From fc7f6fafd826ae0ca73493cc7d0b032dafe3e792 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Wed, 20 Dec 2017 19:27:18 +0000 Subject: [PATCH] Add security fixes --- debian/changelog | 15 ++ ...stack-info-leak-from-the-efs-element.patch | 48 ++++++ ...017-8824-use-after-free-in-dccp-code.patch | 38 +++++ ...ack-out-of-bounds-read-in-write_mmio.patch | 153 ++++++++++++++++++ ...-lmedm04-Improve-logic-checking-of-w.patch | 83 ++++++++++ ...-lmedm04-move-ts2020-attach-to-dm04_.patch | 67 ++++++++ ...an-error-handling-path-in-hdpvr_prob.patch | 98 +++++++++++ ...-for-a-race-condition-in-raw_sendmsg.patch | 70 ++++++++ ...ink_cthelper-add-missing-permission-.patch | 74 +++++++++ ...xt_osf-add-missing-permission-checks.patch | 56 +++++++ .../all/netlink-add-netns-check-on-taps.patch | 39 +++++ ...nt-malicious-bnuminterfaces-overflow.patch | 44 +++++ debian/patches/series | 11 ++ 13 files changed, 796 insertions(+) create mode 100644 debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch create mode 100644 debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch create mode 100644 debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch create mode 100644 debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch create mode 100644 debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch create mode 100644 debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch create mode 100644 debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch create mode 100644 debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch create mode 100644 debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch create mode 100644 debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch create mode 100644 debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch 
diff --git a/debian/changelog b/debian/changelog index 558586ef2..b81e58385 100644 --- a/debian/changelog +++ b/debian/changelog @@ -518,6 +518,21 @@ linux (4.14.7-1) UNRELEASED; urgency=medium + Fix use-after-free in trigger removal - mm/slub: close possible memory-leak in kmem_cache_alloc_bulk() - crypto: limit more FPU-enabled sections + * dccp: CVE-2017-8824: use-after-free in DCCP code + * netfilter: nfnetlink_cthelper: Add missing permission checks + (CVE-2017-17448) + * netlink: Add netns check on taps (CVE-2017-17449) + * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450) + * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558) + * net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712) + * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start + (CVE-2017-16538) + * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner + (CVE-2017-16538) + * media: hdpvr: Fix an error handling path in hdpvr_probe() (CVE-2017-16644) + * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio + (CVE-2017-17741) + * bluetooth: Prevent stack info leak from the EFS element. CVE-2017-1000410) -- Salvatore Bonaccorso Sun, 03 Dec 2017 10:18:39 +0100 diff --git a/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch new file mode 100644 index 000000000..308204888 --- /dev/null +++ b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch 
@@ -0,0 +1,48 @@ +From: Ben Seri +Date: Mon, 04 Dec 2017 14:13:25 +0000 +Subject: bluetooth: Prevent stack info leak from the EFS element. +Origin: http://www.openwall.com/lists/oss-security/2017/12/06/3 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-1000410 + +Signed-off-by: Ben Seri +--- +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l + break; + + case L2CAP_CONF_EFS: +- remote_efs = 1; +- if (olen == sizeof(efs)) ++ if (olen == sizeof(efs)) { ++ remote_efs = 1; + memcpy(&efs, (void *) val, olen); ++ } + break; + + case L2CAP_CONF_EWS: +@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l + break; + + case L2CAP_CONF_EFS: +- if (olen == sizeof(efs)) ++ if (olen == sizeof(efs)) { + memcpy(&efs, (void *)val, olen); + +- if (chan->local_stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != L2CAP_SERV_NOTRAFIC && +- efs.stype != chan->local_stype) +- return -ECONNREFUSED; ++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != L2CAP_SERV_NOTRAFIC && ++ efs.stype != chan->local_stype) ++ return -ECONNREFUSED; + +- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), +- (unsigned long) &efs, endptr - ptr); ++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), ++ (unsigned long) &efs, endptr - ptr); ++ } + break; + + case L2CAP_CONF_FCS: diff --git a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch new file mode 100644 index 000000000..3772ee858 --- /dev/null +++ b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch 
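Review bot: The patch header uses `Bug-Debian:` where every other patch added in this commit uses `Bug-Debian-Security:` for the security-tracker link; change it to `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000410` so tooling keyed on the field name treats it like the rest. Its `Origin:` also points at the oss-security post rather than a mainline commit, so it should be refreshed to a git.kernel.org URL once the upstream commit id is known, as the other patches do. The matching changelog line in this commit has also lost the opening parenthesis before `CVE-2017-1000410)`.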
@@ -0,0 +1,38 @@ +From: Mohamed Ghannam +Date: Tue, 5 Dec 2017 20:58:35 +0000 +Subject: dccp: CVE-2017-8824: use-after-free in DCCP code +Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824 + +Whenever the sock object is in DCCP_CLOSED state, +dccp_disconnect() must free dccps_hc_tx_ccid and +dccps_hc_rx_ccid and set to NULL. + +Signed-off-by: Mohamed Ghannam +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/dccp/proto.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/dccp/proto.c ++++ b/net/dccp/proto.c +@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int + { + struct inet_connection_sock *icsk = inet_csk(sk); + struct inet_sock *inet = inet_sk(sk); ++ struct dccp_sock *dp = dccp_sk(sk); + int err = 0; + const int old_state = sk->sk_state; + +@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int + sk->sk_err = ECONNRESET; + + dccp_clear_xmit_timers(sk); ++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk); ++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk); ++ dp->dccps_hc_rx_ccid = NULL; ++ dp->dccps_hc_tx_ccid = NULL; + + __skb_queue_purge(&sk->sk_receive_queue); + __skb_queue_purge(&sk->sk_write_queue); diff --git a/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch new file mode 100644 index 000000000..c460e89c5 --- /dev/null +++ b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch 
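Review bot: After `dccp_clear_xmit_timers(sk)` the hunk frees both CCIDs and sets `dp->dccps_hc_rx_ccid` and `dp->dccps_hc_tx_ccid` to NULL unconditionally, so every later path that dereferences them on a disconnected socket now needs its own guard; as far as I recall the send path reaches `dccps_hc_tx_ccid` without checking for the closed state, and upstream added such a check in dccp_sendmsg in a later commit. That follow-up is not part of this backport, so it is worth confirming before release that the remaining accessors tolerate NULL here. dccp_disconnect continues past the end of the hunk.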
@@ -0,0 +1,153 @@ +From: Wanpeng Li +Date: Thu, 14 Dec 2017 17:40:50 -0800 +Subject: KVM: Fix stack-out-of-bounds read in write_mmio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit +Origin: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit?id=e39d200fa5bf5b94a0948db0dae44c1b73b84a56 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17741 + +Reported by syzkaller: + + BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm] + Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298 + + CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18 + Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016 + Call Trace: + dump_stack+0xab/0xe1 + print_address_description+0x6b/0x290 + kasan_report+0x28a/0x370 + write_mmio+0x11e/0x270 [kvm] + emulator_read_write_onepage+0x311/0x600 [kvm] + emulator_read_write+0xef/0x240 [kvm] + emulator_fix_hypercall+0x105/0x150 [kvm] + em_hypercall+0x2b/0x80 [kvm] + x86_emulate_insn+0x2b1/0x1640 [kvm] + x86_emulate_instruction+0x39a/0xb90 [kvm] + handle_exception+0x1b4/0x4d0 [kvm_intel] + vcpu_enter_guest+0x15a0/0x2640 [kvm] + kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm] + kvm_vcpu_ioctl+0x479/0x880 [kvm] + do_vfs_ioctl+0x142/0x9a0 + SyS_ioctl+0x74/0x80 + entry_SYSCALL_64_fastpath+0x23/0x9a + +The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall) +to the guest memory, however, write_mmio tracepoint always prints 8 bytes +through *(u64 *)val since kvm splits the mmio access into 8 bytes. This +leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes +it by just accessing the bytes which we operate on. + +Before patch: + +syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f + +After patch: + +syz-executor-13416 [002] .... 
51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f + +Reported-by: Dmitry Vyukov +Reviewed-by: Darren Kenny +Reviewed-by: Marc Zyngier +Tested-by: Marc Zyngier +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Marc Zyngier +Cc: Christoffer Dall +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/x86.c | 8 ++++---- + include/trace/events/kvm.h | 7 +++++-- + virt/kvm/arm/mmio.c | 6 +++--- + 3 files changed, 12 insertions(+), 9 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4362,7 +4362,7 @@ static int vcpu_mmio_read(struct kvm_vcp + addr, n, v)) + && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v)) + break; +- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v); ++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v); + handled += n; + addr += n; + len -= n; +@@ -4621,7 +4621,7 @@ static int read_prepare(struct kvm_vcpu + { + if (vcpu->mmio_read_completed) { + trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes, +- vcpu->mmio_fragments[0].gpa, *(u64 *)val); ++ vcpu->mmio_fragments[0].gpa, val); + vcpu->mmio_read_completed = 0; + return 1; + } +@@ -4643,14 +4643,14 @@ static int write_emulate(struct kvm_vcpu + + static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val) + { +- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val); ++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val); + return vcpu_mmio_write(vcpu, gpa, bytes, val); + } + + static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, + void *val, int bytes) + { +- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0); ++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL); + return X86EMUL_IO_NEEDED; + } + +--- a/include/trace/events/kvm.h ++++ b/include/trace/events/kvm.h +@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq, + { KVM_TRACE_MMIO_WRITE, "write" } + + TRACE_EVENT(kvm_mmio, +- TP_PROTO(int type, int len, u64 gpa, u64 val), ++ TP_PROTO(int type, int len, u64 gpa, void *val), + TP_ARGS(type, len, gpa, 
val), + + TP_STRUCT__entry( +@@ -225,7 +225,10 @@ TRACE_EVENT(kvm_mmio, + __entry->type = type; + __entry->len = len; + __entry->gpa = gpa; +- __entry->val = val; ++ __entry->val = 0; ++ if (val) ++ memcpy(&__entry->val, val, ++ min_t(u32, sizeof(__entry->val), len)); + ), + + TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx", +--- a/virt/kvm/arm/mmio.c ++++ b/virt/kvm/arm/mmio.c +@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vc + } + + trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr, +- data); ++ &data); + data = vcpu_data_host_to_guest(vcpu, data, len); + vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); + } +@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu, + data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt), + len); + +- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data); ++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data); + kvm_mmio_write_buf(data_buf, len, data); + + ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len, + data_buf); + } else { + trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len, +- fault_ipa, 0); ++ fault_ipa, NULL); + + ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len, + data_buf); diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch new file mode 100644 index 000000000..7942e8d8f --- /dev/null +++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch 
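Review bot: The new `memcpy(&__entry->val, val, min_t(u32, sizeof(__entry->val), len))` bounds the copy by `len` and by the destination, but not by the size of the object `val` points to; in `virt/kvm/arm/mmio.c` the callers now pass `&data`, where `data` is an `unsigned long`, so on armhf the source is 4 bytes and the trace would read past it if `len` ever reached 8. The decoder that produces `len` is outside these hunks; I believe it is bounded to 4 on 32-bit ARM, but that is the invariant the tracepoint now silently relies on, and a one-line comment at the memcpy would make it explicit, e.g. `/* callers pass a pointer to at least len bytes; len <= sizeof(val) */`. The `TP_printk` format is unchanged and still prints the whole u64, which is fine now that the unused high bytes are cleared by `__entry->val = 0`.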
@@ -0,0 +1,83 @@ +From: Malcolm Priestley +Date: Tue, 26 Sep 2017 17:10:20 -0400 +Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm + start +Origin: https://git.linuxtv.org/media_tree.git/commit?id=3d932ee27e852e4904647f15b64dedca51187ad7 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538 + +Warm start has no check as whether a genuine device has +connected and proceeds to next execution path. + +Check device should read 0x47 at offset of 2 on USB descriptor read +and it is the amount requested of 6 bytes. + +Fix for +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access as + +Reported-by: Andrey Konovalov +Signed-off-by: Malcolm Priestley +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb + + static int lme2510_return_status(struct dvb_usb_device *d) + { +- int ret = 0; ++ int ret; + u8 *data; + +- data = kzalloc(10, GFP_KERNEL); ++ data = kzalloc(6, GFP_KERNEL); + if (!data) + return -ENOMEM; + +- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), +- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200); +- info("Firmware Status: %x (%x)", ret , data[2]); ++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), ++ 0x06, 0x80, 0x0302, 0x00, ++ data, 0x6, 200); ++ if (ret != 6) ++ ret = -EINVAL; ++ else ++ ret = data[2]; ++ ++ info("Firmware Status: %6ph", data); + +- ret = (ret < 0) ? 
-ENODEV : data[2]; + kfree(data); + return ret; + } +@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(str + static int lme2510_identify_state(struct dvb_usb_device *d, const char **name) + { + struct lme2510_state *st = d->priv; ++ int status; + + usb_reset_configuration(d->udev); + +@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct + + st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware; + +- if (lme2510_return_status(d) == 0x44) { ++ status = lme2510_return_status(d); ++ if (status == 0x44) { + *name = lme_firmware_switch(d, 0); + return COLD; + } + +- return 0; ++ if (status != 0x47) ++ return -EINVAL; ++ ++ return WARM; + } + + static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type, diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch new file mode 100644 index 000000000..143f87033 --- /dev/null +++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch 
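Review bot: In `lme2510_identify_state` a negative return from `lme2510_return_status` (it now yields `-ENOMEM` on allocation failure or `-EINVAL` on a short transfer) falls through the `status == 0x44` test and is reported by the `status != 0x47` check as `-EINVAL`, so the allocation error code is lost; add `if (status < 0) return status;` before the 0x44 comparison. The helper's new contract (status byte or negative errno) is also undocumented, so a comment above it such as `/* Returns the firmware status byte read from the device, or a negative errno */` would help callers. Turning any unexpected status byte into a probe failure is the intended fix for the warm-start path and is fine as written.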
@@ -0,0 +1,67 @@ +From: Malcolm Priestley +Date: Tue, 26 Sep 2017 17:10:21 -0400 +Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to + dm04_lme2510_tuner +Origin: https://git.linuxtv.org/media_tree.git/commit?id=7bf7a7116ed313c601307f7e585419369926ab05 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538 + +When the tuner was split from m88rs2000 the attach function is in wrong +place. + +Move to dm04_lme2510_tuner to trap errors on failure and removing +a call to lme_coldreset. + +Prevents driver starting up without any tuner connected. + +Fixes to trap for ts2020 fail. +LME2510(C): FE Found M88RS2000 +ts2020: probe of 0-0060 failed with error -11 +... +LME2510(C): TUN Found RS2000 tuner +kasan: CONFIG_KASAN_INLINE enabled +kasan: GPF could be caused by NULL-ptr deref or user memory access +general protection fault: 0000 [#1] PREEMPT SMP KASAN + +Reported-by: Andrey Konovalov +Signed-off-by: Malcolm Priestley +Tested-by: Andrey Konovalov +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c ++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c +@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach( + + if (adap->fe[0]) { + info("FE Found M88RS2000"); +- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config, +- &d->i2c_adap); + st->i2c_tuner_gate_w = 5; + st->i2c_tuner_gate_r = 5; + st->i2c_tuner_addr = 0x60; +@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb + ret = st->tuner_config; + break; + case TUNER_RS2000: +- ret = st->tuner_config; ++ if (dvb_attach(ts2020_attach, adap->fe[0], ++ &ts2020_config, &d->i2c_adap)) ++ ret = st->tuner_config; + break; + default: + break; + } + +- if (ret) ++ if (ret) { + info("TUN Found %s tuner", tun_msg[ret]); +- else { +- info("TUN No tuner found --- resetting device"); +- lme_coldreset(d); ++ } else { ++ info("TUN No tuner 
found"); + return -ENODEV; + } + diff --git a/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch new file mode 100644 index 000000000..88ba95e6d --- /dev/null +++ b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch 
@@ -0,0 +1,98 @@ +From: Arvind Yadav +Date: Fri, 22 Sep 2017 09:07:06 -0400 +Subject: media: hdpvr: Fix an error handling path in hdpvr_probe() +Origin: https://git.linuxtv.org/media_tree.git/commit?id=c0f71bbb810237a38734607ca4599632f7f5d47f +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16644 + +Here, hdpvr_register_videodev() is responsible for setup and +register a video device. Also defining and initializing a worker. +hdpvr_register_videodev() is calling by hdpvr_probe at last. +So no need to flush any work here. +Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail. + +Signed-off-by: Arvind Yadav +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +--- + drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++----------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +--- a/drivers/media/usb/hdpvr/hdpvr-core.c ++++ b/drivers/media/usb/hdpvr/hdpvr-core.c +@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interf + /* register v4l2_device early so it can be used for printks */ + if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) { + dev_err(&interface->dev, "v4l2_device_register failed\n"); +- goto error; ++ goto error_free_dev; + } + + mutex_init(&dev->io_mutex); +@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interf + dev->usbc_buf = kmalloc(64, GFP_KERNEL); + if (!dev->usbc_buf) { + v4l2_err(&dev->v4l2_dev, "Out of memory\n"); +- goto error; ++ goto error_v4l2_unregister; + } + + init_waitqueue_head(&dev->wait_buffer); +@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interf + } + if (!dev->bulk_in_endpointAddr) { + v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n"); +- goto error; ++ goto error_put_usb; + } + + /* init the device */ + if (hdpvr_device_init(dev)) { + v4l2_err(&dev->v4l2_dev, "device init failed\n"); +- goto error; ++ goto error_put_usb; + } + + mutex_lock(&dev->io_mutex); +@@ 
-353,7 +353,7 @@ static int hdpvr_probe(struct usb_interf + mutex_unlock(&dev->io_mutex); + v4l2_err(&dev->v4l2_dev, + "allocating transfer buffers failed\n"); +- goto error; ++ goto error_put_usb; + } + mutex_unlock(&dev->io_mutex); + +@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interf + retval = hdpvr_register_i2c_adapter(dev); + if (retval < 0) { + v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n"); +- goto error; ++ goto error_free_buffers; + } + + client = hdpvr_register_ir_rx_i2c(dev); +@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interf + reg_fail: + #if IS_ENABLED(CONFIG_I2C) + i2c_del_adapter(&dev->i2c_adapter); ++error_free_buffers: + #endif ++ hdpvr_free_buffers(dev); ++error_put_usb: ++ usb_put_dev(dev->udev); ++ kfree(dev->usbc_buf); ++error_v4l2_unregister: ++ v4l2_device_unregister(&dev->v4l2_dev); ++error_free_dev: ++ kfree(dev); + error: +- if (dev) { +- flush_work(&dev->worker); +- /* this frees allocated memory */ +- hdpvr_delete(dev); +- } + return retval; + } + diff --git a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch new file mode 100644 index 000000000..23ec66984 --- /dev/null +++ b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch 
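Review bot: With the cleanup moved to the new labels, `error:` now does nothing but `return retval`, so any `goto error` left in the part of `hdpvr_probe` above this hunk must be one where nothing has been acquired yet; upstream keeps it only for the `kzalloc` failure, which should be confirmed in this backport. `error_free_buffers:` sits inside `#if IS_ENABLED(CONFIG_I2C)`, so the `goto error_free_buffers` after `hdpvr_register_i2c_adapter` compiles only if that call is under the same guard, which is not visible here. A short comment at the label block, e.g. `/* unwind in reverse order of acquisition; usbc_buf is released together with udev */`, would help whoever extends probe next. hdpvr_probe starts before the first hunk.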
@@ -0,0 +1,70 @@ +From: Mohamed Ghannam +Date: Sun, 10 Dec 2017 03:50:58 +0000 +Subject: net: ipv4: fix for a race condition in raw_sendmsg +Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712 + +inet->hdrincl is racy, and could lead to uninitialized stack pointer +usage, so its value should be read only once. + +Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt") +Signed-off-by: Mohamed Ghannam +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/ipv4/raw.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk, + int err; + struct ip_options_data opt_copy; + struct raw_frag_vec rfv; ++ int hdrincl; + + err = -EMSGSIZE; + if (len > 0xFFFF) + goto out; + ++ /* hdrincl should be READ_ONCE(inet->hdrincl) ++ * but READ_ONCE() doesn't work with bit fields ++ */ ++ hdrincl = inet->hdrincl; + /* + * Check the flags. + */ +@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk, + /* Linux does not mangle headers on raw sockets, + * so that IP options + IP_HDRINCL is non-sense. + */ +- if (inet->hdrincl) ++ if (hdrincl) + goto done; + if (ipc.opt->opt.srr) { + if (!daddr) +@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk, + + flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos, + RT_SCOPE_UNIVERSE, +- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol, ++ hdrincl ? IPPROTO_RAW : sk->sk_protocol, + inet_sk_flowi_flags(sk) | +- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0), ++ (hdrincl ? 
FLOWI_FLAG_KNOWN_NH : 0), + daddr, saddr, 0, 0, sk->sk_uid); + +- if (!inet->hdrincl) { ++ if (!hdrincl) { + rfv.msg = msg; + rfv.hlen = 0; + +@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk, + goto do_confirm; + back_from_confirm: + +- if (inet->hdrincl) ++ if (hdrincl) + err = raw_send_hdrinc(sk, &fl4, msg, len, + &rt, msg->msg_flags, &ipc.sockc); + diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch new file mode 100644 index 000000000..effd6591c --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch 
@@ -0,0 +1,74 @@ +From: Kevin Cernekee +Date: Sun, 3 Dec 2017 12:12:45 -0800 +Subject: netfilter: nfnetlink_cthelper: Add missing permission checks +Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448 + +The capability check in nfnetlink_rcv() verifies that the caller +has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. +However, nfnl_cthelper_list is shared by all net namespaces on the +system. An unprivileged user can create user and net namespaces +in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() +check: + + $ nfct helper list + nfct v1.4.4: netlink error: Operation not permitted + $ vpnns -- nfct helper list + { + .name = ftp, + .queuenum = 0, + .l3protonum = 2, + .l4protonum = 6, + .priv_data_len = 24, + .status = enabled, + }; + +Add capable() checks in nfnetlink_cthelper, as this is cleaner than +trying to generalize the solution. + +Signed-off-by: Kevin Cernekee +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/netfilter/nfnetlink_cthelper.c ++++ b/net/netfilter/nfnetlink_cthelper.c +@@ -17,6 +17,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net + struct nfnl_cthelper *nlcth; + int ret = 0; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE]) + return -EINVAL; + +@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net + struct nfnl_cthelper *nlcth; + bool tuple_set = false; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (nlh->nlmsg_flags & NLM_F_DUMP) { + struct netlink_dump_control c = { + .dump = nfnl_cthelper_dump_table, +@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net + struct nfnl_cthelper *nlcth, *n; + int j = 0, ret; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; 
++ + if (tb[NFCTH_NAME]) + helper_name = nla_data(tb[NFCTH_NAME]); + diff --git a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch new file mode 100644 index 000000000..fcaacd725 --- /dev/null +++ b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch @@ -0,0 +1,56 @@ +From: Kevin Cernekee +Date: Tue, 5 Dec 2017 15:42:41 -0800 +Subject: netfilter: xt_osf: Add missing permission checks +Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450 + +The capability check in nfnetlink_rcv() verifies that the caller +has CAP_NET_ADMIN in the namespace that "owns" the netlink socket. +However, xt_osf_fingers is shared by all net namespaces on the +system. An unprivileged user can create user and net namespaces +in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable() +check: + + vpnns -- nfnl_osf -f /tmp/pf.os + + vpnns -- nfnl_osf -f /tmp/pf.os -d + +These non-root operations successfully modify the systemwide OS +fingerprint list. Add new capable() checks so that they can't. + +Signed-off-by: Kevin Cernekee +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/xt_osf.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/netfilter/xt_osf.c ++++ b/net/netfilter/xt_osf.c +@@ -19,6 +19,7 @@ + #include + #include + ++#include + #include + #include + #include +@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne + struct xt_osf_finger *kf = NULL, *sf; + int err = 0; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!osf_attrs[OSF_ATTR_FINGER]) + return -EINVAL; + +@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct + struct xt_osf_finger *sf; + int err = -ENOENT; + ++ if (!capable(CAP_NET_ADMIN)) ++ return -EPERM; ++ + if (!osf_attrs[OSF_ATTR_FINGER]) + return -EINVAL; + 
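Review bot: The added `#include` line in the first hunk shows no header name in this rendering (the angle-bracketed name was dropped), as does the one in the xt_osf patch that follows; to my knowledge upstream adds `<linux/capability.h>` in both, so verify the files in the repository still carry it, otherwise `capable()` and `CAP_NET_ADMIN` resolve only through indirect includes. The checks use `capable()` rather than `ns_capable()` deliberately, because `nfnl_cthelper_list` is global, and since that reasoning lives only in the commit message a comment on the first check would preserve it: `/* nfnl_cthelper_list is not per-netns: require CAP_NET_ADMIN in init_user_ns */`; the same applies to `xt_osf_fingers` in the xt_osf hunk. Note that `nfnl_cthelper_get` now also refuses read-only dumps to unprivileged users, which is the intended behaviour per the `nfct helper list` example.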
diff --git a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch new file mode 100644 index 000000000..d037380e2 --- /dev/null +++ b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch @@ -0,0 +1,39 @@ +From: Kevin Cernekee +Date: Wed, 6 Dec 2017 12:12:27 -0800 +Subject: netlink: Add netns check on taps +Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449 + +Currently, a nlmon link inside a child namespace can observe systemwide +netlink activity. Filter the traffic so that nlmon can only sniff +netlink messages from its own netns. + +Test case: + + vpnns -- bash -c "ip link add nlmon0 type nlmon; \ + ip link set nlmon0 up; \ + tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" & + sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \ + spi 0x1 mode transport \ + auth sha1 0x6162633132330000000000000000000000000000 \ + enc aes 0x00000000000000000000000000000000 + grep --binary abc123 /tmp/nlmon.pcap + +Signed-off-by: Kevin Cernekee +Signed-off-by: David S. Miller +--- + net/netlink/af_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str + struct sock *sk = skb->sk; + int ret = -ENOMEM; + ++ if (!net_eq(dev_net(dev), sock_net(sk))) ++ return 0; ++ + dev_hold(dev); + + if (is_vmalloc_addr(skb->head)) diff --git a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch new file mode 100644 index 000000000..13e050e03 --- /dev/null +++ b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch 
@@ -0,0 +1,44 @@ +From: Alan Stern +Date: Tue, 12 Dec 2017 14:25:13 -0500 +Subject: USB: core: prevent malicious bNumInterfaces overflow +Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558 + +A malicious USB device with crafted descriptors can cause the kernel +to access unallocated memory by setting the bNumInterfaces value too +high in a configuration descriptor. Although the value is adjusted +during parsing, this adjustment is skipped in one of the error return +paths. + +This patch prevents the problem by setting bNumInterfaces to 0 +initially. The existing code already sets it to the proper value +after parsing is complete. + +Signed-off-by: Alan Stern +Reported-by: Andrey Konovalov +CC: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/config.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -555,6 +555,9 @@ static int usb_parse_configuration(struc + unsigned iad_num = 0; + + memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); ++ nintf = nintf_orig = config->desc.bNumInterfaces; ++ config->desc.bNumInterfaces = 0; // Adjusted later ++ + if (config->desc.bDescriptorType != USB_DT_CONFIG || + config->desc.bLength < USB_DT_CONFIG_SIZE || + config->desc.bLength > size) { +@@ -568,7 +571,6 @@ static int usb_parse_configuration(struc + buffer += config->desc.bLength; + size -= config->desc.bLength; + +- nintf = nintf_orig = config->desc.bNumInterfaces; + if (nintf > USB_MAXINTERFACES) { + dev_warn(ddev, "config %d has too many interfaces: %d, " + "using maximum allowed: %d\n", diff --git a/debian/patches/series b/debian/patches/series index ed8e850df..2becbc1bb 100644 --- a/debian/patches/series +++ b/debian/patches/series 
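Review bot: The new `config->desc.bNumInterfaces = 0; // Adjusted later` comment says when but not why; the reason (an early error return would otherwise leave the raw descriptor count in place for code that indexes the interface array) is only in the commit message, so replace it with `/* Keep 0 until parsing succeeds; an early error return must not expose the unchecked descriptor count */`, which also follows the kernel's `/* */` comment convention. Reading `nintf = nintf_orig = config->desc.bNumInterfaces` before the `bDescriptorType`/`bLength` validation is safe here because the `memcpy` of `USB_DT_CONFIG_SIZE` bytes precedes it, but that ordering is worth a word in the same comment. usb_parse_configuration continues past both hunks.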
@@ -116,6 +116,17 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch +bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch +bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch +bugfix/all/netlink-add-netns-check-on-taps.patch +bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch +bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch +bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch +bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch +bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch +bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch +bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch +bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch # Fix exported symbol versions bugfix/all/module-disable-matching-missing-version-crc.patch