Release linux (4.3.3-1).
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUAVnCT2+e/yOyVhhEJAQr+qw/9E5dEKfpAfOywx9lA0eQKKBx2yt2IkdGc 0k9UFJlJc5xpOwEH03WOlU3XktlrwNzaT6U0Qvu6MW4Y77G60fDbAB/J+1jlYatK 02CEUmBgrD5M6Cm/9J085mglIEt+5tq0RIZwAWx7iki53H/y1KQ6uski3oZwcguu Go5KP744Osen5cyJKgT+vV/VGHc+BJEMcNFNI1nlh71owTQKT2ZsLx8fd3ZIdGsB 8rTC3pIsE8YjTcaRhKcJ1t6a19fX/2fD7KsfZTo8YdfLReg29CZ6TlQF8clzh8yH 37RWnEEYZT3vDbLVFOr4RVj0/b5skJQmuC7Bs40dywPyjEK/OQHMUWdcw4ZAxsq1 kNL9DhShF4G+HW58VOCRZSMO+R4R2Cl7JIz4bjhhPIOka9X/vn0yk/QgR6z16g0J DHc2zx9+OHlUgk89KpCtDYdzHth7uQAmg6WIJemVU1Mt4jdaHKoEtAI4iNkEjdby 1LNnmYjukIixpTtb/NJGtyQPWSOOHnRQa7Cq36SngZoT4Gowb5hbDI9v+IrSQZUj ruEMqMl4Bcq3/R1HKdqcs0FK+obKceaHSoLH+ludH0U7UAjh3dqCotxHkX4DT+ws 0CJAM1PIiiXG6n+TQve/wepG/Fv2yuOJg1BEo32Qjy5RtzhZf4vgZEYKJFrCGxR3 oBYzz+yPcvg= =AlwC -----END PGP SIGNATURE----- Merge tag 'debian/4.3.3-1' Drop the ABI reference and ignored symbols. Drop most of the patches, as they're already upstream.
This commit is contained in:
Ben Hutchings
commit
70157abb7d
|
|
@ -21,6 +21,88 @@ linux (4.4~rc4-1~exp1) experimental; urgency=medium
|
|||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 13 Dec 2015 16:25:45 +0000
|
||||
|
||||
linux (4.3.3-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.2
|
||||
- X.509: Fix the time validation [ver #2]
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.3
|
||||
- r8169: fix kasan reported skb use-after-free. (regression in 4.3)
|
||||
- af-unix: fix use-after-free with concurrent readers while splicing
|
||||
(regression in 4.2)
|
||||
- af_unix: don't append consumed skbs to sk_receive_queue
|
||||
(regression in 4.2)
|
||||
- af_unix: take receive queue lock while appending new skb
|
||||
(regression in 4.2)
|
||||
- af-unix: passcred support for sendpage (regression in 4.2)
|
||||
- ipv6: Avoid creating RTF_CACHE from a rt that is not managed by fib6 tree
|
||||
(regression in 4.2)
|
||||
- ipv6: Check expire on DST_NOCACHE route
|
||||
- ipv6: Check rt->dst.from for the DST_NOCACHE route (regression in 4.3)
|
||||
- Revert "ipv6: ndisc: inherit metadata dst when creating ndisc requests"
|
||||
(regression in 4.3)
|
||||
- packet: only allow extra vlan len on ethernet devices
|
||||
- packet: infer protocol from ethernet header if unset
|
||||
- packet: fix tpacket_snd max frame len
|
||||
- sctp: translate host order to network order when setting a hmacid
|
||||
- net/mlx5e: Added self loopback prevention (regression in 4.3)
|
||||
- net/mlx4_core: Fix sleeping while holding spinlock at rem_slave_counters
|
||||
(regression in 4.2)
|
||||
- ip_tunnel: disable preemption when updating per-cpu tstats
|
||||
- net/ip6_tunnel: fix dst leak (regression in 4.3)
|
||||
- tcp: disable Fast Open on timeouts after handshake
|
||||
- tcp: fix potential huge kmalloc() calls in TCP_REPAIR
|
||||
- tcp: initialize tp->copied_seq in case of cross SYN connection
|
||||
- net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
|
||||
- net: ipmr: fix static mfc/dev leaks on table destruction
|
||||
- net: ip6mr: fix static mfc/dev leaks on table destruction
|
||||
- vrf: fix double free and memory corruption on register_netdevice failure
|
||||
- tipc: fix error handling of expanding buffer headroom (regression in 4.3)
|
||||
- ipv6: distinguish frag queues by device for multicast and link-local
|
||||
packets
|
||||
- bpf, array: fix heap out-of-bounds access when updating elements
|
||||
- ipv6: add complete rcu protection around np->opt
|
||||
- net/neighbour: fix crash at dumping device-agnostic proxy entries
|
||||
- ipv6: sctp: implement sctp_v6_destroy_sock()
|
||||
- openvswitch: fix hangup on vxlan/gre/geneve device deletion
|
||||
- net_sched: fix qdisc_tree_decrease_qlen() races
|
||||
- btrfs: fix resending received snapshot with parent (regression in 4.2)
|
||||
- Btrfs: fix file corruption and data loss after cloning inline extents
|
||||
- Btrfs: fix regression when running delayed references (regression in 4.2)
|
||||
- Btrfs: fix race leading to incorrect item deletion when dropping extents
|
||||
- Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
|
||||
- Btrfs: fix race when listing an inode's xattrs
|
||||
- rbd: don't put snap_context twice in rbd_queue_workfn()
|
||||
- ext4 crypto: fix memory leak in ext4_bio_write_page()
|
||||
- ext4 crypto: fix bugs in ext4_encrypted_zeroout()
|
||||
- ext4: fix potential use after free in __ext4_journal_stop
|
||||
(regression in 4.2)
|
||||
- ext4, jbd2: ensure entering into panic after recording an error in
|
||||
superblock
|
||||
- nfsd: serialize state seqid morphing operations
|
||||
- nfsd: eliminate sending duplicate and repeated delegations
|
||||
- nfs4: start callback_ident at idr 1
|
||||
- nfs4: resend LAYOUTGET when there is a race that changes the seqid
|
||||
- nfs: if we have no valid attrs, then don't declare the attribute cache
|
||||
valid
|
||||
- ocfs2: fix umask ignored issue
|
||||
- block: fix segment split (regression in 4.3)
|
||||
- ceph: fix message length computation
|
||||
- Btrfs: fix regression running delayed references when using qgroups
|
||||
(regression in 4.2)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* net: add validation for the socket syscall protocol argument (CVE-2015-8543)
|
||||
* [armel/kirkwood] udeb: Override inclusion of gpio_keys in input-modules
|
||||
(fixes FTBFS)
|
||||
* vrf: Fix broken backport of "vrf: fix double free and memory corruption on
|
||||
register_netdevice failure" in 4.3.3
|
||||
* net: Ignore ABI changes due to "ipv6: add complete rcu protection around
|
||||
np->opt", which don't appear to affect out-of-tree modules
|
||||
* tipc: Fix kfree_skb() of uninitialised pointer (regression in 4.3.3)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 15 Dec 2015 21:25:26 +0000
|
||||
|
||||
linux (4.3.1-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
|||
|
|
@ -1 +1,3 @@
|
|||
#include <input-modules>
|
||||
# Moved to event-modules for use in network-console builds
|
||||
gpio_keys -
|
||||
|
|
|
|||
82
debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
vendored
Normal file
82
debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
vendored
Normal file
|
|
@ -0,0 +1,82 @@
|
|||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Subject: net: add validation for the socket syscall protocol argument
|
||||
Date: Mon, 14 Dec 2015 17:17:49 +0100
|
||||
Origin: http://article.gmane.org/gmane.linux.network/391482
|
||||
|
||||
郭永刚 reported that one could simply crash the kernel as root by
|
||||
using a simple program:
|
||||
|
||||
int socket_fd;
|
||||
struct sockaddr_in addr;
|
||||
addr.sin_port = 0;
|
||||
addr.sin_addr.s_addr = INADDR_ANY;
|
||||
addr.sin_family = 10;
|
||||
|
||||
socket_fd = socket(10,3,0x40000000);
|
||||
connect(socket_fd , &addr,16);
|
||||
|
||||
AF_INET, AF_INET6 sockets actually only support 8-bit protocol
|
||||
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
|
||||
thus larger protocol identifiers simply cut off the higher bits and
|
||||
store a zero in the protocol fields.
|
||||
|
||||
This could lead to e.g. NULL function pointer because as a result of
|
||||
the cut off inet_num is zero and we call down to inet_autobind, which
|
||||
is NULL for raw sockets.
|
||||
|
||||
kernel: Call Trace:
|
||||
kernel: [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
|
||||
kernel: [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
|
||||
kernel: [<ffffffff81645069>] SYSC_connect+0xd9/0x110
|
||||
kernel: [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
|
||||
kernel: [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
|
||||
kernel: [<ffffffff81645e0e>] SyS_connect+0xe/0x10
|
||||
kernel: [<ffffffff81779515>] tracesys_phase2+0x84/0x89
|
||||
|
||||
I found no particular commit which introduced this problem.
|
||||
|
||||
CVE: CVE-2015-8543
|
||||
Reported-by: 郭永刚 <guoyonggang@360.cn>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
---
|
||||
net/ipv4/af_inet.c | 3 +++
|
||||
net/ipv6/af_inet6.c | 3 +++
|
||||
net/socket.c | 3 +++
|
||||
3 files changed, 9 insertions(+)
|
||||
|
||||
--- a/net/ipv4/af_inet.c
|
||||
+++ b/net/ipv4/af_inet.c
|
||||
@@ -261,6 +261,9 @@ static int inet_create(struct net *net,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
sock->state = SS_UNCONNECTED;
|
||||
|
||||
/* Look for the requested type/protocol pair. */
|
||||
--- a/net/ipv6/af_inet6.c
|
||||
+++ b/net/ipv6/af_inet6.c
|
||||
@@ -109,6 +109,9 @@ static int inet6_create(struct net *net,
|
||||
int try_loading_module = 0;
|
||||
int err;
|
||||
|
||||
+ if (protocol >= IPPROTO_MAX)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
/* Look for the requested type/protocol pair. */
|
||||
lookup_protocol:
|
||||
err = -ESOCKTNOSUPPORT;
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1105,6 +1105,9 @@ int __sock_create(struct net *net, int f
|
||||
return -EAFNOSUPPORT;
|
||||
if (type < 0 || type >= SOCK_MAX)
|
||||
return -EINVAL;
|
||||
+ /* upper bound should be tested by per-protocol .create callbacks */
|
||||
+ if (protocol < 0)
|
||||
+ return -EINVAL;
|
||||
|
||||
/* Compatibility.
|
||||
|
||||
|
|
@ -67,3 +67,4 @@ features/all/grsecurity/grkernsec_perf_harden.patch
|
|||
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
||||
bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch
|
||||
bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch
|
||||
bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue