Add various upstream fixes with known or probable security impact
parent
4e41e85a8c
commit
efbab1e4bf
|
@ -115,6 +115,11 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
|
|||
profile
|
||||
* debian/control: Remove alternate build-dependency on binutils-dev that was
|
||||
used for backports to wheezy
|
||||
* net: fix infoleak in rtnetlink (CVE-2016-4486)
|
||||
* nf_conntrack: avoid kernel pointer value leak in slab name
|
||||
* vfs: do_splice_to(): cap the size before passing to ->splice_read()
|
||||
* crypto: hash - Fix page length clamping in hash walk
|
||||
* isofs: get_rock_ridge_filename(): handle malformed NM entries
|
||||
|
||||
-- Aurelien Jarno <aurel32@debian.org> Tue, 10 May 2016 23:58:07 +0200
|
||||
|
||||
|
|
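--- a/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
+++ b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
@@ -0,0 +1,31 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 4 May 2016 17:52:56 +0800
+Subject: crypto: hash - Fix page length clamping in hash walk
+Origin: https://git.kernel.org/linus/13f4bb78cf6a312bbdec367ba3da044b09bf0e29
+
+The crypto hash walk code is broken when supplied with an offset
+greater than or equal to PAGE_SIZE. This patch fixes it by adjusting
+walk->pg and walk->offset when this happens.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+---
+crypto/ahash.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index 5fc1f172963d..3887a98abcc3 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk)
+struct scatterlist *sg;
+
+sg = walk->sg;
+- walk->pg = sg_page(sg);
+walk->offset = sg->offset;
++ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);
++ walk->offset = offset_in_page(walk->offset);
+walk->entrylen = sg->length;
+
+if (walk->entrylen > walk->total)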
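--- a/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
+++ b/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
@@ -0,0 +1,24 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 2 Apr 2016 14:56:58 -0400
+Subject: do_splice_to(): cap the size before passing to ->splice_read()
+Origin: https://git.kernel.org/linus/03cc0789a690eb9ab07070376252961caeae7441
+
+pipe capacity won't exceed 2G anyway.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+fs/splice.c | 3 +++
+1 file changed, 3 insertions(+)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1144,6 +1144,9 @@ long do_splice_to(struct file *in, loff_
+if (unlikely(ret < 0))
+return ret;
+
++ if (unlikely(len > MAX_RW_COUNT))
++ len = MAX_RW_COUNT;
++
+if (in->f_op->splice_read)
+splice_read = in->f_op->splice_read;
+else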
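--- a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
+++ b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
@@ -0,0 +1,60 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length. 8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+fs/isofs/rock.c | 13 ++++++++++---
+1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+int retnamlen = 0;
+int truncate = 0;
+int ret = 0;
++ char *p;
++ int len;
+
+if (!ISOFS_SB(inode->i_sb)->s_rock)
+return 0;
+@@ -267,12 +269,17 @@ repeat:
+rr->u.NM.flags);
+break;
+}
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+truncate = 1;
+break;
+}
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+break;
+case SIG('R', 'E'):
+kfree(rs.buffer);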
|
@ -0,0 +1,45 @@
|
|||
From: Kangjie Lu <kangjielu@gmail.com>
|
||||
Date: Tue, 3 May 2016 16:46:24 -0400
|
||||
Subject: net: fix infoleak in rtnetlink
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6
|
||||
|
||||
The stack object “map” has a total size of 32 bytes. Its last 4
|
||||
bytes are padding generated by compiler. These padding bytes are
|
||||
not initialized and sent out via “nla_put”.
|
||||
|
||||
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/core/rtnetlink.c | 18 ++++++++++--------
|
||||
1 file changed, 10 insertions(+), 8 deletions(-)
|
||||
|
||||
--- a/net/core/rtnetlink.c
|
||||
+++ b/net/core/rtnetlink.c
|
||||
@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_
|
||||
|
||||
static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
|
||||
{
|
||||
- struct rtnl_link_ifmap map = {
|
||||
- .mem_start = dev->mem_start,
|
||||
- .mem_end = dev->mem_end,
|
||||
- .base_addr = dev->base_addr,
|
||||
- .irq = dev->irq,
|
||||
- .dma = dev->dma,
|
||||
- .port = dev->if_port,
|
||||
- };
|
||||
+ struct rtnl_link_ifmap map;
|
||||
+
|
||||
+ memset(&map, 0, sizeof(map));
|
||||
+ map.mem_start = dev->mem_start;
|
||||
+ map.mem_end = dev->mem_end;
|
||||
+ map.base_addr = dev->base_addr;
|
||||
+ map.irq = dev->irq;
|
||||
+ map.dma = dev->dma;
|
||||
+ map.port = dev->if_port;
|
||||
+
|
||||
if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
|
||||
return -EMSGSIZE;
|
||||
|
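--- a/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
+++ b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
@@ -0,0 +1,45 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 14 May 2016 11:11:44 -0700
+Subject: nf_conntrack: avoid kernel pointer value leak in slab name
+Origin: https://git.kernel.org/linus/31b0b385f69d8d5491a4bca288e25e63f1d945d0
+
+The slab name ends up being visible in the directory structure under
+/sys, and even if you don't have access rights to the file you can see
+the filenames.
+
+Just use a 64-bit counter instead of the pointer to the 'net' structure
+to generate a unique name.
+
+This code will go away in 4.7 when the conntrack code moves to a single
+kmemcache, but this is the backportable simple solution to avoiding
+leaking kernel pointers to user space.
+
+Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+net/netfilter/nf_conntrack_core.c | 4 +++-
+1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void)
+
+int nf_conntrack_init_net(struct net *net)
+{
++ static atomic64_t unique_id;
+int ret = -ENOMEM;
+int cpu;
+
+@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne
+if (!net->ct.stat)
+goto err_pcpu_lists;
+
+- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
++ (u64)atomic64_inc_return(&unique_id));
+if (!net->ct.slabname)
+goto err_slabname;
+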
|
@ -137,6 +137,11 @@ bugfix/all/bpf-fix-refcnt-overflow.patch
|
|||
bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
|
||||
bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
|
||||
bugfix/all/net-fix-infoleak-in-llc.patch
|
||||
bugfix/all/net-fix-infoleak-in-rtnetlink.patch
|
||||
bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
|
||||
bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
|
||||
bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
|
||||
bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
|
||||
|
||||
# ABI maintenance
|
||||
debian/ib-fix-abi-change-in-4.5.3.patch
|
||||
|
|