From 9a1fdd226024ff8d122e1294d9c5c64e3f612f4f Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 20 Mar 2013 23:44:51 +0000
Subject: [PATCH] Update to 3.8.4

svn path=/dists/trunk/linux/; revision=19922
---
 debian/changelog | 8 ++
 ...error-handling-in-snd_seq_timer_open.patch | 74 ---------------
 .../all/bridge-fix-mdb-info-leaks.patch | 59 ------------
 ...dcbnl-fix-various-netlink-info-leaks.patch | 95 -------------------
 .../all/ext3-fix-format-string-issues.patch | 48 ----------
 ...ameter-size-for-sctp_get_assoc_stats.patch | 52 ----------
 ...-size-allocated-by-rds_message_alloc.patch | 71 --------------
 ...n-rtm_getlink-request-for-vf-devices.patch | 33 -------
 ...l-always-clear-sa_restorer-on-execve.patch | 69 --------------
 .../all/usb-cdc-wdm-fix-buffer-overflow.patch | 87 -----------------
 debian/patches/series | 9 --
 11 files changed, 8 insertions(+), 597 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
 delete mode 100644 debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch
 delete mode 100644 debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
 delete mode 100644 debian/patches/bugfix/all/ext3-fix-format-string-issues.patch
 delete mode 100644 debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
 delete mode 100644 debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
 delete mode 100644 debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
 delete mode 100644 debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
 delete mode 100644 debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch

diff --git a/debian/changelog b/debian/changelog
index b9e697735..d583b1205 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+linux (3.8.4-1~experimental.1) UNRELEASED; urgency=low
+
+ * New upstream stable update:
+ http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.8.4
+ - atl1c: restore buffer state (Closes: #701189)
+
+ -- Ben Hutchings Wed, 20 Mar 2013 23:32:20 +0000
+
 linux (3.8.3-1~experimental.1) experimental; urgency=high
 
 * New upstream stable update:
diff --git a/debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch b/debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
deleted file mode 100644
index b33585d89..000000000
--- a/debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 66efdc71d95887b652a742a5dae51fa834d71465 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai
-Date: Fri, 8 Mar 2013 18:11:17 +0100
-Subject: ALSA: seq: Fix missing error handling in snd_seq_timer_open()
-
-From: Takashi Iwai
-
-commit 66efdc71d95887b652a742a5dae51fa834d71465 upstream.
-
-snd_seq_timer_open() didn't catch the whole error path but let through
-if the timer id is a slave. This may lead to Oops by accessing the
-uninitialized pointer.
-
- BUG: unable to handle kernel NULL pointer dereference at 00000000000002ae
- IP: [] snd_seq_timer_open+0xe7/0x130
- PGD 785cd067 PUD 76964067 PMD 0
- Oops: 0002 [#4] SMP
- CPU 0
- Pid: 4288, comm: trinity-child7 Tainted: G D W 3.9.0-rc1+ #100 Bochs Bochs
- RIP: 0010:[] [] snd_seq_timer_open+0xe7/0x130
- RSP: 0018:ffff88006ece7d38 EFLAGS: 00010246
- RAX: 0000000000000286 RBX: ffff88007851b400 RCX: 0000000000000000
- RDX: 000000000000ffff RSI: ffff88006ece7d58 RDI: ffff88006ece7d38
- RBP: ffff88006ece7d98 R08: 000000000000000a R09: 000000000000fffe
- R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
- R13: ffff8800792c5400 R14: 0000000000e8f000 R15: 0000000000000007
- FS: 00007f7aaa650700(0000) GS:ffff88007f800000(0000) GS:0000000000000000
- CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
- CR2: 00000000000002ae CR3: 000000006efec000 CR4: 00000000000006f0
- DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
- DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
- Process trinity-child7 (pid: 4288, threadinfo ffff88006ece6000, task ffff880076a8a290)
- Stack:
- 0000000000000286 ffffffff828f2be0 ffff88006ece7d58 ffffffff810f354d
- 65636e6575716573 2065756575712072 ffff8800792c0030 0000000000000000
- ffff88006ece7d98 ffff8800792c5400 ffff88007851b400 ffff8800792c5520
- Call Trace:
- [] ? trace_hardirqs_on+0xd/0x10
- [] snd_seq_queue_timer_open+0x29/0x70
- [] snd_seq_ioctl_set_queue_timer+0xda/0x120
- [] snd_seq_do_ioctl+0x9b/0xd0
- [] snd_seq_ioctl+0x10/0x20
- [] do_vfs_ioctl+0x522/0x570
- [] ? file_has_perm+0x83/0xa0
- [] ? trace_hardirqs_on+0xd/0x10
- [] sys_ioctl+0x5d/0xa0
- [] ? trace_hardirqs_on_thunk+0x3a/0x3f
- [] system_call_fastpath+0x16/0x1b
-
-Reported-and-tested-by: Tommi Rantala
-Signed-off-by: Takashi Iwai
-Signed-off-by: Greg Kroah-Hartman
-
----
- sound/core/seq/seq_timer.c | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
---- a/sound/core/seq/seq_timer.c
-+++ b/sound/core/seq/seq_timer.c
-@@ -290,10 +290,10 @@ int snd_seq_timer_open(struct snd_seq_qu
- tid.device = SNDRV_TIMER_GLOBAL_SYSTEM;
- err = snd_timer_open(&t, str, &tid, q->queue);
- }
-- if (err < 0) {
-- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
-- return err;
-- }
-+ }
-+ if (err < 0) {
-+ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
-+ return err;
- }
- t->callback = snd_seq_timer_interrupt;
- t->callback_data = q;
diff --git a/debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch b/debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch
deleted file mode 100644
index cfb076af3..000000000
--- a/debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 9e989b12e61b81f93750f9eb5fb5aa147afb7cd9 Mon Sep 17 00:00:00 2001
-From: Mathias Krause
-Date: Sat, 9 Mar 2013 05:52:19 +0000
-Subject: bridge: fix mdb info leaks
-
-
-From: Mathias Krause
-
-[ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ]
-
-The bridging code discloses heap and stack bytes via the RTM_GETMDB
-netlink interface and via the notify messages send to group RTNLGRP_MDB
-afer a successful add/del.
-
-Fix both cases by initializing all unset members/padding bytes with
-memset(0).
-
-Cc: Stephen Hemminger
-Signed-off-by: Mathias Krause
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/bridge/br_mdb.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/net/bridge/br_mdb.c
-+++ b/net/bridge/br_mdb.c
-@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_bu
- port = p->port;
- if (port) {
- struct br_mdb_entry e;
-+ memset(&e, 0, sizeof(e));
- e.ifindex = port->dev->ifindex;
- e.state = p->state;
- if (p->addr.proto == htons(ETH_P_IP))
-@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *s
- break;
-
- bpm = nlmsg_data(nlh);
-+ memset(bpm, 0, sizeof(*bpm));
- bpm->ifindex = dev->ifindex;
- if (br_mdb_fill_info(skb, cb, dev) < 0)
- goto out;
-@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struc
- return -EMSGSIZE;
-
- bpm = nlmsg_data(nlh);
-+ memset(bpm, 0, sizeof(*bpm));
- bpm->family = AF_BRIDGE;
- bpm->ifindex = dev->ifindex;
- nest = nla_nest_start(skb, MDBA_MDB);
-@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *de
- {
- struct br_mdb_entry entry;
-
-+ memset(&entry, 0, sizeof(entry));
- entry.ifindex = port->dev->ifindex;
- entry.addr.proto = group->proto;
- entry.addr.u.ip4 = group->u.ip4;
diff --git a/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch b/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
deleted file mode 100644
index ac1d43475..000000000
--- a/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From d6f60f50fead5fb769f447c20aa5b80a1fd627f3 Mon Sep 17 00:00:00 2001
-From: Mathias Krause
-Date: Sat, 9 Mar 2013 05:52:21 +0000
-Subject: dcbnl: fix various netlink info leaks
-
-
-From: Mathias Krause
-
-[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
-
-The dcb netlink interface leaks stack memory in various places:
-* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
- copied completely,
-* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
- so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
- for ieee_pfc structs, etc.,
-* the same is true for CEE -- no in-kernel driver fills the whole
- struct,
-
-Prevent all of the above stack info leaks by properly initializing the
-buffers/structures involved.
-
-Signed-off-by: Mathias Krause
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/dcb/dcbnl.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
---- a/net/dcb/dcbnl.c
-+++ b/net/dcb/dcbnl.c
-@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct n
- if (!netdev->dcbnl_ops->getpermhwaddr)
- return -EOPNOTSUPP;
-
-+ memset(perm_addr, 0, sizeof(perm_addr));
- netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
-
- return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
-@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buf
-
- if (ops->ieee_getets) {
- struct ieee_ets ets;
-+ memset(&ets, 0, sizeof(ets));
- err = ops->ieee_getets(netdev, &ets);
- if (!err &&
- nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
-@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buf
-
- if (ops->ieee_getmaxrate) {
- struct ieee_maxrate maxrate;
-+ memset(&maxrate, 0, sizeof(maxrate));
- err = ops->ieee_getmaxrate(netdev, &maxrate);
- if (!err) {
- err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
-@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buf
-
- if (ops->ieee_getpfc) {
- struct ieee_pfc pfc;
-+ memset(&pfc, 0, sizeof(pfc));
- err = ops->ieee_getpfc(netdev, &pfc);
- if (!err &&
- nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
-@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buf
- /* get peer info if available */
- if (ops->ieee_peer_getets) {
- struct ieee_ets ets;
-+ memset(&ets, 0, sizeof(ets));
- err = ops->ieee_peer_getets(netdev, &ets);
- if (!err &&
- nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
-@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buf
-
- if (ops->ieee_peer_getpfc) {
- struct ieee_pfc pfc;
-+ memset(&pfc, 0, sizeof(pfc));
- err = ops->ieee_peer_getpfc(netdev, &pfc);
- if (!err &&
- nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
-@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff
- /* peer info if available */
- if (ops->cee_peer_getpg) {
- struct cee_pg pg;
-+ memset(&pg, 0, sizeof(pg));
- err = ops->cee_peer_getpg(netdev, &pg);
- if (!err &&
- nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
-@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff
-
- if (ops->cee_peer_getpfc) {
- struct cee_pfc pfc;
-+ memset(&pfc, 0, sizeof(pfc));
- err = ops->cee_peer_getpfc(netdev, &pfc);
- if (!err &&
- nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
diff --git a/debian/patches/bugfix/all/ext3-fix-format-string-issues.patch b/debian/patches/bugfix/all/ext3-fix-format-string-issues.patch
deleted file mode 100644
index aca0700f6..000000000
--- a/debian/patches/bugfix/all/ext3-fix-format-string-issues.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 8d0c2d10dd72c5292eda7a06231056a4c972e4cc Mon Sep 17 00:00:00 2001
-From: Lars-Peter Clausen
-Date: Sat, 9 Mar 2013 15:28:44 +0100
-Subject: ext3: Fix format string issues
-
-From: Lars-Peter Clausen
-
-commit 8d0c2d10dd72c5292eda7a06231056a4c972e4cc upstream.
-
-ext3_msg() takes the printk prefix as the second parameter and the
-format string as the third parameter. Two callers of ext3_msg omit the
-prefix and pass the format string as the second parameter and the first
-parameter to the format string as the third parameter. In both cases
-this string comes from an arbitrary source. Which means the string may
-contain format string characters, which will
-lead to undefined and potentially harmful behavior.
-
-The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages
-in ext3") and is fixed by this patch.
-
-Signed-off-by: Lars-Peter Clausen
-Signed-off-by: Jan Kara
-Signed-off-by: Greg Kroah-Hartman
-
----
- fs/ext3/super.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/fs/ext3/super.c
-+++ b/fs/ext3/super.c
-@@ -353,7 +353,7 @@ static struct block_device *ext3_blkdev_
- return bdev;
-
- fail:
-- ext3_msg(sb, "error: failed to open journal device %s: %ld",
-+ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld",
- __bdevname(dev, b), PTR_ERR(bdev));
-
- return NULL;
-@@ -887,7 +887,7 @@ static ext3_fsblk_t get_sb_block(void **
- /*todo: use simple_strtoll with >32bit ext3 */
- sb_block = simple_strtoul(options, &options, 0);
- if (*options && *options != ',') {
-- ext3_msg(sb, "error: invalid sb specification: %s",
-+ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s",
- (char *) *data);
- return 1;
- }
diff --git a/debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch b/debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
deleted file mode 100644
index 017503bbb..000000000
--- a/debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From e5f9811e44fcf067a0dbb8abf55bbad454a1688a Mon Sep 17 00:00:00 2001
-From: Guenter Roeck
-Date: Wed, 27 Feb 2013 10:57:31 +0000
-Subject: net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
-
-
-From: Guenter Roeck
-
-commit 726bc6b092da4c093eb74d13c07184b18c1af0f1 upstream.
-
-Building sctp may fail with:
-
-In function ‘copy_from_user’,
- inlined from ‘sctp_getsockopt_assoc_stats’ at
- net/sctp/socket.c:5656:20:
-arch/x86/include/asm/uaccess_32.h:211:26: error: call to
- ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
- buffer size is not provably correct
-
-if built with W=1 due to a missing parameter size validation
-before the call to copy_from_user.
-
-Signed-off-by: Guenter Roeck
-Acked-by: Vlad Yasevich
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/sctp/socket.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/net/sctp/socket.c
-+++ b/net/sctp/socket.c
-@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(s
- if (len < sizeof(sctp_assoc_t))
- return -EINVAL;
-
-+ /* Allow the struct to grow and fill in as much as possible */
-+ len = min_t(size_t, len, sizeof(sas));
-+
- if (copy_from_user(&sas, optval, len))
- return -EFAULT;
-
-@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(s
- /* Mark beginning of a new observation period */
- asoc->stats.max_obs_rto = asoc->rto_min;
-
-- /* Allow the struct to grow and fill in as much as possible */
-- len = min_t(size_t, len, sizeof(sas));
--
- if (put_user(len, optlen))
- return -EFAULT;
-
diff --git a/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch b/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
deleted file mode 100644
index 106cfc220..000000000
--- a/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 55c315e31dac6ebe4b66c630d2127cab52b02cc3 Mon Sep 17 00:00:00 2001
-From: Cong Wang
-Date: Sun, 3 Mar 2013 16:18:11 +0000
-Subject: rds: limit the size allocated by rds_message_alloc()
-
-
-From: Cong Wang
-
-[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
-
-Dave Jones reported the following bug:
-
-"When fed mangled socket data, rds will trust what userspace gives it,
-and tries to allocate enormous amounts of memory larger than what
-kmalloc can satisfy."
-
-WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
-Hardware name: GA-MA78GM-S2H
-Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
-Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
-Call Trace:
- [] warn_slowpath_common+0x75/0xa0
- [] warn_slowpath_null+0x1a/0x20
- [] __alloc_pages_nodemask+0xa0d/0xbe0
- [] ? native_sched_clock+0x26/0x90
- [] ? trace_hardirqs_off_caller+0x28/0xc0
- [] ? trace_hardirqs_off+0xd/0x10
- [] alloc_pages_current+0xb8/0x180
- [] __get_free_pages+0x2a/0x80
- [] kmalloc_order_trace+0x3e/0x1a0
- [] __kmalloc+0x2f5/0x3a0
- [] ? local_bh_enable_ip+0x7c/0xf0
- [] rds_message_alloc+0x23/0xb0 [rds]
- [] rds_sendmsg+0x2b1/0x990 [rds]
- [] ? trace_hardirqs_off+0xd/0x10
- [] sock_sendmsg+0xb0/0xe0
- [] ? get_lock_stats+0x22/0x70
- [] ? put_lock_stats.isra.23+0xe/0x40
- [] sys_sendto+0x130/0x180
- [] ? trace_hardirqs_on+0xd/0x10
- [] ? _raw_spin_unlock_irq+0x3b/0x60
- [] ? sysret_check+0x1b/0x56
- [] ? trace_hardirqs_on_caller+0x115/0x1a0
- [] ? trace_hardirqs_on_thunk+0x3a/0x3f
- [] system_call_fastpath+0x16/0x1b
----[ end trace eed6ae990d018c8b ]---
-
-Reported-by: Dave Jones
-Cc: Dave Jones
-Cc: David S. Miller
-Cc: Venkat Venkatsubra
-Signed-off-by: Cong Wang
-Acked-by: Venkat Venkatsubra
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/rds/message.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/rds/message.c
-+++ b/net/rds/message.c
-@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
- {
- struct rds_message *rm;
-
-+ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
-+ return NULL;
-+
- rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
- if (!rm)
- goto out;
diff --git a/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch b/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
deleted file mode 100644
index 7399ad412..000000000
--- a/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 322aa953dd5565d1029a18d5bda0bd25a0dbb4bb Mon Sep 17 00:00:00 2001
-From: Mathias Krause
-Date: Sat, 9 Mar 2013 05:52:20 +0000
-Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
-
-
-From: Mathias Krause
-
-[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
-
-Initialize the mac address buffer with 0 as the driver specific function
-will probably not fill the whole buffer. In fact, all in-kernel drivers
-fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
-bytes. Therefore we currently leak 26 bytes of stack memory to userland
-via the netlink interface.
-
-Signed-off-by: Mathias Krause
-Signed-off-by: David S. Miller
-Signed-off-by: Greg Kroah-Hartman
----
- net/core/rtnetlink.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/net/core/rtnetlink.c
-+++ b/net/core/rtnetlink.c
-@@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
- * report anything.
- */
- ivi.spoofchk = -1;
-+ memset(ivi.mac, 0, sizeof(ivi.mac));
- if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
- break;
- vf_mac.vf =
diff --git a/debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch b/debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
deleted file mode 100644
index fe57d94de..000000000
--- a/debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 2ca39528c01a933f6689cd6505ce65bd6d68a530 Mon Sep 17 00:00:00 2001
-From: Kees Cook
-Date: Wed, 13 Mar 2013 14:59:33 -0700
-Subject: signal: always clear sa_restorer on execve
-
-From: Kees Cook
-
-commit 2ca39528c01a933f6689cd6505ce65bd6d68a530 upstream.
-
-When the new signal handlers are set up, the location of sa_restorer is
-not cleared, leaking a parent process's address space location to
-children. This allows for a potential bypass of the parent's ASLR by
-examining the sa_restorer value returned when calling sigaction().
-
-Based on what should be considered "secret" about addresses, it only
-matters across the exec not the fork (since the VMAs haven't changed
-until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
-this is where it should be fixed.
-
-Given the few uses of sa_restorer, a "set" function was not written
-since this would be the only use. Instead, we use
-__ARCH_HAS_SA_RESTORER, as already done in other places.
-
-Example of the leak before applying this patch:
-
- $ cat /proc/$$/maps
- ...
- 7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
- ...
- $ ./leak
- ...
- 7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
- ...
- 1 0 (nil) 0x7fb9f30b94a0
- 2 4000000 (nil) 0x7f278bcaa4a0
- 3 4000000 (nil) 0x7f278bcaa4a0
- 4 0 (nil) 0x7fb9f30b94a0
- ...
-
-[akpm@linux-foundation.org: use SA_RESTORER for backportability]
-Signed-off-by: Kees Cook
-Reported-by: Emese Revfy
-Cc: Emese Revfy
-Cc: PaX Team
-Cc: Al Viro
-Cc: Oleg Nesterov
-Cc: "Eric W. Biederman"
-Cc: Serge Hallyn
-Cc: Julien Tinnes
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
----
- kernel/signal.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/kernel/signal.c
-+++ b/kernel/signal.c
-@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct
- if (force_default || ka->sa.sa_handler != SIG_IGN)
- ka->sa.sa_handler = SIG_DFL;
- ka->sa.sa_flags = 0;
-+#ifdef SA_RESTORER
-+ ka->sa.sa_restorer = NULL;
-+#endif
- sigemptyset(&ka->sa.sa_mask);
- ka++;
- }
diff --git a/debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch b/debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
deleted file mode 100644
index e358b84fc..000000000
--- a/debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From c0f5ecee4e741667b2493c742b60b6218d40b3aa Mon Sep 17 00:00:00 2001
-From: Oliver Neukum
-Date: Tue, 12 Mar 2013 14:52:42 +0100
-Subject: USB: cdc-wdm: fix buffer overflow
-
-From: Oliver Neukum
-
-commit c0f5ecee4e741667b2493c742b60b6218d40b3aa upstream.
-
-The buffer for responses must not overflow.
-If this would happen, set a flag, drop the data and return
-an error after user space has read all remaining data.
-
-Signed-off-by: Oliver Neukum
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
- 1 file changed, 20 insertions(+), 3 deletions(-)
-
---- a/drivers/usb/class/cdc-wdm.c
-+++ b/drivers/usb/class/cdc-wdm.c
-@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
- #define WDM_RESPONDING 7
- #define WDM_SUSPENDING 8
- #define WDM_RESETTING 9
-+#define WDM_OVERFLOW 10
-
- #define WDM_MAX 16
-
-@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *
- {
- struct wdm_device *desc = urb->context;
- int status = urb->status;
-+ int length = urb->actual_length;
-
- spin_lock(&desc->iuspin);
- clear_bit(WDM_RESPONDING, &desc->flags);
-@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *
- }
-
- desc->rerr = status;
-- desc->reslength = urb->actual_length;
-- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
-- desc->length += desc->reslength;
-+ if (length + desc->length > desc->wMaxCommand) {
-+ /* The buffer would overflow */
-+ set_bit(WDM_OVERFLOW, &desc->flags);
-+ } else {
-+ /* we may already be in overflow */
-+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
-+ memmove(desc->ubuf + desc->length, desc->inbuf, length);
-+ desc->length += length;
-+ desc->reslength = length;
-+ }
-+ }
- skip_error:
- wake_up(&desc->wait);
-
-@@ -435,6 +445,11 @@ retry:
- rv = -ENODEV;
- goto err;
- }
-+ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
-+ clear_bit(WDM_OVERFLOW, &desc->flags);
-+ rv = -ENOBUFS;
-+ goto err;
-+ }
- i++;
- if (file->f_flags & O_NONBLOCK) {
- if (!test_bit(WDM_READ, &desc->flags)) {
-@@ -478,6 +493,7 @@ retry:
- spin_unlock_irq(&desc->iuspin);
- goto retry;
- }
-+
- if (!desc->reslength) { /* zero length read */
- dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
- clear_bit(WDM_READ, &desc->flags);
-@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_int
- struct wdm_device *desc = wdm_find_device(intf);
- int rv;
-
-+ clear_bit(WDM_OVERFLOW, &desc->flags);
- clear_bit(WDM_RESETTING, &desc->flags);
- rv = recover_from_urb_loss(desc);
- mutex_unlock(&desc->wlock);
diff --git a/debian/patches/series b/debian/patches/series
index 559352d1f..15d31aff5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -77,12 +77,3 @@ bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch
 bugfix/all/mm-Try-harder-to-allocate-vmemmap-blocks.patch
 features/all/alx/alx-update-for-3.8.patch
 bugfix/mips/mips-add-dependencies-for-have_arch_transparent_hugepage.patch
-bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
-bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
-bugfix/all/ext3-fix-format-string-issues.patch
-bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
-bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
-bugfix/all/bridge-fix-mdb-info-leaks.patch
-bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
-bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
-bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch