Update to 4.19.150
Add CVE id reference for CVE-2020-25211
Drop "net/packet: fix overflow in tpacket_rcv"
Cleanup debian/changelog file
parent c9dc2f8b08
commit 75f7d8b1c7
|
@ -1,4 +1,4 @@
|
||||||
linux (4.19.149-1) UNRELEASED; urgency=medium
|
linux (4.19.150-1) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
* New upstream stable update:
|
* New upstream stable update:
|
||||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.147
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.147
|
||||||
|
@ -281,6 +281,40 @@ linux (4.19.149-1) UNRELEASED; urgency=medium
|
||||||
- ata: sata_mv, avoid trigerrable BUG_ON
|
- ata: sata_mv, avoid trigerrable BUG_ON
|
||||||
- [arm64] KVM: Assume write fault on S1PTW permission fault on instruction
|
- [arm64] KVM: Assume write fault on S1PTW permission fault on instruction
|
||||||
fetch
|
fetch
|
||||||
|
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.19.150
|
||||||
|
- mmc: sdhci: Workaround broken command queuing on Intel GLK based IRBIS
|
||||||
|
models
|
||||||
|
- USB: gadget: f_ncm: Fix NDP16 datagram validation
|
||||||
|
- vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
|
||||||
|
- vsock/virtio: stop workers during the .remove()
|
||||||
|
- vsock/virtio: add transport parameter to the
|
||||||
|
virtio_transport_reset_no_sock()
|
||||||
|
- net: virtio_vsock: Enhance connection semantics
|
||||||
|
- Input: i8042 - add nopnp quirk for Acer Aspire 5 A515
|
||||||
|
- ftrace: Move RCU is watching check after recursion check
|
||||||
|
- drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config
|
||||||
|
- drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices
|
||||||
|
- [armhf] drm/sun4i: mixer: Extend regmap max_register
|
||||||
|
- net: dec: de2104x: Increase receive ring size for Tulip
|
||||||
|
- rndis_host: increase sleep time in the query-response loop
|
||||||
|
- nvme-core: get/put ctrl and transport module in nvme_dev_open/release()
|
||||||
|
- [x86,ppc64el] drivers/net/wan/hdlc: Set skb->protocol before
|
||||||
|
transmitting
|
||||||
|
- mac80211: do not allow bigger VHT MPDUs than the hardware supports
|
||||||
|
- nvme-fc: fail new connections to a deleted host or remote port
|
||||||
|
- [armhf] pinctrl: mvebu: Fix i2c sda definition for 98DX3236
|
||||||
|
- nfs: Fix security label length not being reset
|
||||||
|
- [armhf] clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED
|
||||||
|
- Input: trackpoint - enable Synaptics trackpoints
|
||||||
|
- random32: Restore __latent_entropy attribute on net_rand_state
|
||||||
|
- mm: replace memmap_context by meminit_context
|
||||||
|
- mm: don't rely on system state to detect hot-plug operations
|
||||||
|
- epoll: do not insert into poll queues until all sanity checks are done
|
||||||
|
- epoll: replace ->visited/visited_list with generation count
|
||||||
|
- epoll: EPOLL_CTL_ADD: close the race in decision to take fast path
|
||||||
|
- ep_create_wakeup_source(): dentry name can change under you...
|
||||||
|
- netfilter: ctnetlink: add a range check for l3/l4 protonum
|
||||||
|
(CVE-2020-25211)
|
||||||
|
|
||||||
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 26 Sep 2020 11:17:48 +0200
|
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 26 Sep 2020 11:17:48 +0200
|
||||||
|
|
||||||
|
|
|
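Review bot: In the added 4.19.150 list, only "netfilter: ctnetlink: add a range check for l3/l4 protonum" carries a CVE tag, and nothing in this hunk records that bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch (CVE-2020-14386) is dropped by the same commit. Please make sure the stanza still shows where that fix comes from, either as a "(CVE-2020-14386)" tag on the upstream stable entry that carries it or as an explicit line saying the Debian patch was dropped, so the tracker reference is not lost.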
@ -1,57 +0,0 @@
|
||||||
From: Or Cohen <orcohen@paloaltonetworks.com>
|
|
||||||
Date: Thu, 3 Sep 2020 21:05:28 -0700
|
|
||||||
Subject: net/packet: fix overflow in tpacket_rcv
|
|
||||||
Origin: https://git.kernel.org/linus/acf69c946233259ab4d64f8869d4037a198c7f06
|
|
||||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14386
|
|
||||||
|
|
||||||
Using tp_reserve to calculate netoff can overflow as
|
|
||||||
tp_reserve is unsigned int and netoff is unsigned short.
|
|
||||||
|
|
||||||
This may lead to macoff receving a smaller value then
|
|
||||||
sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
|
|
||||||
is set, an out-of-bounds write will occur when
|
|
||||||
calling virtio_net_hdr_from_skb.
|
|
||||||
|
|
||||||
The bug is fixed by converting netoff to unsigned int
|
|
||||||
and checking if it exceeds USHRT_MAX.
|
|
||||||
|
|
||||||
This addresses CVE-2020-14386
|
|
||||||
|
|
||||||
Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt")
|
|
||||||
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
|
|
||||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
|
||||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
||||||
[Salvatore Bonaccorso: Backport to v4.19.y:
|
|
||||||
- Adjust for context changes
|
|
||||||
- Revert change to use atomic_inc as v4.19.y does not contain 8e8e2951e309
|
|
||||||
("net/packet: make tp_drops atomic") introduced in v5.3-rc1
|
|
||||||
]
|
|
||||||
---
|
|
||||||
net/packet/af_packet.c | 7 ++++++-
|
|
||||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
--- a/net/packet/af_packet.c
|
|
||||||
+++ b/net/packet/af_packet.c
|
|
||||||
@@ -2162,7 +2162,8 @@ static int tpacket_rcv(struct sk_buff *s
|
|
||||||
int skb_len = skb->len;
|
|
||||||
unsigned int snaplen, res;
|
|
||||||
unsigned long status = TP_STATUS_USER;
|
|
||||||
- unsigned short macoff, netoff, hdrlen;
|
|
||||||
+ unsigned short macoff, hdrlen;
|
|
||||||
+ unsigned int netoff;
|
|
||||||
struct sk_buff *copy_skb = NULL;
|
|
||||||
struct timespec ts;
|
|
||||||
__u32 ts_status;
|
|
||||||
@@ -2225,6 +2226,12 @@ static int tpacket_rcv(struct sk_buff *s
|
|
||||||
}
|
|
||||||
macoff = netoff - maclen;
|
|
||||||
}
|
|
||||||
+ if (netoff > USHRT_MAX) {
|
|
||||||
+ spin_lock(&sk->sk_receive_queue.lock);
|
|
||||||
+ po->stats.stats1.tp_drops++;
|
|
||||||
+ spin_unlock(&sk->sk_receive_queue.lock);
|
|
||||||
+ goto drop_n_restore;
|
|
||||||
+ }
|
|
||||||
if (po->tp_version <= TPACKET_V2) {
|
|
||||||
if (macoff + snaplen > po->rx_ring.frame_size) {
|
|
||||||
if (po->copy_thresh &&
|
|
|
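Review bot: The file removed here is a v4.19.y-specific backport (its header notes tp_drops++ under sk_receive_queue.lock in place of atomic_inc), and none of the 4.19.150 changelog entries visible in this commit list "net/packet: fix overflow in tpacket_rcv", so the diff alone does not show which upstream stable release replaces it. Before merging, confirm that tpacket_rcv() in the rebased net/packet/af_packet.c declares netoff as unsigned int and keeps the "if (netoff > USHRT_MAX)" drop path ahead of the frame_size checks, and state in the commit message which stable release carries the fix.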
@ -297,6 +297,5 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch
|
||||||
# Security fixes
|
# Security fixes
|
||||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||||
debian/ntfs-mark-it-as-broken.patch
|
debian/ntfs-mark-it-as-broken.patch
|
||||||
bugfix/all/net-packet-fix-overflow-in-tpacket_rcv.patch
|
|
||||||
|
|
||||||
# ABI maintenance
|
# ABI maintenance
|
||||||
|
|