diff --git a/debian/changelog b/debian/changelog
index fbcb2ec43..99577bbc5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,13 @@ linux (3.12.2-1~exp1) UNRELEASED; urgency=low
 * Enable CHECKPOINT_RESTORE (Closes: #682700)
 * Enable JUMP_LABEL (Closes: #730071)
 * [x86] staging: Enable CRYSTALHD as module (Closes: #730832)
+ * net: clamp ->msg_namelen instead of returning an error
+ * tcp: tsq: restore minimal amount of queueing
+ * rds: prevent BUG_ON triggered on congestion update to loopback
+ (CVE-2012-2372)
+ * ipv6: fix headroom calculation in udp6_ufo_fragment (CVE-2013-4563)
+ * [s390,s390x] qeth: avoid buffer overflow in snmp ioctl (CVE-2013-6381)
+ * xfs: underflow bug in xfs_attrlist_by_handle() (CVE-2013-6382)
 
 [ Bastian Blank ]
 * Use compiler name instead of Linux version in compiler meta-packages.
diff --git a/debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
new file mode 100644
index 000000000..92c5fa086
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
@@ -0,0 +1,35 @@
+From: Hannes Frederic Sowa
+Date: Tue, 5 Nov 2013 02:41:27 +0100
+Subject: ipv6: fix headroom calculation in udp6_ufo_fragment
+Origin: https://git.kernel.org/linus/0e033e04c2678dbbe74a46b23fffb7bb918c288e
+
+Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp
+fragmentation for tunnel traffic.") changed the calculation if
+there is enough space to include a fragment header in the skb from a
+skb->mac_header dervived one to skb_headroom. Because we already peeled
+off the skb to transport_header this is wrong. Change this back to check
+if we have enough room before the mac_header.
+
+This fixes a panic Saran Neti reported. He used the tbf scheduler which
+skb_gso_segments the skb. The offsets get negative and we panic in memcpy
+because the skb was erroneously not expanded at the head.
+
+Reported-by: Saran Neti
+Cc: Pravin B Shelar
+Signed-off-by: Hannes Frederic Sowa
+Signed-off-by: David S. Miller
+---
+ net/ipv6/udp_offload.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/udp_offload.c
++++ b/net/ipv6/udp_offload.c
+@@ -88,7 +88,7 @@ static struct sk_buff *udp6_ufo_fragment
+ 
+ /* Check if there is enough headroom to insert fragment header. */
+ tnl_hlen = skb_tnl_header_len(skb);
+- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) {
++ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) {
+ if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz))
+ goto out;
+ }
diff --git a/debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch b/debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
new file mode 100644
index 000000000..dbe220e26
--- /dev/null
+++ b/debian/patches/bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
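Review bot: The replacement condition `if (skb->mac_header < (tnl_hlen + frag_hdr_sz))` reads like a pointer comparison, but `mac_header` is an offset from `skb->head`, so it only means "bytes available in front of the outer L2 header" when the MAC header has actually been set on this skb; if it still holds the not-set sentinel the comparison is false and the `gso_pskb_expand_head()` branch is silently skipped. A comment above the check would pin the intent that the earlier `skb_headroom()` rewrite lost, e.g. `/* mac_header is an offset from skb->head; skb_headroom() is wrong here because we already pulled to transport_header */`. If the transmit paths that reach this code do not all guarantee `skb_mac_header_was_set()` (the callers are not visible to me), a `WARN_ON_ONCE` on that would be cheap insurance. udp6_ufo_fragment starts and ends outside the hunk.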
@@ -0,0 +1,47 @@
+From: Dan Carpenter
+Date: Wed, 27 Nov 2013 15:40:21 +0300
+Subject: net: clamp ->msg_namelen instead of returning an error
+Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=db31c55a6fb245fdbb752a2ca4aefec89afabb06
+
+If kmsg->msg_namelen > sizeof(struct sockaddr_storage) then in the
+original code that would lead to memory corruption in the kernel if you
+had audit configured. If you didn't have audit configured it was
+harmless.
+
+There are some programs such as beta versions of Ruby which use too
+large of a buffer and returning an error code breaks them. We should
+clamp the ->msg_namelen value instead.
+
+Fixes: 1661bf364ae9 ("net: heap overflow in __audit_sockaddr()")
+Reported-by: Eric Wong
+Signed-off-by: Dan Carpenter
+Tested-by: Eric Wong
+Acked-by: Eric Dumazet
+Signed-off-by: David S. Miller
+---
+ net/compat.c | 2 +-
+ net/socket.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/compat.c
++++ b/net/compat.c
+@@ -72,7 +72,7 @@ int get_compat_msghdr(struct msghdr *kms
+ __get_user(kmsg->msg_flags, &umsg->msg_flags))
+ return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+- return -EINVAL;
++ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ kmsg->msg_name = compat_ptr(tmp1);
+ kmsg->msg_iov = compat_ptr(tmp2);
+ kmsg->msg_control = compat_ptr(tmp3);
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1970,7 +1970,7 @@ static int copy_msghdr_from_user(struct
+ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr)))
+ return -EFAULT;
+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage))
+- return -EINVAL;
++ kmsg->msg_namelen = sizeof(struct sockaddr_storage);
+ return 0;
+ }
+
diff --git a/debian/patches/bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch b/debian/patches/bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
new file mode 100644
index 000000000..28d857a28
--- /dev/null
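Review bot: The clamp `kmsg->msg_namelen = sizeof(struct sockaddr_storage);` silently truncates a user-supplied length in both get_compat_msghdr and copy_msghdr_from_user, and nothing in the code says why clamping replaced the previous `-EINVAL`; that rationale lives only in the commit message, which is exactly what a later "tighten input validation" cleanup will not read. A one-line comment above each check would protect it, e.g. `/* Clamp rather than reject: real userspace passes oversized msg_namelen (see Fixes: 1661bf364ae9) */`. It is also worth stating that if msg_namelen is a signed int (its declaration is not in the hunk) the comparison against `sizeof(...)` promotes it to size_t, so a negative value is clamped too — that is the non-obvious reason a single `>` test is sufficient. Both enclosing functions extend beyond the hunk.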
+++ b/debian/patches/bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
@@ -0,0 +1,36 @@
+Subject: rds: prevent BUG_ON triggered on congestion update to loopback
+From: Venkat Venkatsubra
+Date: Mon, 25 Nov 2013 09:47:34 +0300
+Origin: http://patchwork.ozlabs.org/patch/293827/
+
+After congestion update on a local connection, when rds_ib_xmit returns
+less bytes than that are there in the message, rds_send_xmit calls
+back rds_ib_xmit with an offset that causes BUG_ON(off & RDS_FRAG_SIZE)
+to trigger.
+
+Reported-by: Josh Hunt
+Tested-by: Honggang Li
+Acked-by: Bang Nguyen
+Signed-off-by: Venkat Venkatsubra
+Signed-off-by: Dan Carpenter
+
+---
+net/rds/ib_send.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/net/rds/ib_send.c b/net/rds/ib_send.c
+index e590949..37be6e2 100644
+--- a/net/rds/ib_send.c
++++ b/net/rds/ib_send.c
+@@ -552,9 +552,8 @@ int rds_ib_xmit(struct rds_connection *conn, struct rds_message *rm,
+ && rm->m_inc.i_hdr.h_flags & RDS_FLAG_CONG_BITMAP) {
+ rds_cong_map_updated(conn->c_fcong, ~(u64) 0);
+ scat = &rm->data.op_sg[sg];
+- ret = sizeof(struct rds_header) + RDS_CONG_MAP_BYTES;
+- ret = min_t(int, ret, scat->length - conn->c_xmit_data_off);
+- return ret;
++ ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length);
++ return sizeof(struct rds_header) + ret;
+ }
+ 
+ /* FIXME we may overallocate here */
diff --git a/debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch b/debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch
new file mode 100644
index 000000000..78ef8c57c
--- /dev/null
+++ b/debian/patches/bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch
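Review bot: The new `return sizeof(struct rds_header) + ret;` with `ret = max_t(int, RDS_CONG_MAP_BYTES, scat->length)` deliberately reports the whole congestion map as transmitted so that rds_send_xmit never re-enters with a partial offset, but that contract is invisible at the call site and is the entire point of the fix; I would document it: `/* Report the full message as sent: a short count makes rds_send_xmit() call back with an offset and trip BUG_ON(off & RDS_FRAG_SIZE). */`. The old expression subtracted `conn->c_xmit_data_off`, which the new one ignores entirely — if the caller (not visible here) is now expected to reach this branch only with a zero data offset, a `WARN_ON_ONCE(conn->c_xmit_data_off)` would turn a future regression into a warning rather than a BUG. `max_t(int, ...)` also narrows `scat->length` to int; harmless for a congestion-map sized entry, but if the field is unsigned the cast type should match it. rds_ib_xmit starts and ends outside the hunk.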
@@ -0,0 +1,85 @@
+From: Eric Dumazet
+Date: Wed, 13 Nov 2013 06:32:54 -0800
+Subject: tcp: tsq: restore minimal amount of queueing
+Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=98e09386c0ef4dfd48af7ba60ff908f0d525cdee
+
+After commit c9eeec26e32e ("tcp: TSQ can use a dynamic limit"), several
+users reported throughput regressions, notably on mvneta and wifi
+adapters.
+
+802.11 AMPDU requires a fair amount of queueing to be effective.
+
+This patch partially reverts the change done in tcp_write_xmit()
+so that the minimal amount is sysctl_tcp_limit_output_bytes.
+
+It also remove the use of this sysctl while building skb stored
+in write queue, as TSO autosizing does the right thing anyway.
+
+Users with well behaving NICS and correct qdisc (like sch_fq),
+can then lower the default sysctl_tcp_limit_output_bytes value from
+128KB to 8KB.
+
+This new usage of sysctl_tcp_limit_output_bytes permits each driver
+authors to check how their driver performs when/if the value is set
+to a minimum of 4KB.
+
+Normally, line rate for a single TCP flow should be possible,
+but some drivers rely on timers to perform TX completion and
+too long TX completion delays prevent reaching full throughput.
+
+Fixes: c9eeec26e32e ("tcp: TSQ can use a dynamic limit")
+Signed-off-by: Eric Dumazet
+Reported-by: Sujith Manoharan
+Reported-by: Arnaud Ebalard
+Tested-by: Sujith Manoharan
+Cc: Felix Fietkau
+Signed-off-by: David S. Miller
+---
+ Documentation/networking/ip-sysctl.txt | 3 ---
+ net/ipv4/tcp.c | 6 ------
+ net/ipv4/tcp_output.c | 6 +++++-
+ 3 files changed, 5 insertions(+), 10 deletions(-)
+
+--- a/Documentation/networking/ip-sysctl.txt
++++ b/Documentation/networking/ip-sysctl.txt
+@@ -588,9 +588,6 @@ tcp_limit_output_bytes - INTEGER
+ typical pfifo_fast qdiscs.
+ tcp_limit_output_bytes limits the number of bytes on qdisc
+ or device to reduce artificial RTT/cwnd and reduce bufferbloat.
+- Note: For GSO/TSO enabled flows, we try to have at least two
+- packets in flight. Reducing tcp_limit_output_bytes might also
+- reduce the size of individual GSO packet (64KB being the max)
+ Default: 131072
+ 
+ tcp_challenge_ack_limit - INTEGER
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -806,12 +806,6 @@ static unsigned int tcp_xmit_size_goal(s
+ xmit_size_goal = min_t(u32, gso_size,
+ sk->sk_gso_max_size - 1 - hlen);
+ 
+- /* TSQ : try to have at least two segments in flight
+- * (one in NIC TX ring, another in Qdisc)
+- */
+- xmit_size_goal = min_t(u32, xmit_size_goal,
+- sysctl_tcp_limit_output_bytes >> 1);
+-
+ xmit_size_goal = tcp_bound_to_half_wnd(tp, xmit_size_goal);
+ 
+ /* We try hard to avoid divides here */
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -1875,8 +1875,12 @@ static bool tcp_write_xmit(struct sock *
+ * - better RTT estimation and ACK scheduling
+ * - faster recovery
+ * - high rates
++ * Alas, some drivers / subsystems require a fair amount
++ * of queued bytes to ensure line rate.
++ * One example is wifi aggregation (802.11 AMPDU)
+ */
+- limit = max(skb->truesize, sk->sk_pacing_rate >> 10);
++ limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes,
++ sk->sk_pacing_rate >> 10);
+ 
+ if (atomic_read(&sk->sk_wmem_alloc) > limit) {
+ set_bit(TSQ_THROTTLED, &tp->tsq_flags);
diff --git a/debian/patches/bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/debian/patches/bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
new file mode 100644
index 000000000..192b87507
--- /dev/null
+++ b/debian/patches/bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
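Review bot: `limit = max_t(unsigned int, sysctl_tcp_limit_output_bytes, sk->sk_pacing_rate >> 10);` casts the sysctl to unsigned, so if `sysctl_tcp_limit_output_bytes` is a plain `int` registered with `proc_dointvec` (its declaration and sysctl table entry are outside this patch) an administrator writing a negative value gets a limit near 4 GiB and TSQ throttling is effectively switched off instead of the write being rejected. Either register the sysctl with a zero minimum (`proc_dointvec_minmax`) or clamp at the use site, e.g. `limit = max_t(unsigned int, max(sysctl_tcp_limit_output_bytes, 0), sk->sk_pacing_rate >> 10);`. Separately, the ip-sysctl.txt hunk only deletes the old GSO/TSO note; since the value now acts as the floor of the per-socket queued-bytes limit (the tcp_output.c hunk), the entry should say so, roughly "this is the minimum amount of data TCP allows queued below the socket; more is permitted according to the pacing rate". tcp_write_xmit and tcp_xmit_size_goal both extend beyond their hunks.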
@@ -0,0 +1,46 @@
+From: Dan Carpenter
+Date: Sat, 23 Nov 2013 15:59:42 +1100
+Subject: xfs: underflow bug in xfs_attrlist_by_handle()
+Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
+If we allocate less than sizeof(struct attrlist) then we end up corrupting
+memory or doing a ZERO_PTR_SIZE dereference.
+
+This can only be triggered with CAP_SYS_ADMIN.
+
+Signed-off-by: Dan Carpenter
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Acked-by: Ben Myers
+Cc: Alex Elder
+Reviewed-by: Dave Chinner
+Signed-off-by: Andrew Morton
+---
+ fs/xfs/xfs_ioctl.c | 3 ++-
+ fs/xfs/xfs_ioctl32.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -443,7 +443,8 @@ xfs_attrlist_by_handle(
+ return -XFS_ERROR(EPERM);
+ if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+ 
+ /*
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -357,7 +357,8 @@ xfs_compat_attrlist_by_handle(
+ if (copy_from_user(&al_hreq, arg,
+ sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+ 
+ /*
diff --git a/debian/patches/bugfix/s390/qeth-avoid-buffer-overflow-in-snmp-ioctl.patch b/debian/patches/bugfix/s390/qeth-avoid-buffer-overflow-in-snmp-ioctl.patch
new file mode 100644
index 000000000..d5afa4b97
--- /dev/null
+++ b/debian/patches/bugfix/s390/qeth-avoid-buffer-overflow-in-snmp-ioctl.patch
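Review bot: The new lower bound `al_hreq.buflen < sizeof(struct attrlist)` is right but unexplained, and it is duplicated verbatim in xfs_ioctl.c and xfs_ioctl32.c, which is how the native and compat copies drift apart; a comment at each site, or one shared range-check helper both call, would help: `/* buffer must at least hold the attrlist header the listing writes; anything smaller corrupts memory or dereferences ZERO_SIZE_PTR */`. Because `buflen` is compared against a `sizeof(...)` (size_t), a signed field would be promoted and a negative value caught by the upper bound anyway — if the field is `__u32` (its declaration is not in the hunk) that is moot, but it is worth a word so nobody "fixes" the comparison order. The `return -XFS_ERROR(EPERM)` context line suggests a capability check precedes this, consistent with the CAP_SYS_ADMIN note in the commit message. Both enclosing functions continue outside the hunk.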
@@ -0,0 +1,43 @@
+From: Ursula Braun
+Date: Wed, 6 Nov 2013 09:04:52 +0100
+Subject: qeth: avoid buffer overflow in snmp ioctl
+Origin: https://git.kernel.org/linus/6fb392b1a63ae36c31f62bc3fc8630b49d602b62
+
+Check user-defined length in snmp ioctl request and allow request
+only if it fits into a qeth command buffer.
+
+Signed-off-by: Ursula Braun
+Signed-off-by: Frank Blaschka
+Reviewed-by: Heiko Carstens
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Cc:
+Signed-off-by: David S. Miller
+---
+ drivers/s390/net/qeth_core_main.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/s390/net/qeth_core_main.c b/drivers/s390/net/qeth_core_main.c
+index 0a328d0..bd8c09e 100644
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4451,7 +4451,7 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
+ struct qeth_cmd_buffer *iob;
+ struct qeth_ipa_cmd *cmd;
+ struct qeth_snmp_ureq *ureq;
+- int req_len;
++ unsigned int req_len;
+ struct qeth_arp_query_info qinfo = {0, };
+ int rc = 0;
+ 
+@@ -4467,6 +4467,10 @@ int qeth_snmp_command(struct qeth_card *card, char __user *udata)
+ /* skip 4 bytes (data_len struct member) to get req_len */
+ if (copy_from_user(&req_len, udata + sizeof(int), sizeof(int)))
+ return -EFAULT;
++ if (req_len > (QETH_BUFSIZE - IPA_PDU_HEADER_SIZE -
++ sizeof(struct qeth_ipacmd_hdr) -
++ sizeof(struct qeth_ipacmd_setadpparms_hdr)))
++ return -EINVAL;
+ ureq = memdup_user(udata, req_len + sizeof(struct qeth_snmp_ureq_hdr));
+ if (IS_ERR(ureq)) {
+ QETH_CARD_TEXT(card, 2, "snmpnome");
diff --git a/debian/patches/series b/debian/patches/series
index 8450911aa..1bd6b18cc 100644
--- a/debian/patches/series
+++ b/debian/patches/series
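Review bot: The new bound check is the right fix but the limit is an anonymous four-term expression computed inline with no statement of what it represents; name it and say so, e.g. `/* payload that fits in one qeth command buffer after the IPA and adapter-parameter headers */` followed by `const unsigned int max_len = QETH_BUFSIZE - IPA_PDU_HEADER_SIZE - sizeof(struct qeth_ipacmd_hdr) - sizeof(struct qeth_ipacmd_setadpparms_hdr);` and `if (req_len > max_len) return -EINVAL;`. Changing `req_len` to `unsigned int` is what makes a single `>` test sufficient (a negative length can no longer slip past it), but the unchanged context line `copy_from_user(&req_len, udata + sizeof(int), sizeof(int))` still sizes the read by `int`; `sizeof(req_len)` ties it to the variable's actual type. With req_len bounded by QETH_BUFSIZE the `req_len + sizeof(struct qeth_snmp_ureq_hdr)` passed to memdup_user can no longer wrap, which is worth a short comment since that is the second overflow this check closes. qeth_snmp_command continues beyond the hunk.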
@@ -75,3 +75,9 @@ bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
 bugfix/all/UAPI-include-asm-byteorder.h-in-linux-raid-md_p.h.patch
 bugfix/all/HID-uhid-fix-leak-for-64-32-UHID_CREATE.mbox
+bugfix/all/net-clamp-msg_namelen-instead-of-returning-an-error.patch
+bugfix/all/tcp-tsq-restore-minimal-amount-of-queueing.patch
+bugfix/all/rds-prevent-bug_on-triggered-by-congestion-update-to-loopback.patch
+bugfix/all/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch
+bugfix/s390/qeth-avoid-buffer-overflow-in-snmp-ioctl.patch
+bugfix/all/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch