Update to 4.18.11

Romain Perier 2018-10-14 16:11:01 +02:00
parent 88995ec002
commit eba87a92ee
5 changed files with 85 additions and 305 deletions

debian/changelog

@ -1,5 +1,89 @@
linux (4.18.10-3) UNRELEASED; urgency=medium
linux (4.18.11-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.11
- gso_segment: Reset skb->mac_len after modifying network header
- ipv6: fix possible use-after-free in ip6_xmit()
- net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
- [alpha, hppa, x86] net: hp100: fix always-true check for link up state
- pppoe: fix reception of frames with no mac header
- qmi_wwan: set DTR for modems in forced USB2 mode
- udp4: fix IP_CMSG_CHECKSUM for connected sockets
- neighbour: confirm neigh entries when ARP packet is received
- udp6: add missing checks on edumux packet processing
- net/sched: act_sample: fix NULL dereference in the data path
- hv_netvsc: fix schedule in RCU context
- [arm64, armhf] net: dsa: mv88e6xxx: Fix ATU Miss Violation
- socket: fix struct ifreq size in compat ioctl
- bnxt_en: Fix VF mac address regression.
- ipv6: use rt6_info members when dst is set in rt6_fill_node
- net/ipv6: do not copy dst flags on rt init
- [arm64, armhf] net: mvpp2: let phylink manage the carrier state
- net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags
- NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
- NFC: Fix the number of pipes
- ASoC: uapi: fix sound/skl-tplg-interface.h userspace compilation errors
- ALSA: bebob: fix memory leak for M-Audio FW1814 and ProjectMix I/O at
error path
- ALSA: bebob: use address returned by kmalloc() instead of kernel stack for
streaming DMA mapping
- [powerpc*, mips*, x86, alpha, sparc*] ALSA: emu10k1: fix possible info
leak to userspace on SNDRV_EMU10K1_IOCTL_INFO
- ALSA: firewire-digi00x: fix memory leak of private data
- ALSA: firewire-tascam: fix memory leak of private data
- ALSA: fireworks: fix memory leak of response buffer at error path
- ALSA: oxfw: fix memory leak for model-dependent data at error path
- ALSA: oxfw: fix memory leak of discovered stream formats at error path
- ALSA: oxfw: fix memory leak of private data
- mtd: devices: m25p80: Make sure the buffer passed in op is DMA-able
- [x86] platform: dell-smbios-wmi: Correct a memory leak
- [x86] platform: alienware-wmi: Correct a memory leak
- xen/netfront: don't bug in case of too many frags
- Revert "PCI: Add ACS quirk for Intel 300 series"
- crypto: x86/aegis,morus - Do not require OSXSAVE for SSE2
- fork: report pid exhaustion correctly
- mm: disable deferred struct page for 32-bit arches
- mm: shmem.c: Correctly annotate new inodes for lockdep
- bpf/verifier: disallow pointer subtraction
- Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct
member name"
- scsi: target: iscsi: Use hex2bin instead of a re-implementation
- scsi: target: iscsi: Use bin2hex instead of a re-implementation
- Revert "ubifs: xattr: Don't operate on deleted inodes"
- libata: mask swap internal and hardware tag
- ocfs2: fix ocfs2 read block panic
- drm/i915/bdw: Increase IPS disable timeout to 100ms
- drm/nouveau: Reset MST branching unit before enabling
- drm/nouveau: Only write DP_MSTM_CTRL when needed
- drm/nouveau: Remove duplicate poll_enable() in pmops_runtime_suspend()
- drm/nouveau: Fix deadlocks in nouveau_connector_detect()
- drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
- drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement
- drm/nouveau/drm/nouveau: Fix deadlock with fb_helper with async RPM
requests
- drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in
connector_detect()
- drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
- drm/vc4: Fix the "no scaling" case on multi-planar YUV formats
- drm: udl: Destroy framebuffer only if it was initialized
- drm/amdgpu: add new polaris pci id
- tty: vt_ioctl: fix potential Spectre v1
- ext4: check to make sure the rename(2)'s destination is not freed
- ext4: avoid divide by zero fault when deleting corrupted inline
directories
- ext4: avoid arithemetic overflow that can trigger a BUG
- ext4: recalucate superblock checksum after updating free blocks/inodes
- ext4: fix online resize's handling of a too-small final block group
- ext4: fix online resizing for bigalloc file systems with a 1k block size
- ext4: don't mark mmp buffer head dirty
- ext4: show test_dummy_encryption mount option in /proc/mounts
- ext4, dax: add ext4_bmap to ext4_dax_aops
- ext4, dax: set ext4_dax_aops for dax files
- sched/fair: Fix vruntime_normalized() for remote non-migration wakeup
- [x86] vmw_balloon: include asm/io.h
- iw_cxgb4: only allow 1 flush on user qps
[ Ben Hutchings ]
* linux-perf: Fix BPF feature detection
-- Ben Hutchings <ben@decadent.org.uk> Mon, 08 Oct 2018 19:02:53 +0100
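Review bot: the new upstream entry "scsi: target: iscsi: Use hex2bin instead of a re-implementation" carries no CVE annotation, although the local patch dropped by this commit cites CVE-2018-14633 in its Bug-Debian-Security header. Appending "(CVE-2018-14633)" to that line would keep the fix traceable from the changelog once the standalone patch is gone from the series.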


@ -1,58 +0,0 @@
From: Lubomir Rintel <lkundrak@v3.sk>
Date: Mon, 24 Sep 2018 13:18:34 +0100
Subject: Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a
struct member name"
Origin: https://git.kernel.org/linus/8c0f9f5b309d627182d5da72a69246f58bde1026
Bug-Debian: https://bugs.debian.org/909813
This changes UAPI, breaking iwd and libell:
ell/key.c: In function 'kernel_dh_compute':
ell/key.c:205:38: error: 'struct keyctl_dh_params' has no member named 'private'; did you mean 'dh_private'?
struct keyctl_dh_params params = { .private = private,
^~~~~~~
dh_private
This reverts commit 8a2336e549d385bb0b46880435b411df8d8200e8.
Fixes: 8a2336e549d3 ("uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name")
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Randy Dunlap <rdunlap@infradead.org>
cc: Mat Martineau <mathew.j.martineau@linux.intel.com>
cc: Stephan Mueller <smueller@chronox.de>
cc: James Morris <jmorris@namei.org>
cc: "Serge E. Hallyn" <serge@hallyn.com>
cc: Mat Martineau <mathew.j.martineau@linux.intel.com>
cc: Andrew Morton <akpm@linux-foundation.org>
cc: Linus Torvalds <torvalds@linux-foundation.org>
cc: <stable@vger.kernel.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/keyctl.h | 2 +-
security/keys/dh.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/include/uapi/linux/keyctl.h
+++ b/include/uapi/linux/keyctl.h
@@ -65,7 +65,7 @@
/* keyctl structures */
struct keyctl_dh_params {
- __s32 dh_private;
+ __s32 private;
__s32 prime;
__s32 base;
};
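Review bot: the restored member name `private` in `struct keyctl_dh_params` has no comment in the header saying why it has to stay, even though that name is exactly what the reverted commit changed for being a C++ reserved keyword. A short comment above the struct noting that userspace (iwd and libell, per the build error quoted in the message) initialises `.private` by name would stop the rename from being attempted again.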
--- a/security/keys/dh.c
+++ b/security/keys/dh.c
@@ -300,7 +300,7 @@ long __keyctl_dh_compute(struct keyctl_d
}
dh_inputs.g_size = dlen;
- dlen = dh_data_from_key(pcopy.dh_private, &dh_inputs.key);
+ dlen = dh_data_from_key(pcopy.private, &dh_inputs.key);
if (dlen < 0) {
ret = dlen;
goto out2;


@ -1,62 +0,0 @@
From: Vincent Pelletier <plr.vincent@gmail.com>
Date: Sun, 9 Sep 2018 04:09:27 +0000
Subject: scsi: target: iscsi: Use bin2hex instead of a re-implementation
Origin: https://git.kernel.org/linus/8c39e2699f8acb2e29782a834e56306da24937fe
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/target/iscsi/iscsi_target_auth.c | 15 +++------------
1 file changed, 3 insertions(+), 12 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
index 6c3b4c022894..4e680d753941 100644
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -26,15 +26,6 @@
#include "iscsi_target_nego.h"
#include "iscsi_target_auth.h"
-static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
-{
- int i;
-
- for (i = 0; i < src_len; i++) {
- sprintf(&dst[i*2], "%02x", (int) src[i] & 0xff);
- }
-}
-
static int chap_gen_challenge(
struct iscsi_conn *conn,
int caller,
@@ -50,7 +41,7 @@ static int chap_gen_challenge(
ret = get_random_bytes_wait(chap->challenge, CHAP_CHALLENGE_LENGTH);
if (unlikely(ret))
return ret;
- chap_binaryhex_to_asciihex(challenge_asciihex, chap->challenge,
+ bin2hex(challenge_asciihex, chap->challenge,
CHAP_CHALLENGE_LENGTH);
/*
* Set CHAP_C, and copy the generated challenge into c_str.
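Review bot: `bin2hex(challenge_asciihex, chap->challenge, CHAP_CHALLENGE_LENGTH)` does not NUL-terminate its output, whereas the removed helper did through `sprintf(&dst[i*2], "%02x", ...)`, so the string is now terminated only if the buffer was zeroed beforehand. The hunks do not show the declarations, so confirm that `challenge_asciihex` and `response` are sized for the extra byte and cleared before these calls, since `response` is later passed to `%s` in `pr_debug()` and in the `CHAP_R=0x%s` `sprintf()`.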
@@ -289,7 +280,7 @@ static int chap_server_compute_md5(
goto out;
}
- chap_binaryhex_to_asciihex(response, server_digest, MD5_SIGNATURE_SIZE);
+ bin2hex(response, server_digest, MD5_SIGNATURE_SIZE);
pr_debug("[server] MD5 Server Digest: %s\n", response);
if (memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE) != 0) {
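Review bot: the context line `memcmp(server_digest, client_digest, MD5_SIGNATURE_SIZE)` compares the expected CHAP response with the client-supplied one using a routine that is not guaranteed to run in constant time. While this function is being touched, switching to a constant-time comparison such as `crypto_memneq()` would be the safer choice for an authentication digest. The `pr_debug()` just above it also writes the expected server digest to the log when debug output is enabled, which is worth keeping in mind on production targets.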
@@ -411,7 +402,7 @@ static int chap_server_compute_md5(
/*
* Convert response from binary hex to ascii hext.
*/
- chap_binaryhex_to_asciihex(response, digest, MD5_SIGNATURE_SIZE);
+ bin2hex(response, digest, MD5_SIGNATURE_SIZE);
*nr_out_len += sprintf(nr_out_ptr + *nr_out_len, "CHAP_R=0x%s",
response);
*nr_out_len += 1;
--
2.11.0


@ -1,181 +0,0 @@
From: Vincent Pelletier <plr.vincent@gmail.com>
Date: Sun, 9 Sep 2018 04:09:26 +0000
Subject: scsi: target: iscsi: Use hex2bin instead of a re-implementation
Origin: https://git.kernel.org/linus/1816494330a83f2a064499d8ed2797045641f92c
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-14633
This change has the following effects, in order of descreasing importance:
1) Prevent a stack buffer overflow
2) Do not append an unnecessary NULL to an anyway binary buffer, which
is writing one byte past client_digest when caller is:
chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
The latter was found by KASAN (see below) when input value hes expected size
(32 hex chars), and further analysis revealed a stack buffer overflow can
happen when network-received value is longer, allowing an unauthenticated
remote attacker to smash up to 17 bytes after destination buffer (16 bytes
attacker-controlled and one null). As switching to hex2bin requires
specifying destination buffer length, and does not internally append any null,
it solves both issues.
This addresses CVE-2018-14633.
Beyond this:
- Validate received value length and check hex2bin accepted the input, to log
this rejection reason instead of just failing authentication.
- Only log received CHAP_R and CHAP_C values once they passed sanity checks.
==================================================================
BUG: KASAN: stack-out-of-bounds in chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
Write of size 1 at addr ffff8801090ef7c8 by task kworker/0:0/1021
CPU: 0 PID: 1021 Comm: kworker/0:0 Tainted: G O 4.17.8kasan.sess.connops+ #2
Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 05/19/2014
Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod]
Call Trace:
dump_stack+0x71/0xac
print_address_description+0x65/0x22e
? chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
kasan_report.cold.6+0x241/0x2fd
chap_string_to_hex+0x32/0x60 [iscsi_target_mod]
chap_server_compute_md5.isra.2+0x2cb/0x860 [iscsi_target_mod]
? chap_binaryhex_to_asciihex.constprop.5+0x50/0x50 [iscsi_target_mod]
? ftrace_caller_op_ptr+0xe/0xe
? __orc_find+0x6f/0xc0
? unwind_next_frame+0x231/0x850
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? ret_from_fork+0x35/0x40
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? deref_stack_reg+0xd0/0xd0
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? is_module_text_address+0xa/0x11
? kernel_text_address+0x4c/0x110
? __save_stack_trace+0x82/0x100
? ret_from_fork+0x35/0x40
? save_stack+0x8c/0xb0
? 0xffffffffc1660000
? iscsi_target_do_login+0x155/0x8d0 [iscsi_target_mod]
? iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? process_one_work+0x35c/0x640
? worker_thread+0x66/0x5d0
? kthread+0x1a0/0x1c0
? ret_from_fork+0x35/0x40
? iscsi_update_param_value+0x80/0x80 [iscsi_target_mod]
? iscsit_release_cmd+0x170/0x170 [iscsi_target_mod]
chap_main_loop+0x172/0x570 [iscsi_target_mod]
? chap_server_compute_md5.isra.2+0x860/0x860 [iscsi_target_mod]
? rx_data+0xd6/0x120 [iscsi_target_mod]
? iscsit_print_session_params+0xd0/0xd0 [iscsi_target_mod]
? cyc2ns_read_begin.part.2+0x90/0x90
? _raw_spin_lock_irqsave+0x25/0x50
? memcmp+0x45/0x70
iscsi_target_do_login+0x875/0x8d0 [iscsi_target_mod]
? iscsi_target_check_first_request.isra.5+0x1a0/0x1a0 [iscsi_target_mod]
? del_timer+0xe0/0xe0
? memset+0x1f/0x40
? flush_sigqueue+0x29/0xd0
iscsi_target_do_login_rx+0x3bc/0x4c0 [iscsi_target_mod]
? iscsi_target_nego_release+0x80/0x80 [iscsi_target_mod]
? iscsi_target_restore_sock_callbacks+0x130/0x130 [iscsi_target_mod]
process_one_work+0x35c/0x640
worker_thread+0x66/0x5d0
? flush_rcu_work+0x40/0x40
kthread+0x1a0/0x1c0
? kthread_bind+0x30/0x30
ret_from_fork+0x35/0x40
The buggy address belongs to the page:
page:ffffea0004243bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x17fffc000000000()
raw: 017fffc000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0004243c20 ffffea0004243ba0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801090ef680: f2 f2 f2 f2 f2 f2 f2 01 f2 f2 f2 f2 f2 f2 f2 00
ffff8801090ef700: f2 f2 f2 f2 f2 f2 f2 00 02 f2 f2 f2 f2 f2 f2 00
>ffff8801090ef780: 00 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2 00
^
ffff8801090ef800: 00 f2 f2 f2 f2 f2 f2 00 00 00 00 02 f2 f2 f2 f2
ffff8801090ef880: f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00
==================================================================
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Reviewed-by: Mike Christie <mchristi@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/target/iscsi/iscsi_target_auth.c | 30 ++++++++++++++----------------
1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_auth.c b/drivers/target/iscsi/iscsi_target_auth.c
index 9518ffd8b8ba..6c3b4c022894 100644
--- a/drivers/target/iscsi/iscsi_target_auth.c
+++ b/drivers/target/iscsi/iscsi_target_auth.c
@@ -26,18 +26,6 @@
#include "iscsi_target_nego.h"
#include "iscsi_target_auth.h"
-static int chap_string_to_hex(unsigned char *dst, unsigned char *src, int len)
-{
- int j = DIV_ROUND_UP(len, 2), rc;
-
- rc = hex2bin(dst, src, j);
- if (rc < 0)
- pr_debug("CHAP string contains non hex digit symbols\n");
-
- dst[j] = '\0';
- return j;
-}
-
static void chap_binaryhex_to_asciihex(char *dst, char *src, int src_len)
{
int i;
@@ -248,9 +236,16 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_R.\n");
goto out;
}
+ if (strlen(chap_r) != MD5_SIGNATURE_SIZE * 2) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
+ if (hex2bin(client_digest, chap_r, MD5_SIGNATURE_SIZE) < 0) {
+ pr_err("Malformed CHAP_R\n");
+ goto out;
+ }
pr_debug("[server] Got CHAP_R=%s\n", chap_r);
- chap_string_to_hex(client_digest, chap_r, strlen(chap_r));
tfm = crypto_alloc_shash("md5", 0, 0);
if (IS_ERR(tfm)) {
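Review bot: both new rejection paths log the same text, `pr_err("Malformed CHAP_R\n")`, so the log cannot tell a wrong-length value from one containing non-hex characters, which is the rejection reason the commit message says it wants to record. Distinct messages, for example one that includes the received length, would make the log usable for triage. Because both paths are reachable before authentication completes, a rate-limited print would also keep repeated bad logins from flooding the log.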
@@ -349,9 +344,7 @@ static int chap_server_compute_md5(
pr_err("Could not find CHAP_C.\n");
goto out;
}
- pr_debug("[server] Got CHAP_C=%s\n", challenge);
- challenge_len = chap_string_to_hex(challenge_binhex, challenge,
- strlen(challenge));
+ challenge_len = DIV_ROUND_UP(strlen(challenge), 2);
if (!challenge_len) {
pr_err("Unable to convert incoming challenge\n");
goto out;
@@ -360,6 +353,11 @@ static int chap_server_compute_md5(
pr_err("CHAP_C exceeds maximum binary size of 1024 bytes\n");
goto out;
}
+ if (hex2bin(challenge_binhex, challenge, challenge_len) < 0) {
+ pr_err("Malformed CHAP_C\n");
+ goto out;
+ }
+ pr_debug("[server] Got CHAP_C=%s\n", challenge);
/*
* During mutual authentication, the CHAP_C generated by the
* initiator must not match the original CHAP_C generated by
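Review bot: `hex2bin(challenge_binhex, challenge, challenge_len)` consumes `2 * challenge_len` input characters, and with `challenge_len = DIV_ROUND_UP(strlen(challenge), 2)` from the previous hunk an odd-length CHAP_C makes it read the string's terminating NUL as the final hex digit. That byte is rejected, so the outcome is still "Malformed CHAP_C", but the rejection depends on the terminator rather than on an explicit check. Testing `strlen(challenge) % 2` before the conversion would make the odd-length case explicit and let the error message say so.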
--
2.11.0


@ -98,7 +98,6 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
debian/revert-objtool-fix-config_stack_validation-y-warning.patch
bugfix/all/netfilter-ipvs-Fix-invalid-bytes-in-IP_VS_MH_TAB_IND.patch
bugfix/all/revert-uapi-linux-keyctl.h-don-t-use-c-reserved-keyw.patch
# Miscellaneous features
features/all/kbuild-add-build-salt-to-the-kernel-and-modules.patch
@ -144,8 +143,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/Revert-net-increase-fragment-memory-usage-limits.patch
bugfix/all/floppy-Do-not-copy-a-kernel-pointer-to-user-memory-i.patch
bugfix/all/scsi-target-iscsi-Use-hex2bin-instead-of-a-re-implem.patch
bugfix/all/scsi-target-iscsi-Use-bin2hex-instead-of-a-re-implem.patch
bugfix/arm64/arm64-kvm-tighten-guest-core-register-access-from-us.patch
bugfix/arm64/arm64-kvm-sanitize-pstate.m-when-being-set-from-user.patch
bugfix/all/xen-netback-fix-input-validation-in-xenvif_set_hash_.patch