Add various upstream fixes with known or probable security impact

2016-05-16 03:02:51 +01:00 · 2016-05-16 03:02:51 +01:00 · efbab1e4bf
parent 4e41e85a8c
commit efbab1e4bf
7 changed files with 215 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -115,6 +115,11 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
    profile
  * debian/control: Remove alternate build-dependency on binutils-dev that was
    used for backports to wheezy
+  * net: fix infoleak in rtnetlink (CVE-2016-4486)
+  * nf_conntrack: avoid kernel pointer value leak in slab name
+  * vfs: do_splice_to(): cap the size before passing to ->splice_read()
+  * crypto: hash - Fix page length clamping in hash walk
+  * isofs: get_rock_ridge_filename(): handle malformed NM entries

 -- Aurelien Jarno <aurel32@debian.org>  Tue, 10 May 2016 23:58:07 +0200

--- a/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
+++ b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
@ -0,0 +1,31 @@
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Wed, 4 May 2016 17:52:56 +0800
+Subject: crypto: hash - Fix page length clamping in hash walk
+Origin: https://git.kernel.org/linus/13f4bb78cf6a312bbdec367ba3da044b09bf0e29
+
+The crypto hash walk code is broken when supplied with an offset
+greater than or equal to PAGE_SIZE.  This patch fixes it by adjusting
+walk->pg and walk->offset when this happens.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+---
+ crypto/ahash.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index 5fc1f172963d..3887a98abcc3 100644
+--- a/crypto/ahash.c
+++ b/crypto/ahash.c
+@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk)
+ 	struct scatterlist *sg;
+ 
+ 	sg = walk->sg;
+-	walk->pg = sg_page(sg);
+ 	walk->offset = sg->offset;
+	walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);
+	walk->offset = offset_in_page(walk->offset);
+ 	walk->entrylen = sg->length;
+ 
+ 	if (walk->entrylen > walk->total)
--- a/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
+++ b/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
@ -0,0 +1,24 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Sat, 2 Apr 2016 14:56:58 -0400
+Subject: do_splice_to(): cap the size before passing to ->splice_read()
+Origin: https://git.kernel.org/linus/03cc0789a690eb9ab07070376252961caeae7441
+
+pipe capacity won't exceed 2G anyway.
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/splice.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/splice.c
+++ b/fs/splice.c
+@@ -1144,6 +1144,9 @@ long do_splice_to(struct file *in, loff_
+ 	if (unlikely(ret < 0))
+ 		return ret;
+ 
+	if (unlikely(len > MAX_RW_COUNT))
+		len = MAX_RW_COUNT;
+
+ 	if (in->f_op->splice_read)
+ 		splice_read = in->f_op->splice_read;
+ 	else
--- a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
+++ b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
@ -0,0 +1,60 @@
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
+
+Payloads of NM entries are not supposed to contain NUL.  When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries).  We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254.  So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected.  And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily.  And that's what will be passed to readdir callback as the
+name length.  8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ 	int retnamlen = 0;
+ 	int truncate = 0;
+ 	int ret = 0;
+	char *p;
+	int len;
+ 
+ 	if (!ISOFS_SB(inode->i_sb)->s_rock)
+ 		return 0;
+@@ -267,12 +269,17 @@ repeat:
+ 					rr->u.NM.flags);
+ 				break;
+ 			}
+-			if ((strlen(retname) + rr->len - 5) >= 254) {
+			len = rr->len - 5;
+			if (retnamlen + len >= 254) {
+ 				truncate = 1;
+ 				break;
+ 			}
+-			strncat(retname, rr->u.NM.name, rr->len - 5);
+-			retnamlen += rr->len - 5;
+			p = memchr(rr->u.NM.name, '\0', len);
+			if (unlikely(p))
+				len = p - rr->u.NM.name;
+			memcpy(retname + retnamlen, rr->u.NM.name, len);
+			retnamlen += len;
+			retname[retnamlen] = '\0';
+ 			break;
+ 		case SIG('R', 'E'):
+ 			kfree(rs.buffer);
--- a/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
+++ b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
@ -0,0 +1,45 @@
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
+@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_
+ 
+ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+ {
+-	struct rtnl_link_ifmap map = {
+-		.mem_start   = dev->mem_start,
+-		.mem_end     = dev->mem_end,
+-		.base_addr   = dev->base_addr,
+-		.irq         = dev->irq,
+-		.dma         = dev->dma,
+-		.port        = dev->if_port,
+-	};
+	struct rtnl_link_ifmap map;
+
+	memset(&map, 0, sizeof(map));
+	map.mem_start   = dev->mem_start;
+	map.mem_end     = dev->mem_end;
+	map.base_addr   = dev->base_addr;
+	map.irq         = dev->irq;
+	map.dma         = dev->dma;
+	map.port        = dev->if_port;
+
+ 	if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ 		return -EMSGSIZE;
+ 
--- a/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
+++ b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
@ -0,0 +1,45 @@
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sat, 14 May 2016 11:11:44 -0700
+Subject: nf_conntrack: avoid kernel pointer value leak in slab name
+Origin: https://git.kernel.org/linus/31b0b385f69d8d5491a4bca288e25e63f1d945d0
+
+The slab name ends up being visible in the directory structure under
+/sys, and even if you don't have access rights to the file you can see
+the filenames.
+
+Just use a 64-bit counter instead of the pointer to the 'net' structure
+to generate a unique name.
+
+This code will go away in 4.7 when the conntrack code moves to a single
+kmemcache, but this is the backportable simple solution to avoiding
+leaking kernel pointers to user space.
+
+Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/netfilter/nf_conntrack_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
+@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void)
+ 
+ int nf_conntrack_init_net(struct net *net)
+ {
+	static atomic64_t unique_id;
+ 	int ret = -ENOMEM;
+ 	int cpu;
+ 
+@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne
+ 	if (!net->ct.stat)
+ 		goto err_pcpu_lists;
+ 
+-	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
+	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
+				(u64)atomic64_inc_return(&unique_id));
+ 	if (!net->ct.slabname)
+ 		goto err_slabname;
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@ -137,6 +137,11 @@ bugfix/all/bpf-fix-refcnt-overflow.patch
 bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
 bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 bugfix/all/net-fix-infoleak-in-llc.patch
+bugfix/all/net-fix-infoleak-in-rtnetlink.patch
+bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
+bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
+bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
+bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch

 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch