Update to 4.8.12
This commit is contained in:
parent
8f06e2bdc6
commit
59ebe22f2f
|
@ -1,4 +1,40 @@
|
|||
linux (4.8.11-2) UNRELEASED; urgency=medium
|
||||
linux (4.8.12-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.12
|
||||
- [x86] iommu/vt-d: Fix PASID table allocation
|
||||
- [x86] iommu/vt-d: Fix IOMMU lookup for SR-IOV Virtual Functions
|
||||
- [x86] KVM: fix out-of-bounds access in lapic
|
||||
- [x86] KVM: x86: drop error recovery in em_jmp_far and em_ret_far
|
||||
(CVE-2016-9756)
|
||||
- [x86] KVM: fix out-of-bounds accesses of rtc_eoi map (CVE-2016-9777)
|
||||
- [x86] KVM: check for pic and ioapic presence before use
|
||||
- [arm64, armhf] usb: chipidea: move the lock initialization to core file
|
||||
- USB: serial: cp210x: add ID for the Zone DPMX
|
||||
- USB: serial: ftdi_sio: add support for TI CC3200 LaunchPad
|
||||
- scsi: mpt3sas: Fix secure erase premature termination
|
||||
- cfg80211: limit scan results cache size
|
||||
- apparmor: fix change_hat not finding hat after policy replacement
|
||||
- NFSv4.x: hide array-bounds warning
|
||||
- [x86] fpu: Fix invalid FPU ptrace state after execve()
|
||||
- [x86] traps: Ignore high word of regs->cs in early_fixup_exception()
|
||||
- perf/core: Fix address filter parser
|
||||
- perf/x86/intel: Cure bogus unwind from PEBS entries
|
||||
- [x86] thermal/powerclamp: add back module device table
|
||||
- [hppa/parisc] Fix races in parisc_setup_cache_timing()
|
||||
- [hppa/parisc] Switch to generic sched_clock implementation
|
||||
- [hppa/parisc] Fix race in pci-dma.c
|
||||
- [hppa/parisc] Also flush data TLB in flush_icache_page_asm
|
||||
- mpi: Fix NULL ptr dereference in mpi_powm()
|
||||
- X.509: Fix double free in x509_cert_parse()
|
||||
- xc2028: Fix use-after-free bug properly
|
||||
- [powerpc] Set missing wakeup bit in LPCR on POWER9
|
||||
- [powerpc] mm: Fixup kernel read only mapping
|
||||
- [powerpc] boot: Fix the early OPAL console wrappers
|
||||
- can: bcm: fix support for CAN FD frames
|
||||
- mm, oom: stop pre-mature high-order OOM killer invocations
|
||||
- flow_dissect: call init_default_flow_dissectors() earlier
|
||||
- scsi: mpt3sas: Unblock device after controller reset
|
||||
|
||||
[ Uwe Kleine-König ]
|
||||
* [armhf] dts: armada-385: add support for Turris Omnia
|
||||
|
|
|
@ -1,100 +0,0 @@
|
|||
From: Andrey Ryabinin <aryabinin@virtuozzo.com>
|
||||
Date: Thu, 24 Nov 2016 13:23:10 +0000
|
||||
Subject: mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
|
||||
Origin: https://git.kernel.org/linus/f5527fffff3f002b0a6b376163613b82f69de073
|
||||
|
||||
This fixes CVE-2016-8650.
|
||||
|
||||
If mpi_powm() is given a zero exponent, it wants to immediately return
|
||||
either 1 or 0, depending on the modulus. However, if the result was
|
||||
initalised with zero limb space, no limbs space is allocated and a
|
||||
NULL-pointer exception ensues.
|
||||
|
||||
Fix this by allocating a minimal amount of limb space for the result when
|
||||
the 0-exponent case when the result is 1 and not touching the limb space
|
||||
when the result is 0.
|
||||
|
||||
This affects the use of RSA keys and X.509 certificates that carry them.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at (null)
|
||||
IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
|
||||
PGD 0
|
||||
Oops: 0002 [#1] SMP
|
||||
Modules linked in:
|
||||
CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
|
||||
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
|
||||
task: ffff8804011944c0 task.stack: ffff880401294000
|
||||
RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
|
||||
RSP: 0018:ffff880401297ad8 EFLAGS: 00010212
|
||||
RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
|
||||
RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
|
||||
RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
|
||||
R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
|
||||
R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
|
||||
FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
|
||||
Stack:
|
||||
ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
|
||||
0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
|
||||
ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
|
||||
Call Trace:
|
||||
[<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
|
||||
[<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
|
||||
[<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
|
||||
[<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
|
||||
[<ffffffff8132a95c>] rsa_verify+0x9d/0xee
|
||||
[<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
|
||||
[<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
|
||||
[<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
|
||||
[<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
|
||||
[<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
|
||||
[<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
|
||||
[<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
|
||||
[<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
|
||||
[<ffffffff812fe227>] SyS_add_key+0x154/0x19e
|
||||
[<ffffffff81001c2b>] do_syscall_64+0x80/0x191
|
||||
[<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
|
||||
Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
|
||||
RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
|
||||
RSP <ffff880401297ad8>
|
||||
CR2: 0000000000000000
|
||||
---[ end trace d82015255d4a5d8d ]---
|
||||
|
||||
Basically, this is a backport of a libgcrypt patch:
|
||||
|
||||
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
|
||||
|
||||
Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
|
||||
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
|
||||
cc: linux-ima-devel@lists.sourceforge.net
|
||||
cc: stable@vger.kernel.org
|
||||
Signed-off-by: James Morris <james.l.morris@oracle.com>
|
||||
---
|
||||
lib/mpi/mpi-pow.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/mpi/mpi-pow.c b/lib/mpi/mpi-pow.c
|
||||
index 5464c87..e24388a 100644
|
||||
--- a/lib/mpi/mpi-pow.c
|
||||
+++ b/lib/mpi/mpi-pow.c
|
||||
@@ -64,8 +64,13 @@ int mpi_powm(MPI res, MPI base, MPI exp, MPI mod)
|
||||
if (!esize) {
|
||||
/* Exponent is zero, result is 1 mod MOD, i.e., 1 or 0
|
||||
* depending on if MOD equals 1. */
|
||||
- rp[0] = 1;
|
||||
res->nlimbs = (msize == 1 && mod->d[0] == 1) ? 0 : 1;
|
||||
+ if (res->nlimbs) {
|
||||
+ if (mpi_resize(res, 1) < 0)
|
||||
+ goto enomem;
|
||||
+ rp = res->d;
|
||||
+ rp[0] = 1;
|
||||
+ }
|
||||
res->sign = 0;
|
||||
goto leave;
|
||||
}
|
||||
--
|
||||
2.1.4
|
||||
|
|
@ -100,7 +100,6 @@ bugfix/all/ceph-Propagate-dentry-down-to-inode_change_ok.patch
|
|||
bugfix/all/fuse-Propagate-dentry-down-to-inode_change_ok.patch
|
||||
bugfix/all/fs-Give-dentry-to-inode_change_ok-instead-of-inode.patch
|
||||
bugfix/all/fs-Avoid-premature-clearing-of-capabilities.patch
|
||||
bugfix/all/mpi-Fix-NULL-ptr-dereference-in-mpi_powm-ver-3.patch
|
||||
bugfix/all/vfio-pci-Fix-integer-overflows-bitmask-check.patch
|
||||
bugfix/all/mnt-Add-a-per-mount-namespace-limit-on-the-number-of.patch
|
||||
|
||||
|
|
Loading…
Reference in New Issue