From e58e3e6be94fa74a631471ff37a562bf415dc53a Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sat, 12 Aug 2017 16:10:56 +0200
Subject: [PATCH] Update to 4.12.6
---
 debian/changelog | 117 +++++++++++++++++-
 ...low-of-offset-in-ip6_find_1stfragopt.patch | 55 --------
 ...x-double-fetch-PCIe-access-condition.patch | 77 ------------
 debian/patches/series | 2 -
 4 files changed, 114 insertions(+), 137 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
 delete mode 100644 debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
diff --git a/debian/changelog b/debian/changelog
index 60254a782..3a800fb8b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
+linux (4.12.6-1~exp1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.3
@@ -250,6 +250,119 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
 - ipmi/watchdog: fix watchdog timeout set on reboot
 - dentry name snapshots (CVE-2017-7533)
 - mmc: tmio-mmc: fix bad pointer math
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.12.6
+ - [hppa/parisc] Increase thread and stack size to 32kb
+ - [hppa/parisc] Handle vma's whose context is not current in
+ flush_cache_range
+ - scsi: lpfc: fix linking against modular NVMe support
+ - ACPI / LPSS: Only call pwm_add_table() for the first PWM controller
+ - cgroup: don't call migration methods if there are no tasks to migrate
+ - cgroup: create dfl_root files on subsys registration
+ - cgroup: fix error return value from cgroup_subtree_control()
+ - libata: array underflow in ata_find_dev()
+ - workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
+ - iwlwifi: dvm: prevent an out of bounds access
+ - brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice
+ - NFSv4: Fix EXCHANGE_ID corrupt verifier issue
+ - mmc: sdhci-of-at91: force card detect value for non removable devices
+ - mmc: core: Use device_property_read instead of of_property_read
+ - mmc: dw_mmc: Use device_property_read instead of of_property_read
+ - mm, mprotect: flush TLB if potentially racing with a parallel reclaim
+ leaving stale TLB entries
+ - mm/hugetlb.c: __get_user_pages ignores certain follow_hugetlb_page
+ errors
+ - userfaultfd: non-cooperative: notify about unmap of destination during
+ mremap
+ - userfaultfd_zeropage: return -ENOSPC in case mm has gone
+ - userfaultfd: non-cooperative: flush event_wqh at release time
+ - cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
+ - ocfs2: don't clear SGID when inheriting ACLs
+ - ALSA: hda - Fix speaker output from VAIO VPCL14M1R
+ - [x86] drm/amdgpu: fix header on gfx9 clear state
+ - [x86] drm/amdgpu: Fix undue fallthroughs in golden registers
+ initialization
+ - ASoC: fix pcm-creation regression
+ - ASoC: ux500: Restore platform DAI assignments
+ - ASoC: do not close shared backend dailink
+ - KVM: arm/arm64: Handle hva aging while destroying the vm
+ - KVM: async_pf: make rcu irq exit if not triggered from idle task
+ - timers: Fix overflow in get_next_timer_interrupt
+ - [powerpc*] tm: Fix saving of TM SPRs in core dump
+ - [powerpc/powerpc64] Fix __check_irq_replay missing decrementer interrupt
+ - iommu/amd: Enable ga_log_intr when enabling guest_mode
+ - [arm64] dts: marvell: armada-37xx: Fix the number of GPIO on south bridge
+ - gpiolib: skip unwanted events, don't convert them to opposite edge
+ - ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
+ - ext4: fix overflow caused by missing cast in ext4_resize_fs()
+ - [mips*] ralink: Fix build error due to missing header
+ - clk: sunxi-ng: sun5i: Add clk_set_rate_parent to the CPU clock
+ - ARM: mvebu: use __pa_symbol in the mv98dx3236 platform SMP code
+ - ARM: dts: armada-38x: Fix irq type for pca955
+ - ARM: dts: tango4: Request RGMII RX and TX clock delays
+ - media: pulse8-cec: persistent_config should be off by default
+ - media: lirc: LIRC_GET_REC_RESOLUTION should return microseconds
+ - media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS
+ ioctl
+ - ir-spi: Fix issues with lirc API
+ - tcmu: Fix flushing cmd entry dcache page
+ - tcmu: Fix possbile memory leak / OOPs when recalculating cmd base size
+ - ext4: preserve i_mode if __ext4_set_acl() fails
+ - ext4: Don't clear SGID when inheriting ACLs
+ - Btrfs: fix early ENOSPC due to delalloc
+ - blk-mq: Include all present CPUs in the default queue mapping
+ - blk-mq: Create hctx for each present CPU
+ - block: disable runtime-pm for blk-mq
+ - saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
+ - sctp: fix an array overflow when all ext chunks are set
+ - tcp_bbr: cut pacing rate only if filled pipe
+ - tcp_bbr: introduce bbr_bw_to_pacing_rate() helper
+ - tcp_bbr: introduce bbr_init_pacing_rate_from_rtt() helper
+ - tcp_bbr: remove sk_pacing_rate=0 transient during init
+ - tcp_bbr: init pacing rate on first RTT sample
+ - ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
+ - wireless: wext: terminate ifr name coming from userspace
+ - net: Zero terminate ifr_name in dev_ifname().
+ - net: dsa: mv88e6xxx: Enable CMODE config support for 6390X
+ - Revert "rtnetlink: Do not generate notifications for CHANGEADDR event"
+ - ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
+ - net: dsa: b53: Add missing ARL entries for BCM53125
+ - ipv4: initialize fib_trie prior to register_netdev_notifier call.
+ - rtnetlink: allocate more memory for dev_set_mac_address()
+ - net: bonding: Fix transmit load balancing in balance-alb mode
+ - mcs7780: Fix initialization when CONFIG_VMAP_STACK is enabled
+ - openvswitch: fix potential out of bound access in parse_ct
+ - packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
+ - ipv6: Don't increase IPSTATS_MIB_FRAGFAILS twice in ip6_fragment()
+ - net: ethernet: nb8800: Handle all 4 RGMII modes identically
+ - bonding: commit link status change after propose
+ - dccp: fix a memleak that dccp_ipv6 doesn't put reqsk properly
+ - dccp: fix a memleak that dccp_ipv4 doesn't put reqsk properly
+ - dccp: fix a memleak for dccp_feat_init err process
+ - net/mlx5: Consider tx_enabled in all modes on remap
+ - net/mlx5: Fix command completion after timeout access invalid structure
+ - net/mlx5: Fix command bad flow on command entry allocation failure
+ - sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
+ - sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
+ - net/mlx5e: IPoIB, Modify add/remove underlay QPN flows
+ - net/mlx5e: Fix outer_header_zero() check size
+ - net/mlx5: Fix mlx5_ifc_mtpps_reg_bits structure size
+ - net/mlx5e: Add field select to MTPPS register
+ - net/mlx5e: Fix broken disable 1PPS flow
+ - net/mlx5e: Change 1PPS out scheme
+ - net/mlx5e: Add missing support for PTP_CLK_REQ_PPS request
+ - net/mlx5e: Fix wrong delay calculation for overflow check scheduling
+ - net/mlx5e: Schedule overflow check work to mlx5e workqueue
+ - net/mlx5: Fix mlx5_add_flow_rules call with correct num of dests
+ - udp6: fix socket leak on early demux
+ - net: phy: Correctly process PHY_HALTED in phy_stop_machine()
+ - workqueue: implicit ordered attribute should be overridable
+ - ipv4: fib: Fix NULL pointer deref during fib_sync_down_dev()
+ - virtio_net: fix truesize for mergeable buffers
+ - [sparc64] Measure receiver forward progress to avoid send mondo timeout
+ - [sparc64] Prevent perf from running during super critical sections
+ - [sparc64] Register hugepages during arch init
+ - [sparc64] Fix exception handling in UltraSPARC-III memcpy.
+ - drm/vmwgfx: Fix cursor hotspot issue with Wayland on Fedora
 [ Ben Hutchings ]
 * media: Enable USB_RAINSHADOW_CEC as module (see #868511)
@@ -267,8 +380,6 @@ linux (4.12.5-1~exp1) UNRELEASED; urgency=medium
 linux-headers-*-common* (Closes: #869511)
 [ Salvatore Bonaccorso ]
- * ipv6: avoid overflow of offset in ip6_find_1stfragopt (CVE-2017-7542)
- * media: saa7164: fix double fetch PCIe access condition (CVE-2017-8831)
 * packet: fix tp_reserve race in packet_set_ring (CVE-2017-1000111)
 * udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
diff --git a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch b/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
deleted file mode 100644
index d1b4d726f..000000000
--- a/debian/patches/bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Sabrina Dubroca
-Date: Wed, 19 Jul 2017 22:28:55 +0200
-Subject: ipv6: avoid overflow of offset in ip6_find_1stfragopt
-Origin: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7542
-
-In some cases, offset can overflow and can cause an infinite loop in
-ip6_find_1stfragopt(). Make it unsigned int to prevent the overflow, and
-cap it at IPV6_MAXPLEN, since packets larger than that should be invalid.
-
-This problem has been here since before the beginning of git history.
-
-Signed-off-by: Sabrina Dubroca
-Acked-by: Hannes Frederic Sowa
-Signed-off-by: David S. Miller
----
- net/ipv6/output_core.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
-index e9065b8d3af8..abb2c307fbe8 100644
---- a/net/ipv6/output_core.c
-+++ b/net/ipv6/output_core.c
-@@ -78,7 +78,7 @@ EXPORT_SYMBOL(ipv6_select_ident);
-
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
-- u16 offset = sizeof(struct ipv6hdr);
-+ unsigned int offset = sizeof(struct ipv6hdr);
- unsigned int packet_len = skb_tail_pointer(skb) -
- skb_network_header(skb);
- int found_rhdr = 0;
-@@ -86,6 +86,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- while (offset <= packet_len) {
- struct ipv6_opt_hdr *exthdr;
-+ unsigned int len;
-
- switch (**nexthdr) {
-
-@@ -111,7 +112,10 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
-
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- offset);
-- offset += ipv6_optlen(exthdr);
-+ len = ipv6_optlen(exthdr);
-+ if (len + offset >= IPV6_MAXPLEN)
-+ return -EINVAL;
-+ offset += len;
- *nexthdr = &exthdr->nexthdr;
- }
-
---
-2.11.0
-
diff --git a/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch b/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
deleted file mode 100644
index bc642e1ef..000000000
--- a/debian/patches/bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-From: Steven Toth
-Date: Tue, 6 Jun 2017 09:30:27 -0300
-Subject: [media] saa7164: fix double fetch PCIe access condition
-Origin: https://git.kernel.org/linus/6fb05e0dd32e566facb96ea61a48c7488daa5ac3
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8831
-
-Avoid a double fetch by reusing the values from the prior transfer.
-
-Originally reported via https://bugzilla.kernel.org/show_bug.cgi?id=195559
-
-Thanks to Pengfei Wang for reporting.
-
-Signed-off-by: Steven Toth
-Reported-by: Pengfei Wang
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/pci/saa7164/saa7164-bus.c | 13 +------------
- 1 file changed, 1 insertion(+), 12 deletions(-)
-
-diff --git a/drivers/media/pci/saa7164/saa7164-bus.c b/drivers/media/pci/saa7164/saa7164-bus.c
-index b2ff82fa7116..ecfeac5cdbed 100644
---- a/drivers/media/pci/saa7164/saa7164-bus.c
-+++ b/drivers/media/pci/saa7164/saa7164-bus.c
-@@ -389,11 +389,11 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
- msg_tmp.size = le16_to_cpu((__force __le16)msg_tmp.size);
- msg_tmp.command = le32_to_cpu((__force __le32)msg_tmp.command);
- msg_tmp.controlselector = le16_to_cpu((__force __le16)msg_tmp.controlselector);
-+ memcpy(msg, &msg_tmp, sizeof(*msg));
-
- /* No need to update the read positions, because this was a peek */
- /* If the caller specifically want to peek, return */
- if (peekonly) {
-- memcpy(msg, &msg_tmp, sizeof(*msg));
- goto peekout;
- }
-
-@@ -438,21 +438,15 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
- space_rem = bus->m_dwSizeGetRing - curr_grp;
-
- if (space_rem < sizeof(*msg)) {
-- /* msg wraps around the ring */
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, space_rem);
-- memcpy_fromio((u8 *)msg + space_rem, bus->m_pdwGetRing,
-- sizeof(*msg) - space_rem);
- if (buf)
- memcpy_fromio(buf, bus->m_pdwGetRing + sizeof(*msg) -
- space_rem, buf_size);
-
- } else if (space_rem == sizeof(*msg)) {
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
- if (buf)
- memcpy_fromio(buf, bus->m_pdwGetRing, buf_size);
- } else {
- /* Additional data wraps around the ring */
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
- if (buf) {
- memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp +
- sizeof(*msg), space_rem - sizeof(*msg));
-@@ -465,15 +459,10 @@ int saa7164_bus_get(struct saa7164_dev *dev, struct tmComResInfo* msg,
-
- } else {
- /* No wrapping */
-- memcpy_fromio(msg, bus->m_pdwGetRing + curr_grp, sizeof(*msg));
- if (buf)
- memcpy_fromio(buf, bus->m_pdwGetRing + curr_grp + sizeof(*msg),
- buf_size);
- }
-- /* Convert from little endian to CPU */
-- msg->size = le16_to_cpu((__force __le16)msg->size);
-- msg->command = le32_to_cpu((__force __le32)msg->command);
-- msg->controlselector = le16_to_cpu((__force __le16)msg->controlselector);
-
- /* Update the read positions, adjusting the ring */
- saa7164_writel(bus->m_dwGetReadPos, new_grp);
---
-2.11.0
-
diff --git a/debian/patches/series b/debian/patches/series
index c211945f1..6e7b53657 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -119,8 +119,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/ipv6-avoid-overflow-of-offset-in-ip6_find_1stfragopt.patch
-bugfix/all/media-saa7164-fix-double-fetch-PCIe-access-condition.patch
 bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
 bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch