diff --git a/debian/changelog b/debian/changelog index 31b1aa2b5..59ba7395e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,8 @@ -linux (4.13.3-1~exp1) UNRELEASED; urgency=medium +linux (4.13.4-1~exp1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.3 + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.4 [ Ben Hutchings ] * [armhf,arm64] mmc: Enable MMC_BCM2835 (Closes: #845422) diff --git a/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch b/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch deleted file mode 100644 index 7359feaaf..000000000 --- a/debian/patches/bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch +++ /dev/null @@ -1,64 +0,0 @@ -From: Dan Carpenter -Date: Wed, 30 Aug 2017 16:30:35 +0300 -Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code -Origin: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017 -Bug: https://bugzilla.kernel.org/show_bug.cgi?id=194061 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14051 - -The value of "size" comes from the user. When we add "start + size" it -could lead to an integer overflow bug. - -It means we vmalloc() a lot more memory than we had intended. I believe -that on 64 bit systems vmalloc() can succeed even if we ask it to -allocate huge 4GB buffers. So we would get memory corruption and likely -a crash when we call ha->isp_ops->write_optrom() and ->read_optrom(). - -Only root can trigger this bug. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061 - -Cc: -Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.") -Reported-by: shqking -Signed-off-by: Dan Carpenter -Signed-off-by: Martin K. Petersen ---- - drivers/scsi/qla2xxx/qla_attr.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c -index 08a1feb3a195..8c6ff1682fb1 100644 ---- a/drivers/scsi/qla2xxx/qla_attr.c -+++ b/drivers/scsi/qla2xxx/qla_attr.c -@@ -318,6 +318,8 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, - return -EINVAL; - if (start > ha->optrom_size) - return -EINVAL; -+ if (size > ha->optrom_size - start) -+ size = ha->optrom_size - start; - - mutex_lock(&ha->optrom_mutex); - switch (val) { -@@ -343,8 +345,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, - } - - ha->optrom_region_start = start; -- ha->optrom_region_size = start + size > ha->optrom_size ? -- ha->optrom_size - start : size; -+ ha->optrom_region_size = start + size; - - ha->optrom_state = QLA_SREADING; - ha->optrom_buffer = vmalloc(ha->optrom_region_size); -@@ -417,8 +418,7 @@ qla2x00_sysfs_write_optrom_ctl(struct file *filp, struct kobject *kobj, - } - - ha->optrom_region_start = start; -- ha->optrom_region_size = start + size > ha->optrom_size ? -- ha->optrom_size - start : size; -+ ha->optrom_region_size = start + size; - - ha->optrom_state = QLA_SWRITING; - ha->optrom_buffer = vmalloc(ha->optrom_region_size); --- -2.11.0 - diff --git a/debian/patches/series b/debian/patches/series index 8e8ade65a..a9c88fffc 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -112,7 +112,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch -bugfix/all/scsi-qla2xxx-Fix-an-integer-overflow-in-sysfs-code.patch bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch