Release linux (4.2.6-1).
Merge tag 'debian/4.2.6-1'
Refresh some patches.
commit b531af6929
|
@ -71,6 +71,96 @@ linux (4.3~rc3-1~exp1) experimental; urgency=medium
|
|||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sun, 27 Sep 2015 21:02:54 +0100
|
||||
|
||||
linux (4.2.6-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.2.6
|
||||
- mmc: core: Fix init_card in 52Mhz (regression in 4.2)
|
||||
- rtlwifi: rtl8821ae: Fix system lockups on boot (regression in 4.2)
|
||||
- iwlwifi: mvm: init card correctly on ctkill exit check
|
||||
(regression in 3.18)
|
||||
- iwlwifi: mvm: flush fw_dump_wk when mvm fails to start
|
||||
(regression in 3.18)
|
||||
- [x86] iommu/vt-d: fix range computation when making room for large pages
|
||||
- [x86] iommu/amd: Fix BUG when faulting a PROT_NONE VMA
|
||||
- [x86] iommu/amd: Don't clear DTE flags when modifying it
|
||||
- drm: fix mutex leak in drm_dp_get_mst_branch_device
|
||||
- drm: Correct arguments to list_tail_add in create blob ioctl
|
||||
- drm: crtc: integer overflow in drm_property_create_blob()
|
||||
- rtl28xxu: fix control message flaws (regression in 4.0)
|
||||
- ALSA: hda - Fix deadlock at error in building PCM
|
||||
- [x86] ioapic: Prevent NULL pointer dereference in setup_ioapic_dest()
|
||||
(regression in 4.2.4)
|
||||
- mm: make sendfile(2) killable
|
||||
- drm/radeon/dpm: don't add pwm attributes if DPM is disabled
|
||||
(regression in 4.0)
|
||||
- [x86] drm/i915: Restore lost DPLL register write on gen2-4
|
||||
(regression in 3.18)
|
||||
- [x86] drm/i915: Deny wrapping an userptr into a framebuffer
|
||||
- drm/radeon: don't try to recreate sysfs entries on resume
|
||||
(regression in 4.2.5)
|
||||
- drm/radeon: fix dpms when driver backlight control is disabled
|
||||
(regression in 4.2.4)
|
||||
- drm/radeon: move bl encoder assignment into bl init
|
||||
- rbd: require stable pages if message data CRCs are enabled
|
||||
- rbd: don't leak parent_spec in rbd_dev_probe_parent()
|
||||
- rbd: prevent kernel stack blow up on rbd map
|
||||
- [armhf] EXYNOS: Fix double of_node_put() when parsing child power domains
|
||||
(regression in 4.2)
|
||||
- [armhf] dts: Fix audio card detection on Peach boards (regression in 4.1)
|
||||
- [arm64] Revert "ARM64: unwind: Fix PC calculation"
|
||||
- block: don't release bdi while request_queue has live references
|
||||
(regression in 4.2)
|
||||
- dm btree remove: fix a bug when rebalancing nodes after removal
|
||||
- dm cache: the CLEAN_SHUTDOWN flag was not being set
|
||||
- dm btree: fix leak of bufio-backed block in btree_split_beneath error path
|
||||
- Revert "serial: 8250_dma: don't bother DMA with small transfers"
|
||||
(regression in 4.0)
|
||||
- [armel] i2c: mv64xxx: really allow I2C offloading (regression in 3.19)
|
||||
- clkdev: fix clk_add_alias() with a NULL alias device name
|
||||
(regression in 4.2)
|
||||
- fbcon: initialize blink interval before calling fb_set_par
|
||||
(regression in 4.2)
|
||||
- PCI: Prevent out of bounds access in numa_node override
|
||||
- ovl: free stack of paths in ovl_fill_super (regression in 4.0)
|
||||
- ovl: free lower_mnt array in ovl_put_super (regression in 4.0)
|
||||
- ovl: fix dentry reference leak
|
||||
- ovl: fix open in stacked overlay (regression in 4.2)
|
||||
- [x86] Input: alps - only the Dell Latitude D420/430/620/630 have separate
|
||||
stick button bits (regression in 4.1)
|
||||
- crypto: api - Only abort operations on fatal signal
|
||||
- md/raid1: submit_bio_wait() returns 0 on success (regression in 3.10)
|
||||
- md/raid10: submit_bio_wait() returns 0 on success (regression in 3.10)
|
||||
- md/raid5: fix locking in handle_stripe_clean_event() (regression in 3.13)
|
||||
- Revert "md: allow a partially recovered device to be hot-added to an
|
||||
array." (regression in 3.14)
|
||||
- [amd64] EDAC, sb_edac: Fix TAD presence check for sbridge_mci_bind_devs()
|
||||
(regression in 4.2)
|
||||
- mvsas: Fix NULL pointer dereference in mvs_slot_task_free
|
||||
- netfilter: ipset: Fix sleeping memory allocation in atomic context
|
||||
(regression in 4.2)
|
||||
- btrfs: fix possible leak in btrfs_ioctl_balance() (regression in 4.2.5)
|
||||
- kvm: irqchip: fix memory leak (regression in 4.2)
|
||||
- [armhf] thermal: exynos: Fix register read in TMU (regression in 4.2)
|
||||
- blk-mq: fix use-after-free in blk_mq_free_tag_set() (regression in 4.2)
|
||||
- IB/cm: Fix rb-tree duplicate free and use-after-free
|
||||
- sched/deadline: Fix migration of SCHED_DEADLINE tasks (regression in 4.2)
|
||||
- [arm64] compat: fix stxr failure case in SWP emulation
|
||||
- NVMe: Fix memory leak on retried commands
|
||||
- [x86] drm/vmwgfx: Fix up user_dmabuf refcounting
|
||||
- thp: use is_zero_pfn() only after pte_present() check (regression in 4.1)
|
||||
- xen: fix backport of previous kexec patch
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* usbvision: fix overflow of interfaces array (CVE-2015-7833)
|
||||
* RDS: fix race condition when sending a message on unbound socket
|
||||
(CVE-2015-7990)
|
||||
* media/vivid-osd: fix info leak in ioctl (CVE-2015-7884)
|
||||
* [x86] KVM: Intercept #AC to avoid guest->host denial-of-service
|
||||
(CVE-2015-5307)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 10 Nov 2015 14:35:05 +0000
|
||||
|
||||
linux (4.2.5-1) unstable; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
31
debian/patches/bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
vendored
Normal file
|
@ -0,0 +1,31 @@
|
|||
From: =?UTF-8?q?Salva=20Peir=C3=B3?= <speirofr@gmail.com>
|
||||
Date: Wed, 7 Oct 2015 07:09:26 -0300
|
||||
Subject: [media] media/vivid-osd: fix info leak in ioctl
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/eda98796aff0d9bf41094b06811f5def3b4c333c
|
||||
|
||||
The vivid_fb_ioctl() code fails to initialize the 16 _reserved bytes of
|
||||
struct fb_vblank after the ->hcount member. Add an explicit
|
||||
memset(0) before filling the structure to avoid the info leak.
|
||||
|
||||
Signed-off-by: Salva Peiró <speirofr@gmail.com>
|
||||
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/platform/vivid/vivid-osd.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
|
||||
index 084d346..e15eef6 100644
|
||||
--- a/drivers/media/platform/vivid/vivid-osd.c
|
||||
+++ b/drivers/media/platform/vivid/vivid-osd.c
|
||||
@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
|
||||
case FBIOGET_VBLANK: {
|
||||
struct fb_vblank vblank;
|
||||
|
||||
+ memset(&vblank, 0, sizeof(vblank));
|
||||
vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
|
||||
FB_VBLANK_HAVE_VSYNC;
|
||||
vblank.count = 0;
|
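Review bot: the patch header does not record CVE-2015-7884, the id that the debian/changelog entry in this same commit gives this fix; adding it to the description would let the patch file be traced to the advisory without the changelog. The change itself, memset(&vblank, 0, sizeof(vblank)) placed ahead of the field assignments, matches the commit message: it clears the 16 _reserved bytes after ->hcount before any member is filled in.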
69
debian/patches/bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
vendored
Normal file
|
@ -0,0 +1,69 @@
|
|||
From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
|
||||
Subject: RDS: fix race condition when sending a message on unbound socket.
|
||||
Date: Fri, 16 Oct 2015 17:11:42 +0200
|
||||
Origin: https://lkml.org/lkml/2015/10/16/530
|
||||
|
||||
Sasha's found a NULL pointer dereference in the RDS connection code when
|
||||
sending a message to an apparently unbound socket. The problem is caused
|
||||
by the code checking if the socket is bound in rds_sendmsg(), which checks
|
||||
the rs_bound_addr field without taking a lock on the socket. This opens a
|
||||
race where rs_bound_addr is temporarily set but where the transport is not
|
||||
in rds_bind(), leading to a NULL pointer dereference when trying to
|
||||
dereference 'trans' in __rds_conn_create().
|
||||
|
||||
Vegard wrote a reproducer for this issue, so kindly ask him to share if
|
||||
you're interested.
|
||||
|
||||
I cannot reproduce the NULL pointer dereference using Vegard's reproducer
|
||||
with this patch, whereas I could without.
|
||||
|
||||
Complete earlier incomplete fix to CVE-2015-6937:
|
||||
|
||||
74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
|
||||
|
||||
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
|
||||
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Vegard Nossum <vegard.nossum@oracle.com>
|
||||
Cc: Sasha Levin <sasha.levin@oracle.com>
|
||||
Cc: Chien Yen <chien.yen@oracle.com>
|
||||
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
|
||||
Cc: David S. Miller <davem@davemloft.net>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
net/rds/connection.c | 6 ------
|
||||
net/rds/send.c | 4 +++-
|
||||
2 files changed, 3 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/net/rds/connection.c
|
||||
+++ b/net/rds/connection.c
|
||||
@@ -190,12 +190,6 @@ new_conn:
|
||||
}
|
||||
}
|
||||
|
||||
- if (trans == NULL) {
|
||||
- kmem_cache_free(rds_conn_slab, conn);
|
||||
- conn = ERR_PTR(-ENODEV);
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
conn->c_trans = trans;
|
||||
|
||||
ret = trans->conn_alloc(conn, gfp);
|
||||
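Review bot: removing the `if (trans == NULL)` guard leaves `ret = trans->conn_alloc(conn, gfp);` two lines later with no check of its own, so this function is safe only while every caller guarantees a transport beforehand. The commit message moves that guarantee to rds_sendmsg(); consider keeping the guard (it frees conn and returns ERR_PTR(-ENODEV)) as a second line of defence, or state in the message that no other path reaches this point with trans unset.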
--- a/net/rds/send.c
|
||||
+++ b/net/rds/send.c
|
||||
@@ -1009,11 +1009,13 @@ int rds_sendmsg(struct socket *sock, str
|
||||
release_sock(sk);
|
||||
}
|
||||
|
||||
- /* racing with another thread binding seems ok here */
|
||||
+ lock_sock(sk);
|
||||
if (daddr == 0 || rs->rs_bound_addr == 0) {
|
||||
+ release_sock(sk);
|
||||
ret = -ENOTCONN; /* XXX not a great errno */
|
||||
goto out;
|
||||
}
|
||||
+ release_sock(sk);
|
||||
|
||||
if (payload_len > rds_sk_sndbuf(rs)) {
|
||||
ret = -EMSGSIZE;
|
|
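Review bot: the socket lock is held only around the `rs->rs_bound_addr == 0` test and is released on both paths before the payload checks that follow, so the fix holds only if rds_bind() sets rs_bound_addr and the transport under the same lock_sock(sk); that is not visible in this hunk and deserves a sentence in the commit message. The deleted comment ("racing with another thread binding seems ok here") should be replaced by one saying why the lock is needed, and the header should name CVE-2015-7990, the id the changelog gives this fix, alongside CVE-2015-6937.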
@ -0,0 +1,31 @@
|
|||
From: Oliver Neukum <oneukum@suse.com>
|
||||
Date: Tue, 27 Oct 2015 12:42:38 +0100
|
||||
Subject: usbvision fix overflow of interfaces array
|
||||
Origin: https://bugzilla.novell.com/attachment.cgi?id=653350
|
||||
|
||||
This fixes the crash reported in:
|
||||
http://seclists.org/bugtraq/2015/Oct/35
|
||||
The interface number needs a sanity check.
|
||||
|
||||
Signed-off-by: Oliver Neukum <oneukum@suse.com>
|
||||
[bwh: Backported to 4.2: adjust context]
|
||||
---
|
||||
drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
--- a/drivers/media/usb/usbvision/usbvision-video.c
|
||||
+++ b/drivers/media/usb/usbvision/usbvision-video.c
|
||||
@@ -1533,6 +1533,13 @@ static int usbvision_probe(struct usb_in
|
||||
printk(KERN_INFO "%s: %s found\n", __func__,
|
||||
usbvision_device_data[model].model_string);
|
||||
|
||||
+ /*
|
||||
+ * this is a security check.
|
||||
+ * an exploit using an incorrect bInterfaceNumber is known
|
||||
+ */
|
||||
+ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
|
||||
+ return -ENODEV;
|
||||
+
|
||||
if (usbvision_device_data[model].interface >= 0)
|
||||
interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
|
||||
else
|
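Review bot: the new check validates `ifnum`, but the context line right after it indexes `dev->actconfig->interface[]` with `usbvision_device_data[model].interface` and dereferences `->altsetting[0]` without confirming that entry is non-NULL. If the device table's interface number can differ from ifnum, that lookup needs the same NULL test. The comment "this is a security check" would also be more useful if it said what is checked (bInterfaceNumber against USB_MAXINTERFACES and the active configuration) and cited CVE-2015-7833 from the changelog.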
38
debian/patches/bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
vendored
Normal file
|
@ -0,0 +1,38 @@
|
|||
Subject: KVM x86 SVM: intercept #AC to avoid guest->host exploit
|
||||
|
||||
---
|
||||
M arch/x86/kvm/svm.c
|
||||
1 file changed, 8 insertions(+), 0 deletions(-)
|
||||
|
||||
|
||||
--- a/arch/x86/kvm/svm.c
|
||||
+++ b/arch/x86/kvm/svm.c
|
||||
@@ -1106,6 +1106,7 @@ static void init_vmcb(struct vcpu_svm *s
|
||||
set_exception_intercept(svm, PF_VECTOR);
|
||||
set_exception_intercept(svm, UD_VECTOR);
|
||||
set_exception_intercept(svm, MC_VECTOR);
|
||||
+ set_exception_intercept(svm, AC_VECTOR);
|
||||
|
||||
set_intercept(svm, INTERCEPT_INTR);
|
||||
set_intercept(svm, INTERCEPT_NMI);
|
||||
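Review bot: the header of this patch file consists of a Subject line only, with no From, Date, Origin or Signed-off-by (the usbvision, RDS and vivid patches added in this commit carry them), so the author and upstream source of the SVM change cannot be established from the file. Please add them before the patch goes into the series. The subject also says "exploit" where the VMX patch and the changelog entry say denial-of-service; one wording should be used for both.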
@@ -1795,6 +1796,12 @@ static int ud_interception(struct vcpu_s
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int ac_interception(struct vcpu_svm *svm)
|
||||
+{
|
||||
+ kvm_queue_exception_e(&svm->vcpu, AC_VECTOR, 0);
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
static void svm_fpu_activate(struct kvm_vcpu *vcpu)
|
||||
{
|
||||
struct vcpu_svm *svm = to_svm(vcpu);
|
||||
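Review bot: ac_interception() re-injects the exception with a hard-coded error code of 0, while the VMX counterpart in this commit passes the error_code it read at exit. A one-line comment stating that 0 is intentional (the architecture defines the #AC error code as always zero) would save the next reader from comparing the two paths.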
@@ -3369,6 +3376,7 @@ static int (*const svm_exit_handlers[])(
|
||||
[SVM_EXIT_EXCP_BASE + PF_VECTOR] = pf_interception,
|
||||
[SVM_EXIT_EXCP_BASE + NM_VECTOR] = nm_interception,
|
||||
[SVM_EXIT_EXCP_BASE + MC_VECTOR] = mc_interception,
|
||||
+ [SVM_EXIT_EXCP_BASE + AC_VECTOR] = ac_interception,
|
||||
[SVM_EXIT_INTR] = intr_interception,
|
||||
[SVM_EXIT_NMI] = nmi_interception,
|
||||
[SVM_EXIT_SMI] = nop_on_interception,
|
34
debian/patches/bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
vendored
Normal file
|
@ -0,0 +1,34 @@
|
|||
From: Eric Northup <digitaleric@google.com>
|
||||
Date: Thu Sep 10 11:36:28 2015 -0700
|
||||
Subject: KVM x86 vmx: avoid guest->host DOS by intercepting #AC
|
||||
|
||||
A pathological (or malicious) guest can hang a host core by
|
||||
mis-configuring its GDT/IDT and enabling alignment checks.
|
||||
|
||||
[bwh: Forward-ported to 4.2: AC_VECTOR is already defined so don't add it]
|
||||
|
||||
--- a/arch/x86/kvm/vmx.c
|
||||
+++ b/arch/x86/kvm/vmx.c
|
||||
@@ -1567,7 +1567,7 @@ static void update_exception_bitmap(stru
|
||||
u32 eb;
|
||||
|
||||
eb = (1u << PF_VECTOR) | (1u << UD_VECTOR) | (1u << MC_VECTOR) |
|
||||
- (1u << NM_VECTOR) | (1u << DB_VECTOR);
|
||||
+ (1u << NM_VECTOR) | (1u << DB_VECTOR) | (1u << AC_VECTOR);
|
||||
if ((vcpu->guest_debug &
|
||||
(KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP)) ==
|
||||
(KVM_GUESTDBG_ENABLE | KVM_GUESTDBG_USE_SW_BP))
|
||||
@@ -5146,6 +5146,13 @@ static int handle_exception(struct kvm_v
|
||||
kvm_run->debug.arch.pc = vmcs_readl(GUEST_CS_BASE) + rip;
|
||||
kvm_run->debug.arch.exception = ex_no;
|
||||
break;
|
||||
+ case AC_VECTOR:
|
||||
+ /*
|
||||
+ * We have already enabled interrupts and pre-emption, so
|
||||
+ * it's OK to loop here if that is what will happen.
|
||||
+ */
|
||||
+ kvm_queue_exception_e(vcpu, AC_VECTOR, error_code);
|
||||
+ return 1;
|
||||
default:
|
||||
kvm_run->exit_reason = KVM_EXIT_EXCEPTION;
|
||||
kvm_run->ex.exception = ex_no;
|
|
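Review bot: the comment in the new `case AC_VECTOR:` arm ("it's OK to loop here if that is what will happen") does not say what loops or why that is acceptable. Suggest spelling out that the #AC is re-queued to the guest with kvm_queue_exception_e() and that a guest which keeps faulting only spins its own vCPU, because interrupts and pre-emption are already enabled on the host side at this point. The patch header also has no Origin or Signed-off-by line.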
@ -85,3 +85,8 @@ bugfix/all/selftests-kprobe-choose-an-always-defined-function-t.patch
|
|||
bugfix/all/selftests-make-scripts-executable.patch
|
||||
bugfix/all/selftests-vm-try-harder-to-allocate-huge-pages.patch
|
||||
bugfix/all/selftests-breakpoints-actually-build-it.patch
|
||||
bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch
|
||||
bugfix/all/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
|
||||
bugfix/all/media-media-vivid-osd-fix-info-leak-in-ioctl.patch
|
||||
bugfix/x86/kvm-x86-vmx-avoid-guest-host-dos-by-intercepting-ac.patch
|
||||
bugfix/x86/kvm-x86-svm-intercept-ac-to-avoid-guest-host-exploit.patch
|
||||
|
|