From c2975cd055d496d879a4a57e2d2e729587ec6820 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Thu, 20 Feb 2020 19:27:11 +0100 Subject: [PATCH] Update to 4.19.100 Add CVE id reference for CVE-2020-8428 Drop "libertas: Fix two buffer overflows at parsing bss descriptor" Drop "do_last(): fetch directory ->i_mode and ->i_uid before it's too late" Cleanup debian/changelog file --- debian/changelog | 81 ++++++++++++++++++- ...rectory-i_mode-and-i_uid-before-it-s.patch | 70 ---------------- ...-overflows-at-parsing-bss-descriptor.patch | 64 --------------- debian/patches/series | 2 - 4 files changed, 78 insertions(+), 139 deletions(-) delete mode 100644 debian/patches/bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch delete mode 100644 debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch diff --git a/debian/changelog b/debian/changelog index d7c11d2a4..08820062f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.19.99-1) UNRELEASED; urgency=medium +linux (4.19.100-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.99 
@@ -438,10 +438,85 @@ linux (4.19.99-1) UNRELEASED; urgency=medium - [armhf] dmaengine: ti: edma: fix missed failure handling - drm/radeon: fix bad DMA from INTERRUPT_CNTL2 - [arm64] dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.100 + - can, slip: Protect tty->disc_data in write_wakeup and close with RCU + - [x86] firestream: fix memory leaks + - gtp: make sure only SOCK_DGRAM UDP sockets are accepted + - ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions + - net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM + - net: ip6_gre: fix moving ip6gre between namespaces + - net, ip6_tunnel: fix namespaces move + - net, ip_tunnel: fix namespaces move + - net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() + - net_sched: fix datalen for ematch + - net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject + - net-sysfs: fix netdev_queue_add_kobject() breakage + - net-sysfs: Call dev_hold always in netdev_queue_add_kobject + - net-sysfs: Call dev_hold always in rx_queue_add_kobject + - net-sysfs: Fix reference count leak + - net: usb: lan78xx: Add .ndo_features_check + - Revert "udp: do rmem bulk free even if the rx sk queue is empty" + - tcp_bbr: improve arithmetic division in bbr_update_bw() + - tcp: do not leave dangling pointers in tp->highest_sack + - tun: add mutex_unlock() call and napi.skb clearing in tun_get_user() + - afs: Fix characters allowed into cell names + - hwmon: (adt7475) Make volt2reg return same reg as reg2volt input + - hwmon: (core) Do not use device managed functions for memory allocations + - PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken + - tracing: trigger: Replace unneeded RCU-list traversals + - Input: keyspan-remote - fix control-message timeouts + - [x86] Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus + transfers" + - [arm64,armhf] mmc: tegra: fix SDR50 tuning override + - mmc: sdhci: fix minimum clock rate for v3 controller 
+ - Documentation: Document arm64 kpti control + - Input: sur40 - fix interface sanity checks + - Input: gtco - fix endpoint sanity check + - Input: aiptek - fix endpoint sanity check + - Input: pegasus_notetaker - fix endpoint sanity check + - [armhf] Input: sun4i-ts - add a check for + devm_thermal_zone_of_sensor_register + - netfilter: nft_osf: add missing check for DREG attribute + - hwmon: (nct7802) Fix voltage limits to wrong registers + - scsi: RDMA/isert: Fix a recently introduced regression related to logout + - do_last(): fetch directory ->i_mode and ->i_uid before it's too late + (CVE-2020-8428) + - sd: Fix REQ_OP_ZONE_REPORT completion handling + - [i386] crypto: geode-aes - switch to skcipher for cbc(aes) fallback + - media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT + - scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func + - netfilter: ipset: use bitmap infrastructure completely + - netfilter: nf_tables: add __nft_chain_type_get() + - mm/memory_hotplug: make remove_memory() take the device_hotplug_lock + - mm, sparse: drop pgdat_resize_lock in sparse_add/remove_one_section() + - mm, sparse: pass nid instead of pgdat to sparse_add_one_section() + - drivers/base/memory.c: remove an unnecessary check on NR_MEM_SECTIONS + - mm, memory_hotplug: add nid parameter to arch_remove_memory + - mm/memory_hotplug: release memory resource after arch_remove_memory() + - drivers/base/memory.c: clean up relics in function parameters + - mm, memory_hotplug: update a comment in unregister_memory() + - mm/memory_hotplug: make unregister_memory_section() never fail + - mm/memory_hotplug: make __remove_section() never fail + - [powerpc*] mm: Fix section mismatch warning + - mm/memory_hotplug: make __remove_pages() and arch_remove_memory() never + fail + - [s390x] mm: implement arch_remove_memory() + - mm/memory_hotplug: allow arch_remove_memory() without + CONFIG_MEMORY_HOTREMOVE + - drivers/base/memory: pass a block_id to init_memory_block() + - 
mm/memory_hotplug: create memory block devices after arch_add_memory() + - mm/memory_hotplug: remove memory block devices before + arch_remove_memory() + - mm/memory_hotplug: make unregister_memory_block_under_nodes() never fail + - mm/memory_hotplug: remove "zone" parameter from + sparse_remove_one_section + - mm/hotplug: kill is_dev_zone() usage in __remove_pages() + - drivers/base/node.c: simplify unregister_memory_block_under_nodes() + - mm/memunmap: don't access uninitialized memmap in memunmap_pages() + - mm/memory_hotplug: fix try_offline_node() + - mm/memory_hotplug: shrink zones when offlining memory [ Salvatore Bonaccorso ] - * do_last(): fetch directory ->i_mode and ->i_uid before it's too late - (CVE-2020-8428) * vfs: fix do_last() regression * Refresh "Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for out-of-tree modules"" for context changes in 4.19.99 diff --git a/debian/patches/bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch b/debian/patches/bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch deleted file mode 100644 index bce29b1ad..000000000 --- a/debian/patches/bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From: Al Viro -Date: Sun, 26 Jan 2020 09:29:34 -0500 -Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late -Origin: https://git.kernel.org/linus/d0cb50185ae942b03c4327be322055d622dc79f6 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8428 - -may_create_in_sticky() call is done when we already have dropped the -reference to dir. - -Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files) -Signed-off-by: Al Viro -[Salvatore Bonaccorso: Backport to 4.19.98 for context changes] ---- - fs/namei.c | 17 ++++++++++------- - 1 file changed, 10 insertions(+), 7 deletions(-) - ---- a/fs/namei.c -+++ b/fs/namei.c -@@ -1009,7 +1009,8 @@ static int may_linkat(struct path *link) - * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory - * should be allowed, or not, on files that already - * exist. -- * @dir: the sticky parent directory -+ * @dir_mode: mode bits of directory -+ * @dir_uid: owner of directory - * @inode: the inode of the file to open - * - * Block an O_CREAT open of a FIFO (or a regular file) when: -@@ -1025,18 +1026,18 @@ static int may_linkat(struct path *link) - * - * Returns 0 if the open is allowed, -ve on error. 
- */ --static int may_create_in_sticky(struct dentry * const dir, -+static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid, - struct inode * const inode) - { - if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) || - (!sysctl_protected_regular && S_ISREG(inode->i_mode)) || -- likely(!(dir->d_inode->i_mode & S_ISVTX)) || -- uid_eq(inode->i_uid, dir->d_inode->i_uid) || -+ likely(!(dir_mode & S_ISVTX)) || -+ uid_eq(inode->i_uid, dir_uid) || - uid_eq(current_fsuid(), inode->i_uid)) - return 0; - -- if (likely(dir->d_inode->i_mode & 0002) || -- (dir->d_inode->i_mode & 0020 && -+ if (likely(dir_mode & 0002) || -+ (dir_mode & 0020 && - ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) || - (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) { - return -EACCES; -@@ -3258,6 +3259,8 @@ static int do_last(struct nameidata *nd, - struct file *file, const struct open_flags *op) - { - struct dentry *dir = nd->path.dentry; -+ kuid_t dir_uid = dir->d_inode->i_uid; -+ umode_t dir_mode = dir->d_inode->i_mode; - int open_flag = op->open_flag; - bool will_truncate = (open_flag & O_TRUNC) != 0; - bool got_write = false; -@@ -3393,7 +3396,7 @@ finish_open: - error = -EISDIR; - if (d_is_dir(nd->path.dentry)) - goto out; -- error = may_create_in_sticky(dir, -+ error = may_create_in_sticky(dir_mode, dir_uid, - d_backing_inode(nd->path.dentry)); - if (unlikely(error)) - goto out; diff --git a/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch b/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch deleted file mode 100644 index 2cca93842..000000000 --- a/debian/patches/bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch +++ /dev/null 
@@ -1,64 +0,0 @@ -From: Wen Huang -Date: Thu, 28 Nov 2019 18:51:04 +0800 -Subject: libertas: Fix two buffer overflows at parsing bss descriptor -Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=e5e884b42639c74b5b57dc277909915c0aefc8bb -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14896 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14897 - -add_ie_rates() copys rates without checking the length -in bss descriptor from remote AP.when victim connects to -remote attacker, this may trigger buffer overflow. -lbs_ibss_join_existing() copys rates without checking the length -in bss descriptor from remote IBSS node.when victim connects to -remote attacker, this may trigger buffer overflow. -Fix them by putting the length check before performing copy. - -This fix addresses CVE-2019-14896 and CVE-2019-14897. -This also fix build warning of mixed declarations and code. - -Reported-by: kbuild test robot -Signed-off-by: Wen Huang -Signed-off-by: Kalle Valo ---- - drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - ---- a/drivers/net/wireless/marvell/libertas/cfg.c -+++ b/drivers/net/wireless/marvell/libertas/cfg.c -@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int - int hw, ap, ap_max = ie[1]; - u8 hw_rate; - -+ if (ap_max > MAX_RATES) { -+ lbs_deb_assoc("invalid rates\n"); -+ return tlv; -+ } - /* Advance past IE header */ - ie += 2; - -@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct - struct cmd_ds_802_11_ad_hoc_join cmd; - u8 preamble = RADIO_PREAMBLE_SHORT; - int ret = 0; -+ int hw, i; -+ u8 rates_max; -+ u8 *rates; - - /* TODO: set preamble based on scan result */ - ret = lbs_set_radio(priv, preamble, 1); -@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct - if (!rates_eid) { - lbs_add_rates(cmd.bss.rates); - } else { -- int hw, i; -- u8 rates_max = rates_eid[1]; -- u8 *rates = cmd.bss.rates; 
-+ rates_max = rates_eid[1]; -+ if (rates_max > MAX_RATES) { -+ lbs_deb_join("invalid rates"); -+ goto out; -+ } -+ rates = cmd.bss.rates; - for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) { - u8 hw_rate = lbs_rates[hw].bitrate / 5; - for (i = 0; i < rates_max; i++) { diff --git a/debian/patches/series b/debian/patches/series index 5211e82ac..ea5aecde6 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -295,10 +295,8 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch -bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch bugfix/all/wimax-i2400-fix-memory-leak.patch bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch -bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch bugfix/all/vfs-fix-do_last-regression.patch # Backported change to provide boot-time entropy
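Review bot: the upstream 4.19.100 list added in the debian/changelog hunk (@@ -438,10 +438,85 @@) has no entry for "libertas: Fix two buffer overflows at parsing bss descriptor" (CVE-2019-14896, CVE-2019-14897), even though this commit deletes that patch and drops it from the series. If the fix is part of the stable update, add the entry with both CVE ids under the 4.19.100 list, the same way the do_last() entry now carries "(CVE-2020-8428)", so the security tracker can tie the two CVEs to this upload; if it is not part of 4.19.100, the patch has to stay in the series. Moving the do_last() line out of the "[ Salvatore Bonaccorso ]" block and into the upstream list is consistent with deleting that patch file.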
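Review bot: deleting do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch is only a no-op if the 4.19.100 stable backport of d0cb50185ae9 captures the same two values at the top of do_last() that this copy adds ("kuid_t dir_uid = dir->d_inode->i_uid;" and "umode_t dir_mode = dir->d_inode->i_mode;") and passes them to may_create_in_sticky() in place of the dentry. The header says this copy was rebased "to 4.19.98 for context changes", so diff it against the stable version rather than assuming they match; the point of the fix is that may_create_in_sticky() was dereferencing dir->d_inode after the reference to dir had already been dropped, and a backport that reorders those two lines past a path walk would reopen that.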
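Review bot: the two bounds checks being removed with libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch ("if (ap_max > MAX_RATES)" in add_ie_rates() and "if (rates_max > MAX_RATES)" in lbs_ibss_join_existing()) are the only guards on copies whose length comes from the rates IE of a remote AP or IBSS node, so the deletion needs to be backed by e5e884b42639 being present in the stable tree, and nothing in this commit's changelog hunk records that. Please either cite the stable commit in the changelog or keep the patch until the next stable update that carries it.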
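Review bot: in the debian/patches/series hunk, bugfix/all/vfs-fix-do_last-regression.patch is kept while the patch it was stacked on is removed, so it now applies directly against the 4.19.100 tree instead of the Debian backport it was written over; check that it still applies without fuzz, or refresh it, before this is built, as was done for the objtool revert "for context changes in 4.19.99" according to the changelog. Both removed lines sit under "# Security fixes", so the CVE ids they carried (CVE-2019-14896, CVE-2019-14897, CVE-2020-8428) should all be accounted for in the changelog, not just CVE-2020-8428.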