Update to 4.19.150
Add CVE id reference for CVE-2020-25211
Drop "net/packet: fix overflow in tpacket_rcv"
Cleanup debian/changelog file
parent c9dc2f8b08
commit 75f7d8b1c7
|
@ -1,4 +1,4 @@
|
|||
linux (4.19.149-1) UNRELEASED; urgency=medium
|
||||
linux (4.19.150-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.147
|
||||
|
@ -281,6 +281,40 @@ linux (4.19.149-1) UNRELEASED; urgency=medium
|
|||
- ata: sata_mv, avoid trigerrable BUG_ON
|
||||
- [arm64] KVM: Assume write fault on S1PTW permission fault on instruction
|
||||
fetch
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.150
|
||||
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
|
||||
models
|
||||
- USB: gadget: f_ncm: Fix NDP16 datagram validation
|
||||
- vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
|
||||
- vsock/virtio: stop workers during the .remove()
|
||||
- vsock/virtio: add transport parameter to the
|
||||
virtio_transport_reset_no_sock()
|
||||
- net: virtio_vsock: Enhance connection semantics
|
||||
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
|
||||
- ftrace: Move RCU is watching check after recursion check
|
||||
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
|
||||
- drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices
|
||||
- [armhf] drm/sun4i: mixer: Extend regmap max_register
|
||||
- net: dec: de2104x: Increase receive ring size for Tulip
|
||||
- rndis_host: increase sleep time in the query-response loop
|
||||
- nvme-core: get/put ctrl and transport module in nvme_dev_open/release()
|
||||
- [x86,ppc64el] drivers/net/wan/hdlc: Set skb->protocol before
|
||||
transmitting
|
||||
- mac80211: do not allow bigger VHT MPDUs than the hardware supports
|
||||
- nvme-fc: fail new connections to a deleted host or remote port
|
||||
- [armhf] pinctrl: mvebu: Fix i2c sda definition for 98DX3236
|
||||
- nfs: Fix security label length not being reset
|
||||
- [armhf] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
|
||||
- Input: trackpoint - enable Synaptics trackpoints
|
||||
- random32: Restore __latent_entropy attribute on net_rand_state
|
||||
- mm: replace memmap_context by meminit_context
|
||||
- mm: don't rely on system state to detect hot-plug operations
|
||||
- epoll: do not insert into poll queues until all sanity checks are done
|
||||
- epoll: replace ->visited/visited_list with generation count
|
||||
- epoll: EPOLL_CTL_ADD: close the race in decision to take fast path
|
||||
- ep_create_wakeup_source(): dentry name can change under you...
|
||||
- netfilter: ctnetlink: add a range check for l3/l4 protonum
|
||||
(CVE-2020-25211)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 26 Sep 2020 11:17:48 +0200
|
||||
|
||||
|
|
|
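Review bot: none of the entries added under ChangeLog-4.19.150 in this hunk mention net/packet or CVE-2020-14386, yet the same commit drops bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch. Point to the stable-update entry that carries "net/packet: fix overflow in tpacket_rcv" and make sure it has a (CVE-2020-14386) annotation, the same way the ctnetlink entry here is tagged (CVE-2020-25211), so the changelog still records where that CVE was closed once the patch file is gone.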
@ -1,57 +0,0 @@
|
|||
From: Or Cohen <orcohen@paloaltonetworks.com>
|
||||
Date: Thu, 3 Sep 2020 21:05:28 -0700
|
||||
Subject: net/packet: fix overflow in tpacket_rcv
|
||||
Origin: https://git.kernel.org/linus/acf69c946233259ab4d64f8869d4037a198c7f06
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14386
|
||||
|
||||
Using tp_reserve to calculate netoff can overflow as
|
||||
tp_reserve is unsigned int and netoff is unsigned short.
|
||||
|
||||
This may lead to macoff receving a smaller value then
|
||||
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
|
||||
is set, an out-of-bounds write will occur when
|
||||
calling virtio_net_hdr_from_skb.
|
||||
|
||||
The bug is fixed by converting netoff to unsigned int
|
||||
and checking if it exceeds USHRT_MAX.
|
||||
|
||||
This addresses CVE-2020-14386
|
||||
|
||||
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
|
||||
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
[Salvatore Bonaccorso: Backport to v4.19.y:
|
||||
- Adjust for context changes
|
||||
- Revert change to use atomic_inc as v4.19.y does not contain 8e8e2951e309
|
||||
("net/packet: make tp_drops atomic") introduced in v5.3-rc1
|
||||
]
|
||||
---
|
||||
net/packet/af_packet.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
@@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s
|
||||
int skb_len = skb->len;
|
||||
unsigned int snaplen, res;
|
||||
unsigned long status = TP_STATUS_USER;
|
||||
- unsigned short macoff, netoff, hdrlen;
|
||||
+ unsigned short macoff, hdrlen;
|
||||
+ unsigned int netoff;
|
||||
struct sk_buff *copy_skb = NULL;
|
||||
struct timespec ts;
|
||||
__u32 ts_status;
|
||||
@@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s
|
||||
}
|
||||
macoff = netoff - maclen;
|
||||
}
|
||||
+ if (netoff > USHRT_MAX) {
|
||||
+ spin_lock(&sk->sk_receive_queue.lock);
|
||||
+ po->stats.stats1.tp_drops++;
|
||||
+ spin_unlock(&sk->sk_receive_queue.lock);
|
||||
+ goto drop_n_restore;
|
||||
+ }
|
||||
if (po->tp_version <= TPACKET_V2) {
|
||||
if (macoff + snaplen > po->rx_ring.frame_size) {
|
||||
if (po->copy_thresh &&
|
|
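Review bot: the backport being deleted differs from the upstream commit in its drop path (spin_lock plus po->stats.stats1.tp_drops++ rather than atomic_inc, per the backport note), so before removing it confirm that tpacket_rcv() in the 4.19.150 tree has both halves of the fix: the `unsigned int netoff;` declaration and the `if (netoff > USHRT_MAX)` check ahead of the `po->tp_version <= TPACKET_V2` branch. The commit message gives no reason for the drop; state which upstream stable release supersedes the patch.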
@ -297,6 +297,5 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
|||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
debian/ntfs-mark-it-as-broken.patch
|
||||
bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
|
||||
|
||||
# ABI maintenance
|
||||
|
|