time: Disable TIMER_STATS (CVE-2017-5967)

The upstream "fix" for this is to remove the feature, as it is redundant with tracing. I'd be quite happy to do that, but it introduces several conflicts with the PREEMPT_RT patch series. Unless and until those are resolved in 4.9-stable and 4.9-rt, disable it in our kconfig and add a dependency on BROKEN to ensure it's disabled in custom kernels too.
2017-02-26 21:05:05 +00:00 · 2017-02-26 21:05:05 +00:00 · 49c2b92937
parent f32a03523e
commit 49c2b92937
4 changed files with 24 additions and 1 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -93,6 +93,7 @@ linux (4.9.13-1) UNRELEASED; urgency=medium
    (Closes: #856111)
  * [x86] kvm: fix page struct leak in handle_vmon (CVE-2017-2596)
  * ipc/shm: Fix shmat mmap nil-page protection (CVE-2017-5669)
+  * time: Disable TIMER_STATS (CVE-2017-5967)

 -- Ben Hutchings <ben@decadent.org.uk>  Sat, 18 Feb 2017 00:38:10 +0000

--- a/debian/config/config
+++ b/debian/config/config
@ -5843,7 +5843,7 @@ CONFIG_SCHED_DEBUG=y
 CONFIG_SCHEDSTATS=y
 CONFIG_SCHED_STACK_END_CHECK=y
 # CONFIG_DEBUG_TIMEKEEPING is not set
-CONFIG_TIMER_STATS=y
+# CONFIG_TIMER_STATS is not set
 CONFIG_DEBUG_PREEMPT=y
 # CONFIG_DEBUG_RT_MUTEXES is not set
 # CONFIG_DEBUG_SPINLOCK is not set
--- a/debian/patches/debian/time-mark-timer_stats-as-broken.patch
+++ b/debian/patches/debian/time-mark-timer_stats-as-broken.patch
@ -0,0 +1,21 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 26 Feb 2017 21:01:50 +0000
+Subject: time: Mark TIMER_STATS as broken
+Forwarded: not-needed
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5967
+
+This is a substitute for upstream commit dfb4357da6dd "time: Remove
+CONFIG_TIMER_STATS", which avoids the need to resolve conflicts with
+the PREEMPT_RT patch series.
+
+---
+--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
+@@ -964,6 +964,7 @@ config DEBUG_TIMEKEEPING
+ config TIMER_STATS
+ 	bool "Collect kernel timers statistics"
+ 	depends on DEBUG_KERNEL && PROC_FS
+	depends on BROKEN
+ 	help
+ 	  If you say Y here, additional code will be inserted into the
+ 	  timer routines to collect statistics about kernel timers being
--- a/debian/patches/series
+++ b/debian/patches/series
@ -110,6 +110,7 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
 bugfix/all/ipc-shm-fix-shmat-mmap-nil-page-protection.patch
+debian/time-mark-timer_stats-as-broken.patch

 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch