From 540db7a99c6f9ffe7c431439a2119b735debfc6d Mon Sep 17 00:00:00 2001
From: Romain Perier
Date: Sun, 21 Oct 2018 21:02:34 +0200
Subject: [PATCH] Update to 4.18.14

This updates the debian changelog for listing changes of this stable update, including removal of cherry picked commits applied on upstream.
---
 debian/changelog | 39 +++++++++++-
 ...input-validation-in-xenvif_set_hash_.patch | 60 -------------------
 debian/patches/series | 1 -
 3 files changed, 38 insertions(+), 62 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
diff --git a/debian/changelog b/debian/changelog
index 1117ed895..ffa6908a2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.18.13-1) UNRELEASED; urgency=medium
+linux (4.18.14-1) UNRELEASED; urgency=medium
 
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
@@ -389,6 +389,43 @@ linux (4.18.13-1) UNRELEASED; urgency=medium
 - ixgbe: check return value of napi_complete_done()
 - dm thin metadata: fix __udivdi3 undefined on 32-bit
 - Revert "drm/amd/pp: Send khz clock values to DC for smu7/8"
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.14
+ - perf/core: Add sanity check to deal with pinned event failure
+ - mm: migration: fix migration of huge PMD shared pages
+ - mm, thp: fix mlocking THP page with migration enabled
+ - mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
+ - [x86] KVM: fix L1TF's MMIO GFN calculation
+ - [x86] KVM: VMX: check for existence of secondary exec controls before
+ accessing
+ - blk-mq: I/O and timer unplugs are inverted in blktrace
+ - [powerpc*, mips*, arm64, x86, alpha, armhf] mmc: core: Fix debounce time
+ to use microseconds
+ - [powerpc*, mips*, arm64, x86, alpha, armhf] mmc: slot-gpio: Fix debounce
+ time to use miliseconds again
+ - mac80211: allocate TXQs for active monitor interfaces
+ - drm/amdgpu: Fix vce work queue was not cancelled when suspend
+ - [x86] vdso: Fix asm constraints on vDSO syscall fallbacks
+ - [x86] vdso: Only enable vDSO retpolines when enabled and supported
+ - [x86] vdso: Fix vDSO syscall fallback asm constraint regression
+ - [powerpc*, mips*, arm64, x86, s390x, armhf, sparc, hppa] PCI: Reprogram
+ bridge prefetch registers on resume
+ - mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
+ - dm mpath: fix attached_handler_name leak and dangling hw_handler_name
+ pointer
+ - dm cache metadata: ignore hints array being too small during resize
+ - dm cache: fix resize crash if user doesn't reload cache table
+ - USB: serial: simple: add Motorola Tetra MTP6550 id
+ - USB: serial: option: improve Quectel EP06 detection
+ - USB: serial: option: add two-endpoints device-id flag
+ - usb: cdc_acm: Do not leak URB buffers
+ - tty: Drop tty->count on tty_reopen() failure
+ - [powerpc*] Avoid code patching freed init sections
+ - [powerpc*] lib: fix book3s/32 boot failure due to code patching
+ - f2fs: fix invalid memory access
+ - tipc: call start and done ops directly in __tipc_nl_compat_dumpit()
+ - ubifs: Check for name being NULL while mounting
+ - rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead
+ - ath10k: fix scan crash due to incorrect length calculation
 
 [ Ben Hutchings ]
 * linux-perf: Fix BPF feature detection
diff --git a/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch b/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
deleted file mode 100644
index 1f51b3535..000000000
--- a/debian/patches/bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: Jan Beulich
-Date: Tue, 25 Sep 2018 02:12:30 -0600
-Subject: xen-netback: fix input validation in xenvif_set_hash_mapping()
-Origin: https://git.kernel.org/linus/780e83c259fc33e8959fed8dfdad17e378d72b62
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-15471
-
-Both len and off are frontend specified values, so we need to make
-sure there's no overflow when adding the two for the bounds check. We
-also want to avoid undefined behavior and hence use off to index into
-->hash.mapping[] only after bounds checking. This at the same time
-allows to take care of not applying off twice for the bounds checking
-against vif->num_queues.
-
-It is also insufficient to bounds check copy_op.len, as this is len
-truncated to 16 bits.
-
-This is XSA-270 / CVE-2018-15471.
-
-Reported-by: Felix Wilhelm
-Signed-off-by: Jan Beulich
-Reviewed-by: Paul Durrant
-Tested-by: Paul Durrant
-Cc: stable@vger.kernel.org [4.7 onwards]
-Signed-off-by: David S. Miller
----
- drivers/net/xen-netback/hash.c | 12 +++++++-----
- 1 file changed, 7 insertions(+), 5 deletions(-)
-
-diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
-index 3c4c58b9fe76..3b6fb5b3bdb2 100644
---- a/drivers/net/xen-netback/hash.c
-+++ b/drivers/net/xen-netback/hash.c
-@@ -332,20 +332,22 @@ u32 xenvif_set_hash_mapping_size(struct xenvif *vif, u32 size)
- u32 xenvif_set_hash_mapping(struct xenvif *vif, u32 gref, u32 len,
- u32 off)
- {
-- u32 *mapping = &vif->hash.mapping[off];
-+ u32 *mapping = vif->hash.mapping;
- struct gnttab_copy copy_op = {
- .source.u.ref = gref,
- .source.domid = vif->domid,
-- .dest.u.gmfn = virt_to_gfn(mapping),
- .dest.domid = DOMID_SELF,
-- .dest.offset = xen_offset_in_page(mapping),
-- .len = len * sizeof(u32),
-+ .len = len * sizeof(*mapping),
- .flags = GNTCOPY_source_gref
- };
-
-- if ((off + len > vif->hash.size) || copy_op.len > XEN_PAGE_SIZE)
-+ if ((off + len < off) || (off + len > vif->hash.size) ||
-+ len > XEN_PAGE_SIZE / sizeof(*mapping))
- return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
-
-+ copy_op.dest.u.gmfn = virt_to_gfn(mapping + off);
-+ copy_op.dest.offset = xen_offset_in_page(mapping + off);
-+
- while (len-- != 0)
- if (mapping[off++] >= vif->num_queues)
- return XEN_NETIF_CTRL_STATUS_INVALID_PARAMETER;
diff --git a/debian/patches/series b/debian/patches/series
index 817ef4f3f..55b9f8e2c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -145,7 +145,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
-bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch