Update to 4.19.100
Add CVE id reference for CVE-2020-8428.
Drop "libertas: Fix two buffer overflows at parsing bss descriptor".
Drop "do_last(): fetch directory ->i_mode and ->i_uid before it's too late".
Clean up debian/changelog file.
parent
5454dfc211
commit
c2975cd055
|
@ -1,4 +1,4 @@
|
|||
linux (4.19.99-1) UNRELEASED; urgency=medium
|
||||
linux (4.19.100-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.99
|
||||
|
@ -438,10 +438,85 @@ linux (4.19.99-1) UNRELEASED; urgency=medium
|
|||
- [armhf] dmaengine: ti: edma: fix missed failure handling
|
||||
- drm/radeon: fix bad DMA from INTERRUPT_CNTL2
|
||||
- [arm64] dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.100
|
||||
- can, slip: Protect tty->disc_data in write_wakeup and close with RCU
|
||||
- [x86] firestream: fix memory leaks
|
||||
- gtp: make sure only SOCK_DGRAM UDP sockets are accepted
|
||||
- ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
|
||||
- net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
|
||||
- net: ip6_gre: fix moving ip6gre between namespaces
|
||||
- net, ip6_tunnel: fix namespaces move
|
||||
- net, ip_tunnel: fix namespaces move
|
||||
- net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
|
||||
- net_sched: fix datalen for ematch
|
||||
- net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
|
||||
- net-sysfs: fix netdev_queue_add_kobject() breakage
|
||||
- net-sysfs: Call dev_hold always in netdev_queue_add_kobject
|
||||
- net-sysfs: Call dev_hold always in rx_queue_add_kobject
|
||||
- net-sysfs: Fix reference count leak
|
||||
- net: usb: lan78xx: Add .ndo_features_check
|
||||
- Revert "udp: do rmem bulk free even if the rx sk queue is empty"
|
||||
- tcp_bbr: improve arithmetic division in bbr_update_bw()
|
||||
- tcp: do not leave dangling pointers in tp->highest_sack
|
||||
- tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
|
||||
- afs: Fix characters allowed into cell names
|
||||
- hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
|
||||
- hwmon: (core) Do not use device managed functions for memory allocations
|
||||
- PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken
|
||||
- tracing: trigger: Replace unneeded RCU-list traversals
|
||||
- Input: keyspan-remote - fix control-message timeouts
|
||||
- [x86] Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus
|
||||
transfers"
|
||||
- [arm64,armhf] mmc: tegra: fix SDR50 tuning override
|
||||
- mmc: sdhci: fix minimum clock rate for v3 controller
|
||||
- Documentation: Document arm64 kpti control
|
||||
- Input: sur40 - fix interface sanity checks
|
||||
- Input: gtco - fix endpoint sanity check
|
||||
- Input: aiptek - fix endpoint sanity check
|
||||
- Input: pegasus_notetaker - fix endpoint sanity check
|
||||
- [armhf] Input: sun4i-ts - add a check for
|
||||
devm_thermal_zone_of_sensor_register
|
||||
- netfilter: nft_osf: add missing check for DREG attribute
|
||||
- hwmon: (nct7802) Fix voltage limits to wrong registers
|
||||
- scsi: RDMA/isert: Fix a recently introduced regression related to logout
|
||||
- do_last(): fetch directory ->i_mode and ->i_uid before it's too late
|
||||
(CVE-2020-8428)
|
||||
- sd: Fix REQ_OP_ZONE_REPORT completion handling
|
||||
- [i386] crypto: geode-aes - switch to skcipher for cbc(aes) fallback
|
||||
- media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT
|
||||
- scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
|
||||
- netfilter: ipset: use bitmap infrastructure completely
|
||||
- netfilter: nf_tables: add __nft_chain_type_get()
|
||||
- mm/memory_hotplug: make remove_memory() take the device_hotplug_lock
|
||||
- mm, sparse: drop pgdat_resize_lock in sparse_add/remove_one_section()
|
||||
- mm, sparse: pass nid instead of pgdat to sparse_add_one_section()
|
||||
- drivers/base/memory.c: remove an unnecessary check on NR_MEM_SECTIONS
|
||||
- mm, memory_hotplug: add nid parameter to arch_remove_memory
|
||||
- mm/memory_hotplug: release memory resource after arch_remove_memory()
|
||||
- drivers/base/memory.c: clean up relics in function parameters
|
||||
- mm, memory_hotplug: update a comment in unregister_memory()
|
||||
- mm/memory_hotplug: make unregister_memory_section() never fail
|
||||
- mm/memory_hotplug: make __remove_section() never fail
|
||||
- [powerpc*] mm: Fix section mismatch warning
|
||||
- mm/memory_hotplug: make __remove_pages() and arch_remove_memory() never
|
||||
fail
|
||||
- [s390x] mm: implement arch_remove_memory()
|
||||
- mm/memory_hotplug: allow arch_remove_memory() without
|
||||
CONFIG_MEMORY_HOTREMOVE
|
||||
- drivers/base/memory: pass a block_id to init_memory_block()
|
||||
- mm/memory_hotplug: create memory block devices after arch_add_memory()
|
||||
- mm/memory_hotplug: remove memory block devices before
|
||||
arch_remove_memory()
|
||||
- mm/memory_hotplug: make unregister_memory_block_under_nodes() never fail
|
||||
- mm/memory_hotplug: remove "zone" parameter from
|
||||
sparse_remove_one_section
|
||||
- mm/hotplug: kill is_dev_zone() usage in __remove_pages()
|
||||
- drivers/base/node.c: simplify unregister_memory_block_under_nodes()
|
||||
- mm/memunmap: don't access uninitialized memmap in memunmap_pages()
|
||||
- mm/memory_hotplug: fix try_offline_node()
|
||||
- mm/memory_hotplug: shrink zones when offlining memory
|
||||
|
||||
[ Salvatore Bonaccorso ]
|
||||
* do_last(): fetch directory ->i_mode and ->i_uid before it's too late
|
||||
(CVE-2020-8428)
|
||||
* vfs: fix do_last() regression
|
||||
* Refresh "Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for
|
||||
out-of-tree modules"" for context changes in 4.19.99
|
||||
|
|
|
@ -1,70 +0,0 @@
|
|||
From: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Date: Sun, 26 Jan 2020 09:29:34 -0500
|
||||
Subject: do_last(): fetch directory ->i_mode and ->i_uid before it's too late
|
||||
Origin: https://git.kernel.org/linus/d0cb50185ae942b03c4327be322055d622dc79f6
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-8428
|
||||
|
||||
may_create_in_sticky() call is done when we already have dropped the
|
||||
reference to dir.
|
||||
|
||||
Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)
|
||||
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||||
[Salvatore Bonaccorso: Backport to 4.19.98 for context changes]
|
||||
---
|
||||
fs/namei.c | 17 ++++++++++-------
|
||||
1 file changed, 10 insertions(+), 7 deletions(-)
|
||||
|
||||
--- a/fs/namei.c
|
||||
+++ b/fs/namei.c
|
||||
@@ -1009,7 +1009,8 @@ static int may_linkat(struct path *link)
|
||||
* may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
|
||||
* should be allowed, or not, on files that already
|
||||
* exist.
|
||||
- * @dir: the sticky parent directory
|
||||
+ * @dir_mode: mode bits of directory
|
||||
+ * @dir_uid: owner of directory
|
||||
* @inode: the inode of the file to open
|
||||
*
|
||||
* Block an O_CREAT open of a FIFO (or a regular file) when:
|
||||
@@ -1025,18 +1026,18 @@ static int may_linkat(struct path *link)
|
||||
*
|
||||
* Returns 0 if the open is allowed, -ve on error.
|
||||
*/
|
||||
-static int may_create_in_sticky(struct dentry * const dir,
|
||||
+static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,
|
||||
struct inode * const inode)
|
||||
{
|
||||
if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
|
||||
(!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
|
||||
- likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
|
||||
- uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
|
||||
+ likely(!(dir_mode & S_ISVTX)) ||
|
||||
+ uid_eq(inode->i_uid, dir_uid) ||
|
||||
uid_eq(current_fsuid(), inode->i_uid))
|
||||
return 0;
|
||||
|
||||
- if (likely(dir->d_inode->i_mode & 0002) ||
|
||||
- (dir->d_inode->i_mode & 0020 &&
|
||||
+ if (likely(dir_mode & 0002) ||
|
||||
+ (dir_mode & 0020 &&
|
||||
((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
|
||||
(sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
|
||||
return -EACCES;
|
||||
@@ -3258,6 +3259,8 @@ static int do_last(struct nameidata *nd,
|
||||
struct file *file, const struct open_flags *op)
|
||||
{
|
||||
struct dentry *dir = nd->path.dentry;
|
||||
+ kuid_t dir_uid = dir->d_inode->i_uid;
|
||||
+ umode_t dir_mode = dir->d_inode->i_mode;
|
||||
int open_flag = op->open_flag;
|
||||
bool will_truncate = (open_flag & O_TRUNC) != 0;
|
||||
bool got_write = false;
|
||||
@@ -3393,7 +3396,7 @@ finish_open:
|
||||
error = -EISDIR;
|
||||
if (d_is_dir(nd->path.dentry))
|
||||
goto out;
|
||||
- error = may_create_in_sticky(dir,
|
||||
+ error = may_create_in_sticky(dir_mode, dir_uid,
|
||||
d_backing_inode(nd->path.dentry));
|
||||
if (unlikely(error))
|
||||
goto out;
|
|
@ -1,64 +0,0 @@
|
|||
From: Wen Huang <huangwenabc@gmail.com>
|
||||
Date: Thu, 28 Nov 2019 18:51:04 +0800
|
||||
Subject: libertas: Fix two buffer overflows at parsing bss descriptor
|
||||
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers.git/commit/?id=e5e884b42639c74b5b57dc277909915c0aefc8bb
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14896
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-14897
|
||||
|
||||
add_ie_rates() copys rates without checking the length
|
||||
in bss descriptor from remote AP.when victim connects to
|
||||
remote attacker, this may trigger buffer overflow.
|
||||
lbs_ibss_join_existing() copys rates without checking the length
|
||||
in bss descriptor from remote IBSS node.when victim connects to
|
||||
remote attacker, this may trigger buffer overflow.
|
||||
Fix them by putting the length check before performing copy.
|
||||
|
||||
This fix addresses CVE-2019-14896 and CVE-2019-14897.
|
||||
This also fix build warning of mixed declarations and code.
|
||||
|
||||
Reported-by: kbuild test robot <lkp@intel.com>
|
||||
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
drivers/net/wireless/marvell/libertas/cfg.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
--- a/drivers/net/wireless/marvell/libertas/cfg.c
|
||||
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
|
||||
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
|
||||
int hw, ap, ap_max = ie[1];
|
||||
u8 hw_rate;
|
||||
|
||||
+ if (ap_max > MAX_RATES) {
|
||||
+ lbs_deb_assoc("invalid rates\n");
|
||||
+ return tlv;
|
||||
+ }
|
||||
/* Advance past IE header */
|
||||
ie += 2;
|
||||
|
||||
@@ -1717,6 +1721,9 @@ static int lbs_ibss_join_existing(struct
|
||||
struct cmd_ds_802_11_ad_hoc_join cmd;
|
||||
u8 preamble = RADIO_PREAMBLE_SHORT;
|
||||
int ret = 0;
|
||||
+ int hw, i;
|
||||
+ u8 rates_max;
|
||||
+ u8 *rates;
|
||||
|
||||
/* TODO: set preamble based on scan result */
|
||||
ret = lbs_set_radio(priv, preamble, 1);
|
||||
@@ -1775,9 +1782,12 @@ static int lbs_ibss_join_existing(struct
|
||||
if (!rates_eid) {
|
||||
lbs_add_rates(cmd.bss.rates);
|
||||
} else {
|
||||
- int hw, i;
|
||||
- u8 rates_max = rates_eid[1];
|
||||
- u8 *rates = cmd.bss.rates;
|
||||
+ rates_max = rates_eid[1];
|
||||
+ if (rates_max > MAX_RATES) {
|
||||
+ lbs_deb_join("invalid rates");
|
||||
+ goto out;
|
||||
+ }
|
||||
+ rates = cmd.bss.rates;
|
||||
for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
|
||||
u8 hw_rate = lbs_rates[hw].bitrate / 5;
|
||||
for (i = 0; i < rates_max; i++) {
|
|
@ -295,10 +295,8 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
debian/ntfs-mark-it-as-broken.patch
|
||||
bugfix/all/libertas-fix-two-buffer-overflows-at-parsing-bss-descriptor.patch
|
||||
bugfix/all/wimax-i2400-fix-memory-leak.patch
|
||||
bugfix/all/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
|
||||
bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch
|
||||
bugfix/all/vfs-fix-do_last-regression.patch
|
||||
|
||||
# Backported change to provide boot-time entropy
|
||||
|
|
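Review bot: `bugfix/all/vfs-fix-do_last-regression.patch` stays in the series (the last retained entry before the blank line) even though it is the follow-up to `bugfix/all/do_last-fetch-directory-i_mode-and-i_uid-before-it-s.patch`, which this commit drops as merged in 4.19.100, and the changelog hunk appears to remove the `* vfs: fix do_last() regression` entry that documented it. If 4.19.100 also carries the upstream regression fix, the retained patch will no longer apply cleanly and should be dropped in this same commit; if it does not, the changelog entry for it should be kept rather than removed. Worth confirming against the ChangeLog-4.19.100 link added in the new changelog entry before merging.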