time: Disable TIMER_STATS (CVE-2017-5967)
The upstream "fix" for this is to remove the feature, as it is redundant with tracing. I'd be quite happy to do that, but it introduces several conflicts with the PREEMPT_RT patch series. Unless and until those are resolved in 4.9-stable and 4.9-rt, disable it in our kconfig and add a dependency on BROKEN to ensure it's disabled in custom kernels too.
parent f32a03523e
commit 49c2b92937
|
@ -93,6 +93,7 @@ linux (4.9.13-1) UNRELEASED; urgency=medium
|
|||
(Closes: #856111)
|
||||
* [x86] kvm: fix page struct leak in handle_vmon (CVE-2017-2596)
|
||||
* ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
|
||||
* time: Disable TIMER_STATS (CVE-2017-5967)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 18 Feb 2017 00:38:10 +0000
|
||||
|
||||
|
|
|
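Review bot: The new changelog entry "* time: Disable TIMER_STATS (CVE-2017-5967)" describes only the config change and does not say that the option is also made to depend on BROKEN by a Debian-specific patch. That second part is what affects people building custom kernels from this source, so consider wording the entry to cover both, for example "time: Disable TIMER_STATS and mark it as broken (CVE-2017-5967)".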
@ -5843,7 +5843,7 @@ CONFIG_SCHED_DEBUG=y
|
|||
CONFIG_SCHEDSTATS=y
|
||||
CONFIG_SCHED_STACK_END_CHECK=y
|
||||
# CONFIG_DEBUG_TIMEKEEPING is not set
|
||||
CONFIG_TIMER_STATS=y
|
||||
# CONFIG_TIMER_STATS is not set
|
||||
CONFIG_DEBUG_PREEMPT=y
|
||||
# CONFIG_DEBUG_RT_MUTEXES is not set
|
||||
# CONFIG_DEBUG_SPINLOCK is not set
|
||||
|
|
|
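Review bot: The explicit "# CONFIG_TIMER_STATS is not set" line duplicates what the new "depends on BROKEN" in lib/Kconfig.debug already enforces, and nothing here ties the two together. Keeping the line is reasonable because it documents intent, but it should be deleted together with debian/time-mark-timer_stats-as-broken.patch once the upstream removal can be applied, otherwise the config will carry a setting for a symbol that no longer exists.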
@ -0,0 +1,21 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 26 Feb 2017 21:01:50 +0000
|
||||
Subject: time: Mark TIMER_STATS as broken
|
||||
Forwarded: not-needed
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5967
|
||||
|
||||
This is a substitute for upstream commit dfb4357da6dd "time: Remove
|
||||
CONFIG_TIMER_STATS", which avoids the need to resolve conflicts with
|
||||
the PREEMPT_RT patch series.
|
||||
|
||||
---
|
||||
--- a/lib/Kconfig.debug
|
||||
+++ b/lib/Kconfig.debug
|
||||
@@ -964,6 +964,7 @@ config DEBUG_TIMEKEEPING
|
||||
config TIMER_STATS
|
||||
bool "Collect kernel timers statistics"
|
||||
depends on DEBUG_KERNEL && PROC_FS
|
||||
+ depends on BROKEN
|
||||
help
|
||||
If you say Y here, additional code will be inserted into the
|
||||
timer routines to collect statistics about kernel timers being
|
|
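Review bot: The patch header says this is a substitute for upstream commit dfb4357da6dd, but it does not state when the patch can be dropped. The commit message gives the condition (the conflicts with PREEMPT_RT being resolved in 4.9-stable and 4.9-rt), yet that text will not travel with the patch file. Please repeat it in the description so whoever refreshes the series knows this is a temporary measure. The added "depends on BROKEN" sits as a second "depends on" line after "depends on DEBUG_KERNEL && PROC_FS", which Kconfig combines with AND, so the placement itself is fine.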
@ -110,6 +110,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
|
|||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
|
||||
bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
|
||||
debian/time-mark-timer_stats-as-broken.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
|
||||
|
|