Add security fixes
This commit is contained in:
parent
285e1090f2
commit
fc7f6fafd8
|
@ -518,6 +518,21 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
|
|||
+ Fix use-after-free in trigger removal
|
||||
- mm/slub: close possible memory-leak in kmem_cache_alloc_bulk()
|
||||
- crypto: limit more FPU-enabled sections
|
||||
* dccp: CVE-2017-8824: use-after-free in DCCP code
|
||||
* netfilter: nfnetlink_cthelper: Add missing permission checks
|
||||
(CVE-2017-17448)
|
||||
* netlink: Add netns check on taps (CVE-2017-17449)
|
||||
* netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)
|
||||
* USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)
|
||||
* net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712)
|
||||
* media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
|
||||
(CVE-2017-16538)
|
||||
* media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
|
||||
(CVE-2017-16538)
|
||||
* media: hdpvr: Fix an error handling path in hdpvr_probe() (CVE-2017-16644)
|
||||
* [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio
|
||||
(CVE-2017-17741)
|
||||
* bluetooth: Prevent stack info leak from the EFS element. CVE-2017-1000410)
|
||||
|
||||
-- Salvatore Bonaccorso <carnil@debian.org> Sun, 03 Dec 2017 10:18:39 +0100
|
||||
|
||||
|
|
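--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
@@ -0,0 +1,48 @@
+From: Ben Seri <ben@armis.com>
+Date: Mon, 04 Dec 2017 14:13:25 +0000
+Subject: bluetooth: Prevent stack info leak from the EFS element.
+Origin: http://www.openwall.com/lists/oss-security/2017/12/06/3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-1000410
+
+Signed-off-by: Ben Seri <ben@armis.com>
+---
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l
+break;
+
+case L2CAP_CONF_EFS:
+- remote_efs = 1;
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
++ remote_efs = 1;
+memcpy(&efs, (void *) val, olen);
++ }
+break;
+
+case L2CAP_CONF_EWS:
+@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l
+break;
+
+case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
+memcpy(&efs, (void *)val, olen);
+
+- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != chan->local_stype)
+- return -ECONNREFUSED;
++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != chan->local_stype)
++ return -ECONNREFUSED;
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs, endptr - ptr);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
++ (unsigned long) &efs, endptr - ptr);
++ }
+break;
+
+case L2CAP_CONF_FCS: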
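--- /dev/null
+++ b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
@@ -0,0 +1,38 @@
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
+Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+net/dccp/proto.c | 5 +++++
+1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int
+{
+struct inet_connection_sock *icsk = inet_csk(sk);
+struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+int err = 0;
+const int old_state = sk->sk_state;
+
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int
+sk->sk_err = ECONNRESET;
+
+dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+__skb_queue_purge(&sk->sk_receive_queue);
+__skb_queue_purge(&sk->sk_write_queue);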
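--- /dev/null
+++ b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
@@ -0,0 +1,153 @@
+From: Wanpeng Li <wanpeng.li@hotmail.com>
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+Subject: KVM: Fix stack-out-of-bounds read in write_mmio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit?id=e39d200fa5bf5b94a0948db0dae44c1b73b84a56
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17741
+
+Reported by syzkaller:
+
+BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
+Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+Call Trace:
+dump_stack+0xab/0xe1
+print_address_description+0x6b/0x290
+kasan_report+0x28a/0x370
+write_mmio+0x11e/0x270 [kvm]
+emulator_read_write_onepage+0x311/0x600 [kvm]
+emulator_read_write+0xef/0x240 [kvm]
+emulator_fix_hypercall+0x105/0x150 [kvm]
+em_hypercall+0x2b/0x80 [kvm]
+x86_emulate_insn+0x2b1/0x1640 [kvm]
+x86_emulate_instruction+0x39a/0xb90 [kvm]
+handle_exception+0x1b4/0x4d0 [kvm_intel]
+vcpu_enter_guest+0x15a0/0x2640 [kvm]
+kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+kvm_vcpu_ioctl+0x479/0x880 [kvm]
+do_vfs_ioctl+0x142/0x9a0
+SyS_ioctl+0x74/0x80
+entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
+it by just accessing the bytes which we operate on.
+
+Before patch:
+
+syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
+Reviewed-by: Marc Zyngier <marc.zyngier@arm.com>
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Radim Krčmář <rkrcmar@redhat.com>
+Cc: Marc Zyngier <marc.zyngier@arm.com>
+Cc: Christoffer Dall <christoffer.dall@linaro.org>
+Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+---
+arch/x86/kvm/x86.c | 8 ++++----
+include/trace/events/kvm.h | 7 +++++--
+virt/kvm/arm/mmio.c | 6 +++---
+3 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4362,7 +4362,7 @@ static int vcpu_mmio_read(struct kvm_vcp
+addr, n, v))
+&& kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
+break;
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+handled += n;
+addr += n;
+len -= n;
+@@ -4621,7 +4621,7 @@ static int read_prepare(struct kvm_vcpu
+{
+if (vcpu->mmio_read_completed) {
+trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++ vcpu->mmio_fragments[0].gpa, val);
+vcpu->mmio_read_completed = 0;
+return 1;
+}
+@@ -4643,14 +4643,14 @@ static int write_emulate(struct kvm_vcpu
+
+static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+{
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+return vcpu_mmio_write(vcpu, gpa, bytes, val);
+}
+
+static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+void *val, int bytes)
+{
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+return X86EMUL_IO_NEEDED;
+}
+
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
+{ KVM_TRACE_MMIO_WRITE, "write" }
+
+TRACE_EVENT(kvm_mmio,
+- TP_PROTO(int type, int len, u64 gpa, u64 val),
++ TP_PROTO(int type, int len, u64 gpa, void *val),
+TP_ARGS(type, len, gpa, val),
+
+TP_STRUCT__entry(
+@@ -225,7 +225,10 @@ TRACE_EVENT(kvm_mmio,
+__entry->type = type;
+__entry->len = len;
+__entry->gpa = gpa;
+- __entry->val = val;
++ __entry->val = 0;
++ if (val)
++ memcpy(&__entry->val, val,
++ min_t(u32, sizeof(__entry->val), len));
+),
+
+TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vc
+}
+
+trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+- data);
++ &data);
+data = vcpu_data_host_to_guest(vcpu, data, len);
+vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+}
+@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
+data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
+len);
+
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
+kvm_mmio_write_buf(data_buf, len, data);
+
+ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+data_buf);
+} else {
+trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
+- fault_ipa, 0);
++ fault_ipa, NULL);
+
+ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+data_buf);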
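--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
@@ -0,0 +1,83 @@
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 17:10:20 -0400
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+start
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=3d932ee27e852e4904647f15b64dedca51187ad7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+---
+drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb
+
+static int lme2510_return_status(struct dvb_usb_device *d)
+{
+- int ret = 0;
++ int ret;
+u8 *data;
+
+- data = kzalloc(10, GFP_KERNEL);
++ data = kzalloc(6, GFP_KERNEL);
+if (!data)
+return -ENOMEM;
+
+- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+- info("Firmware Status: %x (%x)", ret , data[2]);
++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++ 0x06, 0x80, 0x0302, 0x00,
++ data, 0x6, 200);
++ if (ret != 6)
++ ret = -EINVAL;
++ else
++ ret = data[2];
++
++ info("Firmware Status: %6ph", data);
+
+- ret = (ret < 0) ? -ENODEV : data[2];
+kfree(data);
+return ret;
+}
+
+@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(str
+static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+{
+struct lme2510_state *st = d->priv;
++ int status;
+
+usb_reset_configuration(d->udev);
+
+@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct
+
+st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+
+- if (lme2510_return_status(d) == 0x44) {
++ status = lme2510_return_status(d);
++ if (status == 0x44) {
+*name = lme_firmware_switch(d, 0);
+return COLD;
+}
+
+- return 0;
++ if (status != 0x47)
++ return -EINVAL;
++
++ return WARM;
+}
+
+static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,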
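--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
@@ -0,0 +1,67 @@
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Tue, 26 Sep 2017 17:10:21 -0400
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+dm04_lme2510_tuner
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=7bf7a7116ed313c601307f7e585419369926ab05
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+---
+drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(
+
+if (adap->fe[0]) {
+info("FE Found M88RS2000");
+- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+- &d->i2c_adap);
+st->i2c_tuner_gate_w = 5;
+st->i2c_tuner_gate_r = 5;
+st->i2c_tuner_addr = 0x60;
+@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb
+ret = st->tuner_config;
+break;
+case TUNER_RS2000:
+- ret = st->tuner_config;
++ if (dvb_attach(ts2020_attach, adap->fe[0],
++ &ts2020_config, &d->i2c_adap))
++ ret = st->tuner_config;
+break;
+default:
+break;
+}
+
+- if (ret)
++ if (ret) {
+info("TUN Found %s tuner", tun_msg[ret]);
+- else {
+- info("TUN No tuner found --- resetting device");
+- lme_coldreset(d);
++ } else {
++ info("TUN No tuner found");
+return -ENODEV;
+}
+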
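--- /dev/null
+++ b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
@@ -0,0 +1,98 @@
+From: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Date: Fri, 22 Sep 2017 09:07:06 -0400
+Subject: media: hdpvr: Fix an error handling path in hdpvr_probe()
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=c0f71bbb810237a38734607ca4599632f7f5d47f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16644
+
+Here, hdpvr_register_videodev() is responsible for setup and
+register a video device. Also defining and initializing a worker.
+hdpvr_register_videodev() is calling by hdpvr_probe at last.
+So no need to flush any work here.
+Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Tested-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+---
+drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
+1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interf
+/* register v4l2_device early so it can be used for printks */
+if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+dev_err(&interface->dev, "v4l2_device_register failed\n");
+- goto error;
++ goto error_free_dev;
+}
+
+mutex_init(&dev->io_mutex);
+@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interf
+dev->usbc_buf = kmalloc(64, GFP_KERNEL);
+if (!dev->usbc_buf) {
+v4l2_err(&dev->v4l2_dev, "Out of memory\n");
+- goto error;
++ goto error_v4l2_unregister;
+}
+
+init_waitqueue_head(&dev->wait_buffer);
+@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interf
+}
+if (!dev->bulk_in_endpointAddr) {
+v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
+- goto error;
++ goto error_put_usb;
+}
+
+/* init the device */
+if (hdpvr_device_init(dev)) {
+v4l2_err(&dev->v4l2_dev, "device init failed\n");
+- goto error;
++ goto error_put_usb;
+}
+
+mutex_lock(&dev->io_mutex);
+@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interf
+mutex_unlock(&dev->io_mutex);
+v4l2_err(&dev->v4l2_dev,
+"allocating transfer buffers failed\n");
+- goto error;
++ goto error_put_usb;
+}
+mutex_unlock(&dev->io_mutex);
+
+@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interf
+retval = hdpvr_register_i2c_adapter(dev);
+if (retval < 0) {
+v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
+- goto error;
++ goto error_free_buffers;
+}
+
+client = hdpvr_register_ir_rx_i2c(dev);
+@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interf
+reg_fail:
+#if IS_ENABLED(CONFIG_I2C)
+i2c_del_adapter(&dev->i2c_adapter);
++error_free_buffers:
+#endif
++ hdpvr_free_buffers(dev);
++error_put_usb:
++ usb_put_dev(dev->udev);
++ kfree(dev->usbc_buf);
++error_v4l2_unregister:
++ v4l2_device_unregister(&dev->v4l2_dev);
++error_free_dev:
++ kfree(dev);
+error:
+- if (dev) {
+- flush_work(&dev->worker);
+- /* this frees allocated memory */
+- hdpvr_delete(dev);
+- }
+return retval;
+}
+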
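--- /dev/null
+++ b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,70 @@
+From: Mohamed Ghannam <simo.ghannam@gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: net: ipv4: fix for a race condition in raw_sendmsg
+Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+net/ipv4/raw.c | 15 ++++++++++-----
+1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk,
+int err;
+struct ip_options_data opt_copy;
+struct raw_frag_vec rfv;
++ int hdrincl;
+
+err = -EMSGSIZE;
+if (len > 0xFFFF)
+goto out;
+
++ /* hdrincl should be READ_ONCE(inet->hdrincl)
++ * but READ_ONCE() doesn't work with bit fields
++ */
++ hdrincl = inet->hdrincl;
+/*
+* Check the flags.
+*/
+@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk,
+/* Linux does not mangle headers on raw sockets,
+* so that IP options + IP_HDRINCL is non-sense.
+*/
+- if (inet->hdrincl)
++ if (hdrincl)
+goto done;
+if (ipc.opt->opt.srr) {
+if (!daddr)
+@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk,
+
+flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+RT_SCOPE_UNIVERSE,
+- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+inet_sk_flowi_flags(sk) |
+- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+daddr, saddr, 0, 0, sk->sk_uid);
+
+- if (!inet->hdrincl) {
++ if (!hdrincl) {
+rfv.msg = msg;
+rfv.hlen = 0;
+
+@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk,
+goto do_confirm;
+back_from_confirm:
+
+- if (inet->hdrincl)
++ if (hdrincl)
+err = raw_send_hdrinc(sk, &fl4, msg, len,
+&rt, msg->msg_flags, &ipc.sockc);
+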
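--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
@@ -0,0 +1,74 @@
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
+Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+$ nfct helper list
+nfct v1.4.4: netlink error: Operation not permitted
+$ vpnns -- nfct helper list
+{
+.name = ftp,
+.queuenum = 0,
+.l3protonum = 2,
+.l4protonum = 6,
+.priv_data_len = 24,
+.status = enabled,
+};
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+1 file changed, 10 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+#include <linux/types.h>
+#include <linux/list.h>
+#include <linux/errno.h>
++#include <linux/capability.h>
+#include <net/netlink.h>
+#include <net/sock.h>
+
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net
+struct nfnl_cthelper *nlcth;
+int ret = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+return -EINVAL;
+
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net
+struct nfnl_cthelper *nlcth;
+bool tuple_set = false;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+if (nlh->nlmsg_flags & NLM_F_DUMP) {
+struct netlink_dump_control c = {
+.dump = nfnl_cthelper_dump_table,
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net
+struct nfnl_cthelper *nlcth, *n;
+int j = 0, ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+if (tb[NFCTH_NAME])
+helper_name = nla_data(tb[NFCTH_NAME]);
+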
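--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
@@ -0,0 +1,56 @@
+From: Kevin Cernekee <cernekee@chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: netfilter: xt_osf: Add missing permission checks
+Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+vpnns -- nfnl_osf -f /tmp/pf.os
+
+vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list. Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+net/netfilter/xt_osf.c | 7 +++++++
+1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+
++#include <linux/capability.h>
+#include <linux/if.h>
+#include <linux/inetdevice.h>
+#include <linux/ip.h>
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne
+struct xt_osf_finger *kf = NULL, *sf;
+int err = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+if (!osf_attrs[OSF_ATTR_FINGER])
+return -EINVAL;
+
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct
+struct xt_osf_finger *sf;
+int err = -ENOENT;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+if (!osf_attrs[OSF_ATTR_FINGER])
+return -EINVAL;
+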
|
@ -0,0 +1,39 @@
|
|||
From: Kevin Cernekee <cernekee@chromium.org>
|
||||
Date: Wed, 6 Dec 2017 12:12:27 -0800
|
||||
Subject: netlink: Add netns check on taps
|
||||
Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
|
||||
|
||||
Currently, a nlmon link inside a child namespace can observe systemwide
|
||||
netlink activity. Filter the traffic so that nlmon can only sniff
|
||||
netlink messages from its own netns.
|
||||
|
||||
Test case:
|
||||
|
||||
vpnns -- bash -c "ip link add nlmon0 type nlmon; \
|
||||
ip link set nlmon0 up; \
|
||||
tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
|
||||
sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
|
||||
spi 0x1 mode transport \
|
||||
auth sha1 0x6162633132330000000000000000000000000000 \
|
||||
enc aes 0x00000000000000000000000000000000
|
||||
grep --binary abc123 /tmp/nlmon.pcap
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
---
|
||||
net/netlink/af_netlink.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/net/netlink/af_netlink.c
|
||||
+++ b/net/netlink/af_netlink.c
|
||||
@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str
|
||||
struct sock *sk = skb->sk;
|
||||
int ret = -ENOMEM;
|
||||
|
||||
+ if (!net_eq(dev_net(dev), sock_net(sk)))
|
||||
+ return 0;
|
||||
+
|
||||
dev_hold(dev);
|
||||
|
||||
if (is_vmalloc_addr(skb->head))
|
44
debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
vendored
Normal file
44
debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
vendored
Normal file
|
@ -0,0 +1,44 @@
|
|||
From: Alan Stern <stern@rowland.harvard.edu>
|
||||
Date: Tue, 12 Dec 2017 14:25:13 -0500
|
||||
Subject: USB: core: prevent malicious bNumInterfaces overflow
|
||||
Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558
|
||||
|
||||
A malicious USB device with crafted descriptors can cause the kernel
|
||||
to access unallocated memory by setting the bNumInterfaces value too
|
||||
high in a configuration descriptor. Although the value is adjusted
|
||||
during parsing, this adjustment is skipped in one of the error return
|
||||
paths.
|
||||
|
||||
This patch prevents the problem by setting bNumInterfaces to 0
|
||||
initially. The existing code already sets it to the proper value
|
||||
after parsing is complete.
|
||||
|
||||
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
|
||||
Reported-by: Andrey Konovalov <andreyknvl@google.com>
|
||||
CC: <stable@vger.kernel.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
drivers/usb/core/config.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/drivers/usb/core/config.c
|
||||
+++ b/drivers/usb/core/config.c
|
||||
@@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
|
||||
unsigned iad_num = 0;
|
||||
|
||||
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
|
||||
+ nintf = nintf_orig = config->desc.bNumInterfaces;
|
||||
+ config->desc.bNumInterfaces = 0; // Adjusted later
|
||||
+
|
||||
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
|
||||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
|
||||
config->desc.bLength > size) {
|
||||
@@ -568,7 +571,6 @@ static int usb_parse_configuration(struc
|
||||
buffer += config->desc.bLength;
|
||||
size -= config->desc.bLength;
|
||||
|
||||
- nintf = nintf_orig = config->desc.bNumInterfaces;
|
||||
if (nintf > USB_MAXINTERFACES) {
|
||||
dev_warn(ddev, "config %d has too many interfaces: %d, "
|
||||
"using maximum allowed: %d\n",
|
|
@ -116,6 +116,17 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
|
|||
|
||||
# Security fixes
|
||||
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
|
||||
bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
|
||||
bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
|
||||
bugfix/all/netlink-add-netns-check-on-taps.patch
|
||||
bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
|
||||
bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
|
||||
bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
|
||||
bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
|
||||
bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
|
||||
bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
|
||||
bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
|
||||
bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
|
||||
|
||||
# Fix exported symbol versions
|
||||
bugfix/all/module-disable-matching-missing-version-crc.patch
|
||||
|
|