Add some important fixes pending for 3.14.8

svn path=/dists/sid/linux/; revision=21433

debian/changelog

@@ -219,6 +219,10 @@ linux (3.14.7-1) UNRELEASED; urgency=medium
     - Temporarily disable zImage
     - powerpc/powernv: Add calls to support little endian host
     - Add 'ppc64le' (uname output) to bug/include-model script
+  * netfilter: ipv4: defrag: set local_df flag on defragmented skb
+    (regression in 3.14.5)
+  * [mips] asm: thread_info: Add _TIF_SECCOMP flag (Closes: #751417)
+  * auditsc: audit_krule mask accesses need bounds checking (CVE-2014-3917)
 
  -- Ian Campbell <ijc@hellion.org.uk>  Fri, 06 Jun 2014 18:18:41 +0100
 

debian/patches/bugfix/all/auditsc-audit_krule-mask-accesses-need-bounds-checki.patch

@@ -0,0 +1,80 @@
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 28 May 2014 23:09:58 -0400
+Subject: auditsc: audit_krule mask accesses need bounds checking
+Origin: https://git.kernel.org/linus/a3c54931199565930d6d84f4c3456f6440aefd41
+
+Fixes an easy DoS and possible information disclosure.
+
+This does nothing about the broken state of x32 auditing.
+
+eparis: If the admin has enabled auditd and has specifically loaded
+audit rules.  This bug has been around since before git.  Wow...
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: Eric Paris <eparis@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+ kernel/auditsc.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/kernel/auditsc.c
++++ b/kernel/auditsc.c
+@@ -720,6 +720,22 @@ static enum audit_state audit_filter_tas
+ 	return AUDIT_BUILD_CONTEXT;
+ }
+ 
++static int audit_in_mask(const struct audit_krule *rule, unsigned long val)
++{
++	int word, bit;
++
++	if (val > 0xffffffff)
++		return false;
++
++	word = AUDIT_WORD(val);
++	if (word >= AUDIT_BITMASK_SIZE)
++		return false;
++
++	bit = AUDIT_BIT(val);
++
++	return rule->mask[word] & bit;
++}
++
+ /* At syscall entry and exit time, this filter is called if the
+  * audit_state is not low enough that auditing cannot take place, but is
+  * also not high enough that we already know we have to write an audit
+@@ -737,11 +753,8 @@ static enum audit_state audit_filter_sys
+ 
+ 	rcu_read_lock();
+ 	if (!list_empty(list)) {
+-		int word = AUDIT_WORD(ctx->major);
+-		int bit  = AUDIT_BIT(ctx->major);
+-
+ 		list_for_each_entry_rcu(e, list, list) {
+-			if ((e->rule.mask[word] & bit) == bit &&
++			if (audit_in_mask(&e->rule, ctx->major) &&
+ 			    audit_filter_rules(tsk, &e->rule, ctx, NULL,
+ 					       &state, false)) {
+ 				rcu_read_unlock();
+@@ -761,20 +774,16 @@ static enum audit_state audit_filter_sys
+ static int audit_filter_inode_name(struct task_struct *tsk,
+ 				   struct audit_names *n,
+ 				   struct audit_context *ctx) {
+-	int word, bit;
+ 	int h = audit_hash_ino((u32)n->ino);
+ 	struct list_head *list = &audit_inode_hash[h];
+ 	struct audit_entry *e;
+ 	enum audit_state state;
+ 
+-	word = AUDIT_WORD(ctx->major);
+-	bit  = AUDIT_BIT(ctx->major);
+-
+ 	if (list_empty(list))
+ 		return 0;
+ 
+ 	list_for_each_entry_rcu(e, list, list) {
+-		if ((e->rule.mask[word] & bit) == bit &&
++		if (audit_in_mask(&e->rule, ctx->major) &&
+ 		    audit_filter_rules(tsk, &e->rule, ctx, n, &state, false)) {
+ 			ctx->current_state = state;
+ 			return 1;

debian/patches/bugfix/all/netfilter-ipv4-defrag-set-local_df-flag-on-defragmen.patch

@@ -0,0 +1,53 @@
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 2 May 2014 15:32:16 +0200
+Subject: netfilter: ipv4: defrag: set local_df flag on defragmented skb
+Origin: https://git.kernel.org/linus/895162b1101b3ea5db08ca6822ae9672717efec0
+
+else we may fail to forward skb even if original fragments do fit
+outgoing link mtu:
+
+1. remote sends 2k packets in two 1000 byte frags, DF set
+2. we want to forward but only see '2k > mtu and DF set'
+3. we then send icmp error saying that outgoing link is 1500
+
+But original sender never sent a packet that would not fit
+the outgoing link.
+
+Setting local_df makes outgoing path test size vs.
+IPCB(skb)->frag_max_size, so we will still send the correct
+error in case the largest original size did not fit
+outgoing link mtu.
+
+Reported-by: Maxime Bizon <mbizon@freebox.fr>
+Suggested-by: Maxime Bizon <mbizon@freebox.fr>
+Fixes: 5f2d04f1f9 (ipv4: fix path MTU discovery with connection tracking)
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv4/netfilter/nf_defrag_ipv4.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
+index 12e13bd..f40f321 100644
+--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
++++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
+@@ -22,7 +22,6 @@
+ #endif
+ #include <net/netfilter/nf_conntrack_zones.h>
+ 
+-/* Returns new sk_buff, or NULL */
+ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
+ {
+ 	int err;
+@@ -33,8 +32,10 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
+ 	err = ip_defrag(skb, user);
+ 	local_bh_enable();
+ 
+-	if (!err)
++	if (!err) {
+ 		ip_send_check(ip_hdr(skb));
++		skb->local_df = 1;
++	}
+ 
+ 	return err;
+ }

debian/patches/bugfix/mips/MIPS-asm-thread_info-Add-_TIF_SECCOMP-flag.patch

@@ -0,0 +1,32 @@
+From: Markos Chandras <markos.chandras@imgtec.com>
+Date: Wed, 22 Jan 2014 14:40:00 +0000
+Subject: MIPS: asm: thread_info: Add _TIF_SECCOMP flag
+Origin: https://git.kernel.org/linus/137f7df8cead00688524c82360930845396b8a21
+
+Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate
+that the system call needs to be checked against a seccomp filter.
+
+Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
+Reviewed-by: Paul Burton <paul.burton@imgtec.com>
+Reviewed-by: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/6405/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+---
+ arch/mips/include/asm/thread_info.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
+index 24846f9..e80ae50 100644
+--- a/arch/mips/include/asm/thread_info.h
++++ b/arch/mips/include/asm/thread_info.h
+@@ -136,7 +136,8 @@ static inline struct thread_info *current_thread_info(void)
+ #define _TIF_SYSCALL_TRACEPOINT	(1<<TIF_SYSCALL_TRACEPOINT)
+ 
+ #define _TIF_WORK_SYSCALL_ENTRY	(_TIF_NOHZ | _TIF_SYSCALL_TRACE |	\
+-				 _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
++				 _TIF_SYSCALL_AUDIT | \
++				 _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
+ 
+ /* work to do in syscall_trace_leave() */
+ #define _TIF_WORK_SYSCALL_EXIT	(_TIF_NOHZ | _TIF_SYSCALL_TRACE |	\

debian/patches/series

@@ -88,3 +88,6 @@ debian/sockdiag-avoid-abi-change-in-3.14.5.patch
 debian/target-avoid-abi-change-in-3.14.5.patch
 debian/netfilter-avoid-abi-change-in-3.14.5.patch
 bugfix/mips/MIPS-Fix-branch-emulation-of-branch-likely-instructi.patch
+bugfix/all/netfilter-ipv4-defrag-set-local_df-flag-on-defragmen.patch
+bugfix/mips/MIPS-asm-thread_info-Add-_TIF_SECCOMP-flag.patch
+bugfix/all/auditsc-audit_krule-mask-accesses-need-bounds-checki.patch