Update to 4.7.2
Note the CVE IDs and Debian bugs fixed. Drop the patches that have gone upstream.
This commit is contained in:
Ben Hutchings
parent
1d2857f9c5
commit
f445dbb9d9
|
|
@ -1,4 +1,15 @@
|
|||
linux (4.7~rc7-1~exp2) UNRELEASED; urgency=medium
|
||||
linux (4.7.2-1) UNRELEASED; urgency=medium
|
||||
|
||||
* New upstream release: https://kernelnewbies.org/Linux_4.7
|
||||
- media: fix airspy usb probe error path (CVE-2016-5400)
|
||||
- libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
|
||||
- tcp: make challenge acks less predictable (CVE-2016-5696)
|
||||
* New stable update:
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.1
|
||||
- vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
|
||||
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.2
|
||||
- [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
|
||||
- audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136)
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* sched: Enable SCHEDSTATS (Closes: #796674)
|
||||
|
|
|
|||
|
|
@ -1,52 +0,0 @@
|
|||
From: Sakari Ailus <sakari.ailus@linux.intel.com>
|
||||
Date: Sun, 3 Apr 2016 16:31:03 -0300
|
||||
Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
|
||||
Origin: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab
|
||||
|
||||
When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
|
||||
which will be dequeued is not known until the buffer has been removed from
|
||||
the queue. The number of planes is specific to a buffer, not to the queue.
|
||||
|
||||
This does lead to the situation where multi-plane buffers may be requested
|
||||
and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
|
||||
struct with fewer planes.
|
||||
|
||||
__fill_v4l2_buffer() however uses the number of planes from the dequeued
|
||||
videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
|
||||
in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
|
||||
planes than the dequeued buffer had. Oops!
|
||||
|
||||
Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
|
||||
|
||||
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
|
||||
Acked-by: Hans Verkuil <hans.verkuil@cisco.com>
|
||||
Cc: stable@vger.kernel.org # for v4.4 and later
|
||||
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
|
||||
---
|
||||
drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
|
||||
index 91f552124050..8da7470ca364 100644
|
||||
--- a/drivers/media/v4l2-core/videobuf2-v4l2.c
|
||||
+++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
|
||||
@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
|
||||
return 0;
|
||||
}
|
||||
|
||||
+static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
|
||||
+{
|
||||
+ return __verify_planes_array(vb, pb);
|
||||
+}
|
||||
+
|
||||
/**
|
||||
* __verify_length() - Verify that the bytesused value for each plane fits in
|
||||
* the plane length and that the data offset doesn't exceed the bytesused value.
|
||||
@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
|
||||
}
|
||||
|
||||
static const struct vb2_buf_ops v4l2_buf_ops = {
|
||||
+ .verify_planes_array = __verify_planes_array_core,
|
||||
.fill_user_buffer = __fill_v4l2_buffer,
|
||||
.fill_vb2_buffer = __fill_vb2_buffer,
|
||||
.copy_timestamp = __copy_timestamp,
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Sun, 17 Apr 2016 22:59:03 +0100
|
||||
Subject: module: Invalidate signatures on force-loaded modules
|
||||
Forwarded: http://mid.gmane.org/20160423184501.GM3348@decadent.org.uk
|
||||
|
||||
Signing a module should only make it trusted by the specific kernel it
|
||||
was built for, not anything else. Loading a signed module meant for a
|
||||
kernel with a different ABI could have interesting effects.
|
||||
Therefore, treat all signatures as invalid when a module is
|
||||
force-loaded.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
kernel/module.c | 13 +++++++++----
|
||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/kernel/module.c
|
||||
+++ b/kernel/module.c
|
||||
@@ -2597,13 +2597,18 @@ static inline void kmemleak_load_module(
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_MODULE_SIG
|
||||
-static int module_sig_check(struct load_info *info)
|
||||
+static int module_sig_check(struct load_info *info, int flags)
|
||||
{
|
||||
int err = -ENOKEY;
|
||||
const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
|
||||
const void *mod = info->hdr;
|
||||
|
||||
- if (info->len > markerlen &&
|
||||
+ /*
|
||||
+ * Require flags == 0, as a module with version information
|
||||
+ * removed is no longer the module that was signed
|
||||
+ */
|
||||
+ if (flags == 0 &&
|
||||
+ info->len > markerlen &&
|
||||
memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
|
||||
/* We truncate the module to discard the signature */
|
||||
info->len -= markerlen;
|
||||
@@ -2622,7 +2627,7 @@ static int module_sig_check(struct load_
|
||||
return err;
|
||||
}
|
||||
#else /* !CONFIG_MODULE_SIG */
|
||||
-static int module_sig_check(struct load_info *info)
|
||||
+static int module_sig_check(struct load_info *info, int flags)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@@ -3429,7 +3434,7 @@ static int load_module(struct load_info
|
||||
long err;
|
||||
char *after_dashes;
|
||||
|
||||
- err = module_sig_check(info);
|
||||
+ err = module_sig_check(info, flags);
|
||||
if (err)
|
||||
goto free_copy;
|
||||
|
||||
|
|
@ -1,26 +0,0 @@
|
|||
From: Ben Hutchings <ben@decadent.org.uk>
|
||||
Date: Mon, 16 May 2016 03:26:30 +0100
|
||||
Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
|
||||
Forwarded: no
|
||||
|
||||
Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
|
||||
dequeueing" was reverted upstream by commit 93f0750dcdae.
|
||||
|
||||
It's obvious from the log in the revert commit message that pb == NULL
|
||||
in __verify_planes_array(). We should treat this case as successful
|
||||
because vb2_core_dqbuf() won't attempt to copy anything to user
|
||||
buffers.
|
||||
|
||||
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
---
|
||||
--- a/drivers/media/v4l2-core/videobuf2-core.c
|
||||
+++ b/drivers/media/v4l2-core/videobuf2-core.c
|
||||
@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
|
||||
* Only remove the buffer from done_list if v4l2_buffer can handle all
|
||||
* the planes.
|
||||
*/
|
||||
- ret = call_bufop(q, verify_planes_array, *vb, pb);
|
||||
+ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
|
||||
if (!ret)
|
||||
list_del(&(*vb)->done_entry);
|
||||
spin_unlock_irqrestore(&q->done_lock, flags);
|
||||
|
|
@ -72,8 +72,6 @@ features/arm/arm64-tegra-correct-tegra210-xusb-mailbox-interrupt.patch
|
|||
bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
|
||||
bugfix/all/disable-some-marvell-phys.patch
|
||||
bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
|
||||
bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
|
||||
bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
|
||||
|
||||
# Miscellaneous features
|
||||
|
||||
|
|
@ -107,7 +105,6 @@ features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled
|
|||
# Security fixes
|
||||
bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
|
||||
|
||||
# Tools bug fixes
|
||||
bugfix/all/usbip-document-tcp-wrappers.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue