parent 326a2052e2
commit 31945f628c
@ -1,4 +1,226 @@
linux (4.9.18-2) UNRELEASED; urgency=medium
linux (4.9.22-1) UNRELEASED; urgency=medium

* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.19
- net/openvswitch: Set the ipv6 source tunnel key address attribute
correctly
- net: properly release sk_frag.page
- [arm64] amd-xgbe: Fix jumbo MTU processing on newer hardware
- openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD
- net: unix: properly re-increment inflight counter of GC discarded
candidates
- net: vrf: Reset rt6i_idev in local dst after put
- net/mlx5: Add missing entries for set/query rate limit commands
- net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
- net/mlx5: Increase number of max QPs in default profile
- net/mlx5e: Count GSO/LRO packets correctly
- ipv6: make sure to initialize sockc.tsflags before first use
- ipv4: provide stronger user input validation in nl_fib_input()
- socket, bpf: fix sk_filter use after free in sk_clone_lock
- tcp: initialize icsk_ack.lrcvtime at session start time
- Input: iforce,ims-pcu,hanwang,yealink,cm109,kbtab,sur40 - validate
number of endpoints before using them
- ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
- ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
- ALSA: hda - Adding a group of pin definition to fix headset problem
- ACM gadget: fix endianness in notifications
- usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's
wBytesPerInterval
- USB: uss720,idmouse,wusbcore: fix NULL-deref at probe
- usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
- usb: hub: Fix crash after failure to read BOS descriptor
- USB: usbtmc: add missing endpoint sanity check
- USB: usbtmc: fix probe error path
- uwb: i1480-dfu: fix NULL-deref at probe
- mmc: ushc: fix NULL-deref at probe
- [armhf[ iio: adc: ti_am335x_adc: fix fifo overrun recovery
- iio: sw-device: Fix config group initialization
- iio: hid-sensor-trigger: Change get poll value function order to avoid
sensor properties losing after resume from S3
- parport: fix attempt to write duplicate procfiles
- ext4: mark inode dirty after converting inline directory
- ext4: lock the xattr block before checksuming it
- [powerpc*/*64*] Fix idle wakeup potential to clobber registers
- mmc: sdhci: Do not disable interrupts while waiting for clock
- mmc: sdhci-pci: Do not disable interrupts in sdhci_intel_set_power
- [x86] hwrng: amd - Revert managed API changes
- [x86] hwrng: geode - Revert managed API changes
- [armhf] clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module
clock
- [armhf] clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
- mwifiex: pcie: don't leak DMA buffers when removing
- [x86] crypto: ccp - Assign DMA commands to the channel's CCP
- xen/acpi: upload PM state from init-domain to Xen
- [x86] iommu/vt-d: Fix NULL pointer dereference in device_to_iommu
- [arm64] kaslr: Fix up the kernel image alignment
- cpufreq: Restore policy min/max limits on CPU online
- cgroup, net_cls: iterate the fds of only the tasks which are being
migrated
- blk-mq: don't complete un-started request in timeout handler
- [x86] drm/amdgpu: reinstate oland workaround for sclk
- jbd2: don't leak memory if setting up journal fails
- [x86] intel_th: Don't leak module refcount on failure to activate
- [x86] Drivers: hv: vmbus: Don't leak channel ids
- [x86] Drivers: hv: vmbus: Don't leak memory when a channel is rescinded
- libceph: don't set weight to IN when OSD is destroyed
- [x86] device-dax: fix pmd/pte fault fallback handling
- [armhf] drm/bridge: analogix dp: Fix runtime PM state on driver bind
- nl80211: fix dumpit error path RTNL deadlocks
- drm: reference count event->completion
- fbcon: Fix vc attr at deinit
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.20
- xfrm: policy: init locks early
- [x86] KVM: cleanup the page tracking SRCU instance
- virtio_balloon: init 1st buffer in stats vq
- [mips*] ptrace: Preserve previous registers for short regset write
- [sparc64] ptrace: Preserve previous registers for short regset write
- fscrypt: remove broken support for detecting keyring key revocation
(CVE-2017-7374)
- sched/rt: Add a missing rescheduling point
- [armhf] usb: musb: fix possible spinlock deadlock
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.21
- libceph: force GFP_NOIO for socket allocations
- xen/setup: Don't relocate p2m over existing one
- xfs: only update mount/resv fields on success in __xfs_ag_resv_init
- xfs: use per-AG reservations for the finobt
- xfs: pull up iolock from xfs_free_eofblocks()
- xfs: sync eofblocks scans under iolock are livelock prone
- xfs: fix eofblocks race with file extending async dio writes
- xfs: fix toctou race when locking an inode to access the data map
- xfs: fail _dir_open when readahead fails
- xfs: filter out obviously bad btree pointers
- xfs: check for obviously bad level values in the bmbt root
- xfs: verify free block header fields
- xfs: allow unwritten extents in the CoW fork
- xfs: mark speculative prealloc CoW fork extents unwritten
- xfs: reset b_first_retry_time when clear the retry status of xfs_buf_t
- xfs: update ctime and mtime on clone destinatation inodes
- xfs: reject all unaligned direct writes to reflinked files
- xfs: don't fail xfs_extent_busy allocation
- xfs: handle indlen shortage on delalloc extent merge
- xfs: split indlen reservations fairly when under reserved
- xfs: fix uninitialized variable in _reflink_convert_cow
- xfs: don't reserve blocks for right shift transactions
- xfs: Use xfs_icluster_size_fsb() to calculate inode chunk alignment
- xfs: tune down agno asserts in the bmap code
- xfs: only reclaim unwritten COW extents periodically
- xfs: fix and streamline error handling in xfs_end_io
- xfs: Use xfs_icluster_size_fsb() to calculate inode alignment mask
- xfs: use iomap new flag for newly allocated delalloc blocks
- xfs: try any AG when allocating the first btree block when reflinking
- scsi: libsas: fix ata xfer length
- scsi: scsi_dh_alua: Check scsi_device_get() return value
- scsi: scsi_dh_alua: Ensure that alua_activate() calls the completion
function
- ALSA: seq: Fix race during FIFO resize
- ALSA: hda - fix a problem for lineout on a Dell AIO machine
- [x86] ASoC: Intel: Skylake: fix invalid memory access due to wrong
reference of pointer
- HID: wacom: Don't add ghost interface as shared data
- mmc: sdhci: Disable runtime pm when the sdio_irq is enabled
- NFSv4.1 fix infinite loop on IO BAD_STATEID error
- nfsd: map the ENOKEY to nfserr_perm for avoiding warning
- [hppa] Clean up fixup routines for get_user()/put_user()
- [hppa] Avoid stalled CPU warnings after system shutdown
- [hppa] Fix access fault handling in pa_memcpy()
- ACPI: Fix incompatibility with mcount-based function graph tracing
- ACPI: Do not create a platform_device for IOAPIC/IOxAPIC
- USB: fix linked-list corruption in rh_call_control()
- [x86] KVM: clear bus pointer when destroyed
- KVM: kvm_io_bus_unregister_dev() should never fail
- drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
- [armhf,arm64] drm/vc4: Allocate the right amount of space for boot-time
CRTC state.
- [armhf] drm/etnaviv: (re-)protect fence allocation with GPU mutex
- [x86] mm/KASLR: Exclude EFI region from KASLR VA space randomization
- [x86] mce: Fix copy/paste error in exception table entries
- lib/syscall: Clear return values when no stack
- mm: rmap: fix huge file mmap accounting in the memcg stats
- mm, hugetlb: use pte_present() instead of pmd_present() in
follow_huge_pmd()
- qla2xxx: Allow vref count to timeout on vport delete.
- mm: workingset: fix premature shadow node shrinking with cgroups
- blk: improve order of bio handling in generic_make_request()
- blk: Ensure users for current->bio_list can see the full list.
- padata: avoid race in reordering
- nvme/core: Fix race kicking freed request_queue
- nvme/pci: Disable on removal when disconnected
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.22
- ppdev: check before attaching port
- ppdev: fix registering same device name
- [x86] drm/vmwgfx: Type-check lookups of fence objects
- [x86] drm/vmwgfx: avoid calling vzalloc with a 0 size in
vmw_get_cap_3d_ioctl()
- drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
- [x86] drm/vmwgfx: Remove getparam error message
- sysfs: be careful of error returns from ops->show()
- [armhf,arm64] KVM: Take mmap_sem in stage2_unmap_vm
- [armhf,arm64] KVM: Take mmap_sem in kvm_arch_prepare_memory_region
- [armhf,arm64] kvm: Fix locking for kvm_free_stage2_pgd
- [x86] iio: bmg160: reset chip when probing
- [arm64] mm: unaligned access by user-land should be received as SIGBUS
- cfg80211: check rdev resume callback only for registered wiphy
- CIFS: Reset TreeId to zero on SMB2 TREE_CONNECT
- mm/page_alloc.c: fix print order in show_free_areas()
- ptrace: fix PTRACE_LISTEN race corrupting task->state
- dm verity fec: limit error correction recursion
- dm verity fec: fix bufio leaks
- ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
- xfs: Honor FALLOC_FL_KEEP_SIZE when punching ends of files
- ring-buffer: Fix return value check in test_ringbuffer()
- mac80211: unconditionally start new netdev queues with iTXQ support
- brcmfmac: use local iftype avoiding use-after-free of virtual interface
- [powerpc*] Disable HFSCR[TM] if TM is not supported
- [powerpc*] mm: Add missing global TLB invalidate if cxl is active
- [powerpc*/*64*]: Fix flush_(d|i)cache_range() called from modules
- [powerpc*] Don't try to fix up misaligned load-with-reservation
instructions
- [powerpc*] crypto/crc32c-vpmsum: Fix missing preempt_disable()
- dm raid: fix NULL pointer dereference for raid1 without bitmap
- [s390x] decompressor: fix initrd corruption caused by bss clear
- [s390x] uaccess: get_user() should zero on failure (again)
- [mips*el/loongson-3] Check TLB before handle_ri_rdhwr() for Loongson-3
- [mips*el/loongson-3] Add MIPS_CPU_FTLB for Loongson-3A R2
- [mips*el/loongson-3] Flush wrong invalid FTLB entry for huge page
- [mips*el/loongson-3] c-r4k: Fix Loongson-3's vcache/scache waysize
calculation
- mm/mempolicy.c: fix error handling in set_mempolicy and mbind
(CVE-2017-7616)
- random: use chacha20 for get_random_int/long
- [armhf] drm/sun4i: tcon: Move SoC specific quirks to a DT matched data
structure
- [armhf] drm/sun4i: Add compatible strings for A31/A31s display pipelines
- [armhf] drm/sun4i: Add compatible string for A31/A31s TCON (timing
controller)
- HID: i2c-hid: add a simple quirk to fix device defects
- usb: dwc3: gadget: delay unmap of bounced requests
- [x86] ASoC: Intel: bytct_rt5640: change default capture settings
- [armhf,arm64] clocksource/drivers/arm_arch_timer: Don't assume clock runs
in suspend
- scsi: ufs: introduce UFSHCD_QUIRK_PRDT_BYTE_GRAN quirk
- HID: multitouch: do not retrieve all reports for all devices
- [arm64] mmc: sdhci-msm: Enable few quirks
- scsi: ufs: ensure that host pa_tactivate is higher than device
- svcauth_gss: Close connection when dropping an incoming message
- scsi: ufs: add quirk to increase host PA_SaveConfigTime
- [x86] platform: acer-wmi: Only supports AMW0_GUID1 on acer family
- nvme: simplify stripe quirk
- ACPI / sysfs: Provide quirk mechanism to prevent GPE flooding
- HID: usbhid: Add quirk for the Futaba TOSD-5711BB VFD
- [x86] drm/i915: actually drive the BDW reserved IDs
- scsi: ufs: issue link starup 2 times if device isn't active
- [armhf] serial: 8250_omap: Add OMAP_DMA_TX_KICK quirk for AM437x
- ACPI / button: Change default behavior to lid_init_state=open
- [x86] ACPI: save NVS memory for Lenovo G50-45
- HID: wacom: don't apply generic settings to old devices
- [arm64] firmware: qcom: scm: Fix interrupted SCM calls
- [armhf] watchdog: s3c2410: Fix infinite interrupt in soft mode
- [x86] platform: asus-wmi: Set specified XUSB2PR value for X550LB
- [x86] platform: asus-wmi: Detect quirk_no_rfkill from the DSDT
- [x86] reboot/quirks: Add ASUS EeeBook X205TA reboot quirk
- [x86] reboot/quirks: Add ASUS EeeBook X205TA/W reboot quirk
- usb-storage: Add ignore-residue quirk for Initio INIC-3619
- [x86] reboot/quirks: Fix typo in ASUS EeeBook X205TA reboot quirk

[ Ben Hutchings ]
* w1: Really enable W1_MASTER_GPIO as module (Closes: #858975)
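Review bot: the architecture tag on the ti_am335x_adc entry is mistyped as `[armhf[` and should read `[armhf]`, as every other armhf entry in this list does; the unbalanced bracket will trip anyone grepping the changelog for per-architecture changes. The remaining oddities in the list (`checksuming`, `destinatation`, `starup`, `bytct_rt5640`) sit inside quoted upstream commit subjects, so they should be checked against the linked kernel.org ChangeLogs rather than corrected here, since the entries are meant to be searchable against those subjects.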
|
@ -25,10 +247,6 @@ linux (4.9.18-2) UNRELEASED; urgency=medium

[ Salvatore Bonaccorso ]
* ping: implement proper locking (CVE-2017-2671)
* fscrypt: remove broken support for detecting keyring key revocation
(CVE-2017-7374)
* mm/mempolicy.c: fix error handling in set_mempolicy and mbind
(CVE-2017-7616)

-- Ben Hutchings <ben@decadent.org.uk> Thu, 30 Mar 2017 18:27:30 +0100
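Review bot: the two entries dropped from the Salvatore Bonaccorso section (CVE-2017-7374 and CVE-2017-7616) reappear under the ChangeLog-4.9.20 and ChangeLog-4.9.22 entries in the first hunk, so the CVE trail survives; the ping locking fix (CVE-2017-2671) stays as a Debian-specific entry. This commit also deletes the patch files for CVE-2017-7187 (scsi: sg), CVE-2017-7184 (xfrm_user, two patches) and CVE-2017-7294 (drm/vmwgfx), but neither changelog hunk names them; suggest confirming each is carried by one of the listed stable releases and, where a patch was only ever applied in this unreleased version, noting its replacement in the stable list.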
@ -1,253 +0,0 @@
From: Eric Biggers <ebiggers@google.com>
Date: Tue, 21 Feb 2017 15:07:11 -0800
Subject: fscrypt: remove broken support for detecting keyring key revocation
Origin: https://git.kernel.org/linus/1b53cf9815bb4744958d41f3795d5d5a1d365e2d
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7374

Filesystem encryption ostensibly supported revoking a keyring key that
had been used to "unlock" encrypted files, causing those files to become
"locked" again. This was, however, buggy for several reasons, the most
severe of which was that when key revocation happened to be detected for
an inode, its fscrypt_info was immediately freed, even while other
threads could be using it for encryption or decryption concurrently.
This could be exploited to crash the kernel or worse.

This patch fixes the use-after-free by removing the code which detects
the keyring key having been revoked, invalidated, or expired. Instead,
an encrypted inode that is "unlocked" now simply remains unlocked until
it is evicted from memory. Note that this is no worse than the case for
block device-level encryption, e.g. dm-crypt, and it still remains
possible for a privileged user to evict unused pages, inodes, and
dentries by running 'sync; echo 3 > /proc/sys/vm/drop_caches', or by
simply unmounting the filesystem. In fact, one of those actions was
already needed anyway for key revocation to work even somewhat sanely.
This change is not expected to break any applications.

In the future I'd like to implement a real API for fscrypt key
revocation that interacts sanely with ongoing filesystem operations ---
waiting for existing operations to complete and blocking new operations,
and invalidating and sanitizing key material and plaintext from the VFS
caches. But this is a hard problem, and for now this bug must be fixed.

This bug affected almost all versions of ext4, f2fs, and ubifs
encryption, and it was potentially reachable in any kernel configured
with encryption support (CONFIG_EXT4_ENCRYPTION=y,
CONFIG_EXT4_FS_ENCRYPTION=y, CONFIG_F2FS_FS_ENCRYPTION=y, or
CONFIG_UBIFS_FS_ENCRYPTION=y). Note that older kernels did not use the
shared fs/crypto/ code, but due to the potential security implications
of this bug, it may still be worthwhile to backport this fix to them.

Fixes: b7236e21d55f ("ext4 crypto: reorganize how we store keys in the inode")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Acked-by: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[carnil: backport synced with 2984e52c75c657db7901f6189f02e0251ca963c2 in 4.9.20]
---
fs/crypto/crypto.c | 10 +---------
fs/crypto/fname.c | 2 +-
fs/crypto/keyinfo.c | 52 +++++++++---------------------------------------
include/linux/fscrypto.h | 2 --
4 files changed, 11 insertions(+), 55 deletions(-)

diff --git a/fs/crypto/crypto.c b/fs/crypto/crypto.c
index 98f87fe8f186..61cfccea77bc 100644
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -352,7 +352,6 @@ EXPORT_SYMBOL(fscrypt_zeroout_range);
static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
{
struct dentry *dir;
- struct fscrypt_info *ci;
int dir_has_key, cached_with_key;

if (flags & LOOKUP_RCU)
@@ -364,18 +363,11 @@ static int fscrypt_d_revalidate(struct dentry *dentry, unsigned int flags)
return 0;
}

- ci = d_inode(dir)->i_crypt_info;
- if (ci && ci->ci_keyring_key &&
- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
- (1 << KEY_FLAG_REVOKED) |
- (1 << KEY_FLAG_DEAD))))
- ci = NULL;
-
/* this should eventually be an flag in d_flags */
spin_lock(&dentry->d_lock);
cached_with_key = dentry->d_flags & DCACHE_ENCRYPTED_WITH_KEY;
spin_unlock(&dentry->d_lock);
- dir_has_key = (ci != NULL);
+ dir_has_key = (d_inode(dir)->i_crypt_info != NULL);
dput(dir);

/*
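Review bot: with the KEY_FLAG_INVALIDATED/REVOKED/DEAD test removed, `dir_has_key` reduces to `d_inode(dir)->i_crypt_info != NULL`, so a dentry counts as unlocked for as long as the directory inode keeps its fscrypt_info, which is exactly the semantics the message describes. The deleted check was also the unsafe side of the race: it dereferenced `ci->ci_keyring_key` through a pointer that nothing pinned against a concurrent free of `ci`. The `struct fscrypt_info *ci` local dropped in the first hunk has no remaining users after this hunk, so the two hunks must land together.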
diff --git a/fs/crypto/fname.c b/fs/crypto/fname.c
index 9b774f4b50c8..80bb956e14e5 100644
--- a/fs/crypto/fname.c
+++ b/fs/crypto/fname.c
@@ -350,7 +350,7 @@ int fscrypt_setup_filename(struct inode *dir, const struct qstr *iname,
fname->disk_name.len = iname->len;
return 0;
}
- ret = get_crypt_info(dir);
+ ret = fscrypt_get_encryption_info(dir);
if (ret && ret != -EOPNOTSUPP)
return ret;
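Review bot: this call-site rename from `get_crypt_info()` to `fscrypt_get_encryption_info()` relies on the header hunk at the end of the patch dropping the `get_crypt_info` prototype, so any caller left outside fs/crypto/ would fail to build rather than silently keep the old revocation behaviour; a tree-wide grep for `get_crypt_info` before applying the backport is the cheap way to confirm there are none.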
diff --git a/fs/crypto/keyinfo.c b/fs/crypto/keyinfo.c
index 67fb6d8876d0..bb4606368eb1 100644
--- a/fs/crypto/keyinfo.c
+++ b/fs/crypto/keyinfo.c
@@ -99,6 +99,7 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
kfree(full_key_descriptor);
if (IS_ERR(keyring_key))
return PTR_ERR(keyring_key);
+ down_read(&keyring_key->sem);

if (keyring_key->type != &key_type_logon) {
printk_once(KERN_WARNING
@@ -106,11 +107,9 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
res = -ENOKEY;
goto out;
}
- down_read(&keyring_key->sem);
ukp = user_key_payload(keyring_key);
if (ukp->datalen != sizeof(struct fscrypt_key)) {
res = -EINVAL;
- up_read(&keyring_key->sem);
goto out;
}
master_key = (struct fscrypt_key *)ukp->data;
@@ -121,17 +120,11 @@ static int validate_user_key(struct fscrypt_info *crypt_info,
"%s: key size incorrect: %d\n",
__func__, master_key->size);
res = -ENOKEY;
- up_read(&keyring_key->sem);
goto out;
}
res = derive_key_aes(ctx->nonce, master_key->raw, raw_key);
- up_read(&keyring_key->sem);
- if (res)
- goto out;
-
- crypt_info->ci_keyring_key = keyring_key;
- return 0;
out:
+ up_read(&keyring_key->sem);
key_put(keyring_key);
return res;
}
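Review bot: taking `down_read(&keyring_key->sem)` immediately after the `IS_ERR()` check is what lets the `out:` label do a single unconditional `up_read()`; the per-error `up_read()` calls removed from the datalen and size checks each balanced a lock that was previously taken later, and the `-ENOKEY` type-mismatch branch in the second hunk exits via `goto out`, not a bare return, so it releases the semaphore it now holds. The old success path (`crypt_info->ci_keyring_key = keyring_key; return 0;`) kept a key reference alive inside the inode; every path now reaches `key_put(keyring_key)`, so the keyring key is held only for the duration of `derive_key_aes()`.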
@@ -173,12 +166,11 @@ static void put_crypt_info(struct fscrypt_info *ci)
if (!ci)
return;

- key_put(ci->ci_keyring_key);
crypto_free_skcipher(ci->ci_ctfm);
kmem_cache_free(fscrypt_info_cachep, ci);
}

-int get_crypt_info(struct inode *inode)
+int fscrypt_get_encryption_info(struct inode *inode)
{
struct fscrypt_info *crypt_info;
struct fscrypt_context ctx;
@@ -188,21 +180,15 @@ int get_crypt_info(struct inode *inode)
u8 *raw_key = NULL;
int res;

+ if (inode->i_crypt_info)
+ return 0;
+
res = fscrypt_initialize();
if (res)
return res;

if (!inode->i_sb->s_cop->get_context)
return -EOPNOTSUPP;
-retry:
- crypt_info = ACCESS_ONCE(inode->i_crypt_info);
- if (crypt_info) {
- if (!crypt_info->ci_keyring_key ||
- key_validate(crypt_info->ci_keyring_key) == 0)
- return 0;
- fscrypt_put_encryption_info(inode, crypt_info);
- goto retry;
- }

res = inode->i_sb->s_cop->get_context(inode, &ctx, sizeof(ctx));
if (res < 0) {
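Review bot: the new `if (inode->i_crypt_info) return 0;` fast path replaces the `retry:` loop that called `key_validate()` on the cached key and, on failure, freed the fscrypt_info through `fscrypt_put_encryption_info()` while other threads could still be using it; that free-while-in-use path is the CVE-2017-7374 use-after-free, and deleting it is the substance of the fix. A plain load is adequate here because `i_crypt_info` is published exactly once by the `cmpxchg` later in this function and torn down only at eviction.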
@@ -230,7 +216,6 @@ int get_crypt_info(struct inode *inode)
crypt_info->ci_data_mode = ctx.contents_encryption_mode;
crypt_info->ci_filename_mode = ctx.filenames_encryption_mode;
crypt_info->ci_ctfm = NULL;
- crypt_info->ci_keyring_key = NULL;
memcpy(crypt_info->ci_master_key, ctx.master_key_descriptor,
sizeof(crypt_info->ci_master_key));

@@ -285,14 +270,8 @@ int get_crypt_info(struct inode *inode)
if (res)
goto out;

- kzfree(raw_key);
- raw_key = NULL;
- if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) != NULL) {
- put_crypt_info(crypt_info);
- goto retry;
- }
- return 0;
-
+ if (cmpxchg(&inode->i_crypt_info, NULL, crypt_info) == NULL)
+ crypt_info = NULL;
out:
if (res == -ENOKEY)
res = 0;
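Review bot: the removed `kzfree(raw_key); raw_key = NULL;` pair is not a lost scrub, because the `kzfree(raw_key)` in the context of the next hunk (the `out:` path) still zeroes the derived key on every exit. The new `cmpxchg(...) == NULL` form publishes `crypt_info` on success and nulls the local so the `out:` path will not free the now-live structure; on losing the race the local stays set and control falls through to `out:`, so a `put_crypt_info(crypt_info)` must sit between `res = 0` and the `kzfree(raw_key)` in the elided context to avoid leaking the loser's copy. That call is not visible in this hunk; confirm it is present in the backported tree.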
@@ -300,6 +279,7 @@ int get_crypt_info(struct inode *inode)
kzfree(raw_key);
return res;
}
+EXPORT_SYMBOL(fscrypt_get_encryption_info);

void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
{
@@ -317,17 +297,3 @@ void fscrypt_put_encryption_info(struct inode *inode, struct fscrypt_info *ci)
put_crypt_info(ci);
}
EXPORT_SYMBOL(fscrypt_put_encryption_info);
-
-int fscrypt_get_encryption_info(struct inode *inode)
-{
- struct fscrypt_info *ci = inode->i_crypt_info;
-
- if (!ci ||
- (ci->ci_keyring_key &&
- (ci->ci_keyring_key->flags & ((1 << KEY_FLAG_INVALIDATED) |
- (1 << KEY_FLAG_REVOKED) |
- (1 << KEY_FLAG_DEAD)))))
- return get_crypt_info(inode);
- return 0;
-}
-EXPORT_SYMBOL(fscrypt_get_encryption_info);
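Review bot: the deleted `fscrypt_get_encryption_info()` wrapper was the second copy of the key-flag test (the first was in `fscrypt_d_revalidate()`); it re-entered `get_crypt_info()` whenever the cached key looked revoked, which is the entry point to the free-and-retry path removed earlier. Folding it into the renamed function with the `if (inode->i_crypt_info) return 0;` check leaves one exported symbol with the same name and signature, so `EXPORT_SYMBOL(fscrypt_get_encryption_info)` simply moves and callers see no interface change.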
diff --git a/include/linux/fscrypto.h b/include/linux/fscrypto.h
index ff8b11b26f31..f6dfc2950f76 100644
--- a/include/linux/fscrypto.h
+++ b/include/linux/fscrypto.h
@@ -79,7 +79,6 @@ struct fscrypt_info {
u8 ci_filename_mode;
u8 ci_flags;
struct crypto_skcipher *ci_ctfm;
- struct key *ci_keyring_key;
u8 ci_master_key[FS_KEY_DESCRIPTOR_SIZE];
};

@@ -256,7 +255,6 @@ extern int fscrypt_has_permitted_context(struct inode *, struct inode *);
extern int fscrypt_inherit_context(struct inode *, struct inode *,
void *, bool);
/* keyinfo.c */
-extern int get_crypt_info(struct inode *);
extern int fscrypt_get_encryption_info(struct inode *);
extern void fscrypt_put_encryption_info(struct inode *, struct fscrypt_info *);

--
2.11.0
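Review bot: removing `ci_keyring_key` changes the layout of `struct fscrypt_info`, but the structure is allocated and freed inside fs/crypto/ (see `kmem_cache_free(fscrypt_info_cachep, ci)` in `put_crypt_info()` above), so filesystems that only hold an `i_crypt_info` pointer are unaffected. As for deleting this patch file from the packaging: the `[carnil: backport synced with 2984e52c75c657db7901f6189f02e0251ca963c2 in 4.9.20]` line together with the `fscrypt: remove broken support for detecting keyring key revocation (CVE-2017-7374)` entry under ChangeLog-4.9.20 in the changelog hunk is the justification, and both are visible here, so the removal is consistent.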
@ -1,76 +0,0 @@
From: Chris Salls <salls@cs.ucsb.edu>
Date: Fri, 7 Apr 2017 23:48:11 -0700
Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62

In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
mm/mempolicy.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 75b2745..37d0b33 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1529,7 +1529,6 @@ COMPAT_SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
compat_ulong_t, maxnode)
{
- long err = 0;
unsigned long __user *nm = NULL;
unsigned long nr_bits, alloc_size;
DECLARE_BITMAP(bm, MAX_NUMNODES);
@@ -1538,14 +1537,13 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;

if (nmask) {
- err = compat_get_bitmap(bm, nmask, nr_bits);
+ if (compat_get_bitmap(bm, nmask, nr_bits))
+ return -EFAULT;
nm = compat_alloc_user_space(alloc_size);
- err |= copy_to_user(nm, bm, alloc_size);
+ if (copy_to_user(nm, bm, alloc_size))
+ return -EFAULT;
}

- if (err)
- return -EFAULT;
-
return sys_set_mempolicy(mode, nm, nr_bits+1);
}
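Review bot: the old flow ran `copy_to_user(nm, bm, alloc_size)` even after `compat_get_bitmap()` had failed and only tested the OR-ed `err` afterwards; since `bm` is a `DECLARE_BITMAP()` on the stack with no initializer, that copy wrote uninitialized kernel stack into the user-accessible area returned by `compat_alloc_user_space()`, which is the CVE-2017-7616 information leak. Returning `-EFAULT` from the first failure, before the copy, is the right fix; `err` has no remaining readers, so its removal in the previous hunk is correct.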
@@ -1553,7 +1551,6 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
compat_ulong_t, mode, compat_ulong_t __user *, nmask,
compat_ulong_t, maxnode, compat_ulong_t, flags)
{
- long err = 0;
unsigned long __user *nm = NULL;
unsigned long nr_bits, alloc_size;
nodemask_t bm;
@@ -1562,14 +1559,13 @@ COMPAT_SYSCALL_DEFINE6(mbind, compat_ulong_t, start, compat_ulong_t, len,
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;

if (nmask) {
- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
+ return -EFAULT;
nm = compat_alloc_user_space(alloc_size);
- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
+ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
+ return -EFAULT;
}

- if (err)
- return -EFAULT;
-
return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
}

--
2.1.4
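Review bot: same defect and same fix as in the compat `set_mempolicy` hunk, with the uninitialized buffer here being the on-stack `nodemask_t bm` accessed through `nodes_addr(bm)`; the two functions should be reviewed as a pair, since accepting only one would leave the other leak reachable through the compat `mbind` entry point.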
@ -1,29 +0,0 @@
From: peter chang <dpf@google.com>
Date: Wed, 15 Feb 2017 14:11:54 -0800
Subject: scsi: sg: check length passed to SG_NEXT_CMD_LEN
Origin: https://git.kernel.org/cgit/linux/kernel/git/mkp/scsi.git/commit?id=bf33f87dd04c371ea33feb821b60d63d754e3124
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7187

The user can control the size of the next command passed along, but the
value passed to the ioctl isn't checked against the usable max command
size.

Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Chang <dpf@google.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
---
drivers/scsi/sg.c | 2 ++
1 file changed, 2 insertions(+)

--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -998,6 +998,8 @@ sg_ioctl(struct file *filp, unsigned int
result = get_user(val, ip);
if (result)
return result;
+ if (val > SG_MAX_CDB_SIZE)
+ return -ENOMEM;
sfp->next_cmd_len = (val > 0) ? val : 0;
return 0;
case SG_GET_VERSION_NUM:
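Review bot: the added `val > SG_MAX_CDB_SIZE` bound supplies the missing upper limit the message describes, and negative values were already clamped to 0 by the existing `(val > 0) ? val : 0`, so `next_cmd_len` is now confined to the range 0 to SG_MAX_CDB_SIZE. Returning `-ENOMEM` for an out-of-range length is an unusual choice (`-EINVAL` is the conventional errno for a bad ioctl argument), but it is what the upstream commit uses, so it should stay as-is to keep the backport identical.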
@ -1,34 +0,0 @@
From: Andy Whitcroft <apw@canonical.com>
Date: Thu, 23 Mar 2017 07:45:44 +0000
Subject: [PATCH 2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size
harder
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues. To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/xfrm/xfrm_user.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 81c4112..87e0c22 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -412,7 +412,11 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
up = nla_data(rp);
ulen = xfrm_replay_state_esn_len(up);

- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
+ /* Check the overall length and the internal bitmap length to avoid
+ * potential overflow. */
+ if (nla_len(rp) < ulen ||
+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
+ replay_esn->bmp_len != up->bmp_len)
return -EINVAL;

if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
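Review bot: adding `replay_esn->bmp_len != up->bmp_len` means the size equality no longer depends solely on `xfrm_replay_state_esn_len()`, which, as the message notes, is derived from `bmp_len` and can wrap so that two structures with different `bmp_len` report the same length; with the direct field comparison in place, the `replay_window` bound on the following context line (`up->replay_window > up->bmp_len * sizeof(__u32) * 8`) is evaluated against a `bmp_len` known to match the kernel-side allocation. This is the companion to patch 1/2 and only makes sense applied after it.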
@ -1,42 +0,0 @@
From: Andy Whitcroft <apw@canonical.com>
Date: Wed, 22 Mar 2017 07:29:31 +0000
Subject: [PATCH 1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
replay_window
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184

When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
the user supplied replay_esn to ensure that the size is valid and to ensure
that the replay_window size is within the allocated buffer. However later
it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
There we again validate the size of the supplied buffer matches the
existing state and if so inject the contents. We do not at this point
check that the replay_window is within the allocated memory. This leads
to out-of-bounds reads and writes triggered by netlink packets. This leads
to memory corruption and the potential for priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
user is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
net/xfrm/xfrm_user.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 0889209..81c4112 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -415,6 +415,9 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
return -EINVAL;

+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+ return -EINVAL;
+
return 0;
}

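Review bot: the new `up->replay_window > up->bmp_len * sizeof(__u32) * 8` bound is evaluated entirely on the user-supplied structure, so it is only sound in combination with the `xfrm_replay_state_esn_len(replay_esn) != ulen` check two lines above it, which ties the size of `up` (and with it `up->bmp_len`) to the state allocated at XFRM_MSG_NEWSA time; the companion "incoming-esn-size-harder" patch adds the explicit `bmp_len` comparison for the same reason. The two patch files should therefore be kept or dropped as a pair: this hunk deletes the file (`-1,42 +0,0`), so confirm the series change in this commit removes both entries. Minor: the commit message spells "privilege" as "priviledge"; since the file is being removed there is nothing to correct here.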
@ -1,33 +0,0 @@
Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
From: Li Qiang <liq3ea@gmail.com>
Date: Tue, 28 Mar 2017 03:10:53 +0000
Origin: https://lists.freedesktop.org/archives/dri-devel/2017-March/137124.html
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294

In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
'req->mip_levels' array. This array can be assigned any value from
the user space. As both the 'num_sizes' and the array is uint32_t,
it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
used as the loop count. This can lead an oob write. Add the check of
'req->mip_levels' to avoid this.

Signed-off-by: Li Qiang <liqiang6-s@360.cn>
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -713,8 +713,11 @@ int vmw_surface_define_ioctl(struct drm_
128;

num_sizes = 0;
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
+ return -EINVAL;
num_sizes += req->mip_levels[i];
+ }

if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
num_sizes == 0)
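Review bot: the per-face bound `req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS` inside the loop caps every addend before it is summed, so `num_sizes` can no longer wrap in `uint32_t`, and the existing `num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS` test becomes a redundant but harmless second line of defence. The context of this hunk already contains `num_sizes == 0`, i.e. the patch was generated on top of the NULL-dereference fix in the following hunk and only applies after it; the order in debian/patches/series (null-pointer-dereference before integer-overflow) reflects that and must be preserved if either patch is ever reinstated. Also, the From: and Signed-off-by: addresses differ (liq3ea@gmail.com versus liqiang6-s@360.cn); harmless, but the kind of thing a header comment would normally record if the patch were kept.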
@ -1,29 +0,0 @@
From: Murray McAllister <murray.mcallister@insomniasec.com>
Date: Fri, 24 Mar 2017 20:33:00 -0700
Subject: vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
Origin: https://cgit.freedesktop.org/mesa/vmwgfx/commit/?id=e904061d2c8968429954be87ad1cc45526510812
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261

Before memory allocations vmw_surface_define_ioctl() checks the
upper-bounds of a user-supplied size, but does not check if the
supplied size is 0.

Add check to avoid NULL pointer dereferences.

Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
[bwh: Fix filename]
---
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
@@ -716,8 +716,8 @@ int vmw_surface_define_ioctl(struct drm_
for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
num_sizes += req->mip_levels[i];

- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
- DRM_VMW_MAX_MIP_LEVELS)
+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
+ num_sizes == 0)
return -EINVAL;

size = vmw_user_surface_size + 128 +
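Review bot: `num_sizes == 0` sits after the accumulation loop, so it rejects the all-zero `req->mip_levels` input the commit message describes; it deliberately covers only the zero case, and the companion integer-overflow fix in the preceding hunk is what bounds each addend, which is why the two patches are listed together in the series and should not be separated. The Origin URL points at the standalone vmwgfx repository rather than the kernel tree, which is what the `[bwh: Fix filename]` annotation accounts for; if this patch were being kept, the header should state the in-tree path the filename was corrected to.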
@ -58,7 +58,7 @@ use of $(ARCH) needs to be moved after this.
export KCONFIG_CONFIG

@@ -373,6 +337,44 @@ LDFLAGS_vmlinux =
CFLAGS_GCOV = -fprofile-arcs -ftest-coverage -fno-tree-loop-im -Wno-maybe-uninitialized
CFLAGS_GCOV := -fprofile-arcs -ftest-coverage -fno-tree-loop-im $(call cc-disable-warning,maybe-uninitialized,)
CFLAGS_KCOV := $(call cc-option,-fsanitize-coverage=trace-pc,)

+-include $(obj)/.kernelvariables
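Review bot: only a context line changes here: `CFLAGS_GCOV = ... -Wno-maybe-uninitialized` is replaced by `CFLAGS_GCOV := ... $(call cc-disable-warning,maybe-uninitialized,)` while the patch's own addition `+-include $(obj)/.kernelvariables` is untouched, so this is a refresh against the new upstream Makefile rather than a functional change. Because the rendered view drops the outer +/- column, the `@ -58,7 +58,7 @@` header is the only evidence that one line replaces the other; verify that the refreshed context matches the new upstream Makefile exactly (apply with fuzz disabled), and refresh the inner `@@ -373,6 +337,44 @@` offsets in the same pass if they drifted, so the patch applies without fuzz.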
@ -122,17 +122,10 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/x86/kvm-fix-page-struct-leak-in-handle_vmon.patch
debian/time-mark-timer_stats-as-broken.patch
bugfix/all/sctp-deny-peeloff-operation-on-asocs-with-threads-sl.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
bugfix/all/scsi-sg-check-length-passed-to-sg_next_cmd_len.patch
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
bugfix/all/ping-implement-proper-locking.patch
bugfix/all/fscrypt-remove-broken-support-for-detecting-keyring-.patch
bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch

# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
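Review bot: the header `@ -122,17 +122,10 @@` says seven series entries go away, but the rendered view omits the -/+ column, so the reader cannot see which ones. Check that the removed entries are exactly the patch files deleted in the hunks above, at minimum `bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch`, `bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch` and the two `bugfix/x86/*vmw_surface_define_ioctl.patch` entries, that no entry survives for a file this change deletes (the build would then fail to find the patch), and that the relative order of the two vmwgfx patches is kept if either is retained, since the overflow fix was generated on top of the NULL-dereference fix.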