Update to 4.19.150

Add CVE id reference for CVE-2020-25211

Drop "net/packet: fix overflow in tpacket_rcv"

Cleanup debian/changelog file
Salvatore Bonaccorso 2020-10-12 14:14:21 +02:00
parent c9dc2f8b08
commit 75f7d8b1c7
3 changed files with 35 additions and 59 deletions

debian/changelog

@ -1,4 +1,4 @@
linux (4.19.149-1) UNRELEASED; urgency=medium
linux (4.19.150-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.147
@ -281,6 +281,40 @@ linux (4.19.149-1) UNRELEASED; urgency=medium
- ata: sata_mv, avoid trigerrable BUG_ON
- [arm64] KVM: Assume write fault on S1PTW permission fault on instruction
fetch
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.150
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
models
- USB: gadget: f_ncm: Fix NDP16 datagram validation
- vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
- vsock/virtio: stop workers during the .remove()
- vsock/virtio: add transport parameter to the
virtio_transport_reset_no_sock()
- net: virtio_vsock: Enhance connection semantics
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
- ftrace: Move RCU is watching check after recursion check
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
- drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices
- [armhf] drm/sun4i: mixer: Extend regmap max_register
- net: dec: de2104x: Increase receive ring size for Tulip
- rndis_host: increase sleep time in the query-response loop
- nvme-core: get/put ctrl and transport module in nvme_dev_open/release()
- [x86,ppc64el] drivers/net/wan/hdlc: Set skb->protocol before
transmitting
- mac80211: do not allow bigger VHT MPDUs than the hardware supports
- nvme-fc: fail new connections to a deleted host or remote port
- [armhf] pinctrl: mvebu: Fix i2c sda definition for 98DX3236
- nfs: Fix security label length not being reset
- [armhf] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
- Input: trackpoint - enable Synaptics trackpoints
- random32: Restore __latent_entropy attribute on net_rand_state
- mm: replace memmap_context by meminit_context
- mm: don't rely on system state to detect hot-plug operations
- epoll: do not insert into poll queues until all sanity checks are done
- epoll: replace ->visited/visited_list with generation count
- epoll: EPOLL_CTL_ADD: close the race in decision to take fast path
- ep_create_wakeup_source(): dentry name can change under you...
- netfilter: ctnetlink: add a range check for l3/l4 protonum
(CVE-2020-25211)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 26 Sep 2020 11:17:48 +0200
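Review bot: The 4.19.150 entries added here carry a CVE annotation only on the ctnetlink line (CVE-2020-25211), and nothing in this list names net/packet, while the same commit drops the local fix for CVE-2020-14386. Please confirm that the changelog entry for the upstream release that includes "net/packet: fix overflow in tpacket_rcv" carries the CVE-2020-14386 reference, so the fix remains traceable to a version once the patch file is gone.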


@ -1,57 +0,0 @@
From: Or Cohen <orcohen@paloaltonetworks.com>
Date: Thu, 3 Sep 2020 21:05:28 -0700
Subject: net/packet: fix overflow in tpacket_rcv
Origin: https://git.kernel.org/linus/acf69c946233259ab4d64f8869d4037a198c7f06
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14386
Using tp_reserve to calculate netoff can overflow as
tp_reserve is unsigned int and netoff is unsigned short.
This may lead to macoff receving a smaller value then
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
is set, an out-of-bounds write will occur when
calling virtio_net_hdr_from_skb.
The bug is fixed by converting netoff to unsigned int
and checking if it exceeds USHRT_MAX.
This addresses CVE-2020-14386
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[Salvatore Bonaccorso: Backport to v4.19.y:
- Adjust for context changes
- Revert change to use atomic_inc as v4.19.y does not contain 8e8e2951e309
("net/packet: make tp_drops atomic") introduced in v5.3-rc1
]
---
net/packet/af_packet.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s
int skb_len = skb->len;
unsigned int snaplen, res;
unsigned long status = TP_STATUS_USER;
- unsigned short macoff, netoff, hdrlen;
+ unsigned short macoff, hdrlen;
+ unsigned int netoff;
struct sk_buff *copy_skb = NULL;
struct timespec ts;
__u32 ts_status;
@@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s
}
macoff = netoff - maclen;
}
+ if (netoff > USHRT_MAX) {
+ spin_lock(&sk->sk_receive_queue.lock);
+ po->stats.stats1.tp_drops++;
+ spin_unlock(&sk->sk_receive_queue.lock);
+ goto drop_n_restore;
+ }
if (po->tp_version <= TPACKET_V2) {
if (macoff + snaplen > po->rx_ring.frame_size) {
if (po->copy_thresh &&
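Review bot: Deleting this backport is only safe if net/packet/af_packet.c in the 4.19.150 tree already has both halves of it: `unsigned int netoff` in the tpacket_rcv declarations and the `if (netoff > USHRT_MAX)` drop ahead of the `po->tp_version <= TPACKET_V2` frame-size checks. The backport note says the local version uses a locked `po->stats.stats1.tp_drops++` instead of atomic_inc, so a diff of the upstream stable function against this patch before removal would show that nothing specific to the v4.19.y backport is lost. The commit message or changelog should also name the upstream release that supersedes the patch.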


@ -297,6 +297,5 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
debian/ntfs-mark-it-as-broken.patch
bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
# ABI maintenance