From 75f7d8b1c77277e79c1e3f876d6fcb1fd678303d Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Mon, 12 Oct 2020 14:14:21 +0200
Subject: [PATCH] Update to 4.19.150 Add CVE id reference for CVE-2020-25211 Drop "net/packet: fix overflow in tpacket_rcv" Cleanup debian/changelog file
---
 debian/changelog | 36 +++++++++++-
 ...t-packet-fix-overflow-in-tpacket_rcv.patch | 57 -------------------
 debian/patches/series | 1 -
 3 files changed, 35 insertions(+), 59 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
diff --git a/debian/changelog b/debian/changelog
index 98fe3ec7a..3d4eec855 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.19.149-1) UNRELEASED; urgency=medium
+linux (4.19.150-1) UNRELEASED; urgency=medium
 * New upstream stable update:
 https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.147
@@ -281,6 +281,40 @@ linux (4.19.149-1) UNRELEASED; urgency=medium
 - ata: sata_mv, avoid trigerrable BUG_ON
 - [arm64] KVM: Assume write fault on S1PTW permission fault on instruction fetch
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.150
+ - mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
+ models
+ - USB: gadget: f_ncm: Fix NDP16 datagram validation
+ - vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
+ - vsock/virtio: stop workers during the .remove()
+ - vsock/virtio: add transport parameter to the
+ virtio_transport_reset_no_sock()
+ - net: virtio_vsock: Enhance connection semantics
+ - Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
+ - ftrace: Move RCU is watching check after recursion check
+ - drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
+ - drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices
+ - [armhf] drm/sun4i: mixer: Extend regmap max_register
+ - net: dec: de2104x: Increase receive ring size for Tulip
+ - rndis_host: increase sleep time in the query-response loop
+ - nvme-core: get/put ctrl and transport module in nvme_dev_open/release()
+ - [x86,ppc64el] drivers/net/wan/hdlc: Set skb->protocol before
+ transmitting
+ - mac80211: do not allow bigger VHT MPDUs than the hardware supports
+ - nvme-fc: fail new connections to a deleted host or remote port
+ - [armhf] pinctrl: mvebu: Fix i2c sda definition for 98DX3236
+ - nfs: Fix security label length not being reset
+ - [armhf] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
+ - Input: trackpoint - enable Synaptics trackpoints
+ - random32: Restore __latent_entropy attribute on net_rand_state
+ - mm: replace memmap_context by meminit_context
+ - mm: don't rely on system state to detect hot-plug operations
+ - epoll: do not insert into poll queues until all sanity checks are done
+ - epoll: replace ->visited/visited_list with generation count
+ - epoll: EPOLL_CTL_ADD: close the race in decision to take fast path
+ - ep_create_wakeup_source(): dentry name can change under you...
+ - netfilter: ctnetlink: add a range check for l3/l4 protonum
+ (CVE-2020-25211)
 -- Salvatore Bonaccorso Sat, 26 Sep 2020 11:17:48 +0200
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
deleted file mode 100644
index b54fe3ec5..000000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Or Cohen
-Date: Thu, 3 Sep 2020 21:05:28 -0700
-Subject: net/packet: fix overflow in tpacket_rcv
-Origin: https://git.kernel.org/linus/acf69c946233259ab4d64f8869d4037a198c7f06
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14386
-
-Using tp_reserve to calculate netoff can overflow as
-tp_reserve is unsigned int and netoff is unsigned short.
-
-This may lead to macoff receving a smaller value then
-sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
-is set, an out-of-bounds write will occur when
-calling virtio_net_hdr_from_skb.
-
-The bug is fixed by converting netoff to unsigned int
-and checking if it exceeds USHRT_MAX.
-
-This addresses CVE-2020-14386
-
-Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
-Signed-off-by: Or Cohen
-Signed-off-by: Eric Dumazet
-Signed-off-by: Linus Torvalds
-[Salvatore Bonaccorso: Backport to v4.19.y:
- - Adjust for context changes
- - Revert change to use atomic_inc as v4.19.y does not contain 8e8e2951e309
- ("net/packet: make tp_drops atomic") introduced in v5.3-rc1
-]
----
- net/packet/af_packet.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s
- int skb_len = skb->len;
- unsigned int snaplen, res;
- unsigned long status = TP_STATUS_USER;
-- unsigned short macoff, netoff, hdrlen;
-+ unsigned short macoff, hdrlen;
-+ unsigned int netoff;
- struct sk_buff *copy_skb = NULL;
- struct timespec ts;
- __u32 ts_status;
-@@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s
- }
- macoff = netoff - maclen;
- }
-+ if (netoff > USHRT_MAX) {
-+ spin_lock(&sk->sk_receive_queue.lock);
-+ po->stats.stats1.tp_drops++;
-+ spin_unlock(&sk->sk_receive_queue.lock);
-+ goto drop_n_restore;
-+ }
- if (po->tp_version <= TPACKET_V2) {
- if (macoff + snaplen > po->rx_ring.frame_size) {
- if (po->copy_thresh &&
diff --git a/debian/patches/series b/debian/patches/series
index 6b00380a4..99578b307 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -297,6 +297,5 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
-bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
 # ABI maintenance