Merge changes from sid up to 3.10.11-1
svn path=/dists/trunk/linux/; revision=20600
commit
a0ce50e15f
|
@ -129,6 +129,98 @@ linux (3.11~rc4-1~exp1) experimental; urgency=low
|
|||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Thu, 08 Aug 2013 13:09:47 +0200
|
||||
|
||||
linux (3.10.11-1) unstable; urgency=low
|
||||
|
||||
* New upstream stable update:
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.8
|
||||
- [arm] perf/arm: Fix armpmu_map_hw_event()
|
||||
- memcg: don't initialize kmem-cache destroying work for root caches
|
||||
- fs/proc/task_mmu.c: fix buffer overflow in add_page_map()
|
||||
- elevator: Fix a race in elevator switching
|
||||
- mac80211: fix infinite loop in ieee80211_determine_chantype
|
||||
- can: pcan_usb: fix wrong memcpy() bytes length
|
||||
- cfg80211: fix P2P GO interface teardown
|
||||
- ASoC: dapm: Fix empty list check in dapm_new_mux()
|
||||
- ALSA: 6fire: make buffers DMA-able (pcm)
|
||||
- ALSA: 6fire: make buffers DMA-able (midi)
|
||||
- USB: ti_usb_3410_5052: fix big-endian firmware handling
|
||||
- USB: mos7720: fix broken control requests
|
||||
- Fix TLB gather virtual address range invalidation corner cases
|
||||
- [arm] 7809/1: perf: fix event validation for software group leaders
|
||||
(CVE-2013-4254)
|
||||
- jbd2: Fix use after free after error in jbd2_journal_dirty_metadata()
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.9
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.10
|
||||
- [s390] KVM: s390: move kvm_guest_enter,exit closer to sie
|
||||
- mac80211: don't wait for TX status forever
|
||||
- tracing/kprobe: Wait for disabling all running kprobe handlers
|
||||
- tracing: Fix many race conditions including potential use-after-free
|
||||
- tracing/kprobes: Fail to unregister if probe event files are in use
|
||||
- tracing/uprobes: Fail to unregister if probe event files are in use
|
||||
- ftrace: Check module functions being traced on reload
|
||||
- zd1201: do not use stack as URB transfer_buffer
|
||||
- VFS: collect_mounts() should return an ERR_PTR
|
||||
- [arm] davinci: nand: specify ecc strength
|
||||
- drm/radeon/r7xx: fix copy paste typo in golden register setup
|
||||
- drm/radeon: fix UVD message buffer validation
|
||||
- drm/i915: Invalidate TLBs for the rings after a reset
|
||||
- nilfs2: remove double bio_put() in nilfs_end_bio_write() for
|
||||
BIO_EOPNOTSUPP error
|
||||
- Hostap: copying wrong data prism2_ioctl_giwaplist()
|
||||
- SCSI: zfcp: fix lock imbalance by reworking request queue locking
|
||||
- SCSI: zfcp: fix schedule-inside-lock in scsi_device list loops
|
||||
- SCSI: sg: Fix user memory corruption when SG_IO is interrupted by a
|
||||
signal
|
||||
- [x86] get_unmapped_area: Access mmap_legacy_base through mm_struct member
|
||||
- bcache: FUA fixes
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.11
|
||||
- drm/nouveau/mc: fix race condition between constructor and request_irq()
|
||||
- jfs: fix readdir cookie incompatibility with NFSv4 (Closes: #714974)
|
||||
- [powerpc] Work around gcc miscompilation of __pa() on 64-bit
|
||||
- [powerpc] Don't Oops when accessing /proc/powerpc/lparcfg without
|
||||
hypervisor
|
||||
- timer_list: correct the iterator for timer_list
|
||||
- drivers/base/memory.c: fix show_mem_removable() to handle missing sections
|
||||
- memcg: check that kmem_cache has memcg_params before accessing it
|
||||
- SUNRPC: Fix memory corruption issue on 32-bit highmem systems
|
||||
- ath9k_htc: Restore skb headroom when returning skb to mac80211
|
||||
- iscsi-target: Fix ImmediateData=Yes failure regression in >= v3.10
|
||||
- iscsi-target: Fix potential NULL pointer in solicited NOPOUT reject
|
||||
- ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT
|
||||
- regmap: rbtree: Fix overlapping rbnodes.
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [rt] Update to 3.10.10-rt7:
|
||||
- hwlat-detector: Update hwlat_detector to add outer loop detection
|
||||
- hwlat-detector: Use thread instead of stop machine
|
||||
- hwlat-detector: Use trace_clock_local if available
|
||||
- genirq: do not invoke the affinity callback via a workqueue
|
||||
- simple-wait: rename and export the equivalent of waitqueue_active()
|
||||
- simple-wait: Fix a race condition with swait wakeups vs adding items
|
||||
to the list
|
||||
- rcu: Use swait_wake_all() in rcu_nocb_gp_cleanup()
|
||||
* aufs: Update to aufs3.10-20130826
|
||||
* aufs: mvdown, don't let unprivileged users provoke a WARNING
|
||||
* [x86] ACPI: Re-enable ACPI_HOTPLUG_MEMORY as built-in
|
||||
* [x86] amd64_edac: Fix single-channel setups (Closes: #717473)
|
||||
* [x86] efi: Ensure efi-pstore is loaded on EFI systems
|
||||
* bug script: Prompt to include crash logs from pstore
|
||||
* ipv6: remove max_addresses check from ipv6_create_tempaddr (CVE-2013-0343)
|
||||
* HID: validate HID report id size (CVE-2013-2888)
|
||||
* HID: pantherlord: validate output report details (CVE-2013-2892)
|
||||
* HID: ntrig: validate feature report details (CVE-2013-2896)
|
||||
* HID: sensor-hub: validate feature report details (CVE-2013-2898)
|
||||
* HID: picolcd_core: validate output report details (CVE-2013-2899)
|
||||
* HID: check for NULL field when setting values
|
||||
|
||||
[ Ian Campbell ]
|
||||
* [armel]: Enable MVMDIO and USB_EHCI_HCD_ORION on Kirkwood and Orion
|
||||
(Closes: #719680)
|
||||
* Bump ABI to 3
|
||||
* [armhf]: Add udebs for armmp flavour
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 10 Sep 2013 14:13:16 +0100
|
||||
|
||||
linux (3.10.7-1) unstable; urgency=low
|
||||
|
||||
* New upstream stable update:
|
||||
|
|
|
@ -441,6 +441,8 @@ CONFIG_MTD_UBI=y
|
|||
## file: drivers/net/ethernet/marvell/Kconfig
|
||||
##
|
||||
CONFIG_MV643XX_ETH=m
|
||||
CONFIG_MVMDIO=m
|
||||
|
||||
# CONFIG_SKGE is not set
|
||||
# CONFIG_SKY2 is not set
|
||||
|
||||
|
@ -621,6 +623,7 @@ CONFIG_USB_SPEEDTOUCH=m
|
|||
## file: drivers/usb/host/Kconfig
|
||||
##
|
||||
CONFIG_USB_EHCI_HCD=m
|
||||
CONFIG_USB_EHCI_HCD_ORION=y
|
||||
# CONFIG_USB_ISP116X_HCD is not set
|
||||
CONFIG_USB_OHCI_HCD=m
|
||||
CONFIG_USB_UHCI_HCD=m
|
||||
|
|
|
@ -394,6 +394,7 @@ CONFIG_MTD_NAND_ORION=y
|
|||
## file: drivers/net/ethernet/marvell/Kconfig
|
||||
##
|
||||
CONFIG_MV643XX_ETH=m
|
||||
CONFIG_MVMDIO=m
|
||||
# CONFIG_SKGE is not set
|
||||
# CONFIG_SKY2 is not set
|
||||
|
||||
|
@ -539,6 +540,7 @@ CONFIG_USB_SPEEDTOUCH=m
|
|||
## file: drivers/usb/host/Kconfig
|
||||
##
|
||||
CONFIG_USB_EHCI_HCD=m
|
||||
CONFIG_USB_EHCI_HCD_ORION=y
|
||||
# CONFIG_USB_ISP116X_HCD is not set
|
||||
CONFIG_USB_OHCI_HCD=m
|
||||
CONFIG_USB_UHCI_HCD=m
|
||||
|
|
|
@ -397,7 +397,7 @@ CONFIG_FIREWIRE_NOSY=m
|
|||
## file: drivers/firmware/efi/Kconfig
|
||||
##
|
||||
CONFIG_EFI_VARS=m
|
||||
CONFIG_EFI_VARS_PSTORE=y
|
||||
CONFIG_EFI_VARS_PSTORE=m
|
||||
# CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE is not set
|
||||
|
||||
##
|
||||
|
|
|
@ -6,6 +6,3 @@ CONFIG_WAKEUP_LATENCY_HIST=y
|
|||
|
||||
## disable aufs as it's not needed on rt and conflicts with fs-dentry-use-seqlock.patch
|
||||
# CONFIG_AUFS_FS is not set
|
||||
|
||||
## disable bcache as it uses {down,up}_read_non_owner() which don't exist on rt
|
||||
# CONFIG_BCACHE is not set
|
||||
|
|
|
@ -155,7 +155,7 @@ CONFIG_ACPI_THERMAL=m
|
|||
# CONFIG_ACPI_DEBUG is not set
|
||||
CONFIG_ACPI_PCI_SLOT=y
|
||||
CONFIG_ACPI_CONTAINER=y
|
||||
CONFIG_ACPI_HOTPLUG_MEMORY=m
|
||||
CONFIG_ACPI_HOTPLUG_MEMORY=y
|
||||
CONFIG_ACPI_SBS=m
|
||||
CONFIG_ACPI_HED=m
|
||||
# CONFIG_ACPI_CUSTOM_METHOD is not set
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
# arch version flavour installedname suffix build-depends
|
||||
armhf - armmp - y -
|
||||
armhf - mx5 - y -
|
||||
armhf - vexpress - y -
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
libata
|
|
@ -0,0 +1 @@
|
|||
#include <btrfs-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <core-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <crc-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <crypto-dm-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <crypto-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <event-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <ext2-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <ext3-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <ext4-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <fat-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <fuse-modules>
|
|
@ -0,0 +1,4 @@
|
|||
#include <input-modules>
|
||||
usbhid -
|
||||
usbmouse -
|
||||
usbkbd -
|
|
@ -0,0 +1 @@
|
|||
#include <isofs-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <jfs-modules>
|
|
@ -0,0 +1 @@
|
|||
# empty
|
|
@ -0,0 +1 @@
|
|||
#include <loop-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <md-modules>
|
|
@ -0,0 +1,2 @@
|
|||
#include <mmc-modules>
|
||||
sdhci-esdhc-imx
|
|
@ -0,0 +1 @@
|
|||
#include <multipath-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <nbd-modules>
|
|
@ -0,0 +1,5 @@
|
|||
mvneta
|
||||
mvmdio
|
||||
smsc911x
|
||||
sun4i-emac
|
||||
xgmac
|
|
@ -0,0 +1 @@
|
|||
#include <nic-shared-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <nic-usb-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <nic-wireless-modules>
|
|
@ -0,0 +1 @@
|
|||
pata_imx
|
|
@ -0,0 +1,4 @@
|
|||
#include <sata-modules>
|
||||
ahci_platform
|
||||
sata_highbank
|
||||
|
|
@ -0,0 +1 @@
|
|||
#include <scsi-core-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <squashfs-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <udf-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <uinput-modules>
|
|
@ -0,0 +1 @@
|
|||
#include <usb-modules>
|
|
@ -0,0 +1,2 @@
|
|||
#include <usb-storage-modules>
|
||||
usb-storage -
|
30
debian/patches/bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
vendored
Normal file
|
@ -0,0 +1,30 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:32:01 +0200
|
||||
Subject: [6/6] HID: check for NULL field when setting values
|
||||
Origin: https://git.kernel.org/linus/be67b68d52fa28b9b721c47bb42068f0c1214855
|
||||
|
||||
Defensively check that the field to be worked on is not NULL.
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -1156,7 +1156,12 @@ EXPORT_SYMBOL_GPL(hid_output_report);
|
||||
|
||||
int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
|
||||
{
|
||||
- unsigned size = field->report_size;
|
||||
+ unsigned size;
|
||||
+
|
||||
+ if (!field)
|
||||
+ return -1;
|
||||
+
|
||||
+ size = field->report_size;
|
||||
|
||||
hid_dump_input(field->report->device, field->usage + offset, value);
|
||||
|
|
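Review bot: The new `if (!field) return -1;` path at the top of hid_set_field() fails silently, and the description ("Defensively check") does not say which caller can reach it with a NULL field. Name that path in the commit message, and consider a one-time diagnostic so the check does not hide the caller bug it guards against.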
@ -0,0 +1,37 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:28 +0200
|
||||
Subject: [3/6] HID: ntrig: validate feature report details
|
||||
Origin: https://git.kernel.org/linus/875b4e3763dbc941f15143dd1a18d10bb0be303b
|
||||
|
||||
A HID device could send a malicious feature report that would cause the
|
||||
ntrig HID driver to trigger a NULL dereference during initialization:
|
||||
|
||||
[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
|
||||
...
|
||||
[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
|
||||
[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
|
||||
|
||||
CVE-2013-2896
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-ntrig.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
|
||||
index 98d1fdf..600f207 100644
|
||||
--- a/drivers/hid/hid-ntrig.c
|
||||
+++ b/drivers/hid/hid-ntrig.c
|
||||
@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
|
||||
struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
|
||||
report_id_hash[0x0d];
|
||||
|
||||
- if (!report)
|
||||
+ if (!report || report->maxfield < 1 ||
|
||||
+ report->field[0]->report_count < 1)
|
||||
return -EINVAL;
|
||||
|
||||
hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
|
43
debian/patches/bugfix/all/HID-pantherlord-validate-output-report-details.patch
vendored
Normal file
|
@ -0,0 +1,43 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:30:49 +0200
|
||||
Subject: [2/6] HID: pantherlord: validate output report details
|
||||
Origin: https://git.kernel.org/linus/412f30105ec6735224535791eed5cdc02888ecb4
|
||||
|
||||
A HID device could send a malicious output report that would cause the
|
||||
pantherlord HID driver to write beyond the output report allocation
|
||||
during initialization, causing a heap overflow:
|
||||
|
||||
[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
|
||||
...
|
||||
[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten
|
||||
|
||||
CVE-2013-2892
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-pl.c | 10 ++++++++--
|
||||
1 file changed, 8 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
|
||||
index d29112f..2dcd7d9 100644
|
||||
--- a/drivers/hid/hid-pl.c
|
||||
+++ b/drivers/hid/hid-pl.c
|
||||
@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
|
||||
strong = &report->field[0]->value[2];
|
||||
weak = &report->field[0]->value[3];
|
||||
debug("detected single-field device");
|
||||
- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
|
||||
- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
|
||||
+ } else if (report->field[0]->maxusage == 1 &&
|
||||
+ report->field[0]->usage[0].hid ==
|
||||
+ (HID_UP_LED | 0x43) &&
|
||||
+ report->maxfield >= 4 &&
|
||||
+ report->field[0]->report_count >= 1 &&
|
||||
+ report->field[1]->report_count >= 1 &&
|
||||
+ report->field[2]->report_count >= 1 &&
|
||||
+ report->field[3]->report_count >= 1) {
|
||||
report->field[0]->value[0] = 0x00;
|
||||
report->field[1]->value[0] = 0x00;
|
||||
strong = &report->field[2]->value[0];
|
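Review bot: The rewritten `else if` in plff_init() now evaluates `report->field[0]->maxusage` and `report->field[0]->usage[0].hid` before `report->maxfield >= 4`, whereas the removed condition tested maxfield first. Unless maxfield >= 1 is already guaranteed above this hunk, keep `report->maxfield >= 4` as the first operand so that every field[] access in the condition is bounded before it is dereferenced.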
45
debian/patches/bugfix/all/HID-picolcd_core-validate-output-report-details.patch
vendored
Normal file
|
@ -0,0 +1,45 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:52 +0200
|
||||
Subject: [5/6] HID: picolcd_core: validate output report details
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
Origin: https://git.kernel.org/linus/1e87a2456b0227ca4ab881e19a11bb99d164e792
|
||||
|
||||
A HID device could send a malicious output report that would cause the
|
||||
picolcd HID driver to trigger a NULL dereference during attr file writing.
|
||||
|
||||
[jkosina@suse.cz: changed
|
||||
|
||||
report->maxfield < 1
|
||||
|
||||
to
|
||||
|
||||
report->maxfield != 1
|
||||
|
||||
as suggested by Bruno].
|
||||
|
||||
CVE-2013-2899
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-picolcd_core.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
|
||||
index b48092d..acbb0210 100644
|
||||
--- a/drivers/hid/hid-picolcd_core.c
|
||||
+++ b/drivers/hid/hid-picolcd_core.c
|
||||
@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
|
||||
buf += 10;
|
||||
cnt -= 10;
|
||||
}
|
||||
- if (!report)
|
||||
+ if (!report || report->maxfield != 1)
|
||||
return -EINVAL;
|
||||
|
||||
while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
|
33
debian/patches/bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
vendored
Normal file
|
@ -0,0 +1,33 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:31:44 +0200
|
||||
Subject: [4/6] HID: sensor-hub: validate feature report details
|
||||
Origin: https://git.kernel.org/linus/9e8910257397372633e74b333ef891f20c800ee4
|
||||
|
||||
A HID device could send a malicious feature report that would cause the
|
||||
sensor-hub HID driver to read past the end of heap allocation, leaking
|
||||
kernel memory contents to the caller.
|
||||
|
||||
CVE-2013-2898
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-sensor-hub.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
|
||||
index ffc80cf..6fca30e 100644
|
||||
--- a/drivers/hid/hid-sensor-hub.c
|
||||
+++ b/drivers/hid/hid-sensor-hub.c
|
||||
@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
|
||||
|
||||
mutex_lock(&data->mutex);
|
||||
report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
|
||||
- if (!report || (field_index >= report->maxfield)) {
|
||||
+ if (!report || (field_index >= report->maxfield) ||
|
||||
+ report->field[field_index]->report_count < 1) {
|
||||
ret = -EINVAL;
|
||||
goto done_proc;
|
||||
}
|
|
@ -0,0 +1,76 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 28 Aug 2013 22:29:55 +0200
|
||||
Subject: [1/6] HID: validate HID report id size
|
||||
Origin: https://git.kernel.org/linus/43622021d2e2b82ea03d883926605bdd0525e1d1
|
||||
|
||||
The "Report ID" field of a HID report is used to build indexes of
|
||||
reports. The kernel's index of these is limited to 256 entries, so any
|
||||
malicious device that sets a Report ID greater than 255 will trigger
|
||||
memory corruption on the host:
|
||||
|
||||
[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
|
||||
[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
|
||||
|
||||
CVE-2013-2888
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
|
||||
---
|
||||
drivers/hid/hid-core.c | 10 +++++++---
|
||||
include/linux/hid.h | 4 +++-
|
||||
2 files changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
|
||||
index 36668d1..5ea7d51 100644
|
||||
--- a/drivers/hid/hid-core.c
|
||||
+++ b/drivers/hid/hid-core.c
|
||||
@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
|
||||
struct hid_report_enum *report_enum = device->report_enum + type;
|
||||
struct hid_report *report;
|
||||
|
||||
+ if (id >= HID_MAX_IDS)
|
||||
+ return NULL;
|
||||
if (report_enum->report_id_hash[id])
|
||||
return report_enum->report_id_hash[id];
|
||||
|
||||
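Review bot: The added `if (id >= HID_MAX_IDS) return NULL;` in hid_register_report() creates a NULL return for an out-of-range id, and the callers are not part of this patch. Confirm that each caller treats NULL as a failure before using the report. A blank line between the new check and the following `if (report_enum->report_id_hash[id])` would also make the guard stand out.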
@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
|
||||
|
||||
case HID_GLOBAL_ITEM_TAG_REPORT_ID:
|
||||
parser->global.report_id = item_udata(item);
|
||||
- if (parser->global.report_id == 0) {
|
||||
- hid_err(parser->device, "report_id 0 is invalid\n");
|
||||
+ if (parser->global.report_id == 0 ||
|
||||
+ parser->global.report_id >= HID_MAX_IDS) {
|
||||
+ hid_err(parser->device, "report_id %u is invalid\n",
|
||||
+ parser->global.report_id);
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
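Review bot: In the HID_GLOBAL_ITEM_TAG_REPORT_ID case the value is stored in `parser->global.report_id` before the new range check rejects it, so the parser state briefly holds an id >= HID_MAX_IDS. Validating `item_udata(item)` in a local first and assigning only on success would keep invalid ids out of the parser state even if a later change stops aborting on this error.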
@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
|
||||
for (i = 0; i < HID_REPORT_TYPES; i++) {
|
||||
struct hid_report_enum *report_enum = device->report_enum + i;
|
||||
|
||||
- for (j = 0; j < 256; j++) {
|
||||
+ for (j = 0; j < HID_MAX_IDS; j++) {
|
||||
struct hid_report *report = report_enum->report_id_hash[j];
|
||||
if (report)
|
||||
hid_free_report(report);
|
||||
diff --git a/include/linux/hid.h b/include/linux/hid.h
|
||||
index 0c48991..ff545cc 100644
|
||||
--- a/include/linux/hid.h
|
||||
+++ b/include/linux/hid.h
|
||||
@@ -393,10 +393,12 @@ struct hid_report {
|
||||
struct hid_device *device; /* associated device */
|
||||
};
|
||||
|
||||
+#define HID_MAX_IDS 256
|
||||
+
|
||||
struct hid_report_enum {
|
||||
unsigned numbered;
|
||||
struct list_head report_list;
|
||||
- struct hid_report *report_id_hash[256];
|
||||
+ struct hid_report *report_id_hash[HID_MAX_IDS];
|
||||
};
|
||||
|
||||
#define HID_REPORT_TYPES 3
|
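Review bot: `#define HID_MAX_IDS 256` is introduced in hid.h without a comment. A one-line note that it bounds both `report_id_hash[]` and the Report ID values accepted by the parser would document why the three call sites in hid-core.c must use it rather than a literal.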
60
debian/patches/bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
vendored
Normal file
|
@ -0,0 +1,60 @@
|
|||
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Date: Fri, 16 Aug 2013 13:02:27 +0200
|
||||
Subject: ipv6: remove max_addresses check from ipv6_create_tempaddr
|
||||
Origin: https://git.kernel.org/linus/4b08a8f1bd8cb4541c93ec170027b4d0782dab52
|
||||
|
||||
Because of the max_addresses check attackers were able to disable privacy
|
||||
extensions on an interface by creating enough autoconfigured addresses:
|
||||
|
||||
<http://seclists.org/oss-sec/2012/q4/292>
|
||||
|
||||
But the check is not actually needed: max_addresses protects the
|
||||
kernel to install too many ipv6 addresses on an interface and guards
|
||||
addrconf_prefix_rcv to install further addresses as soon as this limit
|
||||
is reached. We only generate temporary addresses in direct response of
|
||||
a new address showing up. As soon as we filled up the maximum number of
|
||||
addresses of an interface, we stop installing more addresses and thus
|
||||
also stop generating more temp addresses.
|
||||
|
||||
Even if the attacker tries to generate a lot of temporary addresses
|
||||
by announcing a prefix and removing it again (lifetime == 0) we won't
|
||||
install more temp addresses, because the temporary addresses do count
|
||||
to the maximum number of addresses, thus we would stop installing new
|
||||
autoconfigured addresses when the limit is reached.
|
||||
|
||||
This patch fixes CVE-2013-0343 (but other layer-2 attacks are still
|
||||
possible).
|
||||
|
||||
Thanks to Ding Tianhong to bring this topic up again.
|
||||
|
||||
Cc: Ding Tianhong <dingtianhong@huawei.com>
|
||||
Cc: George Kargiotakis <kargig@void.gr>
|
||||
Cc: P J P <ppandit@redhat.com>
|
||||
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
|
||||
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
|
||||
Acked-by: Ding Tianhong <dingtianhong@huawei.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
[bwh: Backported to 3.10: adjust ipv6_add_addr() parameter list]
|
||||
---
|
||||
net/ipv6/addrconf.c | 10 ++++------
|
||||
1 file changed, 4 insertions(+), 6 deletions(-)
|
||||
|
||||
--- a/net/ipv6/addrconf.c
|
||||
+++ b/net/ipv6/addrconf.c
|
||||
@@ -1124,12 +1124,10 @@ retry:
|
||||
if (ifp->flags & IFA_F_OPTIMISTIC)
|
||||
addr_flags |= IFA_F_OPTIMISTIC;
|
||||
|
||||
- ift = !max_addresses ||
|
||||
- ipv6_count_addresses(idev) < max_addresses ?
|
||||
- ipv6_add_addr(idev, &addr, tmp_plen,
|
||||
- ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
|
||||
- addr_flags) : NULL;
|
||||
- if (IS_ERR_OR_NULL(ift)) {
|
||||
+ ift = ipv6_add_addr(idev, &addr, tmp_plen,
|
||||
+ ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK,
|
||||
+ addr_flags);
|
||||
+ if (IS_ERR(ift)) {
|
||||
in6_ifa_put(ifp);
|
||||
in6_dev_put(idev);
|
||||
pr_info("%s: retry temporary address regeneration\n", __func__);
|
|
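Review bot: Replacing `IS_ERR_OR_NULL(ift)` with `IS_ERR(ift)` is only safe if ipv6_add_addr() in this tree never returns NULL, since the NULL that the old test handled came from the removed `: NULL` arm of the ternary. The "[bwh: Backported to 3.10: adjust ipv6_add_addr() parameter list]" note shows the function differs from upstream here, so confirm its return convention in 3.10 and say so in the backport note.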
@ -0,0 +1,46 @@
|
|||
From: Borislav Petkov <bp@suse.de>
|
||||
Date: Tue, 23 Jul 2013 20:01:23 +0200
|
||||
Subject: amd64_edac: Fix single-channel setups
|
||||
Origin: https://git.kernel.org/linus/f0a56c480196a98479760862468cc95879df3de0
|
||||
Bug-Debian: http://bugs.debian.org/717473
|
||||
|
||||
It can happen that configurations are running in a single-channel mode
|
||||
even with a dual-channel memory controller, by, say, putting the DIMMs
|
||||
only on the one channel and leaving the other empty. This causes a
|
||||
problem in init_csrows which implicitly assumes that when the second
|
||||
channel is enabled, i.e. channel 1, the struct dimm hierarchy will be
|
||||
present. Which is not.
|
||||
|
||||
So always allocate two channels unconditionally.
|
||||
|
||||
This provides for the nice side effect that the data structures are
|
||||
initialized so some day, when memory hotplug is supported, it should
|
||||
just work out of the box when all of a sudden a second channel appears.
|
||||
|
||||
Reported-and-tested-by: Roger Leigh <rleigh@debian.org>
|
||||
Signed-off-by: Borislav Petkov <bp@suse.de>
|
||||
---
|
||||
drivers/edac/amd64_edac.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c
|
||||
index 8b6a034..8b3d901 100644
|
||||
--- a/drivers/edac/amd64_edac.c
|
||||
+++ b/drivers/edac/amd64_edac.c
|
||||
@@ -2470,8 +2470,15 @@ static int amd64_init_one_instance(struct pci_dev *F2)
|
||||
layers[0].size = pvt->csels[0].b_cnt;
|
||||
layers[0].is_virt_csrow = true;
|
||||
layers[1].type = EDAC_MC_LAYER_CHANNEL;
|
||||
- layers[1].size = pvt->channel_count;
|
||||
+
|
||||
+ /*
|
||||
+ * Always allocate two channels since we can have setups with DIMMs on
|
||||
+ * only one channel. Also, this simplifies handling later for the price
|
||||
+ * of a couple of KBs tops.
|
||||
+ */
|
||||
+ layers[1].size = 2;
|
||||
layers[1].is_virt_csrow = false;
|
||||
+
|
||||
mci = edac_mc_alloc(nid, ARRAY_SIZE(layers), layers, 0);
|
||||
if (!mci)
|
||||
goto err_siblings;
|
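Review bot: `layers[1].size = 2;` in amd64_init_one_instance() hard-codes the channel count as a bare literal while `pvt->channel_count` stays in use elsewhere. A named constant would make the intent greppable, and the description should state that code iterating over channels must tolerate an allocated but unpopulated second channel.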
38
debian/patches/features/all/aufs3/aufs-mvdown-don-t-let-unprivileged-users-provoke-a-W.patch
vendored
Normal file
|
@ -0,0 +1,38 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sat, 31 Aug 2013 18:34:51 +0100
|
||||
Subject: aufs: mvdown, don't let unprivileged users provoke a WARNING
|
||||
Forwarded:
|
||||
|
||||
Move the WARN_ONCE() about mvdown after the capability check.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
fs/aufs/ioctl.c | 1 -
|
||||
fs/aufs/mvdown.c | 2 ++
|
||||
2 files changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/fs/aufs/ioctl.c b/fs/aufs/ioctl.c
|
||||
index 628d627..1ac7688 100644
|
||||
--- a/fs/aufs/ioctl.c
|
||||
+++ b/fs/aufs/ioctl.c
|
||||
@@ -152,7 +152,6 @@ long aufs_ioctl_nondir(struct file *file, unsigned int cmd, unsigned long arg)
|
||||
|
||||
switch (cmd) {
|
||||
case AUFS_CTL_MVDOWN:
|
||||
- WARN_ONCE(1, "move-down is still testing...\n");
|
||||
err = au_mvdown(file->f_dentry, (void __user *)arg);
|
||||
break;
|
||||
|
||||
diff --git a/fs/aufs/mvdown.c b/fs/aufs/mvdown.c
|
||||
index e68002e..5f56645 100644
|
||||
--- a/fs/aufs/mvdown.c
|
||||
+++ b/fs/aufs/mvdown.c
|
||||
@@ -489,6 +489,8 @@ int au_mvdown(struct dentry *dentry, struct aufs_mvdown __user *uarg)
|
||||
if (unlikely(!capable(CAP_SYS_ADMIN)))
|
||||
goto out;
|
||||
|
||||
+ WARN_ONCE(1, "move-down is still testing...\n");
|
||||
+
|
||||
err = -ENOMEM;
|
||||
args = kmalloc(sizeof(*args), GFP_NOFS);
|
||||
if (unlikely(!args))
|
|
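Review bot: The `Forwarded:` header of this patch is left empty. Fill it in (`no`, `not-needed`, or the upstream reference) so it is clear whether the aufs maintainers have seen a change that is labelled a security fix in the series file.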
@ -6,12 +6,13 @@ Forwarded: no
|
|||
|
||||
efivars is generally useful to have on EFI systems, and in some cases
|
||||
it may be impossible to load it after a kernel upgrade in order to
|
||||
complete a boot loader update. At the same time we don't want to
|
||||
waste memory on non-EFI systems by making it built-in.
|
||||
complete a boot loader update. efi-pstore is similarly useful though
|
||||
less critical. At the same time we don't want to waste memory on
|
||||
non-EFI systems by making them built-in.
|
||||
|
||||
Instead, give it a module alias as if it's a platform driver, and
|
||||
Instead, give them module aliases as if they are platform drivers, and
|
||||
register a corresponding platform device whenever EFI runtime services
|
||||
are available. This should trigger udev to load it.
|
||||
are available. This should trigger udev to load them.
|
||||
|
||||
---
|
||||
--- a/arch/x86/platform/efi/efi.c
|
||||
|
@ -55,3 +56,10 @@ are available. This should trigger udev to load it.
|
|||
|
||||
LIST_HEAD(efivar_sysfs_list);
|
||||
EXPORT_SYMBOL_GPL(efivar_sysfs_list);
|
||||
--- a/drivers/firmware/efi/efi-pstore.c
|
||||
+++ b/drivers/firmware/efi/efi-pstore.c
|
||||
@@ -250,3 +250,4 @@ module_exit(efivars_pstore_exit);
|
||||
|
||||
MODULE_DESCRIPTION("EFI variable backend for pstore");
|
||||
MODULE_LICENSE("GPL");
|
||||
+MODULE_ALIAS("platform:efivars");
|
||||
|
|
|
@ -27,6 +27,8 @@ features/all/aufs3/aufs3-add.patch
|
|||
debian/aufs3-mark-as-staging.patch
|
||||
# hide broken config option
|
||||
debian/AUFS_PROC_MAP-is-BROKEN.patch
|
||||
# security fix
|
||||
#features/all/aufs3/aufs-mvdown-don-t-let-unprivileged-users-provoke-a-W.patch
|
||||
|
||||
# Change some defaults for security reasons
|
||||
features/all/sysrq-mask.patch
|
||||
|
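Review bot: The aufs mvdown patch is added under `# security fix` with a leading `#`, so quilt will not apply it, while the 3.10.11-1 changelog entry lists "aufs: mvdown, don't let unprivileged users provoke a WARNING" as a change in this upload. Either enable the line or add a comment here and in the changelog explaining why it is disabled on trunk.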
@ -79,3 +81,12 @@ bugfix/all/irq-Always-define-devm_-request_threaded-free-_irq.patch
|
|||
|
||||
# m68k IRQ bugfix
|
||||
bugfix/m68k/atari-irqs.patch
|
||||
|
||||
bugfix/x86/amd64_edac-Fix-single-channel-setups.patch
|
||||
bugfix/all/ipv6-remove-max_addresses-check-from-ipv6_create_tem.patch
|
||||
bugfix/all/HID-validate-HID-report-id-size.patch
|
||||
bugfix/all/HID-pantherlord-validate-output-report-details.patch
|
||||
bugfix/all/HID-ntrig-validate-feature-report-details.patch
|
||||
bugfix/all/HID-sensor-hub-validate-feature-report-details.patch
|
||||
bugfix/all/HID-picolcd_core-validate-output-report-details.patch
|
||||
bugfix/all/HID-check-for-NULL-field-when-setting-values.patch
|
||||
|
|
|
@ -0,0 +1,77 @@
|
|||
_add_pstore_log() {
|
||||
if [ $# -le 3 ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
local backend="$1"
|
||||
local event="$2"
|
||||
local date="$3"
|
||||
|
||||
yesno "Include log of $event at $(date -d @$date +%c) stored by $backend?" yep
|
||||
if [ $REPLY != yep ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
echo >&3
|
||||
echo "*** Log of $event at $(date -d @$date -Iseconds) from $backend" >&3
|
||||
|
||||
shift 3
|
||||
for file in "$@"; do
|
||||
tail -n +2 "$file" | sed 's/^<.>//' >&3
|
||||
done
|
||||
}
|
||||
|
||||
add_pstore() {
|
||||
local backend
|
||||
local i
|
||||
local j
|
||||
local file
|
||||
local date
|
||||
local head
|
||||
local event
|
||||
local log_files
|
||||
|
||||
if ! mountpoint -q /sys/fs/pstore; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
set -- /sys/fs/pstore/dmesg-*-1
|
||||
backend=${1#*/dmesg-}
|
||||
backend=${backend%-1}
|
||||
if [ "$backend" = '*' ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
i=1
|
||||
while [ -f /sys/fs/pstore/dmesg-$backend-$i ]; do
|
||||
file=/sys/fs/pstore/dmesg-$backend-$i
|
||||
head="$(head -1 "$file")"
|
||||
|
||||
# Is this the first part of a log?
|
||||
if [ "x${head% Part1}" != "x$head" ]; then
|
||||
# Flush previous log, if any
|
||||
_add_pstore_log "$backend" "$event" "$date" $log_files
|
||||
|
||||
event="${head% Part1}"
|
||||
date=$(stat -c %Y $file)
|
||||
log_files=
|
||||
j=1
|
||||
fi
|
||||
|
||||
if [ "x$head" = "x$event Part$j" ]; then
|
||||
# Each part is prepended to the list, because they're numbered
|
||||
# backward in log history
|
||||
log_files="$file $log_files"
|
||||
j=$((j + 1))
|
||||
fi
|
||||
|
||||
i=$((i + 1))
|
||||
done
|
||||
|
||||
# Flush last log, if any
|
||||
_add_pstore_log "$backend" "$event" "$date" $log_files
|
||||
}
|
||||
|
||||
ask_pstore() {
|
||||
add_pstore
|
||||
}
|
|
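Review bot: `[ $REPLY != yep ]` in _add_pstore_log leaves `$REPLY` unquoted, so an empty reply turns the test into a syntax error instead of a "no". Quote it as `[ "$REPLY" != yep ]`, and do the same for `stat -c %Y $file` and the `[ -f /sys/fs/pstore/dmesg-$backend-$i ]` test in add_pstore, since the backend name comes from a filename glob.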
@ -6,3 +6,9 @@ If you are reporting that the kernel fails to boot, please use a digital
|
|||
camera, serial console or netconsole to record the boot messages and
|
||||
attach these to your report. You can use the kernel parameter
|
||||
'boot_delay=1000' to slow down the boot messages.
|
||||
|
||||
If you are reporting a crash on a system that boots using EFI, it may
|
||||
be useful to mount the 'pstore' filesystem so that a crash log can be
|
||||
retrieved from flash memory. You can do this by running (as root):
|
||||
|
||||
mount -t pstore pstore /sys/fs/pstore
|
||||
|
|