diff --git a/debian/changelog b/debian/changelog index f62a15159..f7867f1d0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -21,6 +21,88 @@ linux (4.4~rc4-1~exp1) experimental; urgency=medium -- Ben Hutchings Sun, 13 Dec 2015 16:25:45 +0000 +linux (4.3.3-1) unstable; urgency=medium + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.2 + - X.509: Fix the time validation [ver #2] + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.3.3 + - r8169: fix kasan reported skb use-after-free. (regression in 4.3) + - af-unix: fix use-after-free with concurrent readers while splicing + (regression in 4.2) + - af_unix: don't append consumed skbs to sk_receive_queue + (regression in 4.2) + - af_unix: take receive queue lock while appending new skb + (regression in 4.2) + - af-unix: passcred support for sendpage (regression in 4.2) + - ipv6: Avoid creating RTF_CACHE from a rt that is not managed by fib6 tree + (regression in 4.2) + - ipv6: Check expire on DST_NOCACHE route + - ipv6: Check rt->dst.from for the DST_NOCACHE route (regression in 4.3) + - Revert "ipv6: ndisc: inherit metadata dst when creating ndisc requests" + (regression in 4.3) + - packet: only allow extra vlan len on ethernet devices + - packet: infer protocol from ethernet header if unset + - packet: fix tpacket_snd max frame len + - sctp: translate host order to network order when setting a hmacid + - net/mlx5e: Added self loopback prevention (regression in 4.3) + - net/mlx4_core: Fix sleeping while holding spinlock at rem_slave_counters + (regression in 4.2) + - ip_tunnel: disable preemption when updating per-cpu tstats + - net/ip6_tunnel: fix dst leak (regression in 4.3) + - tcp: disable Fast Open on timeouts after handshake + - tcp: fix potential huge kmalloc() calls in TCP_REPAIR + - tcp: initialize tp->copied_seq in case of cross SYN connection + - net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds + - net: ipmr: fix static mfc/dev leaks on table destruction + - net: ip6mr: fix static mfc/dev leaks on table destruction + - vrf: fix double free and memory corruption on register_netdevice failure + - tipc: fix error handling of expanding buffer headroom (regression in 4.3) + - ipv6: distinguish frag queues by device for multicast and link-local + packets + - bpf, array: fix heap out-of-bounds access when updating elements + - ipv6: add complete rcu protection around np->opt + - net/neighbour: fix crash at dumping device-agnostic proxy entries + - ipv6: sctp: implement sctp_v6_destroy_sock() + - openvswitch: fix hangup on vxlan/gre/geneve device deletion + - net_sched: fix qdisc_tree_decrease_qlen() races + - btrfs: fix resending received snapshot with parent (regression in 4.2) + - Btrfs: fix file corruption and data loss after cloning inline extents + - Btrfs: fix regression when running delayed references (regression in 4.2) + - Btrfs: fix race leading to incorrect item deletion when dropping extents + - Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow + - Btrfs: fix race when listing an inode's xattrs + - rbd: don't put snap_context twice in rbd_queue_workfn() + - ext4 crypto: fix memory leak in ext4_bio_write_page() + - ext4 crypto: fix bugs in ext4_encrypted_zeroout() + - ext4: fix potential use after free in __ext4_journal_stop + (regression in 4.2) + - ext4, jbd2: ensure entering into panic after recording an error in + superblock + - nfsd: serialize state seqid morphing operations + - nfsd: eliminate sending duplicate and repeated delegations + - nfs4: start callback_ident at idr 1 + - nfs4: resend LAYOUTGET when there is a race that changes the seqid + - nfs: if we have no valid attrs, then don't declare the attribute cache + valid + - ocfs2: fix umask ignored issue + - block: fix segment split (regression in 4.3) + - ceph: fix message length computation + - Btrfs: fix regression running delayed references when using qgroups + (regression in 4.2) + + [ Ben Hutchings ] + * net: add validation for the socket syscall protocol argument (CVE-2015-8543) + * [armel/kirkwood] udeb: Override inclusion of gpio_keys in input-modules + (fixes FTBFS) + * vrf: Fix broken backport of "vrf: fix double free and memory corruption on + register_netdevice failure" in 4.3.3 + * net: Ignore ABI changes due to "ipv6: add complete rcu protection around + np->opt", which don't appear to affect out-of-tree modules + * tipc: Fix kfree_skb() of uninitialised pointer (regression in 4.3.3) + + -- Ben Hutchings Tue, 15 Dec 2015 21:25:26 +0000 + linux (4.3.1-1) unstable; urgency=medium * New upstream stable update: diff --git a/debian/installer/armel/modules/armel-kirkwood/input-modules b/debian/installer/armel/modules/armel-kirkwood/input-modules index 5ecb595a4..34183581c 100644 --- a/debian/installer/armel/modules/armel-kirkwood/input-modules +++ b/debian/installer/armel/modules/armel-kirkwood/input-modules @@ -1 +1,3 @@ #include +# Moved to event-modules for use in network-console builds +gpio_keys - diff --git a/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch new file mode 100644 index 000000000..10e6b65cb --- /dev/null +++ b/debian/patches/bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch @@ -0,0 +1,82 @@ +From: Hannes Frederic Sowa +Subject: net: add validation for the socket syscall protocol argument +Date: Mon, 14 Dec 2015 17:17:49 +0100 +Origin: http://article.gmane.org/gmane.linux.network/391482 + +郭永刚 reported that one could simply crash the kernel as root by +using a simple program: + + int socket_fd; + struct sockaddr_in addr; + addr.sin_port = 0; + addr.sin_addr.s_addr = INADDR_ANY; + addr.sin_family = 10; + + socket_fd = socket(10,3,0x40000000); + connect(socket_fd , &addr,16); + +AF_INET, AF_INET6 sockets actually only support 8-bit protocol +identifiers. inet_sock's skc_protocol field thus is sized accordingly, +thus larger protocol identifiers simply cut off the higher bits and +store a zero in the protocol fields. + +This could lead to e.g. NULL function pointer because as a result of +the cut off inet_num is zero and we call down to inet_autobind, which +is NULL for raw sockets. + +kernel: Call Trace: +kernel: [] ? inet_autobind+0x2e/0x70 +kernel: [] inet_dgram_connect+0x54/0x80 +kernel: [] SYSC_connect+0xd9/0x110 +kernel: [] ? ptrace_notify+0x5b/0x80 +kernel: [] ? syscall_trace_enter_phase2+0x108/0x200 +kernel: [] SyS_connect+0xe/0x10 +kernel: [] tracesys_phase2+0x84/0x89 + +I found no particular commit which introduced this problem. + +CVE: CVE-2015-8543 +Reported-by: 郭永刚 +Signed-off-by: Hannes Frederic Sowa +--- + net/ipv4/af_inet.c | 3 +++ + net/ipv6/af_inet6.c | 3 +++ + net/socket.c | 3 +++ + 3 files changed, 9 insertions(+) + +--- a/net/ipv4/af_inet.c ++++ b/net/ipv4/af_inet.c +@@ -261,6 +261,9 @@ static int inet_create(struct net *net, + int try_loading_module = 0; + int err; + ++ if (protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + sock->state = SS_UNCONNECTED; + + /* Look for the requested type/protocol pair. */ +--- a/net/ipv6/af_inet6.c ++++ b/net/ipv6/af_inet6.c +@@ -109,6 +109,9 @@ static int inet6_create(struct net *net, + int try_loading_module = 0; + int err; + ++ if (protocol >= IPPROTO_MAX) ++ return -EINVAL; ++ + /* Look for the requested type/protocol pair. */ + lookup_protocol: + err = -ESOCKTNOSUPPORT; +--- a/net/socket.c ++++ b/net/socket.c +@@ -1105,6 +1105,9 @@ int __sock_create(struct net *net, int f + return -EAFNOSUPPORT; + if (type < 0 || type >= SOCK_MAX) + return -EINVAL; ++ /* upper bound should be tested by per-protocol .create callbacks */ ++ if (protocol < 0) ++ return -EINVAL; + + /* Compatibility. + diff --git a/debian/patches/series b/debian/patches/series index 3c0719578..41fada6d7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -67,3 +67,4 @@ features/all/grsecurity/grkernsec_perf_harden.patch bugfix/all/usbvision-fix-overflow-of-interfaces-array.patch bugfix/all/media-usbvision-fix-crash-on-detecting-device-with-i.patch bugfix/x86/drm-i915-shut-up-gen8-sde-irq-dmesg-noise.patch +bugfix/all/net-add-validation-for-the-socket-syscall-protocol.patch