From f445dbb9d99266b6979a7aab4b636883b8967d45 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Wed, 24 Aug 2016 01:33:42 +0100
Subject: [PATCH] Update to 4.7.2 Note the CVE IDs and Debian bugs fixed. Drop the patches that have gone upstream.
---
 debian/changelog | 13 ++++-
 ...v4l2-verify-planes-array-in-buffer-d.patch | 52 -----------------
 ...e-signatures-on-force-loaded-modules.patch | 58 -------------------
 ...fix-crash-after-fixing-cve-2016-4568.patch | 26 ---------
 debian/patches/series | 3 -
 5 files changed, 12 insertions(+), 140 deletions(-)
 delete mode 100644 debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
 delete mode 100644 debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
 delete mode 100644 debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
diff --git a/debian/changelog b/debian/changelog
index 98cbd1fdc..45873ec3a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,15 @@
-linux (4.7~rc7-1~exp2) UNRELEASED; urgency=medium
+linux (4.7.2-1) UNRELEASED; urgency=medium
+
+ * New upstream release: https://kernelnewbies.org/Linux_4.7
+ - media: fix airspy usb probe error path (CVE-2016-5400)
+ - libata: LITE-ON CX1-JB256-HP needs lower max_sectors (Closes: #830971)
+ - tcp: make challenge acks less predictable (CVE-2016-5696)
+ * New stable update:
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.1
+ - vfs: ioctl: prevent double-fetch in dedupe ioctl (CVE-2016-6516)
+ https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.2
+ - [powerpc*] KVM: Book3S HV: Save/restore TM state in H_CEDE (CVE-2016-5412)
+ - audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136)
 [ Ben Hutchings ]
 * sched: Enable SCHEDSTATS (Closes: #796674)
diff --git a/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch b/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
deleted file mode 100644
index 5391ca0c0..000000000
--- a/debian/patches/bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Sakari Ailus
-Date: Sun, 3 Apr 2016 16:31:03 -0300
-Subject: [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
-Origin: https://git.kernel.org/linus/2c1f6951a8a82e6de0d82b1158b5e493fc6c54ab
-
-When a buffer is being dequeued using VIDIOC_DQBUF IOCTL, the exact buffer
-which will be dequeued is not known until the buffer has been removed from
-the queue. The number of planes is specific to a buffer, not to the queue.
-
-This does lead to the situation where multi-plane buffers may be requested
-and queued with n planes, but VIDIOC_DQBUF IOCTL may be passed an argument
-struct with fewer planes.
-
-__fill_v4l2_buffer() however uses the number of planes from the dequeued
-videobuf2 buffer, overwriting kernel memory (the m.planes array allocated
-in video_usercopy() in v4l2-ioctl.c) if the user provided fewer
-planes than the dequeued buffer had. Oops!
-
-Fixes: b0e0e1f83de3 ("[media] media: videobuf2: Prepare to divide videobuf2")
-
-Signed-off-by: Sakari Ailus
-Acked-by: Hans Verkuil
-Cc: stable@vger.kernel.org # for v4.4 and later
-Signed-off-by: Mauro Carvalho Chehab
----
- drivers/media/v4l2-core/videobuf2-v4l2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/drivers/media/v4l2-core/videobuf2-v4l2.c b/drivers/media/v4l2-core/videobuf2-v4l2.c
-index 91f552124050..8da7470ca364 100644
---- a/drivers/media/v4l2-core/videobuf2-v4l2.c
-+++ b/drivers/media/v4l2-core/videobuf2-v4l2.c
-@@ -74,6 +74,11 @@ static int __verify_planes_array(struct vb2_buffer *vb, const struct v4l2_buffer
- return 0;
- }
-
-+static int __verify_planes_array_core(struct vb2_buffer *vb, const void *pb)
-+{
-+ return __verify_planes_array(vb, pb);
-+}
-+
- /**
- * __verify_length() - Verify that the bytesused value for each plane fits in
- * the plane length and that the data offset doesn't exceed the bytesused value.
-@@ -437,6 +442,7 @@ static int __fill_vb2_buffer(struct vb2_buffer *vb,
- }
-
- static const struct vb2_buf_ops v4l2_buf_ops = {
-+ .verify_planes_array = __verify_planes_array_core,
- .fill_user_buffer = __fill_v4l2_buffer,
- .fill_vb2_buffer = __fill_vb2_buffer,
- .copy_timestamp = __copy_timestamp,
diff --git a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch b/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
deleted file mode 100644
index e751fd11c..000000000
--- a/debian/patches/bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Ben Hutchings
-Date: Sun, 17 Apr 2016 22:59:03 +0100
-Subject: module: Invalidate signatures on force-loaded modules
-Forwarded: http://mid.gmane.org/20160423184501.GM3348@decadent.org.uk
-
-Signing a module should only make it trusted by the specific kernel it
-was built for, not anything else. Loading a signed module meant for a
-kernel with a different ABI could have interesting effects.
-Therefore, treat all signatures as invalid when a module is
-force-loaded.
-
-Signed-off-by: Ben Hutchings
-Cc: stable@vger.kernel.org
----
- kernel/module.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/kernel/module.c
-+++ b/kernel/module.c
-@@ -2597,13 +2597,18 @@ static inline void kmemleak_load_module(
- #endif
-
- #ifdef CONFIG_MODULE_SIG
--static int module_sig_check(struct load_info *info)
-+static int module_sig_check(struct load_info *info, int flags)
- {
- int err = -ENOKEY;
- const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
- const void *mod = info->hdr;
-
-- if (info->len > markerlen &&
-+ /*
-+ * Require flags == 0, as a module with version information
-+ * removed is no longer the module that was signed
-+ */
-+ if (flags == 0 &&
-+ info->len > markerlen &&
- memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen) == 0) {
- /* We truncate the module to discard the signature */
- info->len -= markerlen;
-@@ -2622,7 +2627,7 @@ static int module_sig_check(struct load_
- return err;
- }
- #else /* !CONFIG_MODULE_SIG */
--static int module_sig_check(struct load_info *info)
-+static int module_sig_check(struct load_info *info, int flags)
- {
- return 0;
- }
-@@ -3429,7 +3434,7 @@ static int load_module(struct load_info
- long err;
- char *after_dashes;
-
-- err = module_sig_check(info);
-+ err = module_sig_check(info, flags);
- if (err)
- goto free_copy;
-
diff --git a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch b/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
deleted file mode 100644
index c94f1842a..000000000
--- a/debian/patches/bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Ben Hutchings
-Date: Mon, 16 May 2016 03:26:30 +0100
-Subject: videobuf2-core: Fix crash after fixing CVE-2016-4568
-Forwarded: no
-
-Commit 2c1f6951a8a8 "[media] videobuf2-v4l2: Verify planes array in buffer
-dequeueing" was reverted upstream by commit 93f0750dcdae.
-
-It's obvious from the log in the revert commit message that pb == NULL
-in __verify_planes_array(). We should treat this case as successful
-because vb2_core_dqbuf() won't attempt to copy anything to user
-buffers.
-
-Signed-off-by: Ben Hutchings
----
---- a/drivers/media/v4l2-core/videobuf2-core.c
-+++ b/drivers/media/v4l2-core/videobuf2-core.c
-@@ -1665,7 +1665,7 @@ static int __vb2_get_done_vb(struct vb2_
- * Only remove the buffer from done_list if v4l2_buffer can handle all
- * the planes.
- */
-- ret = call_bufop(q, verify_planes_array, *vb, pb);
-+ ret = pb ? call_bufop(q, verify_planes_array, *vb, pb) : 0;
- if (!ret)
- list_del(&(*vb)->done_entry);
- spin_unlock_irqrestore(&q->done_lock, flags);
diff --git a/debian/patches/series b/debian/patches/series
index 75bbe0f3c..ed061bd4d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -72,8 +72,6 @@ features/arm/arm64-tegra-correct-tegra210-xusb-mailbox-interrupt.patch
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
-bugfix/all/module-invalidate-signatures-on-force-loaded-modules.patch
-bugfix/all/videobuf2-core-fix-crash-after-fixing-cve-2016-4568.patch
 # Miscellaneous features
@@ -107,7 +105,6 @@ features/all/securelevel/mtd-disable-slram-and-phram-when-securelevel-is-enabled
 # Security fixes
 bugfix/all/ptrace-being-capable-wrt-a-process-requires-mapped-uids-gids.patch
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/media-videobuf2-v4l2-verify-planes-array-in-buffer-d.patch
 # Tools bug fixes
 bugfix/all/usbip-document-tcp-wrappers.patch