Release linux (4.2.6-1).

-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIVAwUAVkIVT+e/yOyVhhEJAQo9JxAAzMhh283CLxwNC9+oJKEpfD/ve+WLEcKI
 7TiyttUesYegG0/5JAPU//S8LyHOXeu+6vqEO0NzReCTGdQi4oXZTpUQA9KNzCTF
 TLsdFBa6z5mRYcRHeGVYjmhKr8MTVRumXv/3WTVSwp71t1W7dce4qTboMsFr/kmk
 c6rGv5GNTtpHpyjevIrLAkBq83rwdbPz6dtNnBAna38awY61a7snFPr81WUvNu3I
 uVD5Dcm+efAzL/tPSxwdZRhQ7Qi5SnqUgP/c/3keDYeCLgj87FxdXK4vlJvkgmQs
 VGX/D9VyCQvFbtWmEtAdOJHqu2LuYd0ZljFvx3Fo59KHDm6GV60jsHaGYjc8a6o1
 F7r6vaRGMLDtZhjFeYwVgJYCcHmQ8RO0fuKe4hslaiItg1rKLV738SrVRzl/oTq+
 l/HwdWxyeEbqMi1rc8bzwnFaet2Av+eArEfsla4uul1ZgNwkGbV/qZjDW/lIHcLS
 7cIYdiiv719AVU9rRR1JZR+92k4MsDaqerKNUl72yHr6F8YMY0T10GY5ddlyzAjD
 gbOkqcAIxlwVdxzXjzVUdA6T2R7edEbGnVtSaqKdFJUgRuGMqqGlcQ5xsK3CN4LC
 YlbHa2y90BpOro6E6d4Tt4dLBvq49PQ2QJio8JJNtIrpAEjN41xIXUD1AOsLvC56
 S737q+9MAIg=
 =Bxdo
 -----END PGP SIGNATURE-----

Merge tag 'debian/4.2.6-1'

Refresh some patches.
Ben Hutchings 2015-11-10 16:12:32 +00:00
commit b531af6929
7 changed files with 298 additions and 0 deletions

debian/changelog

@ -71,6 +71,96 @@ linux (4.3~rc3-1~exp1) experimental; urgency=medium
-- Ben Hutchings <ben@decadent.org.uk> Sun, 27 Sep 2015 21:02:54 +0100
linux (4.2.6-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.6
- mmc: core: Fix init_card in 52Mhz (regression in 4.2)
- rtlwifi: rtl8821ae: Fix system lockups on boot (regression in 4.2)
- iwlwifi: mvm: init card correctly on ctkill exit check
(regression in 3.18)
- iwlwifi: mvm: flush fw_dump_wk when mvm fails to start
(regression in 3.18)
- [x86] iommu/vt-d: fix range computation when making room for large pages
- [x86] iommu/amd: Fix BUG when faulting a PROT_NONE VMA
- [x86] iommu/amd: Don't clear DTE flags when modifying it
- drm: fix mutex leak in drm_dp_get_mst_branch_device
- drm: Correct arguments to list_tail_add in create blob ioctl
- drm: crtc: integer overflow in drm_property_create_blob()
- rtl28xxu: fix control message flaws (regression in 4.0)
- ALSA: hda - Fix deadlock at error in building PCM
- [x86] ioapic: Prevent NULL pointer dereference in setup_ioapic_dest()
(regression in 4.2.4)
- mm: make sendfile(2) killable
- drm/radeon/dpm: don't add pwm attributes if DPM is disabled
(regression in 4.0)
- [x86] drm/i915: Restore lost DPLL register write on gen2-4
(regression in 3.18)
- [x86] drm/i915: Deny wrapping an userptr into a framebuffer
- drm/radeon: don't try to recreate sysfs entries on resume
(regression in 4.2.5)
- drm/radeon: fix dpms when driver backlight control is disabled
(regression in 4.2.4)
- drm/radeon: move bl encoder assignment into bl init
- rbd: require stable pages if message data CRCs are enabled
- rbd: don't leak parent_spec in rbd_dev_probe_parent()
- rbd: prevent kernel stack blow up on rbd map
- [armhf] EXYNOS: Fix double of_node_put() when parsing child power domains
(regression in 4.2)
- [armhf] dts: Fix audio card detection on Peach boards (regression in 4.1)
- [arm64] Revert "ARM64: unwind: Fix PC calculation"
- block: don't release bdi while request_queue has live references
(regression in 4.2)
- dm btree remove: fix a bug when rebalancing nodes after removal
- dm cache: the CLEAN_SHUTDOWN flag was not being set
- dm btree: fix leak of bufio-backed block in btree_split_beneath error path
- Revert "serial: 8250_dma: don't bother DMA with small transfers"
(regression in 4.0)
- [armel] i2c: mv64xxx: really allow I2C offloading (regression in 3.19)
- clkdev: fix clk_add_alias() with a NULL alias device name
(regression in 4.2)
- fbcon: initialize blink interval before calling fb_set_par
(regression in 4.2)
- PCI: Prevent out of bounds access in numa_node override
- ovl: free stack of paths in ovl_fill_super (regression in 4.0)
- ovl: free lower_mnt array in ovl_put_super (regression in 4.0)
- ovl: fix dentry reference leak
- ovl: fix open in stacked overlay (regression in 4.2)
- [x86] Input: alps - only the Dell Latitude D420/430/620/630 have separate
stick button bits (regression in 4.1)
- crypto: api - Only abort operations on fatal signal
- md/raid1: submit_bio_wait() returns 0 on success (regression in 3.10)
- md/raid10: submit_bio_wait() returns 0 on success (regression in 3.10)
- md/raid5: fix locking in handle_stripe_clean_event() (regression in 3.13)
- Revert "md: allow a partially recovered device to be hot-added to an
array." (regression in 3.14)
- [amd64] EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs()
(regression in 4.2)
- mvsas: Fix NULL pointer dereference in mvs_slot_task_free
- netfilter: ipset: Fix sleeping memory allocation in atomic context
(regression in 4.2)
- btrfs: fix possible leak in btrfs_ioctl_balance() (regression in 4.2.5)
- kvm: irqchip: fix memory leak (regression in 4.2)
- [armhf] thermal: exynos: Fix register read in TMU (regression in 4.2)
- blk-mq: fix use-after-free in blk_mq_free_tag_set() (regression in 4.2)
- IB/cm: Fix rb-tree duplicate free and use-after-free
- sched/deadline: Fix migration of SCHED_DEADLINE tasks (regression in 4.2)
- [arm64] compat: fix stxr failure case in SWP emulation
- NVMe: Fix memory leak on retried commands
- [x86] drm/vmwgfx: Fix up user_dmabuf refcounting
- thp: use is_zero_pfn() only after pte_present() check (regression in 4.1)
- xen: fix backport of previous kexec patch
[ Ben Hutchings ]
* usbvision: fix overflow of interfaces array (CVE-2015-7833)
* RDS: fix race condition when sending a message on unbound socket
(CVE-2015-7990)
* media/vivid-osd: fix info leak in ioctl (CVE-2015-7884)
* [x86] KVM: Intercept #AC to avoid guest->host denial-of-service
(CVE-2015-5307)
-- Ben Hutchings <ben@decadent.org.uk> Tue, 10 Nov 2015 14:35:05 +0000
linux (4.2.5-1) unstable; urgency=medium
* New upstream stable update:
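Review bot: the RDS entry cites only CVE-2015-7990, while the patch it refers to describes itself as completing the earlier incomplete fix for CVE-2015-6937 (commit 74e98eb08588); naming both CVEs in the changelog would make the cross-reference unambiguous for anyone tracking which kernels carry the complete fix. Likewise the "[x86] KVM: Intercept #AC" line covers two patches, one for VMX and one for SVM (see the series file), so saying that both Intel and AMD hosts are covered would save readers a trip into the patch directory.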


@ -0,0 +1,31 @@
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
Date: Wed, 7 Oct 2015 07:09:26 -0300
Subject: [media] media/vivid-osd: fix info leak in ioctl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c
The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
struct fb_vblank after the ->hcount member. Add an explicit
memset(0) before filling the structure to avoid the info leak.
Signed-off-by: Salva Peiró <speirofr@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
---
drivers/media/platform/vivid/vivid-osd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
index 084d346..e15eef6 100644
--- a/drivers/media/platform/vivid/vivid-osd.c
+++ b/drivers/media/platform/vivid/vivid-osd.c
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
case FBIOGET_VBLANK: {
struct fb_vblank vblank;
+ memset(&vblank, 0, sizeof(vblank));
vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
FB_VBLANK_HAVE_VSYNC;
vblank.count = 0;
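Review bot: memset() is the right tool here rather than a `= { 0 }` initializer, because the structure is later copied to user space in full (per the description above) and only a full-width memset is guaranteed to clear every byte the copy reaches, the reserved members and any padding alike. The placement directly after the declaration is also right: every later assignment (`vblank.flags = ...`, `vblank.count = 0`) then overwrites zeroed bytes, so nothing from a previous stack frame can survive into the copy.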

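The leak described in the patch above, modelled in user space as an added example (this is not the Debian patch or the upstream fix). The kernel stack slot is a local struct pre-filled with a constructed 0xAA pattern standing in for whatever an earlier call left there, copy_to_user() is a memcpy(), and the two fill routines mirror the FBIOGET_VBLANK case before and after the memset() in the hunk. The struct layout and the FB_VBLANK_* values are reproduced from include/uapi/linux/fb.h; the function names are local to this example.

```c
/*
 * Added example, not the Debian patch or the upstream fix: a user-space model
 * of the FBIOGET_VBLANK info leak. A "stack slot" that still holds stale
 * bytes is filled the pre-fix way and the post-fix way, then copied out the
 * way copy_to_user() would copy it, and the stale bytes that reach the user
 * copy are counted.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values as in include/uapi/linux/fb.h */
#define FB_VBLANK_HAVE_COUNT  0x010
#define FB_VBLANK_HAVE_VCOUNT 0x020
#define FB_VBLANK_HAVE_VSYNC  0x100

/* Layout as in include/uapi/linux/fb.h */
struct fb_vblank {
    uint32_t flags;
    uint32_t count;
    uint32_t vcount;
    uint32_t hcount;
    uint32_t reserved[4];   /* the 16 bytes the original code never wrote */
};

#define STALE_BYTE 0xAA     /* constructed marker for leftover stack data */

/* Before the fix: assign the members the driver cares about, nothing else. */
void vblank_fill_leaky(struct fb_vblank *v)
{
    v->flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT | FB_VBLANK_HAVE_VSYNC;
    v->count = 0;
    v->vcount = 0;
    v->hcount = 0;
    /* v->reserved[] is left as whatever the stack held */
}

/* After the fix: zero the whole object first, then do the same assignments. */
void vblank_fill_fixed(struct fb_vblank *v)
{
    memset(v, 0, sizeof *v);
    vblank_fill_leaky(v);
}

/*
 * Model of the ioctl: reuse a stack slot that still holds stale bytes, fill
 * it with the given routine, copy it out as copy_to_user(arg, &vblank,
 * sizeof(vblank)) would, and return how many stale bytes reached the copy.
 */
size_t stale_bytes_copied_out(void (*fill)(struct fb_vblank *))
{
    struct fb_vblank slot;
    unsigned char user_copy[sizeof slot];
    size_t i, n = 0;

    memset(&slot, STALE_BYTE, sizeof slot);  /* what the previous call left behind */
    fill(&slot);
    memcpy(user_copy, &slot, sizeof slot);   /* stands in for copy_to_user() */
    for (i = 0; i < sizeof slot; i++)
        if (user_copy[i] == STALE_BYTE)
            n++;
    return n;
}

/*
 * Offset of the first byte that still carries the stale marker after the
 * fill, or -1 if none does. For the leaky fill this is where reserved[] starts.
 */
long first_stale_offset(void (*fill)(struct fb_vblank *))
{
    struct fb_vblank slot;
    const unsigned char *p = (const unsigned char *)&slot;
    size_t i;

    memset(&slot, STALE_BYTE, sizeof slot);
    fill(&slot);
    for (i = 0; i < sizeof slot; i++)
        if (p[i] == STALE_BYTE)
            return (long)i;
    return -1;
}
```

The same check generalises to any ioctl that builds a struct on the stack and copies it out: pre-fill the object with a marker, run the handler's fill path, and diff the result against the marker; any surviving marker byte is a leak, whether it sits in a named reserved field or in compiler padding.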

@ -0,0 +1,69 @@
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Subject: RDS: fix race condition when sending a message on unbound socket.
Date: Fri, 16 Oct 2015 17:11:42 +0200
Origin: https://lkml.org/lkml/2015/10/16/530
Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket. The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket. This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().
Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.
I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.
Complete earlier incomplete fix to CVE-2015-6937:
74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Chien Yen <chien.yen@oracle.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
---
net/rds/connection.c | 6 ------
net/rds/send.c | 4 +++-
2 files changed, 3 insertions(+), 7 deletions(-)
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -190,12 +190,6 @@ new_conn:
}
}
- if (trans == NULL) {
- kmem_cache_free(rds_conn_slab, conn);
- conn = ERR_PTR(-ENODEV);
- goto out;
- }
-
conn->c_trans = trans;
ret = trans->conn_alloc(conn, gfp);
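Review bot: dropping the `trans == NULL` guard turns what was a defensive -ENODEV into an unconditional dereference at `ret = trans->conn_alloc(conn, gfp);` for any caller that still reaches __rds_conn_create() with a NULL transport. The description argues that the locked check in rds_sendmsg() now makes that impossible, so the commit message should state explicitly that rds_sendmsg() was the only path that could arrive here with the transport unset; if that is not certain, keeping the guard (it is cheap and not on a hot path) alongside the new lock is the safer choice.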
--- a/net/rds/send.c
+++ b/net/rds/send.c
@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, str
release_sock(sk);
}
- /* racing with another thread binding seems ok here */
+ lock_sock(sk);
if (daddr == 0 || rs->rs_bound_addr == 0) {
+ release_sock(sk);
ret = -ENOTCONN; /* XXX not a great errno */
goto out;
}
+ release_sock(sk);
if (payload_len > rds_sk_sndbuf(rs)) {
ret = -EMSGSIZE;
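Review bot: the deleted comment `/* racing with another thread binding seems ok here */` is not replaced, so the new `lock_sock(sk)` around the `rs->rs_bound_addr` test looks like an arbitrary lock/unlock pair and invites a later "optimisation" that removes it. A one-line comment stating why the lock matters (rds_bind() publishes rs_bound_addr before the transport, so an unlocked reader can see the socket as bound while the transport is still NULL, per the description above) would protect the fix. Note also that the context just above the hunk ends with `release_sock(sk);`, so the lock is now dropped and immediately re-taken; if that block is on the same path, folding the bound-address check into it avoids the second round-trip.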

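The race described in the patch above, as an added user-space model with pthreads (this is not the Debian patch or RDS code). The socket lock is a mutex, the binder stores bound_addr before trans exactly as the description says rds_bind() does, and a deliberate delay between the two stores makes the window observable on every run. The pre-patch and post-patch checks from rds_sendmsg() are written out side by side; all names (rds_sock, bind_thread, send_during_bind) are local to this example. Assumes a POSIX threads implementation.

```c
/*
 * Added example, not the Debian patch: a pthreads model of the
 * rds_sendmsg()/rds_bind() race. The binder publishes bound_addr, waits,
 * then publishes trans; the sender runs inside that window with and
 * without the socket lock around its "is this socket bound?" test.
 */
#define _GNU_SOURCE
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <time.h>

struct rds_transport { const char *name; };

struct rds_sock {
    pthread_mutex_t lock;                 /* lock_sock()/release_sock() */
    volatile uint32_t bound_addr;         /* rs_bound_addr, stored first */
    struct rds_transport *volatile trans; /* transport, stored second */
};

static struct rds_transport loop_trans = { "loop" };

/* binder -> sender handshake so the sender always runs inside the window */
static pthread_mutex_t win_mtx = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t win_cv = PTHREAD_COND_INITIALIZER;
static int in_window;

static void *bind_thread(void *arg)
{
    struct rds_sock *rs = arg;
    struct timespec delay = { 0, 20 * 1000 * 1000 }; /* 20 ms, constructed */

    pthread_mutex_lock(&rs->lock);
    rs->bound_addr = 0x7f000001u;       /* first store: socket now looks bound */
    pthread_mutex_lock(&win_mtx);
    in_window = 1;
    pthread_cond_broadcast(&win_cv);
    pthread_mutex_unlock(&win_mtx);
    nanosleep(&delay, NULL);            /* widen the window deterministically */
    rs->trans = &loop_trans;            /* second store: transport attached */
    pthread_mutex_unlock(&rs->lock);
    return NULL;
}

enum { SENT = 0, ENOTCONN_REJECTED = 1, NULL_TRANSPORT = -1 };

/* Pre-patch check: reads rs_bound_addr without the socket lock. */
int sendmsg_unlocked(struct rds_sock *rs)
{
    if (rs->bound_addr == 0)
        return ENOTCONN_REJECTED;
    struct rds_transport *t = rs->trans;  /* what __rds_conn_create() would get */
    return t ? SENT : NULL_TRANSPORT;     /* NULL here is the kernel oops */
}

/* Patched check: the same test done under the socket lock. */
int sendmsg_locked(struct rds_sock *rs)
{
    pthread_mutex_lock(&rs->lock);
    int bound = rs->bound_addr != 0;
    pthread_mutex_unlock(&rs->lock);
    if (!bound)
        return ENOTCONN_REJECTED;
    /* bind stores trans before releasing the lock, so once the locked read
     * observed bound_addr != 0 the transport is already published. */
    struct rds_transport *t = rs->trans;
    return t ? SENT : NULL_TRANSPORT;
}

/* Run one send against a socket whose bind is in progress. */
int send_during_bind(int (*send)(struct rds_sock *))
{
    struct rds_sock rs = { PTHREAD_MUTEX_INITIALIZER, 0, NULL };
    pthread_t th;
    int r;

    pthread_mutex_lock(&win_mtx);
    in_window = 0;
    pthread_mutex_unlock(&win_mtx);
    if (pthread_create(&th, NULL, bind_thread, &rs) != 0)
        return -2;
    pthread_mutex_lock(&win_mtx);
    while (!in_window)
        pthread_cond_wait(&win_cv, &win_mtx);
    pthread_mutex_unlock(&win_mtx);

    r = send(&rs);                      /* inside the window */
    pthread_join(th, NULL);
    pthread_mutex_destroy(&rs.lock);
    return r;
}

/* Run one send against a socket that was never bound. */
int send_on_fresh_socket(int (*send)(struct rds_sock *))
{
    struct rds_sock rs = { PTHREAD_MUTEX_INITIALIZER, 0, NULL };
    return send(&rs);
}
```

The unlocked sender sees a bound address and a NULL transport and would crash; the locked sender blocks on the mutex until the binder has published both fields and sends normally. The lock is only sufficient because bind is one-shot and never clears the address again, which is the property the kernel fix silently relies on.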

@ -0,0 +1,31 @@
From: Oliver Neukum <oneukum@suse.com>
Date: Tue, 27 Oct 2015 12:42:38 +0100
Subject: usbvision fix overflow of interfaces array
Origin: https://bugzilla.novell.com/attachment.cgi?id=653350
This fixes the crash reported in:
http://seclists.org/bugtraq/2015/Oct/35
The interface number needs a sanity check.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
[bwh: Backported to 4.2: adjust context]
---
drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1533,6 +1533,13 @@ static int usbvision_probe(struct usb_in
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
+ /*
+ * this is a security check.
+ * an exploit using an incorrect bInterfaceNumber is known
+ */
+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
+ return -ENODEV;
+
if (usbvision_device_data[model].interface >= 0)
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
else
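Review bot: the new check validates `ifnum`, but the very next statement indexes `dev->actconfig->interface[usbvision_device_data[model].interface]` with a different index taken from the static device table, and that element is not checked for being within the device's actual interface count or for being non-NULL. The table value is model-specific while the interface count comes from the untrusted device descriptor, so the same `>= USB_MAXINTERFACES || !dev->actconfig->interface[...]` test should be applied to `usbvision_device_data[model].interface` as well, or the check moved to after the index has been chosen. The comment `this is a security check` would also be more useful if it named the bugtraq report from the header.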


@ -0,0 +1,38 @@
Subject: KVM x86 SVM: intercept #AC to avoid guest->host exploit
---
M arch/x86/kvm/svm.c
1 file changed, 8 insertions(+), 0 deletions(-)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *s
set_exception_intercept(svm, PF_VECTOR);
set_exception_intercept(svm, UD_VECTOR);
set_exception_intercept(svm, MC_VECTOR);
+ set_exception_intercept(svm, AC_VECTOR);
set_intercept(svm, INTERCEPT_INTR);
set_intercept(svm, INTERCEPT_NMI);
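Review bot: unlike the other four patches in this series, this one carries no From:, Date: or Origin: header and no Signed-off-by, so it is not clear whether it is the upstream SVM counterpart of the VMX change or a Debian-local port. Add the upstream reference, or a `[bwh: ...]` note saying it was written locally, so that the next rebase can tell whether the patch should be dropped.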
@@ -1795,6 +1796,12 @@ static int ud_interception(struct vcpu_s
return 1;
}
+static int ac_interception(struct vcpu_svm *svm)
+{
+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
+ return 1;
+}
+
static void svm_fpu_activate(struct kvm_vcpu *vcpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
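Review bot: `kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0)` hard-codes the error code, while the VMX counterpart in this series forwards the exit's `error_code`. The architectural error code for #AC is always 0, so the value is correct, but a comment saying so (or reading the error code from the VMCB as pf_interception() does for #PF) would keep the two handlers obviously equivalent to the next reader.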
@@ -3369,6 +3376,7 @@ static int (*const svm_exit_handlers[])(
[SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
[SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
[SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
[SVM_EXIT_INTR] = intr_interception,
[SVM_EXIT_NMI] = nmi_interception,
[SVM_EXIT_SMI] = nop_on_interception,


@ -0,0 +1,34 @@
From: Eric Northup <digitaleric@google.com>
Date: Thu Sep 10 11:36:28 2015 -0700
Subject: KVM x86 vmx: avoid guest->host DOS by intercepting #AC
A pathological (or malicious) guest can hang a host core by
mis-configuring its GDT/IDT and enabling alignment checks.
[bwh: Forward-ported to 4.2: AC_VECTOR is already defined so don't add it]
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru
u32 eb;
eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
- (1u << NM_VECTOR) | (1u << DB_VECTOR);
+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
if ((vcpu->guest_debug &
(KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
(KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
@@ -5146,6 +5146,13 @@ static int handle_exception(struct kvm_v
kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
kvm_run->debug.arch.exception = ex_no;
break;
+ case AC_VECTOR:
+ /*
+ * We have already enabled interrupts and pre-emption, so
+ * it's OK to loop here if that is what will happen.
+ */
+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
+ return 1;
default:
kvm_run->exit_reason = KVM_EXIT_EXCEPTION;
kvm_run->ex.exception = ex_no;
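Review bot: the comment explains why looping is safe but not why the guest cannot be left to its own #AC delivery. The description above says a mis-configured GDT/IDT makes delivery itself fault again, so without the intercept the CPU never exits and the host core is stuck; pulling that sentence into the comment would make the intent survive a later refactor. Also, unlike the other arms of this switch (see `kvm_run->exit_reason = KVM_EXIT_EXCEPTION` in the `default:` arm below), the AC arm returns directly rather than `break`ing; that is intentional, since the exception is re-injected rather than reported to user space, and deserves a word in the comment.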

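The mechanism behind both KVM patches, probed from user space as an added example (this is not KVM or Debian code). On x86 an #AC is raised when CR0.AM and EFLAGS.AC are both set and CPL 3 code touches a misaligned word; Linux sets CR0.AM, so a process can enable EFLAGS.AC and watch the fault arrive as SIGBUS. The probe repeats the faulting access a fixed number of times, standing in for a guest whose #AC delivery itself faults: every attempt faults again, and only something outside the loop (the signal handler here, the #AC intercept in KVM) breaks the cycle. Assumes x86-64 Linux with CR0.AM set; elsewhere it reports -1.

```c
/*
 * Added example, not part of the Debian patches: enable EFLAGS.AC in user
 * mode, perform a misaligned 4-byte load, and count how many attempts raise
 * #AC (delivered by Linux as SIGBUS). Each attempt re-faults, which is the
 * property that lets a guest with alignment checks and a broken IDT spin.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>

int running_on_x86_64(void)
{
#if defined(__x86_64__)
    return 1;
#else
    return 0;
#endif
}

#if defined(__x86_64__)
#define X86_EFLAGS_AC (1UL << 18)

static sigjmp_buf ac_env;
static volatile uint32_t sink;

static void eflags_or(unsigned long set)
{
    __asm__ volatile("pushfq\n\torq %0, (%%rsp)\n\tpopfq"
                     : : "r"(set) : "memory", "cc");
}

static void eflags_and(unsigned long keep)
{
    __asm__ volatile("pushfq\n\tandq %0, (%%rsp)\n\tpopfq"
                     : : "r"(keep) : "memory", "cc");
}

static void on_sigbus(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    /* EFLAGS.AC is still set on entry to the handler; clear it before any
     * library code or the longjmp target can trip over a misaligned access. */
    eflags_and(~X86_EFLAGS_AC);
    siglongjmp(ac_env, 1);
}

/* Returns how many of `attempts` misaligned loads raised #AC. */
int misaligned_load_faults(int attempts)
{
    struct sigaction sa, old;
    uint32_t buf[2] __attribute__((aligned(8))) = { 0x11223344u, 0x55667788u };
    volatile uint32_t *misaligned = (volatile uint32_t *)((char *)buf + 1);
    volatile int faults = 0;
    volatile int i;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigbus;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGBUS, &sa, &old) != 0)
        return -1;

    for (i = 0; i < attempts; i++) {
        if (sigsetjmp(ac_env, 1) == 0) {
            eflags_or(X86_EFLAGS_AC);   /* enable alignment checking for CPL 3 */
            sink = *misaligned;         /* #AC -> SIGBUS when CR0.AM is set */
            eflags_and(~X86_EFLAGS_AC);
        } else {
            faults++;                   /* arrived here from the handler */
        }
    }
    sigaction(SIGBUS, &old, NULL);
    return faults;
}
#else
int misaligned_load_faults(int attempts)
{
    (void)attempts;
    return -1;
}
#endif
```

A guest kernel is in the same position as this process, except that in the guest the "handler" is its own IDT entry; if entering that entry faults as well, nothing inside the guest ever makes progress. The patches give the host the role the SIGBUS handler plays here: every #AC now causes a VM exit, the host re-injects it with interrupts and preemption enabled, and the looping guest can be scheduled out like any other runaway task.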

@ -85,3 +85,8 @@ bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch
bugfix/all/selftests-make-scripts-executable.patch
bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch
bugfix/all/selftests-breakpoints-actually-build-it.patch
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch