Update to 4.19.100

Add CVE id reference for CVE-2020-8428 Drop "libertas: Fix two buffer overflows at parsing bss descriptor" Drop "do_last(): fetch directory ->i_mode and ->i_uid before it's too late" Cleanup debian/changelog file
2020-02-20 19:27:11 +01:00 · 2020-02-20 19:27:11 +01:00 · c2975cd055
parent 5454dfc211
commit c2975cd055
4 changed files with 78 additions and 139 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,4 +1,4 @@
-linux (4.19.99-1) UNRELEASED; urgency=medium
+linux (4.19.100-1) UNRELEASED; urgency=medium

  * New upstream stable update:
    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.99
@ -438,10 +438,85 @@ linux (4.19.99-1) UNRELEASED; urgency=medium
    - [armhf] dmaengine: ti: edma: fix missed failure handling
    - drm/radeon: fix bad DMA from INTERRUPT_CNTL2
    - [arm64] dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
+    https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.100
+    - can, slip: Protect tty->disc_data in write_wakeup and close with RCU
+    - [x86] firestream: fix memory leaks
+    - gtp: make sure only SOCK_DGRAM UDP sockets are accepted
+    - ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
+    - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
+    - net: ip6_gre: fix moving ip6gre between namespaces
+    - net, ip6_tunnel: fix namespaces move
+    - net, ip_tunnel: fix namespaces move
+    - net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
+    - net_sched: fix datalen for ematch
+    - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
+    - net-sysfs: fix netdev_queue_add_kobject() breakage
+    - net-sysfs: Call dev_hold always in netdev_queue_add_kobject
+    - net-sysfs: Call dev_hold always in rx_queue_add_kobject
+    - net-sysfs: Fix reference count leak
+    - net: usb: lan78xx: Add .ndo_features_check
+    - Revert "udp: do rmem bulk free even if the rx sk queue is empty"
+    - tcp_bbr: improve arithmetic division in bbr_update_bw()
+    - tcp: do not leave dangling pointers in tp->highest_sack
+    - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
+    - afs: Fix characters allowed into cell names
+    - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
+    - hwmon: (core) Do not use device managed functions for memory allocations
+    - PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken
+    - tracing: trigger: Replace unneeded RCU-list traversals
+    - Input: keyspan-remote - fix control-message timeouts
+    - [x86] Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus
+      transfers"
+    - [arm64,armhf] mmc: tegra: fix SDR50 tuning override
+    - mmc: sdhci: fix minimum clock rate for v3 controller
+    - Documentation: Document arm64 kpti control
+    - Input: sur40 - fix interface sanity checks
+    - Input: gtco - fix endpoint sanity check
+    - Input: aiptek - fix endpoint sanity check
+    - Input: pegasus_notetaker - fix endpoint sanity check
+    - [armhf] Input: sun4i-ts - add a check for
+      devm_thermal_zone_of_sensor_register
+    - netfilter: nft_osf: add missing check for DREG attribute
+    - hwmon: (nct7802) Fix voltage limits to wrong registers
+    - scsi: RDMA/isert: Fix a recently introduced regression related to logout
+    - do_last(): fetch directory ->i_mode and ->i_uid before it's too late
+      (CVE-2020-8428)
+    - sd: Fix REQ_OP_ZONE_REPORT completion handling
+    - [i386] crypto: geode-aes - switch to skcipher for cbc(aes) fallback
+    - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT
+    - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
+    - netfilter: ipset: use bitmap infrastructure completely
+    - netfilter: nf_tables: add __nft_chain_type_get()
+    - mm/memory_hotplug: make remove_memory() take the device_hotplug_lock
+    - mm, sparse: drop pgdat_resize_lock in sparse_add/remove_one_section()
+    - mm, sparse: pass nid instead of pgdat to sparse_add_one_section()
+    - drivers/base/memory.c: remove an unnecessary check on NR_MEM_SECTIONS
+    - mm, memory_hotplug: add nid parameter to arch_remove_memory
+    - mm/memory_hotplug: release memory resource after arch_remove_memory()
+    - drivers/base/memory.c: clean up relics in function parameters
+    - mm, memory_hotplug: update a comment in unregister_memory()
+    - mm/memory_hotplug: make unregister_memory_section() never fail
+    - mm/memory_hotplug: make __remove_section() never fail
+    - [powerpc*] mm: Fix section mismatch warning
+    - mm/memory_hotplug: make __remove_pages() and arch_remove_memory() never
+      fail
+    - [s390x] mm: implement arch_remove_memory()
+    - mm/memory_hotplug: allow arch_remove_memory() without
+      CONFIG_MEMORY_HOTREMOVE
+    - drivers/base/memory: pass a block_id to init_memory_block()
+    - mm/memory_hotplug: create memory block devices after arch_add_memory()
+    - mm/memory_hotplug: remove memory block devices before
+      arch_remove_memory()
+    - mm/memory_hotplug: make unregister_memory_block_under_nodes() never fail
+    - mm/memory_hotplug: remove "zone" parameter from
+      sparse_remove_one_section
+    - mm/hotplug: kill is_dev_zone() usage in __remove_pages()
+    - drivers/base/node.c: simplify unregister_memory_block_under_nodes()
+    - mm/memunmap: don't access uninitialized memmap in memunmap_pages()
+    - mm/memory_hotplug: fix try_offline_node()
+    - mm/memory_hotplug: shrink zones when offlining memory

  [ Salvatore Bonaccorso ]
-  * do_last(): fetch directory ->i_mode and ->i_uid before it's too late
-    (CVE-2020-8428)
  * vfs: fix do_last() regression
  * Refresh "Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for
    out-of-tree modules"" for context changes in 4.19.99
--- a/debian/patches/bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch
+++ b/debian/patches/bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch
@ -1,70 +0,0 @@
-From: Al Viro <viro@zeniv.linux.org.uk>
-Date: Sun, 26 Jan 2020 09:29:34 -0500
-Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
-Origin: https://git.kernel.org/linus/d0cb50185ae942b03c4327be322055d622dc79f6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8428
-
-may_create_in_sticky() call is done when we already have dropped the
-reference to dir.
-
-Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-[Salvatore Bonaccorso: Backport to 4.19.98 for context changes]
---
- fs/namei.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
--- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1009,7 +1009,8 @@ static int may_linkat(struct path *link)
-  * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
-  *			  should be allowed, or not, on files that already
-  *			  exist.
- * @dir: the sticky parent directory
-+ * @dir_mode: mode bits of directory
-+ * @dir_uid: owner of directory
-  * @inode: the inode of the file to open
-  *
-  * Block an O_CREAT open of a FIFO (or a regular file) when:
-@@ -1025,18 +1026,18 @@ static int may_linkat(struct path *link)
-  *
-  * Returns 0 if the open is allowed, -ve on error.
-  */
-static int may_create_in_sticky(struct dentry * const dir,
-+static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,
- 				struct inode * const inode)
- {
- 	if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
- 	    (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
-	    likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
-	    uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
-+	    likely(!(dir_mode & S_ISVTX)) ||
-+	    uid_eq(inode->i_uid, dir_uid) ||
- 	    uid_eq(current_fsuid(), inode->i_uid))
- 		return 0;
- 
-	if (likely(dir->d_inode->i_mode & 0002) ||
-	    (dir->d_inode->i_mode & 0020 &&
-+	if (likely(dir_mode & 0002) ||
-+	    (dir_mode & 0020 &&
- 	     ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
- 	      (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
- 		return -EACCES;
-@@ -3258,6 +3259,8 @@ static int do_last(struct nameidata *nd,
- 		   struct file *file, const struct open_flags *op)
- {
- 	struct dentry *dir = nd->path.dentry;
-+	kuid_t dir_uid = dir->d_inode->i_uid;
-+	umode_t dir_mode = dir->d_inode->i_mode;
- 	int open_flag = op->open_flag;
- 	bool will_truncate = (open_flag & O_TRUNC) != 0;
- 	bool got_write = false;
-@@ -3393,7 +3396,7 @@ finish_open:
- 		error = -EISDIR;
- 		if (d_is_dir(nd->path.dentry))
- 			goto out;
-		error = may_create_in_sticky(dir,
-+		error = may_create_in_sticky(dir_mode, dir_uid,
- 					     d_backing_inode(nd->path.dentry));
- 		if (unlikely(error))
- 			goto out;
--- a/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
+++ b/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
@ -1,64 +0,0 @@
-From: Wen Huang <huangwenabc@gmail.com>
-Date: Thu, 28 Nov 2019 18:51:04 +0800
-Subject: libertas: Fix two buffer overflows at parsing bss descriptor
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=e5e884b42639c74b5b57dc277909915c0aefc8bb
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14896
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14897
-
-add_ie_rates() copys rates without checking the length
-in bss descriptor from remote AP.when victim connects to
-remote attacker, this may trigger buffer overflow.
-lbs_ibss_join_existing() copys rates without checking the length
-in bss descriptor from remote IBSS node.when victim connects to
-remote attacker, this may trigger buffer overflow.
-Fix them by putting the length check before performing copy.
-
-This fix addresses CVE-2019-14896 and CVE-2019-14897.
-This also fix build warning of mixed declarations and code.
-
-Reported-by: kbuild test robot <lkp@intel.com>
-Signed-off-by: Wen Huang <huangwenabc@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
---
- drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
--- a/drivers/net/wireless/marvell/libertas/cfg.c
-+++ b/drivers/net/wireless/marvell/libertas/cfg.c
-@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
- 	int hw, ap, ap_max = ie[1];
- 	u8 hw_rate;
- 
-+	if (ap_max > MAX_RATES) {
-+		lbs_deb_assoc("invalid rates\n");
-+		return tlv;
-+	}
- 	/* Advance past IE header */
- 	ie += 2;
- 
-@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct
- 	struct cmd_ds_802_11_ad_hoc_join cmd;
- 	u8 preamble = RADIO_PREAMBLE_SHORT;
- 	int ret = 0;
-+	int hw, i;
-+	u8 rates_max;
-+	u8 *rates;
- 
- 	/* TODO: set preamble based on scan result */
- 	ret = lbs_set_radio(priv, preamble, 1);
-@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct
- 	if (!rates_eid) {
- 		lbs_add_rates(cmd.bss.rates);
- 	} else {
-		int hw, i;
-		u8 rates_max = rates_eid[1];
-		u8 *rates = cmd.bss.rates;
-+		rates_max = rates_eid[1];
-+		if (rates_max > MAX_RATES) {
-+			lbs_deb_join("invalid rates");
-+			goto out;
-+		}
-+		rates = cmd.bss.rates;
- 		for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
- 			u8 hw_rate = lbs_rates[hw].bitrate / 5;
- 			for (i = 0; i < rates_max; i++) {
--- a/debian/patches/series
+++ b/debian/patches/series
@ -295,10 +295,8 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
-bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
 bugfix/all/wimax-i2400-fix-memory-leak.patch
 bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
-bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch
 bugfix/all/vfs-fix-do_last-regression.patch

 # Backported change to provide boot-time entropy