Release linux (4.19.67-2+deb10u1).
-----BEGIN PGP SIGNATURE----- iQKmBAABCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl2EsyhfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk ZWJpYW4ub3JnAAoJEAVMuPMTQ89ErG0QAKEp2inuWb4xyie24D6ZDbpTWi/37uWW 2E8bYiMguHGv3tJgqBKkz0YQ0BdPYcSk8Jxx9SrHNPvA6TQ8eUup17a9lrPucruj TcLGyK+d5RG8YX+8ssyrGuC6uG+tO4oYUf4y/Tb+jYH1VOTBasUs3RF0l0bVq33e BvGJZ4ITkkITmuPv+0/EJs5cbhxtshZ0g63Ojkq1KkcpJI9ZORhgYeOEzMca3qkN 3OkPvl2AcGE027aXQpigvPxfg0S2MpdGLf0aqmpifZbfB69G0f8QihmJ0PEaX72w 1cxFqePBV/noLq9acXOVtdWts2Ufldm8ytn7/BMu+s5utX/jQU/WVCorBWNCVN58 yYLBiLE6hatjhShKDvj20g4aiF8hHzErdlyrs+3jtkElvKvQhw/h8MDyNsvVD70H UhQH8kdMf3VJ0y4J/PkWXKiBvQJAbUosGFz0LRJUuhoys7CQEP0CGB/iJsIbLMZ9 eRovrwxM2zJNtPFE0R80pZXsb0e2WJHsPY9Ta2OHZHaDEGP2wwnD/wvWo+zIFx9K YJNYDsnChGwqWqIEvpf3nJVObUfQFOkpWuG3QeFRr3xAujIjOsHMjH8UGdRQMNen 8w0mGMcbnclAHZ7zk3GEHp83qsyH7tCFj37W0ZO8YHj2nMrFMc9D3RGPjvoZ//jM gRJoAn5pdfE+ =QEEi -----END PGP SIGNATURE----- Merge tag 'debian/4.19.67-2+deb10u1' into buster Release linux (4.19.67-2+deb10u1).
This commit is contained in:
commit
63680f3314
|
@ -1,12 +1,23 @@
|
|||
linux (4.19.67-3) UNRELEASED; urgency=medium
|
||||
|
||||
[ Romain Perier ]
|
||||
* [armel/rpi] Enable CONFIG_BRCMFMAC_SDIO (Closes: #940530)
|
||||
|
||||
-- Romain Perier <romain.perier@gmail.com> Wed, 28 Aug 2019 13:28:09 +0200
|
||||
|
||||
linux (4.19.67-2+deb10u1) buster-security; urgency=high
|
||||
|
||||
[ Romain Perier ]
|
||||
* ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit (CVE-2019-15117)
|
||||
* ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
|
||||
(CVE-2019-15118)
|
||||
* [armel/rpi] Enable CONFIG_BRCMFMAC_SDIO (Closes: #940530)
|
||||
|
||||
-- Romain Perier <romain.perier@gmail.com> Wed, 28 Aug 2019 13:28:09 +0200
|
||||
[ Salvatore Bonaccorso ]
|
||||
* vhost: make sure log_num < in_num (CVE-2019-14835)
|
||||
* [x86] ptrace: fix up botched merge of spectrev1 fix (CVE-2019-15902)
|
||||
* KVM: coalesced_mmio: add bounds checking (CVE-2019-14821)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 20 Sep 2019 12:51:55 +0200
|
||||
|
||||
linux (4.19.67-2) buster; urgency=medium
|
||||
|
||||
|
|
|
@ -0,0 +1,79 @@
|
|||
From: Matt Delco <delco@chromium.org>
|
||||
Date: Mon, 16 Sep 2019 14:16:54 -0700
|
||||
Subject: KVM: coalesced_mmio: add bounds checking
|
||||
Origin: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14821
|
||||
|
||||
The first/last indexes are typically shared with a user app.
|
||||
The app can change the 'last' index that the kernel uses
|
||||
to store the next result. This change sanity checks the index
|
||||
before using it for writing to a potentially arbitrary address.
|
||||
|
||||
This fixes CVE-2019-14821.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: 5f94c1741bdc ("KVM: Add coalesced MMIO support (common part)")
|
||||
Signed-off-by: Matt Delco <delco@chromium.org>
|
||||
Signed-off-by: Jim Mattson <jmattson@google.com>
|
||||
Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
|
||||
[Use READ_ONCE. - Paolo]
|
||||
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
|
||||
[Salvatore Bonaccorso: backport to 4.19: Adjust for context changes, cherry-pick
|
||||
commit from stable-queue for 4.19.75]
|
||||
---
|
||||
virt/kvm/coalesced_mmio.c | 17 ++++++++++-------
|
||||
1 file changed, 10 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/virt/kvm/coalesced_mmio.c
|
||||
+++ b/virt/kvm/coalesced_mmio.c
|
||||
@@ -40,7 +40,7 @@ static int coalesced_mmio_in_range(struc
|
||||
return 1;
|
||||
}
|
||||
|
||||
-static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev)
|
||||
+static int coalesced_mmio_has_room(struct kvm_coalesced_mmio_dev *dev, u32 last)
|
||||
{
|
||||
struct kvm_coalesced_mmio_ring *ring;
|
||||
unsigned avail;
|
||||
@@ -52,7 +52,7 @@ static int coalesced_mmio_has_room(struc
|
||||
* there is always one unused entry in the buffer
|
||||
*/
|
||||
ring = dev->kvm->coalesced_mmio_ring;
|
||||
- avail = (ring->first - ring->last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||
+ avail = (ring->first - last - 1) % KVM_COALESCED_MMIO_MAX;
|
||||
if (avail == 0) {
|
||||
/* full */
|
||||
return 0;
|
||||
@@ -67,24 +67,27 @@ static int coalesced_mmio_write(struct k
|
||||
{
|
||||
struct kvm_coalesced_mmio_dev *dev = to_mmio(this);
|
||||
struct kvm_coalesced_mmio_ring *ring = dev->kvm->coalesced_mmio_ring;
|
||||
+ __u32 insert;
|
||||
|
||||
if (!coalesced_mmio_in_range(dev, addr, len))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
spin_lock(&dev->kvm->ring_lock);
|
||||
|
||||
- if (!coalesced_mmio_has_room(dev)) {
|
||||
+ insert = READ_ONCE(ring->last);
|
||||
+ if (!coalesced_mmio_has_room(dev, insert) ||
|
||||
+ insert >= KVM_COALESCED_MMIO_MAX) {
|
||||
spin_unlock(&dev->kvm->ring_lock);
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
/* copy data in first free entry of the ring */
|
||||
|
||||
- ring->coalesced_mmio[ring->last].phys_addr = addr;
|
||||
- ring->coalesced_mmio[ring->last].len = len;
|
||||
- memcpy(ring->coalesced_mmio[ring->last].data, val, len);
|
||||
+ ring->coalesced_mmio[insert].phys_addr = addr;
|
||||
+ ring->coalesced_mmio[insert].len = len;
|
||||
+ memcpy(ring->coalesced_mmio[insert].data, val, len);
|
||||
smp_wmb();
|
||||
- ring->last = (ring->last + 1) % KVM_COALESCED_MMIO_MAX;
|
||||
+ ring->last = (insert + 1) % KVM_COALESCED_MMIO_MAX;
|
||||
spin_unlock(&dev->kvm->ring_lock);
|
||||
return 0;
|
||||
}
|
|
@ -0,0 +1,54 @@
|
|||
From: yongduan <yongduan@tencent.com>
|
||||
Date: Wed, 11 Sep 2019 17:44:24 +0800
|
||||
Subject: vhost: make sure log_num < in_num
|
||||
Origin: https://git.kernel.org/linus/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14835
|
||||
|
||||
The code assumes log_num < in_num everywhere, and that is true as long as
|
||||
in_num is incremented by descriptor iov count, and log_num by 1. However
|
||||
this breaks if there's a zero sized descriptor.
|
||||
|
||||
As a result, if a malicious guest creates a vring desc with desc.len = 0,
|
||||
it may cause the host kernel to crash by overflowing the log array. This
|
||||
bug can be triggered during the VM migration.
|
||||
|
||||
There's no need to log when desc.len = 0, so just don't increment log_num
|
||||
in this case.
|
||||
|
||||
Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
|
||||
Cc: stable@vger.kernel.org
|
||||
Reviewed-by: Lidong Chen <lidongchen@tencent.com>
|
||||
Signed-off-by: ruippan <ruippan@tencent.com>
|
||||
Signed-off-by: yongduan <yongduan@tencent.com>
|
||||
Acked-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
|
||||
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
|
||||
---
|
||||
drivers/vhost/vhost.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c
|
||||
index 34ea219936e3..acabf20b069e 100644
|
||||
--- a/drivers/vhost/vhost.c
|
||||
+++ b/drivers/vhost/vhost.c
|
||||
@@ -2180,7 +2180,7 @@ static int get_indirect(struct vhost_virtqueue *vq,
|
||||
/* If this is an input descriptor, increment that count. */
|
||||
if (access == VHOST_ACCESS_WO) {
|
||||
*in_num += ret;
|
||||
- if (unlikely(log)) {
|
||||
+ if (unlikely(log && ret)) {
|
||||
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
|
||||
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
|
||||
++*log_num;
|
||||
@@ -2321,7 +2321,7 @@ int vhost_get_vq_desc(struct vhost_virtqueue *vq,
|
||||
/* If this is an input descriptor,
|
||||
* increment that count. */
|
||||
*in_num += ret;
|
||||
- if (unlikely(log)) {
|
||||
+ if (unlikely(log && ret)) {
|
||||
log[*log_num].addr = vhost64_to_cpu(vq, desc.addr);
|
||||
log[*log_num].len = vhost32_to_cpu(vq, desc.len);
|
||||
++*log_num;
|
||||
--
|
||||
2.23.0
|
||||
|
44
debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
vendored
Normal file
44
debian/patches/bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
vendored
Normal file
|
@ -0,0 +1,44 @@
|
|||
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
Date: Wed, 4 Sep 2019 12:27:18 +0200
|
||||
Subject: x86/ptrace: fix up botched merge of spectrev1 fix
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=69f692bb7e684592aaba779299bc576626d414b4
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-15902
|
||||
|
||||
I incorrectly merged commit 31a2fbb390fe ("x86/ptrace: Fix possible
|
||||
spectre-v1 in ptrace_get_debugreg()") when backporting it, as was
|
||||
graciously pointed out at
|
||||
https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
|
||||
|
||||
Resolve the upstream difference with the stable kernel merge to properly
|
||||
protect things.
|
||||
|
||||
Reported-by: Brad Spengler <spender@grsecurity.net>
|
||||
Cc: Dianzhang Chen <dianzhangchen0@gmail.com>
|
||||
Cc: Thomas Gleixner <tglx@linutronix.de>
|
||||
Cc: <bp@alien8.de>
|
||||
Cc: <hpa@zytor.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
arch/x86/kernel/ptrace.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
|
||||
index 8d20fb09722c..7f377f8792aa 100644
|
||||
--- a/arch/x86/kernel/ptrace.c
|
||||
+++ b/arch/x86/kernel/ptrace.c
|
||||
@@ -651,11 +651,10 @@ static unsigned long ptrace_get_debugreg(struct task_struct *tsk, int n)
|
||||
{
|
||||
struct thread_struct *thread = &tsk->thread;
|
||||
unsigned long val = 0;
|
||||
- int index = n;
|
||||
|
||||
if (n < HBP_NUM) {
|
||||
+ int index = array_index_nospec(n, HBP_NUM);
|
||||
struct perf_event *bp = thread->ptrace_bps[index];
|
||||
- index = array_index_nospec(index, HBP_NUM);
|
||||
|
||||
if (bp)
|
||||
val = bp->hw.info.address;
|
||||
--
|
||||
2.23.0
|
||||
|
|
@ -164,6 +164,9 @@ debian/ntfs-mark-it-as-broken.patch
|
|||
bugfix/all/netfilter-conntrack-use-consistent-ct-id-hash-calcul.patch
|
||||
bugfix/all/ALSA-usb-audio-Fix-an-OOB-bug-in-parse_audio_mixer_unit.patch
|
||||
bugfix/all/ALSA-usb-audio-Fix-a-stack-buffer-overflow-bug-in-check_input_term.patch
|
||||
bugfix/all/vhost-make-sure-log_num-in_num.patch
|
||||
bugfix/x86/x86-ptrace-fix-up-botched-merge-of-spectrev1-fix.patch
|
||||
bugfix/all/KVM-coalesced_mmio-add-bounds-checking.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|
Loading…
Reference in New Issue