Add various security fixes
parent
cb5ce6ce3b
commit
a18f05bb5b
@ -30,6 +30,16 @@ linux (4.12.13-1) UNRELEASED; urgency=medium
* scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
* scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
* Add ABI reference for 4.12.0-2
* Add ABI reference for 4.12.0-2
[ Ben Hutchings ]
* nl80211: check for the required netlink attributes presence (CVE-2017-12153)
* [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
* video: fbdev: aty: do not leak uninitialized padding in clk to userspace
(CVE-2017-14156)
* scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
(CVE-2017-14489)
* packet: Don't write vnet header beyond end of buffer (CVE-2017-14497)
* [x86] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (CVE-2017-1000252)
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 14 Sep 2017 06:25:04 +0200
-- Salvatore Bonaccorso <carnil@debian.org> Thu, 14 Sep 2017 06:25:04 +0200
linux (4.12.12-2) unstable; urgency=medium
linux (4.12.12-2) unstable; urgency=medium
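--- a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+++ b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
@@ -0,0 +1,36 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Tue, 12 Sep 2017 22:21:21 +0000
+Subject: nl80211: check for the required netlink attributes presence
+Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Cc: <stable@vger.kernel.org> # v3.1-rc1
+Reported-by: bo Zhang <zhangbo5891001@gmail.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+---
+net/wireless/nl80211.c | 3 +++
+1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10873,6 +10873,9 @@ static int nl80211_set_rekey_data(struct
+if (err)
+return err;
+
++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++ !tb[NL80211_REKEY_DATA_KCK])
++ return -EINVAL;
+if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+return -ERANGE;
+if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)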
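--- a/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
+++ b/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
@@ -0,0 +1,68 @@
+From: Benjamin Poirier <bpoirier@suse.com>
+Date: Mon, 28 Aug 2017 14:29:41 -0400
+Subject: packet: Don't write vnet header beyond end of buffer
+Origin: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14497
+
+... which may happen with certain values of tp_reserve and maclen.
+
+Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
+Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
+Cc: Willem de Bruijn <willemb@google.com>
+Acked-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+net/packet/af_packet.c | 12 +++++++++---
+1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2192,6 +2192,7 @@ static int tpacket_rcv(struct sk_buff *s
+struct timespec ts;
+__u32 ts_status;
+bool is_drop_n_account = false;
++ bool do_vnet = false;
+
+/* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
+* We may add members to them until current aligned size without forcing
+@@ -2242,8 +2243,10 @@ static int tpacket_rcv(struct sk_buff *s
+netoff = TPACKET_ALIGN(po->tp_hdrlen +
+(maclen < 16 ? 16 : maclen)) +
+po->tp_reserve;
+- if (po->has_vnet_hdr)
++ if (po->has_vnet_hdr) {
+netoff += sizeof(struct virtio_net_hdr);
++ do_vnet = true;
++ }
+macoff = netoff - maclen;
+}
+if (po->tp_version <= TPACKET_V2) {
+@@ -2260,8 +2263,10 @@ static int tpacket_rcv(struct sk_buff *s
+skb_set_owner_r(copy_skb, sk);
+}
+snaplen = po->rx_ring.frame_size - macoff;
+- if ((int)snaplen < 0)
++ if ((int)snaplen < 0) {
+snaplen = 0;
++ do_vnet = false;
++ }
+}
+} else if (unlikely(macoff + snaplen >
+GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
+@@ -2274,6 +2279,7 @@ static int tpacket_rcv(struct sk_buff *s
+if (unlikely((int)snaplen < 0)) {
+snaplen = 0;
+macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
++ do_vnet = false;
+}
+}
+spin_lock(&sk->sk_receive_queue.lock);
+@@ -2299,7 +2305,7 @@ static int tpacket_rcv(struct sk_buff *s
+}
+spin_unlock(&sk->sk_receive_queue.lock);
+
+- if (po->has_vnet_hdr) {
++ if (do_vnet) {
+if (virtio_net_hdr_from_skb(skb, h.raw + macoff -
+sizeof(struct virtio_net_hdr),
+vio_le(), true)) {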
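--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
@@ -0,0 +1,55 @@
+From: Xin Long <lucien.xin@gmail.com>
+Date: Sun, 27 Aug 2017 20:25:26 +0800
+Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+Origin: https://patchwork.kernel.org/patch/9923803/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
+
+ChunYu found a kernel crash by syzkaller:
+
+[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
+[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
+[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
+[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
+[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
+[...]
+[ 651.627260] Call Trace:
+[ 651.629156] skb_release_all+0x4f/0x60
+[ 651.629450] consume_skb+0x1a5/0x600
+[ 651.630705] netlink_unicast+0x505/0x720
+[ 651.632345] netlink_sendmsg+0xab2/0xe70
+[ 651.633704] sock_sendmsg+0xcf/0x110
+[ 651.633942] ___sys_sendmsg+0x833/0x980
+[ 651.637117] __sys_sendmsg+0xf3/0x240
+[ 651.638820] SyS_sendmsg+0x32/0x50
+[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+It's caused by skb_shared_info at the end of sk_buff was overwritten by
+ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
+
+During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
+ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
+new value to skb_shinfo(SKB)->nr_frags by ev->type.
+
+This patch is to fix it by checking nlh->nlmsg_len properly there to
+avoid over accessing sk_buff.
+
+Reported-by: ChunYu Wang <chunwang@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Chris Leech <cleech@redhat.com>
+---
+drivers/scsi/scsi_transport_iscsi.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
+uint32_t group;
+
+nlh = nlmsg_hdr(skb);
+- if (nlh->nlmsg_len < sizeof(*nlh) ||
++ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+skb->len < nlh->nlmsg_len) {
+break;
+}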
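--- a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+++ b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
@@ -0,0 +1,30 @@
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
+userspace
+Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106 <sohu0106@126.com>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+---
+drivers/video/fbdev/aty/atyfb_base.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
+#if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+case ATYIO_CLKR:
+if (M64_HAS(INTEGRATED)) {
+- struct atyclk clk;
++ struct atyclk clk = { 0 };
+union aty_pll *pll = &par->pll;
+u32 dsp_config = pll->ct.dsp_config;
+u32 dsp_on_off = pll->ct.dsp_on_off;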
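--- a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+++ b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
@@ -0,0 +1,34 @@
+From: Jim Mattson <jmattson@google.com>
+Date: Tue, 12 Sep 2017 13:02:54 -0700
+Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
+Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
+
+If L1 does not specify the "use TPR shadow" VM-execution control in
+vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
+exiting" VM-execution controls in vmcs02. Failure to do so will give
+the L2 VM unrestricted read/write access to the hardware CR8.
+
+This fixes CVE-2017-12154.
+
+Signed-off-by: Jim Mattson <jmattson@google.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+arch/x86/kvm/vmx.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10103,6 +10103,11 @@ static int prepare_vmcs02(struct kvm_vcp
+if (exec_control & CPU_BASED_TPR_SHADOW) {
+vmcs_write64(VIRTUAL_APIC_PAGE_ADDR, -1ull);
+vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
++ } else {
++#ifdef CONFIG_X86_64
++ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
++ CPU_BASED_CR8_STORE_EXITING;
++#endif
+}
+
+/*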
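--- a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
+++ b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
@@ -0,0 +1,52 @@
+From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh@amazon.de>
+Date: Thu, 7 Sep 2017 19:02:30 +0100
+Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
+
+The value of the guest_irq argument to vmx_update_pi_irte() is
+ultimately coming from a KVM_IRQFD API call. Do not BUG() in
+vmx_update_pi_irte() if the value is out-of bounds. (Especially,
+since KVM as a whole seems to hang after that.)
+
+Instead, print a message only once if we find that we don't have a
+route for a certain IRQ (which can be out-of-bounds or within the
+array).
+
+This fixes CVE-2017-1000252.
+
+Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
+Signed-off-by: Jan H. Schönherr <jschoenh@amazon.de>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+arch/x86/kvm/vmx.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11377,7 +11377,7 @@ static int vmx_update_pi_irte(struct kvm
+struct kvm_lapic_irq irq;
+struct kvm_vcpu *vcpu;
+struct vcpu_data vcpu_info;
+- int idx, ret = -EINVAL;
++ int idx, ret = 0;
+
+if (!kvm_arch_has_assigned_device(kvm) ||
+!irq_remapping_cap(IRQ_POSTING_CAP) ||
+@@ -11386,7 +11386,12 @@ static int vmx_update_pi_irte(struct kvm
+
+idx = srcu_read_lock(&kvm->irq_srcu);
+irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
+- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
++ if (guest_irq >= irq_rt->nr_rt_entries ||
++ hlist_empty(&irq_rt->map[guest_irq])) {
++ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
++ guest_irq, irq_rt->nr_rt_entries);
++ goto out;
++ }
+
+hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
+if (e->type != KVM_IRQ_ROUTING_MSI)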
@ -122,6 +122,12 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch
bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
# Fix exported symbol versions
# Fix exported symbol versions
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch
bugfix/alpha/alpha-restore-symbol-versions-for-symbols-exported-f.patch