Merge changes from sid up to 3.10.11-1

svn path=/dists/trunk/linux/; revision=20600
Ben Hutchings 2013-09-11 01:24:25 +00:00
commit a0ce50e15f
53 changed files with 659 additions and 9 deletions

debian/changelog

@ -129,6 +129,98 @@ linux (3.11~rc4-1~exp1) experimental; urgency=low
-- Ben Hutchings <ben@decadent.org.uk> Thu, 08 Aug 2013 13:09:47 +0200
linux (3.10.11-1) unstable; urgency=low
* New upstream stable update:
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.8
- [arm] perf/arm: Fix armpmu_map_hw_event()
- memcg: don't initialize kmem-cache destroying work for root caches
- fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
- elevator: Fix a race in elevator switching
- mac80211: fix infinite loop in ieee80211_determine_chantype
- can: pcan_usb: fix wrong memcpy() bytes length
- cfg80211: fix P2P GO interface teardown
- ASoC: dapm: Fix empty list check in dapm_new_mux()
- ALSA: 6fire: make buffers DMA-able (pcm)
- ALSA: 6fire: make buffers DMA-able (midi)
- USB: ti_usb_3410_5052: fix big-endian firmware handling
- USB: mos7720: fix broken control requests
- Fix TLB gather virtual address range invalidation corner cases
- [arm] 7809/1: perf: fix event validation for software group leaders
(CVE-2013-4254)
- jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.9
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.10
- [s390] KVM: s390: move kvm_guest_enter,exit closer to sie
- mac80211: don't wait for TX status forever
- tracing/kprobe: Wait for disabling all running kprobe handlers
- tracing: Fix many race conditions including potential use-after-free
- tracing/kprobes: Fail to unregister if probe event files are in use
- tracing/uprobes: Fail to unregister if probe event files are in use
- ftrace: Check module functions being traced on reload
- zd1201: do not use stack as URB transfer_buffer
- VFS: collect_mounts() should return an ERR_PTR
- [arm] davinci: nand: specify ecc strength
- drm/radeon/r7xx: fix copy paste typo in golden register setup
- drm/radeon: fix UVD message buffer validation
- drm/i915: Invalidate TLBs for the rings after a reset
- nilfs2: remove double bio_put() in nilfs_end_bio_write() for
BIO_EOPNOTSUPP error
- Hostap: copying wrong data prism2_ioctl_giwaplist()
- SCSI: zfcp: fix lock imbalance by reworking request queue locking
- SCSI: zfcp: fix schedule-inside-lock in scsi_device list loops
- SCSI: sg: Fix user memory corruption when SG_IO is interrupted by a
signal
- [x86] get_unmapped_area: Access mmap_legacy_base through mm_struct member
- bcache: FUA fixes
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.11
- drm/nouveau/mc: fix race condition between constructor and request_irq()
- jfs: fix readdir cookie incompatibility with NFSv4 (Closes: #714974)
- [powerpc] Work around gcc miscompilation of __pa() on 64-bit
- [powerpc] Don't Oops when accessing /proc/powerpc/lparcfg without
hypervisor
- timer_list: correct the iterator for timer_list
- drivers/base/memory.c: fix show_mem_removable() to handle missing sections
- memcg: check that kmem_cache has memcg_params before accessing it
- SUNRPC: Fix memory corruption issue on 32-bit highmem systems
- ath9k_htc: Restore skb headroom when returning skb to mac80211
- iscsi-target: Fix ImmediateData=Yes failure regression in >= v3.10
- iscsi-target: Fix potential NULL pointer in solicited NOPOUT reject
- ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT
- regmap: rbtree: Fix overlapping rbnodes.
[ Ben Hutchings ]
* [rt] Update to 3.10.10-rt7:
- hwlat-detector: Update hwlat_detector to add outer loop detection
- hwlat-detector: Use thread instead of stop machine
- hwlat-detector: Use trace_clock_local if available
- genirq: do not invoke the affinity callback via a workqueue
- simple-wait: rename and export the equivalent of waitqueue_active()
- simple-wait: Fix a race condition with swait wakeups vs adding items
to the list
- rcu: Use swait_wake_all() in rcu_nocb_gp_cleanup()
* aufs: Update to aufs3.10-20130826
* aufs: mvdown, don't let unprivileged users provoke a WARNING
* [x86] ACPI: Re-enable ACPI_HOTPLUG_MEMORY as built-in
* [x86] amd64_edac: Fix single-channel setups (Closes: #717473)
* [x86] efi: Ensure efi-pstore is loaded on EFI systems
* bug script: Prompt to include crash logs from pstore
* ipv6: remove max_addresses check from ipv6_create_tempaddr (CVE-2013-0343)
* HID: validate HID report id size (CVE-2013-2888)
* HID: pantherlord: validate output report details (CVE-2013-2892)
* HID: ntrig: validate feature report details (CVE-2013-2896)
* HID: sensor-hub: validate feature report details (CVE-2013-2898)
* HID: picolcd_core: validate output report details (CVE-2013-2899)
* HID: check for NULL field when setting values
[ Ian Campbell ]
* [armel]: Enable MVMDIO and USB_EHCI_HCD_ORION on Kirkwood and Orion
(Closes: #719680)
* Bump ABI to 3
* [armhf]: Add udebs for armmp flavour
-- Ben Hutchings <ben@decadent.org.uk> Tue, 10 Sep 2013 14:13:16 +0100
linux (3.10.7-1) unstable; urgency=low
* New upstream stable update:


@ -441,6 +441,8 @@ CONFIG_MTD_UBI=y
## file: drivers/net/ethernet/marvell/Kconfig
##
CONFIG_MV643XX_ETH=m
CONFIG_MVMDIO=m
# CONFIG_SKGE is not set
# CONFIG_SKY2 is not set
@ -621,6 +623,7 @@ CONFIG_USB_SPEEDTOUCH=m
## file: drivers/usb/host/Kconfig
##
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_EHCI_HCD_ORION=y
# CONFIG_USB_ISP116X_HCD is not set
CONFIG_USB_OHCI_HCD=m
CONFIG_USB_UHCI_HCD=m


@ -394,6 +394,7 @@ CONFIG_MTD_NAND_ORION=y
## file: drivers/net/ethernet/marvell/Kconfig
##
CONFIG_MV643XX_ETH=m
CONFIG_MVMDIO=m
# CONFIG_SKGE is not set
# CONFIG_SKY2 is not set
@ -539,6 +540,7 @@ CONFIG_USB_SPEEDTOUCH=m
## file: drivers/usb/host/Kconfig
##
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_EHCI_HCD_ORION=y
# CONFIG_USB_ISP116X_HCD is not set
CONFIG_USB_OHCI_HCD=m
CONFIG_USB_UHCI_HCD=m


@ -397,7 +397,7 @@ CONFIG_FIREWIRE_NOSY=m
## file: drivers/firmware/efi/Kconfig
##
CONFIG_EFI_VARS=m
CONFIG_EFI_VARS_PSTORE=y
CONFIG_EFI_VARS_PSTORE=m
# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
##


@ -6,6 +6,3 @@ CONFIG_WAKEUP_LATENCY_HIST=y
## disable aufs as it's not needed on rt and conflicts with fs-dentry-use-seqlock.patch
# CONFIG_AUFS_FS is not set
## disable bcache as it uses {down,up}_read_non_owner() which don't exist on rt
# CONFIG_BCACHE is not set


@ -155,7 +155,7 @@ CONFIG_ACPI_THERMAL=m
# CONFIG_ACPI_DEBUG is not set
CONFIG_ACPI_PCI_SLOT=y
CONFIG_ACPI_CONTAINER=y
CONFIG_ACPI_HOTPLUG_MEMORY=m
CONFIG_ACPI_HOTPLUG_MEMORY=y
CONFIG_ACPI_SBS=m
CONFIG_ACPI_HED=m
# CONFIG_ACPI_CUSTOM_METHOD is not set


@ -1,3 +1,4 @@
# arch version flavour installedname suffix build-depends
armhf - armmp - y -
armhf - mx5 - y -
armhf - vexpress - y -


@ -0,0 +1 @@
libata


@ -0,0 +1 @@
#include <btrfs-modules>


@ -0,0 +1 @@
#include <core-modules>


@ -0,0 +1 @@
#include <crc-modules>


@ -0,0 +1 @@
#include <crypto-dm-modules>


@ -0,0 +1 @@
#include <crypto-modules>


@ -0,0 +1 @@
#include <event-modules>


@ -0,0 +1 @@
#include <ext2-modules>


@ -0,0 +1 @@
#include <ext3-modules>


@ -0,0 +1 @@
#include <ext4-modules>


@ -0,0 +1 @@
#include <fat-modules>


@ -0,0 +1 @@
#include <fuse-modules>


@ -0,0 +1,4 @@
#include <input-modules>
usbhid -
usbmouse -
usbkbd -


@ -0,0 +1 @@
#include <isofs-modules>


@ -0,0 +1 @@
#include <jfs-modules>


@ -0,0 +1 @@
# empty


@ -0,0 +1 @@
#include <loop-modules>


@ -0,0 +1 @@
#include <md-modules>


@ -0,0 +1,2 @@
#include <mmc-modules>
sdhci-esdhc-imx


@ -0,0 +1 @@
#include <multipath-modules>


@ -0,0 +1 @@
#include <nbd-modules>


@ -0,0 +1,5 @@
mvneta
mvmdio
smsc911x
sun4i-emac
xgmac


@ -0,0 +1 @@
#include <nic-shared-modules>


@ -0,0 +1 @@
#include <nic-usb-modules>


@ -0,0 +1 @@
#include <nic-wireless-modules>


@ -0,0 +1 @@
pata_imx


@ -0,0 +1,4 @@
#include <sata-modules>
ahci_platform
sata_highbank


@ -0,0 +1 @@
#include <scsi-core-modules>


@ -0,0 +1 @@
#include <squashfs-modules>


@ -0,0 +1 @@
#include <udf-modules>


@ -0,0 +1 @@
#include <uinput-modules>


@ -0,0 +1 @@
#include <usb-modules>


@ -0,0 +1,2 @@
#include <usb-storage-modules>
usb-storage -


@ -0,0 +1,30 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:32:01 +0200
Subject: [6/6] HID: check for NULL field when setting values
Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
Defensively check that the field to be worked on is not NULL.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
{
- unsigned size = field->report_size;
+ unsigned size;
+
+ if (!field)
+ return -1;
+
+ size = field->report_size;
hid_dump_input(field->report->device, field->usage + offset, value);
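
Review bot: The new NULL guard at the top of hid_set_field() returns a bare -1, which reads as -EPERM if any caller passes the value on as an errno. Unless the rest of the function already uses -1 as its error convention, prefer "return -EINVAL;". Since a NULL field here means a caller bug or a malformed report, a one-time warning before the return would also keep the condition from going unnoticed.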


@ -0,0 +1,37 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:31:28 +0200
Subject: [3/6] HID: ntrig: validate feature report details
Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
A HID device could send a malicious feature report that would cause the
ntrig HID driver to trigger a NULL dereference during initialization:
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
...
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
CVE-2013-2896
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-ntrig.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
index 98d1fdf..600f207 100644
--- a/drivers/hid/hid-ntrig.c
+++ b/drivers/hid/hid-ntrig.c
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
report_id_hash[0x0d];
- if (!report)
+ if (!report || report->maxfield < 1 ||
+ report->field[0]->report_count < 1)
return -EINVAL;
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
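
Review bot: The widened check in ntrig_get_mode() rejects a missing report, a report with no fields and a field with report_count < 1 with the same silent -EINVAL, so the caller cannot tell a malformed 0x0d feature report from an absent one. A hid_err() on the two new conditions would make a rejected device diagnosable from the log. The ordering itself is right: report->maxfield < 1 is tested before report->field[0] is dereferenced.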


@ -0,0 +1,43 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:30:49 +0200
Subject: [2/6] HID: pantherlord: validate output report details
Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
A HID device could send a malicious output report that would cause the
pantherlord HID driver to write beyond the output report allocation
during initialization, causing a heap overflow:
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
...
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
CVE-2013-2892
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-pl.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
index d29112f..2dcd7d9 100644
--- a/drivers/hid/hid-pl.c
+++ b/drivers/hid/hid-pl.c
@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
strong = &report->field[0]->value[2];
weak = &report->field[0]->value[3];
debug("detected single-field device");
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
+ } else if (report->field[0]->maxusage == 1 &&
+ report->field[0]->usage[0].hid ==
+ (HID_UP_LED | 0x43) &&
+ report->maxfield >= 4 &&
+ report->field[0]->report_count >= 1 &&
+ report->field[1]->report_count >= 1 &&
+ report->field[2]->report_count >= 1 &&
+ report->field[3]->report_count >= 1) {
report->field[0]->value[0] = 0x00;
report->field[1]->value[0] = 0x00;
strong = &report->field[2]->value[0];
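
Review bot: In the rewritten else-if in plff_init(), report->field[0]->maxusage and report->field[0]->usage[0].hid are now dereferenced before "report->maxfield >= 4" is tested, where the old condition tested maxfield first. Unless code above this hunk already guarantees maxfield >= 1, keep the maxfield test first so the field[0] to field[3] accesses are visibly guarded. The single-field branch just above takes &value[2] and &value[3] of field[0], so it needs a report_count >= 4 check of its own if it does not already have one outside the visible context.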


@ -0,0 +1,45 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:31:52 +0200
Subject: [5/6] HID: picolcd_core: validate output report details
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
A HID device could send a malicious output report that would cause the
picolcd HID driver to trigger a NULL dereference during attr file writing.
[jkosina@suse.cz: changed
report->maxfield < 1
to
report->maxfield != 1
as suggested by Bruno].
CVE-2013-2899
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-picolcd_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
index b48092d..acbb0210 100644
--- a/drivers/hid/hid-picolcd_core.c
+++ b/drivers/hid/hid-picolcd_core.c
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
buf += 10;
cnt -= 10;
}
- if (!report)
+ if (!report || report->maxfield != 1)
return -EINVAL;
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
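
Review bot: The check in picolcd_operation_mode_store() bounds the number of fields (report->maxfield != 1) but not report->field[0]->report_count, which patches 3/6 and 4/6 of this series do validate. If the code after this hunk writes into report->field[0]->value[], add a report_count lower bound matching the highest index written.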


@ -0,0 +1,33 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:31:44 +0200
Subject: [4/6] HID: sensor-hub: validate feature report details
Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
A HID device could send a malicious feature report that would cause the
sensor-hub HID driver to read past the end of heap allocation, leaking
kernel memory contents to the caller.
CVE-2013-2898
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-sensor-hub.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
index ffc80cf..6fca30e 100644
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
mutex_lock(&data->mutex);
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
- if (!report || (field_index >= report->maxfield)) {
+ if (!report || (field_index >= report->maxfield) ||
+ report->field[field_index]->report_count < 1) {
ret = -EINVAL;
goto done_proc;
}


@ -0,0 +1,76 @@
From: Kees Cook <keescook@chromium.org>
Date: Wed, 28 Aug 2013 22:29:55 +0200
Subject: [1/6] HID: validate HID report id size
Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
The "Report ID" field of a HID report is used to build indexes of
reports. The kernel's index of these is limited to 256 entries, so any
malicious device that sets a Report ID greater than 255 will trigger
memory corruption on the host:
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
CVE-2013-2888
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
drivers/hid/hid-core.c | 10 +++++++---
include/linux/hid.h | 4 +++-
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 36668d1..5ea7d51 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
struct hid_report_enum *report_enum = device->report_enum + type;
struct hid_report *report;
+ if (id >= HID_MAX_IDS)
+ return NULL;
if (report_enum->report_id_hash[id])
return report_enum->report_id_hash[id];
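
Review bot: With "if (id >= HID_MAX_IDS) return NULL;" hid_register_report() now returns NULL for an out-of-range id, so every caller has to check the result before dereferencing it; the callers are outside this hunk and should be confirmed. A hid_err() naming the offending id would also match the message the parser path prints for the same condition in the next hunk.
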
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
parser->global.report_id = item_udata(item);
- if (parser->global.report_id == 0) {
- hid_err(parser->device, "report_id 0 is invalid\n");
+ if (parser->global.report_id == 0 ||
+ parser->global.report_id >= HID_MAX_IDS) {
+ hid_err(parser->device, "report_id %u is invalid\n",
+ parser->global.report_id);
return -1;
}
return 0;
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
for (i = 0; i < HID_REPORT_TYPES; i++) {
struct hid_report_enum *report_enum = device->report_enum + i;
- for (j = 0; j < 256; j++) {
+ for (j = 0; j < HID_MAX_IDS; j++) {
struct hid_report *report = report_enum->report_id_hash[j];
if (report)
hid_free_report(report);
diff --git a/include/linux/hid.h b/include/linux/hid.h
index 0c48991..ff545cc 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -393,10 +393,12 @@ struct hid_report {
struct hid_device *device; /* associated device */
};
+#define HID_MAX_IDS 256
+
struct hid_report_enum {
unsigned numbered;
struct list_head report_list;
- struct hid_report *report_id_hash[256];
+ struct hid_report *report_id_hash[HID_MAX_IDS];
};
#define HID_REPORT_TYPES 3
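
Review bot: HID_MAX_IDS is introduced in hid.h without a comment. One line stating that it is the size of report_id_hash[] and the exclusive upper bound for a Report ID would keep the array declaration and the three users in hid-core.c in step if the value is ever changed.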


@ -0,0 +1,60 @@
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Fri, 16 Aug 2013 13:02:27 +0200
Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
Origin: https://git.kernel.org/linus/4b08a8f1bd8cb4541c93ec170027b4d0782dab52
Because of the max_addresses check attackers were able to disable privacy
extensions on an interface by creating enough autoconfigured addresses:
<http://seclists.org/oss-sec/2012/q4/292>
But the check is not actually needed: max_addresses protects the
kernel to install too many ipv6 addresses on an interface and guards
addrconf_prefix_rcv to install further addresses as soon as this limit
is reached. We only generate temporary addresses in direct response of
a new address showing up. As soon as we filled up the maximum number of
addresses of an interface, we stop installing more addresses and thus
also stop generating more temp addresses.
Even if the attacker tries to generate a lot of temporary addresses
by announcing a prefix and removing it again (lifetime == 0) we won't
install more temp addresses, because the temporary addresses do count
to the maximum number of addresses, thus we would stop installing new
autoconfigured addresses when the limit is reached.
This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
possible).
Thanks to Ding Tianhong to bring this topic up again.
Cc: Ding Tianhong <dingtianhong@huawei.com>
Cc: George Kargiotakis <kargig@void.gr>
Cc: P J P <ppandit@redhat.com>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.10: adjust ipv6_add_addr() parameter list]
---
net/ipv6/addrconf.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1124,12 +1124,10 @@ retry:
if (ifp->flags & IFA_F_OPTIMISTIC)
addr_flags |= IFA_F_OPTIMISTIC;
- ift = !max_addresses ||
- ipv6_count_addresses(idev) < max_addresses ?
- ipv6_add_addr(idev, &addr, tmp_plen,
- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
- addr_flags) : NULL;
- if (IS_ERR_OR_NULL(ift)) {
+ ift = ipv6_add_addr(idev, &addr, tmp_plen,
+ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
+ addr_flags);
+ if (IS_ERR(ift)) {
in6_ifa_put(ifp);
in6_dev_put(idev);
pr_info("%s: retry temporary address regeneration\n", __func__);
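
Review bot: Replacing IS_ERR_OR_NULL(ift) with IS_ERR(ift) is only safe if ipv6_add_addr() never returns NULL. The removed ternary was the one visible source of NULL, but this is a backport with an adjusted ipv6_add_addr() parameter list, so please confirm that the 3.10 version of that function reports every failure as an ERR_PTR. If it can return NULL, keep IS_ERR_OR_NULL() here.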


@ -0,0 +1,46 @@
From: Borislav Petkov <bp@suse.de>
Date: Tue, 23 Jul 2013 20:01:23 +0200
Subject: amd64_edac: Fix single-channel setups
Origin: https://git.kernel.org/linus/f0a56c480196a98479760862468cc95879df3de0
Bug-Debian: http://bugs.debian.org/717473
It can happen that configurations are running in a single-channel mode
even with a dual-channel memory controller, by, say, putting the DIMMs
only on the one channel and leaving the other empty. This causes a
problem in init_csrows which implicitly assumes that when the second
channel is enabled, i.e. channel 1, the struct dimm hierarchy will be
present. Which is not.
So always allocate two channels unconditionally.
This provides for the nice side effect that the data structures are
initialized so some day, when memory hotplug is supported, it should
just work out of the box when all of a sudden a second channel appears.
Reported-and-tested-by: Roger Leigh <rleigh@debian.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
---
drivers/edac/amd64_edac.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
index 8b6a034..8b3d901 100644
--- a/drivers/edac/amd64_edac.c
+++ b/drivers/edac/amd64_edac.c
@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struct pci_dev *F2)
layers[0].size = pvt->csels[0].b_cnt;
layers[0].is_virt_csrow = true;
layers[1].type = EDAC_MC_LAYER_CHANNEL;
- layers[1].size = pvt->channel_count;
+
+ /*
+ * Always allocate two channels since we can have setups with DIMMs on
+ * only one channel. Also, this simplifies handling later for the price
+ * of a couple of KBs tops.
+ */
+ layers[1].size = 2;
layers[1].is_virt_csrow = false;
+
mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0);
if (!mci)
goto err_siblings;
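
Review bot: "layers[1].size = 2;" in amd64_init_one_instance() hard-codes the channel count as a bare literal. A named constant would be clearer, and any code that later walks channels using pvt->channel_count should be checked against the now larger allocation so the unused channel's structures are handled consistently.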


@ -0,0 +1,38 @@
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 31 Aug 2013 18:34:51 +0100
Subject: aufs: mvdown, don't let unprivileged users provoke a WARNING
Forwarded:
Move the WARN_ONCE() about mvdown after the capability check.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/aufs/ioctl.c | 1 -
fs/aufs/mvdown.c | 2 ++
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/aufs/ioctl.c b/fs/aufs/ioctl.c
index 628d627..1ac7688 100644
--- a/fs/aufs/ioctl.c
+++ b/fs/aufs/ioctl.c
@@ -152,7 +152,6 @@ long aufs_ioctl_nondir(struct file *file, unsigned int cmd, unsigned long arg)
switch (cmd) {
case AUFS_CTL_MVDOWN:
- WARN_ONCE(1, "move-down is still testing...\n");
err = au_mvdown(file->f_dentry, (void __user *)arg);
break;
diff --git a/fs/aufs/mvdown.c b/fs/aufs/mvdown.c
index e68002e..5f56645 100644
--- a/fs/aufs/mvdown.c
+++ b/fs/aufs/mvdown.c
@@ -489,6 +489,8 @@ int au_mvdown(struct dentry *dentry, struct aufs_mvdown __user *uarg)
if (unlikely(!capable(CAP_SYS_ADMIN)))
goto out;
+ WARN_ONCE(1, "move-down is still testing...\n");
+
err = -ENOMEM;
args = kmalloc(sizeof(*args), GFP_NOFS);
if (unlikely(!args))
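
Review bot: After the move into au_mvdown(), WARN_ONCE(1, ...) still fires unconditionally for any caller that passes the CAP_SYS_ADMIN check, producing a stack trace for what is an informational "still testing" notice. pr_warn_once() would convey the same message without the trace.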


@ -6,12 +6,13 @@ Forwarded: no
efivars is generally useful to have on EFI systems, and in some cases
it may be impossible to load it after a kernel upgrade in order to
complete a boot loader update. At the same time we don't want to
waste memory on non-EFI systems by making it built-in.
complete a boot loader update. efi-pstore is similarly useful though
less critical. At the same time we don't want to waste memory on
non-EFI systems by making them built-in.
Instead, give it a module alias as if it's a platform driver, and
Instead, give them module aliases as if they are platform drivers, and
register a corresponding platform device whenever EFI runtime services
are available. This should trigger udev to load it.
are available. This should trigger udev to load them.
---
--- a/arch/x86/platform/efi/efi.c
@ -55,3 +56,10 @@ are available. This should trigger udev to load it.
LIST_HEAD(efivar_sysfs_list);
EXPORT_SYMBOL_GPL(efivar_sysfs_list);
--- a/drivers/firmware/efi/efi-pstore.c
+++ b/drivers/firmware/efi/efi-pstore.c
@@ -250,3 +250,4 @@ module_exit(efivars_pstore_exit);
MODULE_DESCRIPTION("EFI variable backend for pstore");
MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:efivars");
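
Review bot: The alias added to efi-pstore.c is "platform:efivars", named after efivars rather than after efi-pstore. If that is intentional, so that the one platform device registered when EFI runtime services are available loads both modules, say so in a comment next to the MODULE_ALIAS() line; otherwise it looks like a copy-and-paste slip.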

debian/patches/series

@ -27,6 +27,8 @@ features/all/aufs3/aufs3-add.patch
debian/aufs3-mark-as-staging.patch
# hide broken config option
debian/AUFS_PROC_MAP-is-BROKEN.patch
# security fix
#features/all/aufs3/aufs-mvdown-don-t-let-unprivileged-users-provoke-a-W.patch
# Change some defaults for security reasons
features/all/sysrq-mask.patch
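
Review bot: The entry added under "# security fix" is itself commented out ("#features/all/aufs3/aufs-mvdown-don-t-let-unprivileged-users-provoke-a-W.patch"), so the patch will not be applied even though debian/changelog lists "aufs: mvdown, don't let unprivileged users provoke a WARNING" for this upload. Either enable the entry or state in the comment why it is disabled.
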
@ -79,3 +81,12 @@ bugfix/all/irq-Always-define-devm_-request_threaded-free-_irq.patch
# m68k IRQ bugfix
bugfix/m68k/atari-irqs.patch
bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
bugfix/all/HID-validate-HID-report-id-size.patch
bugfix/all/HID-pantherlord-validate-output-report-details.patch
bugfix/all/HID-ntrig-validate-feature-report-details.patch
bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
bugfix/all/HID-picolcd_core-validate-output-report-details.patch
bugfix/all/HID-check-for-NULL-field-when-setting-values.patch


@ -0,0 +1,77 @@
_add_pstore_log() {
if [ $# -le 3 ]; then
return
fi
local backend="$1"
local event="$2"
local date="$3"
yesno "Include log of $event at $(date -d @$date +%c) stored by $backend?" yep
if [ $REPLY != yep ]; then
return
fi
echo >&3
echo "*** Log of $event at $(date -d @$date -Iseconds) from $backend" >&3
shift 3
for file in "$@"; do
tail -n +2 "$file" | sed 's/^<.>//' >&3
done
}
add_pstore() {
local backend
local i
local j
local file
local date
local head
local event
local log_files
if ! mountpoint -q /sys/fs/pstore; then
return 0
fi
set -- /sys/fs/pstore/dmesg-*-1
backend=${1#*/dmesg-}
backend=${backend%-1}
if [ "$backend" = '*' ]; then
return 0
fi
i=1
while [ -f /sys/fs/pstore/dmesg-$backend-$i ]; do
file=/sys/fs/pstore/dmesg-$backend-$i
head="$(head -1 "$file")"
# Is this the first part of a log?
if [ "x${head% Part1}" != "x$head" ]; then
# Flush previous log, if any
_add_pstore_log "$backend" "$event" "$date" $log_files
event="${head% Part1}"
date=$(stat -c %Y $file)
log_files=
j=1
fi
if [ "x$head" = "x$event Part$j" ]; then
# Each part is prepended to the list, because they're numbered
# backward in log history
log_files="$file $log_files"
j=$((j + 1))
fi
i=$((i + 1))
done
# Flush last log, if any
_add_pstore_log "$backend" "$event" "$date" $log_files
}
ask_pstore() {
add_pstore
}
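
Review bot: In _add_pstore_log(), "if [ $REPLY != yep ]; then" leaves $REPLY unquoted. If the reply is empty the test becomes "[ != yep ]", which is a syntax error with a non-zero status, so the if body is skipped and the crash log is appended to the report without the user having agreed. Quote it as [ "$REPLY" != yep ]. The same applies to the unquoted $file in "stat -c %Y $file" and "[ -f /sys/fs/pstore/dmesg-$backend-$i ]", although those paths come from a fixed pattern.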


@ -6,3 +6,9 @@ If you are reporting that the kernel fails to boot, please use a digital
camera, serial console or netconsole to record the boot messages and
attach these to your report. You can use the kernel parameter
'boot_delay=1000' to slow down the boot messages.
If you are reporting a crash on a system that boots using EFI, it may
be useful to mount the 'pstore' filesystem so that a crash log can be
retrieved from flash memory. You can do this by running (as root):
mount -t pstore pstore /sys/fs/pstore