Merge branch 'stretch-security' into stretch
This commit is contained in:
Ben Hutchings
commit
f30fbaf597
|
|
@ -1,6 +1,10 @@
|
|||
linux (4.9.30-2) UNRELEASED; urgency=medium
|
||||
|
||||
* [x86] Enable SERIAL_8250_MID as built-in (Closes: #864368)
|
||||
* ipv6: Check ip6_find_1stfragopt() return value properly.
|
||||
* ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
|
||||
* ipv6: Fix leak in ipv6_gso_segment().
|
||||
* Revert "uapi: fix linux/if.h userspace compilation errors" (see #864269)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Wed, 07 Jun 2017 18:11:03 +0100
|
||||
|
||||
|
|
|
|||
84
debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
vendored
Normal file
84
debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
vendored
Normal file
|
|
@ -0,0 +1,84 @@
|
|||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Wed, 17 May 2017 22:54:11 -0400
|
||||
Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
|
||||
Origin: https://git.kernel.org/linus/7dd7eb9513bd02184d45f000ab69d78cb1fa1531
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
|
||||
|
||||
Do not use unsigned variables to see if it returns a negative
|
||||
error or not.
|
||||
|
||||
Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
|
||||
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_offload.c | 9 ++++-----
|
||||
net/ipv6/ip6_output.c | 7 +++----
|
||||
net/ipv6/udp_offload.c | 8 +++++---
|
||||
3 files changed, 12 insertions(+), 12 deletions(-)
|
||||
|
||||
--- a/net/ipv6/ip6_offload.c
|
||||
+++ b/net/ipv6/ip6_offload.c
|
||||
@@ -63,7 +63,6 @@ static struct sk_buff *ipv6_gso_segment(
|
||||
const struct net_offload *ops;
|
||||
int proto;
|
||||
struct frag_hdr *fptr;
|
||||
- unsigned int unfrag_ip6hlen;
|
||||
unsigned int payload_len;
|
||||
u8 *prevhdr;
|
||||
int offset = 0;
|
||||
@@ -116,10 +115,10 @@ static struct sk_buff *ipv6_gso_segment(
|
||||
skb->network_header = (u8 *)ipv6h - skb->head;
|
||||
|
||||
if (udpfrag) {
|
||||
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
- if (unfrag_ip6hlen < 0)
|
||||
- return ERR_PTR(unfrag_ip6hlen);
|
||||
- fptr = (struct frag_hdr *)((u8 *)ipv6h + unfrag_ip6hlen);
|
||||
+ int err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
+ if (err < 0)
|
||||
+ return ERR_PTR(err);
|
||||
+ fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
|
||||
fptr->frag_off = htons(offset);
|
||||
if (skb->next)
|
||||
fptr->frag_off |= htons(IP6_MF);
|
||||
--- a/net/ipv6/ip6_output.c
|
||||
+++ b/net/ipv6/ip6_output.c
|
||||
@@ -586,11 +586,10 @@ int ip6_fragment(struct net *net, struct
|
||||
int ptr, offset = 0, err = 0;
|
||||
u8 *prevhdr, nexthdr = 0;
|
||||
|
||||
- hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
- if (hlen < 0) {
|
||||
- err = hlen;
|
||||
+ err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
+ if (err < 0)
|
||||
goto fail;
|
||||
- }
|
||||
+ hlen = err;
|
||||
nexthdr = *prevhdr;
|
||||
|
||||
mtu = ip6_skb_dst_mtu(skb);
|
||||
--- a/net/ipv6/udp_offload.c
|
||||
+++ b/net/ipv6/udp_offload.c
|
||||
@@ -29,6 +29,7 @@ static struct sk_buff *udp6_ufo_fragment
|
||||
u8 frag_hdr_sz = sizeof(struct frag_hdr);
|
||||
__wsum csum;
|
||||
int tnl_hlen;
|
||||
+ int err;
|
||||
|
||||
mss = skb_shinfo(skb)->gso_size;
|
||||
if (unlikely(skb->len <= mss))
|
||||
@@ -90,9 +91,10 @@ static struct sk_buff *udp6_ufo_fragment
|
||||
/* Find the unfragmentable header and shift it left by frag_hdr_sz
|
||||
* bytes to insert fragment header.
|
||||
*/
|
||||
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
- if (unfrag_ip6hlen < 0)
|
||||
- return ERR_PTR(unfrag_ip6hlen);
|
||||
+ err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
+ if (err < 0)
|
||||
+ return ERR_PTR(err);
|
||||
+ unfrag_ip6hlen = err;
|
||||
nexthdr = *prevhdr;
|
||||
*prevhdr = NEXTHDR_FRAGMENT;
|
||||
unfrag_len = (skb_network_header(skb) - skb_mac_header(skb)) +
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
From: "David S. Miller" <davem@davemloft.net>
|
||||
Date: Sun, 4 Jun 2017 21:41:10 -0400
|
||||
Subject: ipv6: Fix leak in ipv6_gso_segment().
|
||||
Origin: https://git.kernel.org/linus/e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
|
||||
|
||||
If ip6_find_1stfragopt() fails and we return an error we have to free
|
||||
up 'segs' because nobody else is going to.
|
||||
|
||||
Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
|
||||
Reported-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/ip6_offload.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c
|
||||
index 280268f1dd7b..cdb3728faca7 100644
|
||||
--- a/net/ipv6/ip6_offload.c
|
||||
+++ b/net/ipv6/ip6_offload.c
|
||||
@@ -116,8 +116,10 @@ static struct sk_buff *ipv6_gso_segment(struct sk_buff *skb,
|
||||
|
||||
if (udpfrag) {
|
||||
int err = ip6_find_1stfragopt(skb, &prevhdr);
|
||||
- if (err < 0)
|
||||
+ if (err < 0) {
|
||||
+ kfree_skb_list(segs);
|
||||
return ERR_PTR(err);
|
||||
+ }
|
||||
fptr = (struct frag_hdr *)((u8 *)ipv6h + err);
|
||||
fptr->frag_off = htons(offset);
|
||||
if (skb->next)
|
||||
40
debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
vendored
Normal file
40
debian/patches/bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
vendored
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Wed, 31 May 2017 13:15:41 +0100
|
||||
Subject: ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
|
||||
Origin: https://git.kernel.org/linus/6e80ac5cc992ab6256c3dae87f7e57db15e1a58c
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
|
||||
|
||||
xfrm6_find_1stfragopt() may now return an error code and we must
|
||||
not treat it as a length.
|
||||
|
||||
Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Acked-by: Craig Gallek <kraig@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/ipv6/xfrm6_mode_ro.c | 2 ++
|
||||
net/ipv6/xfrm6_mode_transport.c | 2 ++
|
||||
2 files changed, 4 insertions(+)
|
||||
|
||||
--- a/net/ipv6/xfrm6_mode_ro.c
|
||||
+++ b/net/ipv6/xfrm6_mode_ro.c
|
||||
@@ -47,6 +47,8 @@ static int xfrm6_ro_output(struct xfrm_s
|
||||
iph = ipv6_hdr(skb);
|
||||
|
||||
hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
|
||||
+ if (hdr_len < 0)
|
||||
+ return hdr_len;
|
||||
skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
|
||||
skb_set_network_header(skb, -x->props.header_len);
|
||||
skb->transport_header = skb->network_header + hdr_len;
|
||||
--- a/net/ipv6/xfrm6_mode_transport.c
|
||||
+++ b/net/ipv6/xfrm6_mode_transport.c
|
||||
@@ -28,6 +28,8 @@ static int xfrm6_transport_output(struct
|
||||
iph = ipv6_hdr(skb);
|
||||
|
||||
hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
|
||||
+ if (hdr_len < 0)
|
||||
+ return hdr_len;
|
||||
skb_set_mac_header(skb, (prevhdr - x->props.header_len) - skb->data);
|
||||
skb_set_network_header(skb, -x->props.header_len);
|
||||
skb->transport_header = skb->network_header + hdr_len;
|
||||
|
|
@ -1,68 +0,0 @@
|
|||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Mon, 20 Feb 2017 14:58:41 +0300
|
||||
Subject: uapi: fix linux/if.h userspace compilation errors
|
||||
Origin: https://git.kernel.org/linus/2618be7dccf8739b89e1906b64bd8d551af351e6
|
||||
Bug-Debian: https://bugs.debian.org/822393
|
||||
|
||||
Include <sys/socket.h> (guarded by ifndef __KERNEL__) to fix
|
||||
the following linux/if.h userspace compilation errors:
|
||||
|
||||
/usr/include/linux/if.h:234:19: error: field 'ifru_addr' has incomplete type
|
||||
struct sockaddr ifru_addr;
|
||||
/usr/include/linux/if.h:235:19: error: field 'ifru_dstaddr' has incomplete type
|
||||
struct sockaddr ifru_dstaddr;
|
||||
/usr/include/linux/if.h:236:19: error: field 'ifru_broadaddr' has incomplete type
|
||||
struct sockaddr ifru_broadaddr;
|
||||
/usr/include/linux/if.h:237:19: error: field 'ifru_netmask' has incomplete type
|
||||
struct sockaddr ifru_netmask;
|
||||
/usr/include/linux/if.h:238:20: error: field 'ifru_hwaddr' has incomplete type
|
||||
struct sockaddr ifru_hwaddr;
|
||||
|
||||
This also fixes userspace compilation of the following uapi headers:
|
||||
linux/atmbr2684.h
|
||||
linux/gsmmux.h
|
||||
linux/if_arp.h
|
||||
linux/if_bonding.h
|
||||
linux/if_frad.h
|
||||
linux/if_pppox.h
|
||||
linux/if_tunnel.h
|
||||
linux/netdevice.h
|
||||
linux/route.h
|
||||
linux/wireless.h
|
||||
|
||||
As no uapi header provides a definition of struct sockaddr, inclusion
|
||||
of <sys/socket.h> seems to be the most conservative and the only safe
|
||||
fix available.
|
||||
|
||||
All current users of <linux/if.h> are very likely to be including
|
||||
<sys/socket.h> already because the latter is the sole provider
|
||||
of struct sockaddr definition in libc, so adding a uapi header
|
||||
with a definition of struct sockaddr would create a potential
|
||||
conflict with <sys/socket.h>.
|
||||
|
||||
Replacing struct sockaddr in the definition of struct ifreq with
|
||||
a different type would create a potential incompatibility with current
|
||||
users of struct ifreq who might rely on ifru_addr et al members being
|
||||
of type struct sockaddr.
|
||||
|
||||
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
include/uapi/linux/if.h | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/include/uapi/linux/if.h b/include/uapi/linux/if.h
|
||||
index 1158a043342a..259617a551f2 100644
|
||||
--- a/include/uapi/linux/if.h
|
||||
+++ b/include/uapi/linux/if.h
|
||||
@@ -24,6 +24,10 @@
|
||||
#include <linux/socket.h> /* for "struct sockaddr" et al */
|
||||
#include <linux/compiler.h> /* for "__user" et al */
|
||||
|
||||
+#ifndef __KERNEL__
|
||||
+#include <sys/socket.h> /* for struct sockaddr. */
|
||||
+#endif
|
||||
+
|
||||
#if __UAPI_DEF_IF_IFNAMSIZ
|
||||
#define IFNAMSIZ 16
|
||||
#endif /* __UAPI_DEF_IF_IFNAMSIZ */
|
||||
|
|
@ -76,7 +76,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
|
|||
bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch
|
||||
bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
|
||||
bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
|
||||
bugfix/all/uapi-fix-linux-if.h-userspace-compilation-errors.patch
|
||||
|
||||
# Miscellaneous features
|
||||
features/all/netfilter-nft_ct-add-notrack-support.patch
|
||||
|
|
@ -113,6 +112,9 @@ bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
|
|||
bugfix/all/sunrpc-refactor-svc_set_num_threads.patch
|
||||
bugfix/all/nfsv4-fix-callback-server-shutdown.patch
|
||||
bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
|
||||
bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
|
||||
bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
|
||||
bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
|
||||
bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
|
||||
bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
|
||||
bugfix/all/crypto-skcipher-Add-missing-api-setkey-checks.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue