hints, + .direct_access = stripe_dax_direct_access, + 
.dax_copy_from_iter = stripe_dax_copy_from_iter, ++ .dax_flush = stripe_dax_flush, + }; + + int __init dm_stripe_init(void) +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -993,6 +993,14 @@ static size_t dm_dax_copy_from_iter(stru + return ret; + } + ++static void dm_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, void *addr, ++ size_t size) ++{ ++#ifdef CONFIG_ARCH_HAS_PMEM_API ++ arch_wb_cache_pmem(addr, size); ++#endif ++} ++ + /* + * A target may call dm_accept_partial_bio only from the map routine. It is + * allowed for all bio types except REQ_PREFLUSH. +@@ -2980,6 +2988,7 @@ static const struct block_device_operati + static const struct dax_operations dm_dax_ops = { + .direct_access = dm_dax_direct_access, + .copy_from_iter = dm_dax_copy_from_iter, ++ .flush = dm_dax_flush, + }; + + /* +--- a/drivers/nvdimm/pmem.c ++++ b/drivers/nvdimm/pmem.c +@@ -243,9 +243,16 @@ static size_t pmem_copy_from_iter(struct + return copy_from_iter_flushcache(addr, bytes, i); + } + ++static void pmem_dax_flush(struct dax_device *dax_dev, pgoff_t pgoff, ++ void *addr, size_t size) ++{ ++ arch_wb_cache_pmem(addr, size); ++} ++ + static const struct dax_operations pmem_dax_ops = { + .direct_access = pmem_dax_direct_access, + .copy_from_iter = pmem_copy_from_iter, ++ .flush = pmem_dax_flush, + }; + + static const struct attribute_group *pmem_attribute_groups[] = { +--- a/include/linux/dax.h ++++ b/include/linux/dax.h +@@ -19,6 +19,8 @@ struct dax_operations { + /* copy_from_iter: required operation for fs-dax direct-i/o */ + size_t (*copy_from_iter)(struct dax_device *, pgoff_t, void *, size_t, + struct iov_iter *); ++ /* flush: should be unused */ ++ void (*flush)(struct dax_device *, pgoff_t, void *, size_t); + }; + + extern struct attribute_group dax_attribute_group; +--- a/include/linux/device-mapper.h ++++ b/include/linux/device-mapper.h +@@ -134,6 +134,8 @@ typedef long (*dm_dax_direct_access_fn) + long nr_pages, void **kaddr, pfn_t *pfn); + typedef size_t 
(*dm_dax_copy_from_iter_fn)(struct dm_target *ti, pgoff_t pgoff, + void *addr, size_t bytes, struct iov_iter *i); ++typedef void (*dm_dax_flush_fn)(struct dm_target *ti, pgoff_t pgoff, void *addr, ++ size_t size); + #define PAGE_SECTORS (PAGE_SIZE / 512) + + void dm_error(const char *message); +@@ -184,6 +186,7 @@ struct target_type { + dm_io_hints_fn io_hints; + dm_dax_direct_access_fn direct_access; + dm_dax_copy_from_iter_fn dax_copy_from_iter; ++ dm_dax_flush_fn dax_flush; + + /* For internal device-mapper use. */ + struct list_head list; diff --git a/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch new file mode 100644 index 000000000..03555be35 --- /dev/null +++ b/debian/patches/debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch 
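Review bot: The four restored flush implementations (`linear_dax_flush`, `stripe_dax_flush`, `dm_dax_flush`, `pmem_dax_flush`) are ABI shims that in-tree code no longer calls, but nothing in the code says so, and the `#ifdef CONFIG_ARCH_HAS_PMEM_API` guard around `arch_wb_cache_pmem()` in the three dm variants is absent from `pmem_dax_flush`, which reads as an inconsistency rather than a deliberate choice. A one-line comment above each, e.g. `/* ABI compatibility only: in-tree callers were removed by c3ca015fab6d; writes back the cache as dax_flush() does */`, would make the intent explicit, and the pmem variant presumably relies on its header providing a no-op stub when the arch API is absent, which is worth confirming or stating next to it. The `/* flush: should be unused */` comment in dax.h could likewise say who may still call it (modules built against the pre-4.13.5 ABI) so the operation is not wired back into callers by mistake.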
@@ -0,0 +1,40 @@ +From: Ben Hutchings +Date: Thu, 26 Oct 2017 22:38:57 +0200 +Subject: Revert "bpf: one perf event close won't free bpf program attached ..." +Forwarded: not-needed + +This reverts commit dcc738d393156dd29ed961ecefe13d96ed5f782f, which was +commit ec9dd352d591f0c90402ec67a317c1ed4fb2e638 upstream. It introduces +an ABI break that's not easily avoidable. The bug it fixes doesn't seem +to have any security impact. + +--- +--- a/include/linux/trace_events.h ++++ b/include/linux/trace_events.h +@@ -277,7 +277,6 @@ struct trace_event_call { + int perf_refcount; + struct hlist_head __percpu *perf_events; + struct bpf_prog *prog; +- struct perf_event *bpf_prog_owner; + + int (*perf_perm)(struct trace_event_call *, + struct perf_event *); +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8126,7 +8126,6 @@ static int perf_event_set_bpf_prog(struc + } + } + event->tp_event->prog = prog; +- event->tp_event->bpf_prog_owner = event; + + return 0; + } +@@ -8141,7 +8140,7 @@ static void perf_event_free_bpf_prog(str + return; + + prog = event->tp_event->prog; +- if (prog && event->tp_event->bpf_prog_owner == event) { ++ if (prog) { + event->tp_event->prog = NULL; + bpf_prog_put(prog); + } diff --git a/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch b/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch new file mode 100644 index 000000000..16ca95e48 --- /dev/null +++ b/debian/patches/debian/scsi-avoid-abi-change-in-4.13.6.patch 
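Review bot: With `bpf_prog_owner` removed, `perf_event_free_bpf_prog()` again clears and puts `tp_event->prog` on the close of any perf event sharing the tracepoint, not only the one that attached it, so the functional regression fixed by the reverted upstream commit is knowingly reintroduced; the patch header should state the condition under which the revert is dropped (presumably the next ABI bump) so it does not outlive its reason. The header's claim that the bug has no security impact is consistent with the visible hunk, where the program's reference is put once and the pointer cleared so other events see NULL rather than a stale program, but recording that reasoning would help, e.g. `The attached program's only reference is put once and the pointer cleared, so the effect is a silently detached program rather than a dangling one.`. Unlike the scsi ABI patch in this series, hiding the field from genksyms presumably would not help here because dropping a struct member changes the layout that modules embed, which is worth noting as the reason a full revert was chosen.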
@@ -0,0 +1,22 @@ +From: Ben Hutchings +Date: Thu, 26 Oct 2017 11:59:43 +0200 +Subject: SCSI: Avoid ABI change in 4.13.6 +Forwarded: not-needed + +Hide the new bitfield from genksyms, as it's using what used to be a +padding bit. + +--- +--- a/include/scsi/scsi_device.h ++++ b/include/scsi/scsi_device.h +@@ -182,7 +182,10 @@ struct scsi_device { + unsigned no_dif:1; /* T10 PI (DIF) should be disabled */ + unsigned broken_fua:1; /* Don't set FUA bit */ + unsigned lun_in_cdb:1; /* Store LUN bits in CDB[1] */ ++#ifndef __GENKSYMS__ + unsigned unmap_limit_for_ws:1; /* Use the UNMAP limit for WRITE SAME */ ++ /* 19 unused bits */ ++#endif + + atomic_t disk_events_disable_depth; /* disable depth for disk events */ + diff --git a/debian/patches/series b/debian/patches/series index 408d18370..1f9d81a61 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -78,7 +78,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch -bugfix/all/mac80211-fix-deadlock-in-driver-managed-RX-BA-sessio.patch # Miscellaneous features 
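Review bot: `/* 19 unused bits */` is a hand-counted claim that nothing enforces; if a later stable update adds another bitfield to this run inside the `#ifndef __GENKSYMS__` block, both the count and the premise that the bit used to be padding go stale silently. The comment should state the premise rather than only the count, e.g. `/* hidden from genksyms: occupies a bit that was padding in 4.13.4, so layout and CRC are unchanged */`, so the next maintainer knows what has to be re-verified. Whether the bit really was padding depends on the preceding bitfields in struct scsi_device, which lie outside this hunk.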
@@ -114,27 +113,11 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch -bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch -bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch -bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch -bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch -bugfix/all/fix-infoleak-in-waitid-2.patch -bugfix/all/brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch -bugfix/all/powerpc-64s-Use-emergency-stack-for-kernel-TM-Bad-Th.patch -bugfix/all/powerpc-tm-Fix-illegal-TM-state-in-signal-handler.patch -bugfix/all/KEYS-prevent-KEYCTL_READ-on-negative-key.patch -bugfix/all/waitid-Add-missing-access_ok-checks.patch -bugfix/all/ALSA-seq-Fix-use-after-free-at-creating-a-port.patch -bugfix/x86/KVM-nVMX-update-last_nonleaf_level-when-initializing.patch -bugfix/x86/KVM-MMU-always-terminate-page-walks-at-level-1.patch # Fix exported symbol versions bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch bugfix/all/module-disable-matching-missing-version-crc.patch -# ABI maintenance - # Tools bug fixes bugfix/all/usbip-document-tcp-wrappers.patch bugfix/all/kbuild-fix-recordmcount-dependency.patch @@ -146,3 +129,8 @@ bugfix/all/tools-build-remove-bpf-run-time-check-at-build-time.patch bugfix/all/cpupower-bump-soname-version.patch bugfix/all/cpupower-fix-checks-for-cpu-existence.patch bugfix/all/tools-lib-lockdep-define-pr_cont.patch + +# ABI maintenance +debian/scsi-avoid-abi-change-in-4.13.6.patch +debian/dax-avoid-abi-change-in-4.13.5.patch +debian/revert-bpf-one-perf-event-close-won-t-free-bpf-program-atta.patch