Update to 3.2.36
svn path=/dists/sid/linux/; revision=19676
parent
51ab8338ff
commit
997f08649d
|
@ -1,4 +1,29 @@
|
||||||
linux (3.2.35-3) UNRELEASED; urgency=low
|
linux (3.2.36-1) UNRELEASED; urgency=low
|
||||||
|
|
||||||
|
* New upstream stable update:
|
||||||
|
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.36
|
||||||
|
- freezer: PF_FREEZER_NOSIG should be cleared along with PF_NOFREEZE
|
||||||
|
(Closes: #697077)
|
||||||
|
- drm/i915: add Ivy Bridge GT2 Server entries (Closes: #684767)
|
||||||
|
- tmpfs: fix shared mempolicy leak
|
||||||
|
- virtio: 9p: correctly pass physical address to userspace for high pages
|
||||||
|
- virtio: force vring descriptors to be allocated from lowmem
|
||||||
|
- USB: EHCI: bugfix: urb->hcpriv should not be NULL
|
||||||
|
- rcu: Fix batch-limit size problem
|
||||||
|
- mvsas: fix undefined bit shift
|
||||||
|
- target/file: Fix 32-bit highmem breakage for SGL -> iovec mapping
|
||||||
|
- drm/i915: Close race between processing unpin task and queueing the flip
|
||||||
|
- SCSI: fix Null pointer dereference on disk error
|
||||||
|
- proc: pid/status: show all supplementary groups
|
||||||
|
- nfsd4: fix oops on unusual readlike compound
|
||||||
|
- ARM: missing ->mmap_sem around find_vma() in swp_emulate.c
|
||||||
|
- sctp: fix memory leak in sctp_datamsg_from_user() when copy from user
|
||||||
|
space fails
|
||||||
|
- ne2000: add the right platform device
|
||||||
|
- irda: sir_dev: Fix copy/paste typo
|
||||||
|
- ipv4: ip_check_defrag must not modify skb before unsharing
|
||||||
|
- telephony: ijx: buffer overflow in ixj_write_cid()
|
||||||
|
- udf: fix memory leak while allocating blocks during write
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* Input: wacom - fix touch support for Bamboo Fun CTH-461
|
* Input: wacom - fix touch support for Bamboo Fun CTH-461
|
||||||
|
|
|
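--- a/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
+++ b/debian/patches/bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
@@ -1,115 +0,0 @@
-From: Kees Cook <keescook@chromium.org>
-Date: Thu, 6 Dec 2012 17:00:21 +1100
-Subject: [1/2] exec: do not leave bprm->interp on stack
-
-commit 1e1b8374592f5fb347625e84d8a5f2f40d858a24 upstream.
-
-If a series of scripts are executed, each triggering module loading via
-unprintable bytes in the script header, kernel stack contents can leak
-into the command line.
-
-Normally execution of binfmt_script and binfmt_misc happens recursively.
-However, when modules are enabled, and unprintable bytes exist in the
-bprm->buf, execution will restart after attempting to load matching binfmt
-modules. Unfortunately, the logic in binfmt_script and binfmt_misc does
-not expect to get restarted. They leave bprm->interp pointing to their
-local stack. This means on restart bprm->interp is left pointing into
-unused stack memory which can then be copied into the userspace argv
-areas.
-
-After additional study, it seems that both recursion and restart remains
-the desirable way to handle exec with scripts, misc, and modules. As
-such, we need to protect the changes to interp.
-
-This changes the logic to require allocation for any changes to the
-bprm->interp. To avoid adding a new kmalloc to every exec, the default
-value is left as-is. Only when passing through binfmt_script or
-binfmt_misc does an allocation take place.
-
-For a proof of concept, see DoTest.sh from:
-http://www.halfdog.net/Security/2012/LinuxKernelBinfmtScriptStackDataDisclosure/
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: halfdog <me@halfdog.net>
-Cc: P J P <ppandit@redhat.com>
-Cc: Alexander Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
----
-fs/binfmt_misc.c | 5 ++++-
-fs/binfmt_script.c | 4 +++-
-fs/exec.c | 15 +++++++++++++++
-include/linux/binfmts.h | 1 +
-4 files changed, 23 insertions(+), 2 deletions(-)
-
-diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c
-index b0b70fb..b0c1755 100644
---- a/fs/binfmt_misc.c
-+++ b/fs/binfmt_misc.c
-@@ -176,7 +176,10 @@ static int load_misc_binary(struct linux_binprm *bprm)
-goto _error;
-bprm->argc ++;
-
-- bprm->interp = iname; /* for binfmt_script */
-+ /* Update interp in case binfmt_script needs it. */
-+ retval = bprm_change_interp(iname, bprm);
-+ if (retval < 0)
-+ goto _error;
-
-interp_file = open_exec (iname);
-retval = PTR_ERR (interp_file);
-diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c
-index 8c95499..4834f2c 100644
---- a/fs/binfmt_script.c
-+++ b/fs/binfmt_script.c
-@@ -82,7 +82,9 @@ static int load_script(struct linux_binprm *bprm)
-retval = copy_strings_kernel(1, &i_name, bprm);
-if (retval) return retval;
-bprm->argc++;
-- bprm->interp = interp;
-+ retval = bprm_change_interp(interp, bprm);
-+ if (retval < 0)
-+ return retval;
-
-/*
-* OK, now restart the process with the interpreter's dentry.
-diff --git a/fs/exec.c b/fs/exec.c
-index b71b08c..bf50973 100644
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -1175,9 +1175,24 @@ void free_bprm(struct linux_binprm *bprm)
-mutex_unlock(¤t->signal->cred_guard_mutex);
-abort_creds(bprm->cred);
-}
-+ /* If a binfmt changed the interp, free it. */
-+ if (bprm->interp != bprm->filename)
-+ kfree(bprm->interp);
-kfree(bprm);
-}
-
-+int bprm_change_interp(char *interp, struct linux_binprm *bprm)
-+{
-+ /* If a binfmt changed the interp, free it first. */
-+ if (bprm->interp != bprm->filename)
-+ kfree(bprm->interp);
-+ bprm->interp = kstrdup(interp, GFP_KERNEL);
-+ if (!bprm->interp)
-+ return -ENOMEM;
-+ return 0;
-+}
-+EXPORT_SYMBOL(bprm_change_interp);
-+
-/*
-* install the new credentials for this executable
-*/
-diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
-index 2630c9b..7f0e297 100644
---- a/include/linux/binfmts.h
-+++ b/include/linux/binfmts.h
-@@ -114,6 +114,7 @@ extern int setup_arg_pages(struct linux_binprm * bprm,
-unsigned long stack_top,
-int executable_stack);
-extern int bprm_mm_init(struct linux_binprm *bprm);
-+extern int bprm_change_interp(char *interp, struct linux_binprm *bprm);
-extern int copy_strings_kernel(int argc, const char *const *argv,
-struct linux_binprm *bprm);
-extern int prepare_bprm_creds(struct linux_binprm *bprm);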
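--- a/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
+++ b/debian/patches/bugfix/all/use-clamp_t-in-UNAME26-fix.patch
@@ -1,32 +0,0 @@
-From: Kees Cook <keescook@chromium.org>
-Date: Fri, 19 Oct 2012 18:45:53 -0700
-Subject: [2/2] use clamp_t in UNAME26 fix
-
-commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream.
-
-The min/max call needed to have explicit types on some architectures
-(e.g. mn10300). Use clamp_t instead to avoid the warning:
-
-kernel/sys.c: In function 'override_release':
-kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
-
-Reported-by: Fengguang Wu <fengguang.wu@intel.com>
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
----
-kernel/sys.c | 2 +-
-1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/kernel/sys.c b/kernel/sys.c
-index 01865c6..e6e0ece 100644
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -1284,7 +1284,7 @@ static int override_release(char __user *release, size_t len)
-rest++;
-}
-v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
-- copy = min(sizeof(buf), max_t(size_t, 1, len));
-+ copy = clamp_t(size_t, len, 1, sizeof(buf));
-copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
-ret = copy_to_user(release, buf, copy + 1);
-}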
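--- a/debian/patches/bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
+++ b/debian/patches/bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
@@ -1,49 +0,0 @@
-From: Zhang Rui <rui.zhang@intel.com>
-Date: Tue, 4 Dec 2012 23:30:19 +0100
-Subject: ACPI / video: ignore BIOS initial backlight value for HP Folio
-13-2000
-
-commit 129ff8f8d58297b04f47b5d6fad81aa2d08404e1 upstream.
-
-Or else the laptop will boot with a dimmed screen.
-
-References: https://bugzilla.kernel.org/show_bug.cgi?id=51141
-Tested-by: Stefan Nagy <public@stefan-nagy.at>
-Signed-off-by: Zhang Rui <rui.zhang@intel.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
----
-drivers/acpi/video.c | 14 ++++++++++++++
-1 file changed, 14 insertions(+)
-
-diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c
-index 0230cb6..ac9a69c 100644
---- a/drivers/acpi/video.c
-+++ b/drivers/acpi/video.c
-@@ -389,6 +389,12 @@ static int __init video_set_bqc_offset(const struct dmi_system_id *d)
-return 0;
-}
-
-+static int video_ignore_initial_backlight(const struct dmi_system_id *d)
-+{
-+ use_bios_initial_backlight = 0;
-+ return 0;
-+}
-+
-static struct dmi_system_id video_dmi_table[] __initdata = {
-/*
-* Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
-@@ -433,6 +439,14 @@ static struct dmi_system_id video_dmi_table[] __initdata = {
-DMI_MATCH(DMI_PRODUCT_NAME, "Aspire 7720"),
-},
-},
-+ {
-+ .callback = video_ignore_initial_backlight,
-+ .ident = "HP Folio 13-2000",
-+ .matches = {
-+ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
-+ DMI_MATCH(DMI_PRODUCT_NAME, "HP Folio 13 - 2000 Notebook PC"),
-+ },
-+ },
-{}
-};
-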
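--- a/debian/patches/bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
+++ b/debian/patches/bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
@@ -1,71 +0,0 @@
-From 6d1068b3a98519247d8ba4ec85cd40ac136dbdf9 Mon Sep 17 00:00:00 2001
-From: Petr Matousek <pmatouse@redhat.com>
-Date: Tue, 6 Nov 2012 19:24:07 +0100
-Subject: [PATCH] KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit
-set (CVE-2012-4461)
-
-On hosts without the XSAVE support unprivileged local user can trigger
-oops similar to the one below by setting X86_CR4_OSXSAVE bit in guest
-cr4 register using KVM_SET_SREGS ioctl and later issuing KVM_RUN
-ioctl.
-
-invalid opcode: 0000 [#2] SMP
-Modules linked in: tun ip6table_filter ip6_tables ebtable_nat ebtables
-...
-Pid: 24935, comm: zoog_kvm_monito Tainted: G D 3.2.0-3-686-pae
-EIP: 0060:[<f8b9550c>] EFLAGS: 00210246 CPU: 0
-EIP is at kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm]
-EAX: 00000001 EBX: 000f387e ECX: 00000000 EDX: 00000000
-ESI: 00000000 EDI: 00000000 EBP: ef5a0060 ESP: d7c63e70
-DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
-Process zoog_kvm_monito (pid: 24935, ti=d7c62000 task=ed84a0c0
-task.ti=d7c62000)
-Stack:
-00000001 f70a1200 f8b940a9 ef5a0060 00000000 00200202 f8769009 00000000
-ef5a0060 000f387e eda5c020 8722f9c8 00015bae 00000000 ed84a0c0 ed84a0c0
-c12bf02d 0000ae80 ef7f8740 fffffffb f359b740 ef5a0060 f8b85dc1 0000ae80
-Call Trace:
-[<f8b940a9>] ? kvm_arch_vcpu_ioctl_set_sregs+0x2fe/0x308 [kvm]
-...
-[<c12bfb44>] ? syscall_call+0x7/0xb
-Code: 89 e8 e8 14 ee ff ff ba 00 00 04 00 89 e8 e8 98 48 ff ff 85 c0 74
-1e 83 7d 48 00 75 18 8b 85 08 07 00 00 31 c9 8b 95 0c 07 00 00 <0f> 01
-d1 c7 45 48 01 00 00 00 c7 45 1c 01 00 00 00 0f ae f0 89
-EIP: [<f8b9550c>] kvm_arch_vcpu_ioctl_run+0x92a/0xd13 [kvm] SS:ESP
-0068:d7c63e70
-
-QEMU first retrieves the supported features via KVM_GET_SUPPORTED_CPUID
-and then sets them later. So guest's X86_FEATURE_XSAVE should be masked
-out on hosts without X86_FEATURE_XSAVE, making kvm_set_cr4 with
-X86_CR4_OSXSAVE fail. Userspaces that allow specifying guest cpuid with
-X86_FEATURE_XSAVE even on hosts that do not support it, might be
-susceptible to this attack from inside the guest as well.
-
-Allow setting X86_CR4_OSXSAVE bit only if host has XSAVE support.
-
-Signed-off-by: Petr Matousek <pmatouse@redhat.com>
-Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
-[bwh: Backported to 3.2: both functions are in arch/x86/kvm/x86.c]
----
---- a/arch/x86/kvm/x86.c
-+++ b/arch/x86/kvm/x86.c
-@@ -578,6 +578,9 @@ static bool guest_cpuid_has_xsave(struct
-{
-struct kvm_cpuid_entry2 *best;
-
-+ if (!static_cpu_has(X86_FEATURE_XSAVE))
-+ return 0;
-+
-best = kvm_find_cpuid_entry(vcpu, 1, 0);
-return best && (best->ecx & bit(X86_FEATURE_XSAVE));
-}
-@@ -6154,6 +6157,9 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct
-int pending_vec, max_bits, idx;
-struct desc_ptr dt;
-
-+ if (!guest_cpuid_has_xsave(vcpu) && (sregs->cr4 & X86_CR4_OSXSAVE))
-+ return -EINVAL;
-+
-dt.size = sregs->idt.limit;
-dt.address = sregs->idt.base;
-kvm_x86_ops->set_idt(vcpu, &dt);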
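--- a/debian/patches/series
+++ b/debian/patches/series
@@ -403,7 +403,6 @@ debian/perf-hide-abi-change-in-3.2.30.patch
 debian/iwlwifi-do-not-request-unreleased-firmware.patch
 debian/hid-avoid-ABI-change-in-3.2.31.patch
 debian/xfrm-avoid-ABI-change-in-3.2.31.patch
-bugfix/all/use-clamp_t-in-UNAME26-fix.patch
 debian/fs-writeback-avoid-ABI-change-in-3.2.32.patch
 bugfix/x86/asus-laptop-Do-not-call-HWRS-on-init.patch
 bugfix/x86/drm-i915-Only-kick-out-vesafb-if-we-takeover-the-fbc.patch
@@ -422,14 +421,11 @@ features/all/xen/microcode-typo.patch
 bugfix/all/firmware_class-log-every-success-and-failure.patch
 bugfix/all/firmware-remove-redundant-log-messages-from-drivers.patch
 
-bugfix/x86/ACPI-video-ignore-BIOS-initial-backlight-value-for-H.patch
-bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch
 bugfix/all/usermodehelper-introduce-umh_complete.patch
 bugfix/all/usermodehelper-implement-UMH_KILLABLE.patch
 bugfix/all/usermodehelper-____call_usermodehelper-doesnt-need-do_exit.patch
 bugfix/all/kmod-introduce-call_modprobe-helper.patch
 bugfix/all/kmod-make-__request_module-killable.patch
-bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch
 bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch
 bugfix/all/megaraid_sas-fix-memory-leak-if-SGL-has-zero-length-entries.patch
 debian/audit-increase-AUDIT_NAMES.patch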
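Review bot: Two security backports are dropped from the series here, `bugfix/x86/KVM-x86-invalid-opcode-oops-on-SET_SREGS-with-OSXSAV.patch` (CVE-2012-4461) and `bugfix/all/exec-do-not-leave-bprm-interp-on-stack.patch`, yet neither upstream fix is named in the 29-line changelog entry added above, whose upstream bullet list runs from the freezer change to the udf leak. Presumably both commits are part of 3.2.36 and that is why they are removed, but nothing in the package metadata says so, so the CVE cannot be traced to this package version from the changelog alone. Suggest adding the two subjects to the "New upstream stable update" list, e.g. `- KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461)` and `- exec: do not leave bprm->interp on stack`. Note also that `bugfix/all/exec-use-ELOOP-for-max-recursion-depth.patch` is kept while its companion bprm->interp patch goes; it is worth confirming it still applies cleanly on top of 3.2.36 rather than being superseded by the stable update.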
|