From e8880932f802768ad1da702f1e8ee5d11a9c173b Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 11 Nov 2016 13:31:51 +0100 Subject: [PATCH] Update to 4.8.7 --- debian/changelog | 118 +++++++++++++++++- ...printf-buffer-in-proc-keys-show-func.patch | 70 ----------- ...flog-fix-unexpected-truncated-packet.patch | 36 ------ ...mopp-before-dereference-CVE-2016-863.patch | 34 ----- debian/patches/series | 3 - 5 files changed, 114 insertions(+), 147 deletions(-) delete mode 100644 debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch delete mode 100644 debian/patches/bugfix/all/netfilter-xt_nflog-fix-unexpected-truncated-packet.patch delete mode 100644 debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch diff --git a/debian/changelog b/debian/changelog index 5d74b4eda..7225e91db 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -linux (4.8.6-1) UNRELEASED; urgency=medium +linux (4.8.7-1) UNRELEASED; urgency=medium * New upstream stable update: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.6 
@@ -104,6 +104,119 @@ linux (4.8.6-1) UNRELEASED; urgency=medium - PCI: generic: Fix pci_remap_iospace() failure path - [armhf] PCI: tegra: Fix pci_remap_iospace() failure path - libnvdimm: clear the internal poison_list when clearing badblocks + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.8.7 + - [armhf] i2c: rk3x: Give the tuning value 0 during + rk3x_i2c_v0_calc_timings + - i2c: core: fix NULL pointer dereference under race condition + - drm/dp/mst: Clear port->pdt when tearing down the i2c adapter + - gpio / ACPI: fix returned error from acpi_dev_gpio_irq_get() + - gpio: GPIO_GET_CHIPINFO_IOCTL: Fix line offset validation + - gpio: GPIO_GET_CHIPINFO_IOCTL: Fix information leak + - gpio: GPIO_GET_LINEHANDLE_IOCTL: Validate line offset + - gpio: GPIOHANDLE_GET_LINE_VALUES_IOCTL: Fix information leak + - gpio: GPIO_GET_LINEEVENT_IOCTL: Validate line offset + - gpio: GPIO_GET_LINEHANDLE_IOCTL: Reject invalid line flags + - gpio: GPIO_GET_LINEEVENT_IOCTL: Reject invalid line and event flags + - gpio: GPIOHANDLE_GET_LINE_VALUES_IOCTL: Fix another information leak + - gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak + - libxfs: clean up _calc_dquots_per_chunk + - mm/list_lru.c: avoid error-path NULL pointer deref + - mm/slab: fix kmemcg cache creation delayed issue + - mm: memcontrol: do not recurse in direct reclaim + - [x86] thermal/powerclamp: correct cpu support check + - KEYS: Fix short sprintf buffer in /proc/keys show function + - ALSA: usb-audio: Add quirk for Syntek STK1160 + - ALSA: seq: Fix time account regression + - ALSA: hda - allow 40 bit DMA mask for NVidia devices + - ALSA: hda - Adding a new group of pin cfg into ALC295 pin quirk table + - ALSA: hda - Fix surround output pins for ASRock B150M mobo + - ALSA: hda - Fix headset mic detection problem for two Dell laptops + - [powerpc*] cxl: Fix leaking pid refs in some error paths + - btrfs: fix races on root_log_ctx lists + - [powerpc] Convert cmp to cmpd in idle enter 
sequence + - [powerpc] mm/radix: Use tlbiel only if we ever ran on the current cpu + - [powerpc] Re-fix race condition between going idle and entering guest + - [powerpc] Fix race condition in setting lock bit in idle/wakeup code + - [amd64] x86/microcode/AMD: Fix more fallout from + CONFIG_RANDOMIZE_MEMORY=y + - timers: Prevent base clock rewind when forwarding clock + - timers: Prevent base clock corruption when forwarding + - timers: Plug locking race vs. timer migration + - timers: Lock base for same bucket optimization + - mei: txe: don't clean an unprocessed interrupt cause. + - USB: serial: fix potential NULL-dereference at probe + - USB: serial: cp210x: fix tiocmget error handling + - USB: serial: ftdi_sio: add support for Infineon TriBoard TC2X7 + - xhci: use default USB_RESUME_TIMEOUT when resuming ports. + - [powerpc] GenWQE: Fix bad page access during abort of resource + allocation + - [x86] smpboot: Init apic mapping before usage + - vt: clear selection before resizing + - [x86] hv: do not lose pending heartbeat vmbus packets + - xhci: add restart quirk for Intel Wildcatpoint PCH + - xhci: workaround for hosts missing CAS bit + - tty: limit terminal size to 4M chars + - [arm64] dts: marvell: fix clocksource for CP110 master SPI0 + - dm: free io_barrier after blk_cleanup_queue call + - [x86] KVM: fix wbinvd_dirty_mask use-after-free + - [s390] KVM: Fix STHYI buffer alignment for diag224 + - [armhf] mvebu: Select corediv clk for all mvebu v7 SoC + - nfsd: Fix general protection fault in release_lock_stateid() + - [mips*] KASLR: Fix handling of NULL FDT + - ovl: fix get_acl() on tmpfs + - ovl: update S_ISGID when setting posix ACLs + - ovl: fsync after copy-up + - virtio_ring: Make interrupt suppression spec compliant + - virtio_pci: Limit DMA mask to 44 bits for legacy virtio devices + - virtio: console: Unlock vqs while freeing buffers + - dm mirror: fix read error on recovery after default leg failure + - dm table: fix missing dm_put_target_type() in 
dm_table_add_target() + - dm rq: clear kworker_task if kthread_run() returned an error + - dm raid: fix compat_features validation + - dm raid: fix activation of existing raid4/10 devices + - firewire: net: guard against rx buffer overflows (CVE-2016-8633) + - firewire: net: fix fragmented datagram_size off-by-one + - mac80211: discard multicast and 4-addr A-MSDUs + - ath10k: cache calibration data when the core is stopped + - scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded + - scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware + - [arm64, armhf] mmc: dw_mmc-pltfm: fix the potential NULL pointer + dereference + - RAID1: ignore discard error + - RAID10: ignore discard error + - md: be careful not lot leak internal curr_resync value into metadata. -- (all) + - Revert "drm/radeon: fix DP link training issue with second 4K monitor" + - [armhf] drm/imx: ipuv3-plane: Switch EBA buffer only when we don't need + modeset + - [armhf] drm/imx: ipuv3-plane: Access old u/vbo properly in + ->atomic_check for YU12/YV12 + - drm/radeon/si_dpm: Limit clocks on HD86xx part + - drm/radeon/si_dpm: workaround for SI kickers + - drm/radeon: drop register readback in cayman_cp_int_cntl_setup + - drm/nouveau/acpi: fix check for power resources support + - drm/fb-helper: Don't call dirty callback for untouched clips + - drm/fb-helper: Fix connector ref leak on error + - drm/fb-helper: Keep references for the current set of used connectors + - drm/i915/gen9: fix DDB partitioning for multi-screen cases + - drm/i915/gen9: fix watermarks when using the pipe scaler + - drm/dp/mst: Check peer device type before attempting EDID read + - drm: Release reference from blob lookup after replacing property + - drm/i915: Respect alternate_aux_channel for all DDI ports + - drm/i915: Clean up DDI DDC/AUX CH sanitation + - drm/i915/fbc: fix CFB size calculation for gen8+ + - drm: i915: Wait for fences on new fb, not old + - i2c: mark device nodes only in case of successful 
instantiation + - netfilter: xt_NFLOG: fix unexpected truncated packet + - [arm64, armhf] pwm: Unexport children before chip removal + - [arm64, armhf] usb: dwc3: Fix size used in dma_free_coherent() + - [arm64, armhf] usb: chipidea: host: fix NULL ptr dereference during + shutdown + - [armhf] usb: musb: Fix hardirq-safe hardirq-unsafe lock order error + - tty: vt, fix bogus division in csi_J + - [x86] kvm: Check memopp before dereference (CVE-2016-8630) + - btrfs: qgroup: Prevent qgroup->reserved from going subzero + - [x86] cpufreq: intel_pstate: Set P-state upfront in performance mode + - HID: usbhid: add ATEN CS962 to list of quirky devices [ Ben Hutchings ] * debian/control: Fix build-dependency on openssl to work with new @@ -122,9 +235,6 @@ linux (4.8.6-1) UNRELEASED; urgency=medium * cpupower: Fix checks for CPU existence (Closes: #843071) * perf: Disable use of libcrypto (Closes: #843199) - [ Salvatore Bonaccorso ] - * [x86] kvm: Check memopp before dereference (CVE-2016-8630) - -- Ben Hutchings Wed, 02 Nov 2016 12:01:42 -0600 linux (4.8.5-1) unstable; urgency=medium diff --git a/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch b/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch deleted file mode 100644 index 904105512..000000000 --- a/debian/patches/bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From: David Howells -Date: Thu, 13 Oct 2016 22:38:46 +0200 -Subject: KEYS: Fix short sprintf buffer in /proc/keys show function -Origin: https://bugzilla.redhat.com/attachment.cgi?id=1200212 - -Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector -is turned on, this can cause a panic due to stack corruption. - -The problem is that xbuf[] is not big enough to hold a 64-bit timeout -rendered as weeks: - - (gdb) p 0xffffffffffffffffULL/(60*60*24*7) - $2 = 30500568904943 - -That's 14 chars plus NUL, not 11 chars plus NUL. - -Expand the buffer to 16 chars. - -I think the unpatched code apparently works if the stack-protector is not -enabled because on a 32-bit machine the buffer won't be overflowed and on a -64-bit machine there's a 64-bit aligned pointer at one side and an int that -isn't checked again on the other side. - -The panic incurred looks something like: - -Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe -CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 -Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 - 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f - ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6 - ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679 -Call Trace: - [] dump_stack+0x63/0x84 - [] panic+0xde/0x22a - [] ? proc_keys_show+0x3ce/0x3d0 - [] __stack_chk_fail+0x19/0x30 - [] proc_keys_show+0x3ce/0x3d0 - [] ? key_validate+0x50/0x50 - [] ? key_default_cmp+0x20/0x20 - [] seq_read+0x2cc/0x390 - [] proc_reg_read+0x42/0x70 - [] __vfs_read+0x37/0x150 - [] ? 
security_file_permission+0xa0/0xc0 - [] vfs_read+0x96/0x130 - [] SyS_read+0x55/0xc0 - [] entry_SYSCALL_64_fastpath+0x1a/0xa4 - -Reported-by: Ondrej Kozina -Signed-off-by: David Howells -Tested-by: Ondrej Kozina ---- - security/keys/proc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/security/keys/proc.c b/security/keys/proc.c -index f0611a6..b9f531c 100644 ---- a/security/keys/proc.c -+++ b/security/keys/proc.c -@@ -181,7 +181,7 @@ static int proc_keys_show(struct seq_file *m, void *v) - struct timespec now; - unsigned long timo; - key_ref_t key_ref, skey_ref; -- char xbuf[12]; -+ char xbuf[16]; - int rc; - - struct keyring_search_context ctx = { --- -2.9.3 - diff --git a/debian/patches/bugfix/all/netfilter-xt_nflog-fix-unexpected-truncated-packet.patch b/debian/patches/bugfix/all/netfilter-xt_nflog-fix-unexpected-truncated-packet.patch deleted file mode 100644 index 8b2ac7fc8..000000000 --- a/debian/patches/bugfix/all/netfilter-xt_nflog-fix-unexpected-truncated-packet.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From: Liping Zhang -Date: Tue, 11 Oct 2016 21:03:45 +0800 -Subject: netfilter: xt_NFLOG: fix unexpected truncated packet -Origin: https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit?id=6d19375b58763fefc2f215fb45117d3353ced888 -Bug-Debian: https://bugs.debian.org/841261 - -Justin and Chris spotted that iptables NFLOG target was broken when they -upgraded the kernel to 4.8: "ulogd-2.0.5- IPs are no longer logged" or -"results in segfaults in ulogd-2.0.5". - -Because "struct nf_loginfo li;" is a local variable, and flags will be -filled with garbage value, not inited to zero. So if it contains 0x1, -packets will not be logged to the userspace anymore. - -Fixes: 7643507fe8b5 ("netfilter: xt_NFLOG: nflog-range does not truncate packets") -Reported-by: Justin Piszcz -Reported-by: Chris Caputo -Tested-by: Chris Caputo -Signed-off-by: Liping Zhang -Signed-off-by: Pablo Neira Ayuso ---- - net/netfilter/xt_NFLOG.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/netfilter/xt_NFLOG.c b/net/netfilter/xt_NFLOG.c -index 018eed7e1ff1..8668a5c18dc3 100644 ---- a/net/netfilter/xt_NFLOG.c -+++ b/net/netfilter/xt_NFLOG.c -@@ -32,6 +32,7 @@ nflog_tg(struct sk_buff *skb, const struct xt_action_param *par) - li.u.ulog.copy_len = info->len; - li.u.ulog.group = info->group; - li.u.ulog.qthreshold = info->threshold; -+ li.u.ulog.flags = 0; - - if (info->flags & XT_NFLOG_F_COPY_LEN) - li.u.ulog.flags |= NF_LOG_F_COPY_LEN; diff --git a/debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch b/debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch deleted file mode 100644 index 5a3297e77..000000000 --- a/debian/patches/bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From: Owen Hofmann -Date: Thu, 27 Oct 2016 11:25:52 -0700 -Subject: kvm: x86: Check memopp before dereference (CVE-2016-8630) -Origin: https://git.kernel.org/linus/d9092f52d7e61dd1557f2db2400ddb430e85937e - -Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a -check for non-NULL under incorrect assumptions. An undefined instruction -with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt -to dereference a null pointer here. - -Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 -Message-Id: <1477592752-126650-2-git-send-email-osh@google.com> -Signed-off-by: Owen Hofmann -Signed-off-by: Paolo Bonzini ---- - arch/x86/kvm/emulate.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 4e95d3e..cbd7b92 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -5045,7 +5045,7 @@ int x86_decode_insn(struct x86_emulate_ctxt *ctxt, void *insn, int insn_len) - /* Decode and fetch the destination operand: register or memory. */ - rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); - -- if (ctxt->rip_relative) -+ if (ctxt->rip_relative && likely(ctxt->memopp)) - ctxt->memopp->addr.mem.ea = address_mask(ctxt, - ctxt->memopp->addr.mem.ea + ctxt->_eip); - --- -2.10.2 - diff --git a/debian/patches/series b/debian/patches/series index 7a9ebf282..4fe2aa5f7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -63,7 +63,6 @@ bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch bugfix/all/kbuild-do-not-use-hyphen-in-exported-variable-name.patch bugfix/all/ext4-fix-bug-838544.patch bugfix/all/mm-memcontrol-use-special-workqueue-for-creating-per-memcg-caches.patch -bugfix/all/netfilter-xt_nflog-fix-unexpected-truncated-packet.patch # Miscellaneous features 
@@ -95,8 +94,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch debian/i386-686-pae-pci-set-pci-nobios-by-default.patch bugfix/all/net-add-recursion-limit-to-gro.patch -bugfix/all/KEYS-Fix-short-sprintf-buffer-in-proc-keys-show-func.patch -bugfix/x86/kvm-x86-Check-memopp-before-dereference-CVE-2016-863.patch # ABI maintenance
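Review bot: In the debian/changelog hunk at @@ -104,6 +104,119 @@, the entry `- md: be careful not lot leak internal curr_resync value into metadata. -- (all)` carries a stray `-- (all)` suffix that no other line in the 4.8.7 list has and that does not match the `- subject` format used throughout the entry; the suffix should be dropped so the line reads like its neighbours (the `not lot` typo is the upstream subject and is fine to keep verbatim).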
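Review bot: In the debian/changelog hunk at @@ -122,9 +235,6 @@, removing the `[ Salvatore Bonaccorso ]` block with `* [x86] kvm: Check memopp before dereference (CVE-2016-8630)` is consistent, since the same fix now appears in the 4.8.7 upstream list above with its CVE id. One reference does get lost though: the deleted netfilter patch file carries `Bug-Debian: https://bugs.debian.org/841261`, while the new 4.8.7 line `- netfilter: xt_NFLOG: fix unexpected truncated packet` cites no bug; please confirm that #841261 was already closed by the earlier changelog entry that introduced the patch, and if not, append `(Closes: #841261)` to that line so the bug is closed by this upload.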
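Review bot: The two debian/patches/series hunks (@@ -63,7 +63,6 @@ and @@ -95,8 +94,6 @@) remove exactly the three files listed under `delete mode 100644` in the header, and each removed patch has a matching line in the new 4.8.7 changelog list (`KEYS: Fix short sprintf buffer in /proc/keys show function`, `netfilter: xt_NFLOG: fix unexpected truncated packet`, `[x86] kvm: Check memopp before dereference (CVE-2016-8630)`), so no fix is silently dropped. Note that the deleted KEYS patch's `Origin:` pointed at a Red Hat bugzilla attachment rather than an upstream commit, so it is worth spot-checking that the version merged in 4.8.7 makes the same `char xbuf[12]` to `char xbuf[16]` change in security/keys/proc.c before relying on the stable update for that stack-corruption fix.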