Add some security fixes that have been applied upstream
svn path=/dists/sid/linux/; revision=20589
parent
9681a7adac
commit
2533029529
|
@ -74,6 +74,13 @@ linux (3.10.11-1) UNRELEASED; urgency=low
|
||||||
* [x86] amd64_edac: Fix single-channel setups (Closes: #717473)
|
* [x86] amd64_edac: Fix single-channel setups (Closes: #717473)
|
||||||
* [x86] efi: Ensure efi-pstore is loaded on EFI systems
|
* [x86] efi: Ensure efi-pstore is loaded on EFI systems
|
||||||
* bug script: Prompt to include crash logs from pstore
|
* bug script: Prompt to include crash logs from pstore
|
||||||
|
* ipv6: remove max_addresses check from ipv6_create_tempaddr (CVE-2013-0343)
|
||||||
|
* HID: validate HID report id size (CVE-2013-2888)
|
||||||
|
* HID: pantherlord: validate output report details (CVE-2013-2892)
|
||||||
|
* HID: ntrig: validate feature report details (CVE-2013-2896)
|
||||||
|
* HID: sensor-hub: validate feature report details (CVE-2013-2898)
|
||||||
|
* HID: picolcd_core: validate output report details (CVE-2013-2899)
|
||||||
|
* HID: check for NULL field when setting values
|
||||||
|
|
||||||
[ Ian Campbell ]
|
[ Ian Campbell ]
|
||||||
* [armel]: Enable MVMDIO and USB_EHCI_HCD_ORION on Kirkwood and Orion
|
* [armel]: Enable MVMDIO and USB_EHCI_HCD_ORION on Kirkwood and Orion
|
||||||
|
|
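--- a/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
+++ b/debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
@@ -0,0 +1,30 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:32:01 +0200
+Subject: [6/6] HID: check for NULL field when setting values
+Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
+
+Defensively check that the field to be worked on is not NULL.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+drivers/hid/hid-core.c | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/hid-core.c
++++ b/drivers/hid/hid-core.c
+@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
+
+int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
+{
+- unsigned size = field->report_size;
++ unsigned size;
++
++ if (!field)
++ return -1;
++
++ size = field->report_size;
+
+hid_dump_input(field->report->device, field->usage + offset, value);
+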
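Review bot: The new `if (!field) return -1;` guard in hid_set_field() fails silently, so a caller that ignores the return value cannot tell that the write was dropped. Since the commit message calls this a defensive check, a short comment above the guard would record why a NULL can arrive here, for example `/* drivers may pass report->field[n] for a field the device never declared */`. Callers that go on to send the report after a failed set are outside this hunk and should be checked for whether they test the return value. The body of hid_set_field() continues past the end of the hunk.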
|
@ -0,0 +1,37 @@
|
||||||
|
From: Kees Cook <keescook@chromium.org>
|
||||||
|
Date: Wed, 28 Aug 2013 22:31:28 +0200
|
||||||
|
Subject: [3/6] HID: ntrig: validate feature report details
|
||||||
|
Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
|
||||||
|
|
||||||
|
A HID device could send a malicious feature report that would cause the
|
||||||
|
ntrig HID driver to trigger a NULL dereference during initialization:
|
||||||
|
|
||||||
|
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
|
||||||
|
...
|
||||||
|
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
|
||||||
|
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
|
||||||
|
|
||||||
|
CVE-2013-2896
|
||||||
|
|
||||||
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||||
|
Cc: stable@kernel.org
|
||||||
|
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
|
||||||
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||||
|
---
|
||||||
|
drivers/hid/hid-ntrig.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
|
||||||
|
index 98d1fdf..600f207 100644
|
||||||
|
--- a/drivers/hid/hid-ntrig.c
|
||||||
|
+++ b/drivers/hid/hid-ntrig.c
|
||||||
|
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
|
||||||
|
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
|
||||||
|
report_id_hash[0x0d];
|
||||||
|
|
||||||
|
- if (!report)
|
||||||
|
+ if (!report || report->maxfield < 1 ||
|
||||||
|
+ report->field[0]->report_count < 1)
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
|
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
|
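Review bot: The added condition in ntrig_get_mode() is safe only because of operand order: `report->field[0]->report_count` is evaluated after `report->maxfield < 1` has already short-circuited, and nothing in the code says so. A one-line comment such as `/* maxfield must be tested before field[0] is dereferenced */` would stop a later edit from reordering the operands. The diffstat (2 insertions, 1 deletion) shows this is the only site changed in hid-ntrig.c, so any other function in that driver that reads `field[0]->value` from a device-supplied report is not covered by this patch and is not visible here. The function body continues outside the hunk.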
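--- a/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
+++ b/debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
@@ -0,0 +1,43 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:30:49 +0200
+Subject: [2/6] HID: pantherlord: validate output report details
+Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
+
+A HID device could send a malicious output report that would cause the
+pantherlord HID driver to write beyond the output report allocation
+during initialization, causing a heap overflow:
+
+[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
+...
+[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
+
+CVE-2013-2892
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+drivers/hid/hid-pl.c | 10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
+index d29112f..2dcd7d9 100644
+--- a/drivers/hid/hid-pl.c
++++ b/drivers/hid/hid-pl.c
+@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
+strong = &report->field[0]->value[2];
+weak = &report->field[0]->value[3];
+debug("detected single-field device");
+- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
+- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
++ } else if (report->field[0]->maxusage == 1 &&
++ report->field[0]->usage[0].hid ==
++ (HID_UP_LED | 0x43) &&
++ report->maxfield >= 4 &&
++ report->field[0]->report_count >= 1 &&
++ report->field[1]->report_count >= 1 &&
++ report->field[2]->report_count >= 1 &&
++ report->field[3]->report_count >= 1) {
+report->field[0]->value[0] = 0x00;
+report->field[1]->value[0] = 0x00;
+strong = &report->field[2]->value[0];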
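Review bot: The rewritten `else if` in plff_init() now reads `report->field[0]->maxusage` and `usage[0].hid` before it tests `report->maxfield >= 4`, whereas the removed line tested `maxfield` first. If `maxfield` can be 0 on this path, `field[0]` is dereferenced before any count check; whether an earlier guard in plff_init() rules that out cannot be seen from this hunk. Restoring the original order, `} else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&`, keeps the condition safe on its own. The single-field branch above writes `value[2]` and `value[3]` under a condition that starts outside the hunk, so it is worth confirming that it requires `report_count >= 4`.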
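--- a/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
+++ b/debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
@@ -0,0 +1,45 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:52 +0200
+Subject: [5/6] HID: picolcd_core: validate output report details
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
+
+A HID device could send a malicious output report that would cause the
+picolcd HID driver to trigger a NULL dereference during attr file writing.
+
+[jkosina@suse.cz: changed
+
+report->maxfield < 1
+
+to
+
+report->maxfield != 1
+
+as suggested by Bruno].
+
+CVE-2013-2899
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
+Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+drivers/hid/hid-picolcd_core.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
+index b48092d..acbb0210 100644
+--- a/drivers/hid/hid-picolcd_core.c
++++ b/drivers/hid/hid-picolcd_core.c
+@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
+buf += 10;
+cnt -= 10;
+}
+- if (!report)
++ if (!report || report->maxfield != 1)
+return -EINVAL;
+
+while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))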
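Review bot: The new `report->maxfield != 1` test in picolcd_operation_mode_store() guarantees that `field[0]` exists but does not look at `report->field[0]->report_count`. The writes into the report happen after the end of this hunk, so it cannot be confirmed here that their offsets are bounded, for example by going through hid_set_field(). If any of them index `field[0]->value` directly, the guard should also require the count they rely on. A short comment noting that exactly one field is expected, and that the value comes from the device's descriptor, would explain why `!= 1` was chosen over `< 1`.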
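--- a/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
+++ b/debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
@@ -0,0 +1,33 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 28 Aug 2013 22:31:44 +0200
+Subject: [4/6] HID: sensor-hub: validate feature report details
+Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
+
+A HID device could send a malicious feature report that would cause the
+sensor-hub HID driver to read past the end of heap allocation, leaking
+kernel memory contents to the caller.
+
+CVE-2013-2898
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: stable@kernel.org
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+drivers/hid/hid-sensor-hub.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
+index ffc80cf..6fca30e 100644
+--- a/drivers/hid/hid-sensor-hub.c
++++ b/drivers/hid/hid-sensor-hub.c
+@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
+
+mutex_lock(&data->mutex);
+report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
+- if (!report || (field_index >= report->maxfield)) {
++ if (!report || (field_index >= report->maxfield) ||
++ report->field[field_index]->report_count < 1) {
+ret = -EINVAL;
+goto done_proc;
+}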
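Review bot: The `report_count < 1` test is added to sensor_hub_get_feature() only; the diffstat (2 insertions, 1 deletion) shows that no other function in hid-sensor-hub.c was changed. Any sibling that takes a caller-supplied `field_index` and touches `report->field[field_index]->value[...]` is not visible here and would need the same bound unless it goes through a helper that checks the offset. The read this guard protects is after the end of the hunk, so a comment next to the check, such as `/* value[0] is read below; the device controls report_count */`, would keep the two tied together.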
|
@ -0,0 +1,57 @@
|
||||||
|
From: Kees Cook <keescook@chromium.org>
|
||||||
|
Date: Wed, 28 Aug 2013 22:29:55 +0200
|
||||||
|
Subject: [1/6] HID: validate HID report id size
|
||||||
|
Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
|
||||||
|
|
||||||
|
The "Report ID" field of a HID report is used to build indexes of
|
||||||
|
reports. The kernel's index of these is limited to 256 entries, so any
|
||||||
|
malicious device that sets a Report ID greater than 255 will trigger
|
||||||
|
memory corruption on the host:
|
||||||
|
|
||||||
|
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
|
||||||
|
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
|
||||||
|
|
||||||
|
CVE-2013-2888
|
||||||
|
|
||||||
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||||
|
Cc: stable@kernel.org
|
||||||
|
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||||
|
---
|
||||||
|
drivers/hid/hid-core.c | 10 +++++++---
|
||||||
|
1 file changed, 7 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||||
|
index 36668d1..5ea7d51 100644
|
||||||
|
--- a/drivers/hid/hid-core.c
|
||||||
|
+++ b/drivers/hid/hid-core.c
|
||||||
|
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
|
||||||
|
struct hid_report_enum *report_enum = device->report_enum + type;
|
||||||
|
struct hid_report *report;
|
||||||
|
|
||||||
|
+ if (id >= HID_MAX_IDS)
|
||||||
|
+ return NULL;
|
||||||
|
if (report_enum->report_id_hash[id])
|
||||||
|
return report_enum->report_id_hash[id];
|
||||||
|
|
||||||
|
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
|
||||||
|
|
||||||
|
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
|
||||||
|
parser->global.report_id = item_udata(item);
|
||||||
|
- if (parser->global.report_id == 0) {
|
||||||
|
- hid_err(parser->device, "report_id 0 is invalid\n");
|
||||||
|
+ if (parser->global.report_id == 0 ||
|
||||||
|
+ parser->global.report_id >= HID_MAX_IDS) {
|
||||||
|
+ hid_err(parser->device, "report_id %u is invalid\n",
|
||||||
|
+ parser->global.report_id);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
return 0;
|
||||||
|
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
|
||||||
|
for (i = 0; i < HID_REPORT_TYPES; i++) {
|
||||||
|
struct hid_report_enum *report_enum = device->report_enum + i;
|
||||||
|
|
||||||
|
- for (j = 0; j < 256; j++) {
|
||||||
|
+ for (j = 0; j < HID_MAX_IDS; j++) {
|
||||||
|
struct hid_report *report = report_enum->report_id_hash[j];
|
||||||
|
if (report)
|
||||||
|
hid_free_report(report);
|
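Review bot: `HID_MAX_IDS` is used in all three hunks (hid_register_report, hid_parser_global, hid_close_report), but this patch's diffstat lists only drivers/hid/hid-core.c and no hunk defines the macro. Unless the tree being patched already declares it in a header, the build breaks, and the bound is only meaningful if `report_id_hash[]` is sized by the same constant rather than a separate literal. It is worth confirming that the header side of the change is present in this series. Separately, hid_register_report() can now return NULL for an out-of-range id, so every caller has to treat NULL as a failure; those callers are outside the hunks shown.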
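--- a/debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
+++ b/debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
@@ -0,0 +1,60 @@
+From: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Date: Fri, 16 Aug 2013 13:02:27 +0200
+Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
+Origin: https://git.kernel.org/linus/4b08a8f1bd8cb4541c93ec170027b4d0782dab52
+
+Because of the max_addresses check attackers were able to disable privacy
+extensions on an interface by creating enough autoconfigured addresses:
+
+<http://seclists.org/oss-sec/2012/q4/292>
+
+But the check is not actually needed: max_addresses protects the
+kernel to install too many ipv6 addresses on an interface and guards
+addrconf_prefix_rcv to install further addresses as soon as this limit
+is reached. We only generate temporary addresses in direct response of
+a new address showing up. As soon as we filled up the maximum number of
+addresses of an interface, we stop installing more addresses and thus
+also stop generating more temp addresses.
+
+Even if the attacker tries to generate a lot of temporary addresses
+by announcing a prefix and removing it again (lifetime == 0) we won't
+install more temp addresses, because the temporary addresses do count
+to the maximum number of addresses, thus we would stop installing new
+autoconfigured addresses when the limit is reached.
+
+This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
+possible).
+
+Thanks to Ding Tianhong to bring this topic up again.
+
+Cc: Ding Tianhong <dingtianhong@huawei.com>
+Cc: George Kargiotakis <kargig@void.gr>
+Cc: P J P <ppandit@redhat.com>
+Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
+Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
+Acked-by: Ding Tianhong <dingtianhong@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 3.10: adjust ipv6_add_addr() parameter list]
+---
+net/ipv6/addrconf.c | 10 ++++------
+1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/addrconf.c
++++ b/net/ipv6/addrconf.c
+@@ -1124,12 +1124,10 @@ retry:
+if (ifp->flags & IFA_F_OPTIMISTIC)
+addr_flags |= IFA_F_OPTIMISTIC;
+
+- ift = !max_addresses ||
+- ipv6_count_addresses(idev) < max_addresses ?
+- ipv6_add_addr(idev, &addr, tmp_plen,
+- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+- addr_flags) : NULL;
+- if (IS_ERR_OR_NULL(ift)) {
++ ift = ipv6_add_addr(idev, &addr, tmp_plen,
++ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
++ addr_flags);
++ if (IS_ERR(ift)) {
+in6_ifa_put(ifp);
+in6_dev_put(idev);
+pr_info("%s: retry temporary address regeneration\n", __func__);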
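Review bot: Narrowing the test from `IS_ERR_OR_NULL(ift)` to `IS_ERR(ift)` is correct only if ipv6_add_addr() in this 3.10 tree never returns NULL. The NULL used to come from the removed ternary, but the callee is outside the hunk and the backport note says its parameter list differs from upstream, so the return contract should be confirmed against the backported function rather than the upstream one. If that cannot be guaranteed, keeping `if (IS_ERR_OR_NULL(ift)) {` costs nothing and avoids a NULL dereference of `ift` later in the function. The hunk starts at the `retry:` label, so the start and end of the enclosing function are not shown. With the local limit removed, the address cap depends entirely on the check the commit message places in addrconf_prefix_rcv.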
|
@ -117,3 +117,10 @@ bugfix/arm/I2C-mv64xxx-move-mv64xxx_i2c_prepare_for_io.patch
|
||||||
bugfix/arm/I2C-mv64xxx-fix-race-between-FSM-interrupt-and-proce.patch
|
bugfix/arm/I2C-mv64xxx-fix-race-between-FSM-interrupt-and-proce.patch
|
||||||
bugfix/arm/ARM-Fix-the-world-famous-typo-with-is_gate_vma.patch
|
bugfix/arm/ARM-Fix-the-world-famous-typo-with-is_gate_vma.patch
|
||||||
bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
|
bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
|
||||||
|
bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
|
||||||
|
bugfix/all/HID-validate-HID-report-id-size.patch
|
||||||
|
bugfix/all/HID-pantherlord-validate-output-report-details.patch
|
||||||
|
bugfix/all/HID-ntrig-validate-feature-report-details.patch
|
||||||
|
bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
|
||||||
|
bugfix/all/HID-picolcd_core-validate-output-report-details.patch
|
||||||
|
bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
|
||||||
|
|