From 935de573c88161b11fdaa74a1c951abe033b9440 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 9 Jun 2013 13:38:03 +0000 Subject: [PATCH] Update to 3.9.5 svn path=/dists/sid/linux/; revision=20218 --- debian/changelog | 48 +++++++++++++- ...et-fix-heap-buffer-overflow-on-error.patch | 62 ------------------- debian/patches/series | 1 - 3 files changed, 47 insertions(+), 64 deletions(-) delete mode 100644 debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch diff --git a/debian/changelog b/debian/changelog index 57a08fd71..286be34c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,51 @@ -linux (3.9.4-2) UNRELEASED; urgency=low +linux (3.9.5-1) UNRELEASED; urgency=low + * New upstream stable update: + http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.9.5 + - [arm] 7723/1: crypto: sha1-armv4-large.S: fix SP handling + - mac80211: use just spin_lock() in ieee80211_get_tkip_p2k() + - USB: cxacru: potential underflow in cxacru_cm_get_array() + - TTY: Fix tty miss restart after we turn off flow-control + (Closes: #465823) + - cifs: only set ops for inodes in I_NEW state + - drivers/char/random.c: fix priming of last_data + - random: fix accounting race condition with lockless irq entropy_count + update + - fat: fix possible overflow for fat_clusters + - tg3: Fix data corruption on 5725 with TSO + - ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in + ocfs2_fiemap() + - mm compaction: fix of improper cache flush in migration code + - klist: del waiter from klist_remove_waiters before wakeup waitting process + - wait: fix false timeouts when using wait_event_timeout() + - nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary + - mm: mmu_notifier: re-fix freed page still mapped in secondary MMU + - mm: memcg: remove incorrect VM_BUG_ON for swap cache pages in uncharge + - mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas + - mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer + - module: don't unlink the module until we've removed all exposure. + - xfs: kill suid/sgid through the truncate path. + - SUNRPC: Prevent an rpc_task wakeup race + - cifs: fix potential buffer overrun when composing a new options string + - cgroup: initialize xattr before calling d_instantiate() + - [powerpc] 32bit:Store temporary result in r0 instead of r8 + - [powerpc] tm: Fix userspace stack corruption on signal delivery for active + transactions + - [powerpc] tm: Abort on emulation and alignment faults + - iscsi-target: fix heap buffer overflow on error + - KVM: fix sil/dil/bpl/spl in the mod/rm fields + - reiserfs: fix deadlock with nfs racing on create/lookup + - reiserfs: fix problems with chowning setuid file w/ xattrs + - reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry + - jfs: fix a couple races + - IB/iser: Return error to upper layers on EAGAIN registration failures + - fuse: fix readdirplus Oops in fuse_dentry_revalidate + - target: Re-instate sess_wait_list for target_wait_for_sess_cmds + - xen-netback: Fix regressions caused by fix for CVE-2013-0216 + + coalesce slots in TX path and fix regressions + + don't disconnect frontend when seeing oversize packet + + [ Ben Hutchings ] * [powerpcspe] Remove installer udebs (really fixes FTBFS) -- Ben Hutchings Sat, 08 Jun 2013 15:25:11 +0100 diff --git a/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch deleted file mode 100644 index 8df64f3b7..000000000 --- a/debian/patches/bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch +++ /dev/null @@ -1,62 +0,0 @@ -From: Kees Cook -Date: Thu, 23 May 2013 17:32:17 +0000 -Subject: iscsi-target: fix heap buffer overflow on error - -commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream. - -If a key was larger than 64 bytes, as checked by iscsi_check_key(), the -error response packet, generated by iscsi_add_notunderstood_response(), -would still attempt to copy the entire key into the packet, overflowing -the structure on the heap. - -Remote preauthentication kernel memory corruption was possible if a -target was configured and listening on the network. - -CVE-2013-2850 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Nicholas Bellinger ---- -diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c -index c2185fc..e382221 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.c -+++ b/drivers/target/iscsi/iscsi_target_parameters.c -@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( - } - INIT_LIST_HEAD(&extra_response->er_list); - -- strncpy(extra_response->key, key, strlen(key) + 1); -- strncpy(extra_response->value, NOTUNDERSTOOD, -- strlen(NOTUNDERSTOOD) + 1); -+ strlcpy(extra_response->key, key, sizeof(extra_response->key)); -+ strlcpy(extra_response->value, NOTUNDERSTOOD, -+ sizeof(extra_response->value)); - - list_add_tail(&extra_response->er_list, - ¶m_list->extra_response_list); -@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( - - if (phase & PHASE_SECURITY) { - if (iscsi_check_for_auth_key(key) > 0) { -- char *tmpptr = key + strlen(key); -- *tmpptr = '='; - kfree(tmpbuf); - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h -index 915b067..a47046a 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.h -+++ b/drivers/target/iscsi/iscsi_target_parameters.h -@@ -1,8 +1,10 @@ - #ifndef ISCSI_PARAMETERS_H - #define ISCSI_PARAMETERS_H - -+#include -+ - struct iscsi_extra_response { -- char key[64]; -+ char key[KEY_MAXLEN]; - char value[32]; - struct list_head er_list; - } ____cacheline_aligned; diff --git a/debian/patches/series b/debian/patches/series index c3ef65f69..cd730a4ec 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -104,4 +104,3 @@ features/arm/imx53-qsb-usb-power.patch features/arm/0001-thermal-Add-driver-for-Armada-370-XP-SoC-thermal-man.patch features/arm/0001-ARM-mvebu-Add-thermal-support-to-Armada-XP-device-tr.patch -bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch