Apply regression and security fixes previously committed for 3.11.10-1
* net: clamp ->msg_namelen instead of returning an error * tcp: tsq: restore minimal amount of queueing * rds: prevent BUG_ON triggered on congestion update to loopback (CVE-2012-2372) * ipv6: fix headroom calculation in udp6_ufo_fragment (CVE-2013-4563) * [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381) * xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382) svn path=/dists/trunk/linux/; revision=20839
parent
c0e9d9ca3b
commit
e10fc52041
|
@ -14,6 +14,13 @@ linux (3.12.2-1~exp1) UNRELEASED; urgency=low
|
|||
* Enable CHECKPOINT_RESTORE (Closes: #682700)
|
||||
* Enable JUMP_LABEL (Closes: #730071)
|
||||
* [x86] staging: Enable CRYSTALHD as module (Closes: #730832)
|
||||
* net: clamp ->msg_namelen instead of returning an error
|
||||
* tcp: tsq: restore minimal amount of queueing
|
||||
* rds: prevent BUG_ON triggered on congestion update to loopback
|
||||
(CVE-2012-2372)
|
||||
* ipv6: fix headroom calculation in udp6_ufo_fragment (CVE-2013-4563)
|
||||
* [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381)
|
||||
* xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382)
|
||||
|
||||
[ Bastian Blank ]
|
||||
* Use compiler name instead of Linux version in compiler meta-packages.
|
||||
|
|
35
debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
vendored
Normal file
|
@ -0,0 +1,35 @@
|
|||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Tue, 5 Nov 2013 02:41:27 +0100
|
||||
Subject: ipv6: fix headroom calculation in udp6_ufo_fragment
|
||||
Origin: https://git.kernel.org/linus/0e033e04c2678dbbe74a46b23fffb7bb918c288e
|
||||
|
||||
Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
|
||||
fragmentation for tunnel traffic.") changed the calculation if
|
||||
there is enough space to include a fragment header in the skb from a
|
||||
skb->mac_header dervived one to skb_headroom. Because we already peeled
|
||||
off the skb to transport_header this is wrong. Change this back to check
|
||||
if we have enough room before the mac_header.
|
||||
|
||||
This fixes a panic Saran Neti reported. He used the tbf scheduler which
|
||||
skb_gso_segments the skb. The offsets get negative and we panic in memcpy
|
||||
because the skb was erroneously not expanded at the head.
|
||||
|
||||
Reported-by: Saran Neti <Saran.Neti@telus.com>
|
||||
Cc: Pravin B Shelar <pshelar@nicira.com>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/udp_offload.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- a/net/ipv6/udp_offload.c
|
||||
+++ b/net/ipv6/udp_offload.c
|
||||
@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment
|
||||
|
||||
/* Check if there is enough headroom to insert fragment header. */
|
||||
tnl_hlen = skb_tnl_header_len(skb);
|
||||
- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
|
||||
+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
|
||||
if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
|
||||
goto out;
|
||||
}
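Review bot: The comment kept above the changed test, `/* Check if there is enough headroom to insert fragment header. */`, no longer matches what is compared, since the new condition tests `skb->mac_header` rather than `skb_headroom(skb)`. The patch description says the difference matters because the skb has already been pulled to the transport header, so I would reword the comment along the lines of `/* Check for room in front of the MAC header; skb_headroom() is wrong here because data already points at the transport header. */`. The comparison also depends on `skb->mac_header` being an offset from `skb->head` and not a pointer, which is not visible in this hunk and is worth confirming against the 3.12 base. udp6_ufo_fragment starts and ends outside the hunk.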
|
47
debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
vendored
Normal file
|
@ -0,0 +1,47 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Wed, 27 Nov 2013 15:40:21 +0300
|
||||
Subject: net: clamp ->msg_namelen instead of returning an error
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=db31c55a6fb245fdbb752a2ca4aefec89afabb06
|
||||
|
||||
If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
|
||||
original code that would lead to memory corruption in the kernel if you
|
||||
had audit configured. If you didn't have audit configured it was
|
||||
harmless.
|
||||
|
||||
There are some programs such as beta versions of Ruby which use too
|
||||
large of a buffer and returning an error code breaks them. We should
|
||||
clamp the ->msg_namelen value instead.
|
||||
|
||||
Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
|
||||
Reported-by: Eric Wong <normalperson@yhbt.net>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Tested-by: Eric Wong <normalperson@yhbt.net>
|
||||
Acked-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/compat.c | 2 +-
|
||||
net/socket.c | 2 +-
|
||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/net/compat.c
|
||||
+++ b/net/compat.c
|
||||
@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kms
|
||||
__get_user(kmsg->msg_flags, &umsg->msg_flags))
|
||||
return -EFAULT;
|
||||
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
- return -EINVAL;
|
||||
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
|
||||
kmsg->msg_name = compat_ptr(tmp1);
|
||||
kmsg->msg_iov = compat_ptr(tmp2);
|
||||
kmsg->msg_control = compat_ptr(tmp3);
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1970,7 +1970,7 @@ static int copy_msghdr_from_user(struct
|
||||
if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
|
||||
return -EFAULT;
|
||||
if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
|
||||
- return -EINVAL;
|
||||
+ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
|
||||
return 0;
|
||||
}
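Review bot: Negative lengths appear to be accepted after this change, in both get_compat_msghdr() and copy_msghdr_from_user(). The test `kmsg->msg_namelen > sizeof(struct sockaddr_storage)` compares against an unsigned `sizeof`, so if `msg_namelen` is a signed int (its declaration is not in the hunk) a negative value converts to a large unsigned one and is now clamped to the maximum instead of being rejected. Clamping is meant for oversized name buffers, so I would reject the negative case first with `if (kmsg->msg_namelen < 0) return -EINVAL;` ahead of the clamp in both functions. A comment such as `/* clamp rather than fail: some callers pass an oversized name buffer */` would also stop a later reader from restoring the error return. Both functions begin outside their hunks.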
|
||||
|
36
debian/patches/bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
vendored
Normal file
|
@ -0,0 +1,36 @@
|
|||
Subject: rds: prevent BUG_ON triggered on congestion update to loopback
|
||||
From: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||
Date: Mon, 25 Nov 2013 09:47:34 +0300
|
||||
Origin: http://patchwork.ozlabs.org/patch/293827/
|
||||
|
||||
After congestion update on a local connection, when rds_ib_xmit returns
|
||||
less bytes than that are there in the message, rds_send_xmit calls
|
||||
back rds_ib_xmit with an offset that causes BUG_ON(off & RDS_FRAG_SIZE)
|
||||
to trigger.
|
||||
|
||||
Reported-by: Josh Hunt <joshhunt00@gmail.com>
|
||||
Tested-by: Honggang Li <honli@redhat.com>
|
||||
Acked-by: Bang Nguyen <bang.nguyen@oracle.com>
|
||||
Signed-off-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
|
||||
---
|
||||
net/rds/ib_send.c | 5 ++---
|
||||
1 files changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
|
||||
index e590949..37be6e2 100644
|
||||
--- a/net/rds/ib_send.c
|
||||
+++ b/net/rds/ib_send.c
|
||||
@@ -552,9 +552,8 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
|
||||
&& rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
|
||||
rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
|
||||
scat = &rm->data.op_sg[sg];
|
||||
- ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
|
||||
- ret = min_t(int, ret, scat->length - conn->c_xmit_data_off);
|
||||
- return ret;
|
||||
+ ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length);
|
||||
+ return sizeof(struct rds_header) + ret;
|
||||
}
|
||||
|
||||
/* FIXME we may overallocate here */
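Review bot: The new return value in the RDS_FLAG_CONG_BITMAP branch of rds_ib_xmit() has no comment explaining why it reports the larger of `RDS_CONG_MAP_BYTES` and `scat->length` as sent. The reason is only in the patch description (a short return makes rds_send_xmit call back with an offset that trips the BUG_ON), so I would add `/* report the whole message as sent so the caller never retries with a partial offset */` above the `max_t` line. `max_t(int, ...)` also converts `scat->length` to int; its type is not visible here, and if it is unsigned then `max_t(unsigned int, ...)` would avoid the narrowing. The function starts and ends outside the hunk.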
|
|
@ -0,0 +1,85 @@
|
|||
From: Eric Dumazet <edumazet@google.com>
|
||||
Date: Wed, 13 Nov 2013 06:32:54 -0800
|
||||
Subject: tcp: tsq: restore minimal amount of queueing
|
||||
Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=98e09386c0ef4dfd48af7ba60ff908f0d525cdee
|
||||
|
||||
After commit c9eeec26e32e ("tcp: TSQ can use a dynamic limit"), several
|
||||
users reported throughput regressions, notably on mvneta and wifi
|
||||
adapters.
|
||||
|
||||
802.11 AMPDU requires a fair amount of queueing to be effective.
|
||||
|
||||
This patch partially reverts the change done in tcp_write_xmit()
|
||||
so that the minimal amount is sysctl_tcp_limit_output_bytes.
|
||||
|
||||
It also remove the use of this sysctl while building skb stored
|
||||
in write queue, as TSO autosizing does the right thing anyway.
|
||||
|
||||
Users with well behaving NICS and correct qdisc (like sch_fq),
|
||||
can then lower the default sysctl_tcp_limit_output_bytes value from
|
||||
128KB to 8KB.
|
||||
|
||||
This new usage of sysctl_tcp_limit_output_bytes permits each driver
|
||||
authors to check how their driver performs when/if the value is set
|
||||
to a minimum of 4KB.
|
||||
|
||||
Normally, line rate for a single TCP flow should be possible,
|
||||
but some drivers rely on timers to perform TX completion and
|
||||
too long TX completion delays prevent reaching full throughput.
|
||||
|
||||
Fixes: c9eeec26e32e ("tcp: TSQ can use a dynamic limit")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Reported-by: Sujith Manoharan <sujith@msujith.org>
|
||||
Reported-by: Arnaud Ebalard <arno@natisbad.org>
|
||||
Tested-by: Sujith Manoharan <sujith@msujith.org>
|
||||
Cc: Felix Fietkau <nbd@openwrt.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
Documentation/networking/ip-sysctl.txt | 3 ---
|
||||
net/ipv4/tcp.c | 6 ------
|
||||
net/ipv4/tcp_output.c | 6 +++++-
|
||||
3 files changed, 5 insertions(+), 10 deletions(-)
|
||||
|
||||
--- a/Documentation/networking/ip-sysctl.txt
|
||||
+++ b/Documentation/networking/ip-sysctl.txt
|
||||
@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER
|
||||
typical pfifo_fast qdiscs.
|
||||
tcp_limit_output_bytes limits the number of bytes on qdisc
|
||||
or device to reduce artificial RTT/cwnd and reduce bufferbloat.
|
||||
- Note: For GSO/TSO enabled flows, we try to have at least two
|
||||
- packets in flight. Reducing tcp_limit_output_bytes might also
|
||||
- reduce the size of individual GSO packet (64KB being the max)
|
||||
Default: 131072
|
||||
|
||||
tcp_challenge_ack_limit - INTEGER
|
||||
--- a/net/ipv4/tcp.c
|
||||
+++ b/net/ipv4/tcp.c
|
||||
@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(s
|
||||
xmit_size_goal = min_t(u32, gso_size,
|
||||
sk->sk_gso_max_size - 1 - hlen);
|
||||
|
||||
- /* TSQ : try to have at least two segments in flight
|
||||
- * (one in NIC TX ring, another in Qdisc)
|
||||
- */
|
||||
- xmit_size_goal = min_t(u32, xmit_size_goal,
|
||||
- sysctl_tcp_limit_output_bytes >> 1);
|
||||
-
|
||||
xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal);
|
||||
|
||||
/* We try hard to avoid divides here */
|
||||
--- a/net/ipv4/tcp_output.c
|
||||
+++ b/net/ipv4/tcp_output.c
|
||||
@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock *
|
||||
* - better RTT estimation and ACK scheduling
|
||||
* - faster recovery
|
||||
* - high rates
|
||||
+ * Alas, some drivers / subsystems require a fair amount
|
||||
+ * of queued bytes to ensure line rate.
|
||||
+ * One example is wifi aggregation (802.11 AMPDU)
|
||||
*/
|
||||
- limit = max(skb->truesize, sk->sk_pacing_rate >> 10);
|
||||
+ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes,
|
||||
+ sk->sk_pacing_rate >> 10);
|
||||
|
||||
if (atomic_read(&sk->sk_wmem_alloc) > limit) {
|
||||
set_bit(TSQ_THROTTLED, &tp->tsq_flags);
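Review bot: The ip-sysctl.txt hunk deletes the GSO/TSO note but adds nothing to say that tcp_limit_output_bytes is now the minimum amount each socket may queue, which is how the tcp_write_xmit() hunk uses it. I would add a sentence there such as `Note: this value is also the lower bound of the per-socket TSQ limit.` In tcp_write_xmit(), `max_t(unsigned int, sysctl_tcp_limit_output_bytes, sk->sk_pacing_rate >> 10)` casts the sysctl to unsigned; its declared type and accepted range are not visible in these hunks. If it is a plain int with no lower bound in the sysctl table, a negative setting would become a very large limit and effectively disable throttling, so a minimum on the sysctl entry is worth checking. tcp_write_xmit() begins and ends outside the hunk.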
|
|
@ -0,0 +1,46 @@
|
|||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Sat, 23 Nov 2013 15:59:42 +1100
|
||||
Subject: xfs: underflow bug in xfs_attrlist_by_handle()
|
||||
Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
||||
If we allocate less than sizeof(struct attrlist) then we end up corrupting
|
||||
memory or doing a ZERO_PTR_SIZE dereference.
|
||||
|
||||
This can only be triggered with CAP_SYS_ADMIN.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Acked-by: Ben Myers <bpm@sgi.com>
|
||||
Cc: Alex Elder <elder@kernel.org>
|
||||
Reviewed-by: Dave Chinner <dchinner@redhat.com>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
---
|
||||
fs/xfs/xfs_ioctl.c | 3 ++-
|
||||
fs/xfs/xfs_ioctl32.c | 3 ++-
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/fs/xfs/xfs_ioctl.c
|
||||
+++ b/fs/xfs/xfs_ioctl.c
|
||||
@@ -443,7 +443,8 @@ xfs_attrlist_by_handle(
|
||||
return -XFS_ERROR(EPERM);
|
||||
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
|
||||
return -XFS_ERROR(EFAULT);
|
||||
- if (al_hreq.buflen > XATTR_LIST_MAX)
|
||||
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
|
||||
+ al_hreq.buflen > XATTR_LIST_MAX)
|
||||
return -XFS_ERROR(EINVAL);
|
||||
|
||||
/*
|
||||
--- a/fs/xfs/xfs_ioctl32.c
|
||||
+++ b/fs/xfs/xfs_ioctl32.c
|
||||
@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle(
|
||||
if (copy_from_user(&al_hreq, arg,
|
||||
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
|
||||
return -XFS_ERROR(EFAULT);
|
||||
- if (al_hreq.buflen > XATTR_LIST_MAX)
|
||||
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
|
||||
+ al_hreq.buflen > XATTR_LIST_MAX)
|
||||
return -XFS_ERROR(EINVAL);
|
||||
|
||||
/*
|
|
@ -0,0 +1,43 @@
|
|||
From: Ursula Braun <ursula.braun@de.ibm.com>
|
||||
Date: Wed, 6 Nov 2013 09:04:52 +0100
|
||||
Subject: qeth: avoid buffer overflow in snmp ioctl
|
||||
Origin: https://git.kernel.org/linus/6fb392b1a63ae36c31f62bc3fc8630b49d602b62
|
||||
|
||||
Check user-defined length in snmp ioctl request and allow request
|
||||
only if it fits into a qeth command buffer.
|
||||
|
||||
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
|
||||
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
|
||||
Reviewed-by: Heiko Carstens <heicars2@linux.vnet.ibm.com>
|
||||
Reported-by: Nico Golde <nico@ngolde.de>
|
||||
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
|
||||
Cc: <stable@vger.kernel.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
drivers/s390/net/qeth_core_main.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
|
||||
index 0a328d0..bd8c09e 100644
|
||||
--- a/drivers/s390/net/qeth_core_main.c
|
||||
+++ b/drivers/s390/net/qeth_core_main.c
|
||||
@@ -4451,7 +4451,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
|
||||
struct qeth_cmd_buffer *iob;
|
||||
struct qeth_ipa_cmd *cmd;
|
||||
struct qeth_snmp_ureq *ureq;
|
||||
- int req_len;
|
||||
+ unsigned int req_len;
|
||||
struct qeth_arp_query_info qinfo = {0, };
|
||||
int rc = 0;
|
||||
|
||||
@@ -4467,6 +4467,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
|
||||
/* skip 4 bytes (data_len struct member) to get req_len */
|
||||
if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int)))
|
||||
return -EFAULT;
|
||||
+ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE -
|
||||
+ sizeof(struct qeth_ipacmd_hdr) -
|
||||
+ sizeof(struct qeth_ipacmd_setadpparms_hdr)))
|
||||
+ return -EINVAL;
|
||||
ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr));
|
||||
if (IS_ERR(ureq)) {
|
||||
QETH_CARD_TEXT(card, 2, "snmpnome");
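Review bot: The length bounds-checked in the second hunk is fetched from user memory separately from the data it guards. `req_len` comes from the `copy_from_user()` at `udata + sizeof(int)`, and `memdup_user()` then copies the same header a second time into `ureq`. The rest of qeth_snmp_command() is outside the hunk; if it reads a length back out of `ureq` instead of using the checked local, a value changed between the two reads would not be covered by the new test, so later code should rely only on `req_len`. Separately, the copy still uses `sizeof(int)` although the variable is now `unsigned int`, and `sizeof(req_len)` would keep the two in step. The subtraction chain in the new check would also read better as a named constant with a one-line comment saying it is the space left in the command buffer.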
|
|
@ -75,3 +75,9 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
|||
debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
|
||||
bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
|
||||
bugfix/all/HID-uhid-fix-leak-for-64-32-UHID_CREATE.mbox
|
||||
bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
|
||||
bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch
|
||||
bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
|
||||
bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
|
||||
bugfix/s390/qeth-avoid-buffer-overflow-in-snmp-ioctl.patch
|
||||
bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
|
||||
|
|