From 997f08649d38fb9484fdd4114ccb8be2e0b7ce96 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Fri, 4 Jan 2013 05:10:47 +0000
Subject: [PATCH] Update to 3.2.36

svn path=/dists/sid/linux/; revision=19676
---
 debian/changelog | 27 +++-
 ...ec-do-not-leave-bprm-interp-on-stack.patch | 115 ------------------
 .../all/use-clamp_t-in-UNAME26-fix.patch | 32 -----
 ...e-BIOS-initial-backlight-value-for-H.patch | 49 --------
 ...opcode-oops-on-SET_SREGS-with-OSXSAV.patch | 71 -----------
 debian/patches/series | 4 -
 6 files changed, 26 insertions(+), 272 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
 delete mode 100644 debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
 delete mode 100644 debian/patches/bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
 delete mode 100644 debian/patches/bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch

diff --git a/debian/changelog b/debian/changelog
index c2c11ad6b..0fab3bc09 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,29 @@
-linux (3.2.35-3) UNRELEASED; urgency=low
+linux (3.2.36-1) UNRELEASED; urgency=low
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.36
+ - freezer: PF_FREEZER_NOSIG should be cleared along with PF_NOFREEZE
+ (Closes: #697077)
+ - drm/i915: add Ivy Bridge GT2 Server entries (Closes: #684767)
+ - tmpfs: fix shared mempolicy leak
+ - virtio: 9p: correctly pass physical address to userspace for high pages
+ - virtio: force vring descriptors to be allocated from lowmem
+ - USB: EHCI: bugfix: urb->hcpriv should not be NULL
+ - rcu: Fix batch-limit size problem
+ - mvsas: fix undefined bit shift
+ - target/file: Fix 32-bit highmem breakage for SGL -> iovec mapping
+ - drm/i915: Close race between processing unpin task and queueing the flip
+ - SCSI: fix Null pointer dereference on disk error
+ - proc: pid/status: show all supplementary groups
+ - nfsd4: fix oops on unusual readlike compound
+ - ARM: missing ->mmap_sem around find_vma() in swp_emulate.c
+ - sctp: fix memory leak in sctp_datamsg_from_user() when copy from user
+ space fails
+ - ne2000: add the right platform device
+ - irda: sir_dev: Fix copy/paste typo
+ - ipv4: ip_check_defrag must not modify skb before unsharing
+ - telephony: ijx: buffer overflow in ixj_write_cid()
+ - udf: fix memory leak while allocating blocks during write
 
 [ Ben Hutchings ]
 * Input: wacom - fix touch support for Bamboo Fun CTH-461
diff --git a/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch b/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
deleted file mode 100644
index 45a4ac26b..000000000
--- a/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: Kees Cook
-Date: Thu, 6 Dec 2012 17:00:21 +1100
-Subject: [1/2] exec: do not leave bprm->interp on stack
-
-commit 1e1b8374592f5fb347625e84d8a5f2f40d858a24 upstream.
-
-If a series of scripts are executed, each triggering module loading via
-unprintable bytes in the script header, kernel stack contents can leak
-into the command line.
-
-Normally execution of binfmt_script and binfmt_misc happens recursively.
-However, when modules are enabled, and unprintable bytes exist in the
-bprm->buf, execution will restart after attempting to load matching binfmt
-modules. Unfortunately, the logic in binfmt_script and binfmt_misc does
-not expect to get restarted. They leave bprm->interp pointing to their
-local stack. This means on restart bprm->interp is left pointing into
-unused stack memory which can then be copied into the userspace argv
-areas.
-
-After additional study, it seems that both recursion and restart remains
-the desirable way to handle exec with scripts, misc, and modules. As
-such, we need to protect the changes to interp.
-
-This changes the logic to require allocation for any changes to the
-bprm->interp. To avoid adding a new kmalloc to every exec, the default
-value is left as-is. Only when passing through binfmt_script or
-binfmt_misc does an allocation take place.
-
-For a proof of concept, see DoTest.sh from:
-http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
-
-Signed-off-by: Kees Cook
-Cc: halfdog
-Cc: P J P
-Cc: Alexander Viro
-Signed-off-by: Andrew Morton
----
- fs/binfmt_misc.c | 5 ++++-
- fs/binfmt_script.c | 4 +++-
- fs/exec.c | 15 +++++++++++++++
- include/linux/binfmts.h | 1 +
- 4 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
-index b0b70fb..b0c1755 100644
---- a/fs/binfmt_misc.c
-+++ b/fs/binfmt_misc.c
-@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux_binprm *bprm)
- goto _error;
- bprm->argc ++;
-
-- bprm->interp = iname; /* for binfmt_script */
-+ /* Update interp in case binfmt_script needs it. */
-+ retval = bprm_change_interp(iname, bprm);
-+ if (retval < 0)
-+ goto _error;
-
- interp_file = open_exec (iname);
- retval = PTR_ERR (interp_file);
-diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
-index 8c95499..4834f2c 100644
---- a/fs/binfmt_script.c
-+++ b/fs/binfmt_script.c
-@@ -82,7 +82,9 @@ static int load_script(struct linux_binprm *bprm)
- retval = copy_strings_kernel(1, &i_name, bprm);
- if (retval) return retval;
- bprm->argc++;
-- bprm->interp = interp;
-+ retval = bprm_change_interp(interp, bprm);
-+ if (retval < 0)
-+ return retval;
-
- /*
- * OK, now restart the process with the interpreter's dentry.
-diff --git a/fs/exec.c b/fs/exec.c
-index b71b08c..bf50973 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1175,9 +1175,24 @@ void free_bprm(struct linux_binprm *bprm)
- mutex_unlock(¤t->signal->cred_guard_mutex);
- abort_creds(bprm->cred);
- }
-+ /* If a binfmt changed the interp, free it. */
-+ if (bprm->interp != bprm->filename)
-+ kfree(bprm->interp);
- kfree(bprm);
- }
-
-+int bprm_change_interp(char *interp, struct linux_binprm *bprm)
-+{
-+ /* If a binfmt changed the interp, free it first. */
-+ if (bprm->interp != bprm->filename)
-+ kfree(bprm->interp);
-+ bprm->interp = kstrdup(interp, GFP_KERNEL);
-+ if (!bprm->interp)
-+ return -ENOMEM;
-+ return 0;
-+}
-+EXPORT_SYMBOL(bprm_change_interp);
-+
- /*
- * install the new credentials for this executable
- */
-diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
-index 2630c9b..7f0e297 100644
---- a/include/linux/binfmts.h
-+++ b/include/linux/binfmts.h
-@@ -114,6 +114,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
- unsigned long stack_top,
- int executable_stack);
- extern int bprm_mm_init(struct linux_binprm *bprm);
-+extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
- extern int copy_strings_kernel(int argc, const char *const *argv,
- struct linux_binprm *bprm);
- extern int prepare_bprm_creds(struct linux_binprm *bprm);
diff --git a/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch b/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
deleted file mode 100644
index 0f60973f9..000000000
--- a/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Kees Cook
-Date: Fri, 19 Oct 2012 18:45:53 -0700
-Subject: [2/2] use clamp_t in UNAME26 fix
-
-commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream.
-
-The min/max call needed to have explicit types on some architectures
-(e.g. mn10300). Use clamp_t instead to avoid the warning:
-
- kernel/sys.c: In function 'override_release':
- kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
-
-Reported-by: Fengguang Wu
-Signed-off-by: Kees Cook
-Signed-off-by: Linus Torvalds
----
- kernel/sys.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/sys.c b/kernel/sys.c
-index 01865c6..e6e0ece 100644
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
- rest++;
- }
- v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
-- copy = min(sizeof(buf), max_t(size_t, 1, len));
-+ copy = clamp_t(size_t, len, 1, sizeof(buf));
- copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
- ret = copy_to_user(release, buf, copy + 1);
- }
diff --git a/debian/patches/bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch b/debian/patches/bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
deleted file mode 100644
index 37eb140c3..000000000
--- a/debian/patches/bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Zhang Rui
-Date: Tue, 4 Dec 2012 23:30:19 +0100
-Subject: ACPI / video: ignore BIOS initial backlight value for HP Folio
- 13-2000
-
-commit 129ff8f8d58297b04f47b5d6fad81aa2d08404e1 upstream.
-
-Or else the laptop will boot with a dimmed screen.
-
-References: https://bugzilla.kernel.org/show_bug.cgi?id=51141
-Tested-by: Stefan Nagy
-Signed-off-by: Zhang Rui
-Signed-off-by: Rafael J. Wysocki
----
- drivers/acpi/video.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
-index 0230cb6..ac9a69c 100644
---- a/drivers/acpi/video.c
-+++ b/drivers/acpi/video.c
-@@ -389,6 +389,12 @@ static int __init video_set_bqc_offset(const struct dmi_system_id *d)
- return 0;
- }
-
-+static int video_ignore_initial_backlight(const struct dmi_system_id *d)
-+{
-+ use_bios_initial_backlight = 0;
-+ return 0;
-+}
-+
- static struct dmi_system_id video_dmi_table[] __initdata = {
- /*
- * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
-@@ -433,6 +439,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
- DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 7720"),
- },
- },
-+ {
-+ .callback = video_ignore_initial_backlight,
-+ .ident = "HP Folio 13-2000",
-+ .matches = {
-+ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Folio 13 - 2000 Notebook PC"),
-+ },
-+ },
- {}
- };
-
diff --git a/debian/patches/bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch b/debian/patches/bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
deleted file mode 100644
index b40317da5..000000000
--- a/debian/patches/bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 6d1068b3a98519247d8ba4ec85cd40ac136dbdf9 Mon Sep 17 00:00:00 2001
-From: Petr Matousek
-Date: Tue, 6 Nov 2012 19:24:07 +0100
-Subject: [PATCH] KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit
- set (CVE-2012-4461)
-
-On hosts without the XSAVE support unprivileged local user can trigger
-oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
-cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
-ioctl.
-
-invalid opcode: 0000 [#2] SMP
-Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
-...
-Pid: 24935, comm: zoog_kvm_monito Tainted: G D 3.2.0-3-686-pae
-EIP: 0060:[] EFLAGS: 00210246 CPU: 0
-EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
-EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
-ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
- DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
-Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
-task.ti=d7c62000)
-Stack:
- 00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
- ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
- c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
-Call Trace:
- [] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
-...
- [] ? syscall_call+0x7/0xb
-Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
-1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01
-d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
-EIP: [] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
-0068:d7c63e70
-
-QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
-and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
-out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
-X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
-X86_FEATURE_XSAVE even on hosts that do not support it, might be
-susceptible to this attack from inside the guest as well.
-
-Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.
-
-Signed-off-by: Petr Matousek
-Signed-off-by: Marcelo Tosatti
-[bwh: Backported to 3.2: both functions are in arch/x86/kvm/x86.c]
----
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -578,6 +578,9 @@ static bool guest_cpuid_has_xsave(struct
- {
- struct kvm_cpuid_entry2 *best;
-
-+ if (!static_cpu_has(X86_FEATURE_XSAVE))
-+ return 0;
-+
- best = kvm_find_cpuid_entry(vcpu, 1, 0);
- return best && (best->ecx & bit(X86_FEATURE_XSAVE));
- }
-@@ -6154,6 +6157,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
- int pending_vec, max_bits, idx;
- struct desc_ptr dt;
-
-+ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE))
-+ return -EINVAL;
-+
- dt.size = sregs->idt.limit;
- dt.address = sregs->idt.base;
- kvm_x86_ops->set_idt(vcpu, &dt);
diff --git a/debian/patches/series b/debian/patches/series
index e47e3745d..592ac8788 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -403,7 +403,6 @@ debian/perf-hide-abi-change-in-3.2.30.patch
 debian/iwlwifi-do-not-request-unreleased-firmware.patch
 debian/hid-avoid-ABI-change-in-3.2.31.patch
 debian/xfrm-avoid-ABI-change-in-3.2.31.patch
-bugfix/all/use-clamp_t-in-UNAME26-fix.patch
 debian/fs-writeback-avoid-ABI-change-in-3.2.32.patch
 bugfix/x86/asus-laptop-Do-not-call-HWRS-on-init.patch
 bugfix/x86/drm-i915-Only-kick-out-vesafb-if-we-takeover-the-fbc.patch
@@ -422,14 +421,11 @@ features/all/xen/microcode-typo.patch
 bugfix/all/firmware_class-log-every-success-and-failure.patch
 bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
-bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
-bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
 bugfix/all/usermodehelper-introduce-umh_complete.patch
 bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
 bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
 bugfix/all/kmod-introduce-call_modprobe-helper.patch
 bugfix/all/kmod-make-__request_module-killable.patch
-bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
 bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch
 bugfix/all/megaraid_sas-fix-memory-leak-if-SGL-has-zero-length-entries.patch
 debian/audit-increase-AUDIT_NAMES.patch