[kernel] r22230 - in dists/wheezy/linux: . debian debian/patches debian/patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Sat Dec 27 18:04:58 UTC 2014
Author: benh
Date: Sat Dec 27 18:04:58 2014
New Revision: 22230
Log:
Merge changes from wheezy-security up to 3.2.63-2+deb7u2
Added:
dists/wheezy/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
dists/wheezy/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
dists/wheezy/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
- copied unchanged from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
Modified:
dists/wheezy/linux/ (props changed)
dists/wheezy/linux/debian/changelog
dists/wheezy/linux/debian/patches/series
Modified: dists/wheezy/linux/debian/changelog
==============================================================================
--- dists/wheezy/linux/debian/changelog Sat Dec 27 17:47:17 2014 (r22229)
+++ dists/wheezy/linux/debian/changelog Sat Dec 27 18:04:58 2014 (r22230)
@@ -79,7 +79,6 @@
- usb: serial: ftdi_sio: add "bricked" FTDI device PID
- nfsd4: fix crash on unknown operation number
- [x86] kvm: don't kill guest on unknown exit reason
- - kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
- posix-timers: Fix stack info leak in timer_create()
- futex: Fix a race condition between REQUEUE_PI and task death
- ALSA: pcm: Zero-clear reserved fields of PCM status ioctl in compat mode
@@ -103,15 +102,10 @@
- bnx2fc: do not add shared skbs to the fcoe_rx_list
- Revert "xhci: clear root port wake on bits if controller isn't wake-up
capable" (regression in 3.2.62)
- - [amd64] traps: Stop using IST for #SS
- - [amd64] traps: Fix the espfix64 #DF fixup and rewrite it in C
- - [amd64] traps: Rework bad_iret
- [amd64] ALSA: hda - Limit 40bit DMA for AMD HDMI controllers
- mei: add mei_quirk_probe function
- tcp: be more strict before accepting ECN negociation
- hpsa: fix a race in cmd_free/scsi_done
- - ip: Fix backport of "ip: make IP identifiers less predictable"
- (regression in 3.2.63)
- mm: Remove false WARN_ON from pagecache_isize_extended()
[ Ben Hutchings ]
@@ -128,6 +122,24 @@
-- Ben Hutchings <ben at decadent.org.uk> Thu, 13 Nov 2014 19:16:28 +0000
+linux (3.2.63-2+deb7u2) wheezy-security; urgency=high
+
+ * Revert "drivers/net: Disable UFO through virtio" in macvtap and tun.
+ This removes the need to shut down VMs if migrating to a patched
+ host.
+ * ip: Fix backport of "ip: make IP identifiers less predictable"
+ (regression in 3.2.63) (thanks to Jeffrey Knockel)
+ * net: sctp: fix NULL pointer dereference in af->from_addr_param on
+ malformed packet (CVE-2014-7841)
+ * kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
+ (CVE-2014-8369)
+ * media: ttusb-dec: buffer overflow in ioctl (CVE-2014-8884)
+ * [amd64] traps: Stop using IST for #SS (CVE-2014-9090)
+ * [amd64] traps: Fix the espfix64 #DF fixup and rewrite it in C
+ * [amd64] traps: Rework bad_iret
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 07 Dec 2014 03:42:14 +0000
+
linux (3.2.63-2+deb7u1) wheezy-security; urgency=high
* drivers/net,ipv6: Fix virtio/IPv6 regression in 3.2.63:
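Review bot: in the 3.2.63-2+deb7u2 entry only the first of the three [amd64] traps items carries a CVE id (CVE-2014-9090); "Fix the espfix64 #DF fixup and rewrite it in C" and "Rework bad_iret" give none and do not say whether they belong to the same fix. If they are part of the CVE-2014-9090 fix, say so on each line or group the three under one item, so that the changelog can be searched by CVE id.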
Copied: dists/wheezy/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch Sat Dec 27 18:04:58 2014 (r22230, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch)
@@ -0,0 +1,26 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Fri, 5 Sep 2014 09:09:28 -0300
+Subject: [media] ttusb-dec: buffer overflow in ioctl
+Origin: https://git.kernel.org/linus/f2e323ec96077642d397bb1c355def536d489d16
+
+We need to add a limit check here so we don't overflow the buffer.
+
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at osg.samsung.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/media/usb/ttusb-dec/ttusbdecfe.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
++++ b/drivers/media/dvb/ttusb-dec/ttusbdecfe.c
+@@ -154,6 +154,9 @@ static int ttusbdecfe_dvbs_diseqc_send_m
+ 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00 };
+
++ if (cmd->msg_len > sizeof(b) - 4)
++ return -EINVAL;
++
+ memcpy(&b[4], cmd->msg, cmd->msg_len);
+
+ state->config->send_command(fe, 0x72,
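Review bot: the bound in the added check, `cmd->msg_len > sizeof(b) - 4`, hard-codes the same offset as the `memcpy(&b[4], ...)` that follows, so the two literals have to be kept in step by hand; a named constant for the header length, used in both places, would make the limit self-documenting. Separately, the diffstat still names drivers/media/usb/ttusb-dec/ttusbdecfe.c while the hunk applies to drivers/media/dvb/ttusb-dec/ttusbdecfe.c; the "[bwh: Backported to 3.2: adjust filename]" line explains this, but a regenerated diffstat would avoid the mismatch. The commit message gives no CVE id, so the changelog is the only place that ties this patch to CVE-2014-8884.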
Copied: dists/wheezy/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch Sat Dec 27 18:04:58 2014 (r22230, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch)
@@ -0,0 +1,73 @@
+From: Daniel Borkmann <dborkman at redhat.com>
+Date: Mon, 10 Nov 2014 17:54:26 +0100
+Subject: net: sctp: fix NULL pointer dereference in af->from_addr_param on
+ malformed packet
+Origin: https://git.kernel.org/linus/e40607cbe270a9e8360907cb1e62ddf0736e4864
+
+An SCTP server doing ASCONF will panic on malformed INIT ping-of-death
+in the form of:
+
+ ------------ INIT[PARAM: SET_PRIMARY_IP] ------------>
+
+While the INIT chunk parameter verification dissects through many things
+in order to detect malformed input, it misses to actually check parameters
+inside of parameters. E.g. RFC5061, section 4.2.4 proposes a 'set primary
+IP address' parameter in ASCONF, which has as a subparameter an address
+parameter.
+
+So an attacker may send a parameter type other than SCTP_PARAM_IPV4_ADDRESS
+or SCTP_PARAM_IPV6_ADDRESS, param_type2af() will subsequently return 0
+and thus sctp_get_af_specific() returns NULL, too, which we then happily
+dereference unconditionally through af->from_addr_param().
+
+The trace for the log:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+IP: [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+PGD 0
+Oops: 0000 [#1] SMP
+[...]
+Pid: 0, comm: swapper Not tainted 2.6.32-504.el6.x86_64 #1 Bochs Bochs
+RIP: 0010:[<ffffffffa01e9c62>] [<ffffffffa01e9c62>] sctp_process_init+0x492/0x990 [sctp]
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa01f2add>] ? sctp_bind_addr_copy+0x5d/0xe0 [sctp]
+ [<ffffffffa01e1fcb>] sctp_sf_do_5_1B_init+0x21b/0x340 [sctp]
+ [<ffffffffa01e3751>] sctp_do_sm+0x71/0x1210 [sctp]
+ [<ffffffffa01e5c09>] ? sctp_endpoint_lookup_assoc+0xc9/0xf0 [sctp]
+ [<ffffffffa01e61f6>] sctp_endpoint_bh_rcv+0x116/0x230 [sctp]
+ [<ffffffffa01ee986>] sctp_inq_push+0x56/0x80 [sctp]
+ [<ffffffffa01fcc42>] sctp_rcv+0x982/0xa10 [sctp]
+ [<ffffffffa01d5123>] ? ipt_local_in_hook+0x23/0x28 [iptable_filter]
+ [<ffffffff8148bdc9>] ? nf_iterate+0x69/0xb0
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+ [<ffffffff8148bf86>] ? nf_hook_slow+0x76/0x120
+ [<ffffffff81496d10>] ? ip_local_deliver_finish+0x0/0x2d0
+[...]
+
+A minimal way to address this is to check for NULL as we do on all
+other such occasions where we know sctp_get_af_specific() could
+possibly return with NULL.
+
+Fixes: d6de3097592b ("[SCTP]: Add the handling of "Set Primary IP Address" parameter to INIT")
+Signed-off-by: Daniel Borkmann <dborkman at redhat.com>
+Cc: Vlad Yasevich <vyasevich at gmail.com>
+Acked-by: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/sm_make_chunk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/sm_make_chunk.c
++++ b/net/sctp/sm_make_chunk.c
+@@ -2570,6 +2570,9 @@ do_addr_param:
+ addr_param = param.v + sizeof(sctp_addip_param_t);
+
+ af = sctp_get_af_specific(param_type2af(param.p->type));
++ if (af == NULL)
++ break;
++
+ af->from_addr_param(&addr, addr_param,
+ htons(asoc->peer.port), 0);
+
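Review bot: the added `if (af == NULL) break;` under do_addr_param drops the parameter silently, and the visible lines do not show what the function returns after the break, so it is worth confirming that a SET_PRIMARY_IP parameter with an unsupported address type cannot be reported as successfully processed. The commit message itself calls this a minimal fix and locates the gap in INIT parameter verification, which does not check parameters nested inside parameters; rejecting the bad sub-parameter type there would stop the malformed INIT before it reaches this code. The quoted oops is from a 2.6.32-504.el6 kernel, so a bracketed backport line stating how the patch was checked against 3.2 would help.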
Copied: dists/wheezy/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch (from r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch Sat Dec 27 18:04:58 2014 (r22230, copy of r22128, dists/wheezy-security/linux/debian/patches/bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch)
@@ -0,0 +1,96 @@
+Subject: Revert "drivers/net: Disable UFO through virtio" in macvtap and tun
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Tue, 11 Nov 2014 17:12:58 +0000
+
+This reverts commit 88e0e0e5aa722b193c8758c8b45d041de5316924 for
+the tap drivers, but leaves UFO disabled in virtio_net.
+
+libvirt at least assumes that tap features will never be dropped
+in new kernel versions, and doing so prevents migration of VMs to
+the never kernel version while they are running with virtio net
+devices.
+
+Fixes: 88e0e0e5aa7a ("drivers/net: Disable UFO through virtio")
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/drivers/net/macvtap.c
++++ b/drivers/net/macvtap.c
+@@ -579,8 +579,6 @@ static int macvtap_skb_from_vnet_hdr(str
+ gso_type = SKB_GSO_TCPV6;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- pr_warn_once("macvtap: %s: using disabled UFO feature; please fix this program\n",
+- current->comm);
+ gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
+@@ -628,6 +626,8 @@ static int macvtap_skb_to_vnet_hdr(const
+ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (sinfo->gso_type & SKB_GSO_TCPV6)
+ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (sinfo->gso_type & SKB_GSO_UDP)
++ vnet_hdr->gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else
+ BUG();
+ if (sinfo->gso_type & SKB_GSO_TCP_ECN)
+@@ -965,7 +965,7 @@ static long macvtap_ioctl(struct file *f
+ case TUNSETOFFLOAD:
+ /* let the user check for future flags */
+ if (arg & ~(TUN_F_CSUM | TUN_F_TSO4 | TUN_F_TSO6 |
+- TUN_F_TSO_ECN))
++ TUN_F_TSO_ECN | TUN_F_UFO))
+ return -EINVAL;
+
+ /* TODO: only accept frames with the features that
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -128,7 +128,7 @@ struct tun_struct {
+ struct net_device *dev;
+ u32 set_features;
+ #define TUN_USER_FEATURES (NETIF_F_HW_CSUM|NETIF_F_TSO_ECN|NETIF_F_TSO| \
+- NETIF_F_TSO6)
++ NETIF_F_TSO6|NETIF_F_UFO)
+ struct fasync_struct *fasync;
+
+ struct tap_filter txflt;
+@@ -710,19 +710,10 @@ static ssize_t tun_get_user(struct tun_s
+ skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
+ break;
+ case VIRTIO_NET_HDR_GSO_UDP:
+- {
+- static bool warned;
+- if (!warned) {
+- warned = true;
+- netdev_warn(tun->dev,
+- "%s: using disabled UFO feature; please fix this program\n",
+- current->comm);
+- }
+ skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
+ if (skb->protocol == htons(ETH_P_IPV6))
+ ipv6_proxy_select_ident(skb);
+ break;
+- }
+ default:
+ tun->dev->stats.rx_frame_errors++;
+ kfree_skb(skb);
+@@ -808,6 +799,8 @@ static ssize_t tun_put_user(struct tun_s
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
+ else if (sinfo->gso_type & SKB_GSO_TCPV6)
+ gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
++ else if (sinfo->gso_type & SKB_GSO_UDP)
++ gso.gso_type = VIRTIO_NET_HDR_GSO_UDP;
+ else {
+ pr_err("unexpected GSO type: "
+ "0x%x, gso_size %d, hdr_len %d\n",
+@@ -1231,6 +1224,11 @@ static int set_offload(struct tun_struct
+ features |= NETIF_F_TSO6;
+ arg &= ~(TUN_F_TSO4|TUN_F_TSO6);
+ }
++
++ if (arg & TUN_F_UFO) {
++ features |= NETIF_F_UFO;
++ arg &= ~TUN_F_UFO;
++ }
+ }
+
+ /* This gives the user a way to test for new features in future by
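Review bot: the commit message gives two different ids for the reverted change: the body says 88e0e0e5aa722b193c8758c8b45d041de5316924 but the Fixes: line says 88e0e0e5aa7a, which is not a prefix of that hash, so one of the two is mistyped. The message also reads "never kernel version" where "newer" is presumably meant, and unlike the other two patches it carries no Origin: line. In the code, the macvtap_skb_to_vnet_hdr hunk keeps `BUG()` as the fallback for an unrecognised GSO type while tun_put_user logs with `pr_err`; with SKB_GSO_UDP handled again that branch is harder to reach, but the difference between the two drivers deserves a comment.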
Modified: dists/wheezy/linux/debian/patches/series
==============================================================================
--- dists/wheezy/linux/debian/patches/series Sat Dec 27 17:47:17 2014 (r22229)
+++ dists/wheezy/linux/debian/patches/series Sat Dec 27 18:04:58 2014 (r22230)
@@ -1136,6 +1136,9 @@
bugfix/all/drivers-net-disable-ufo-through-virtio.patch
bugfix/all/drivers-net-ipv6-select-ipv6-fragment-idents-for-vir.patch
debian/drivers-net-avoid-abi-change-for-ufo-ipv6-fix.patch
+bugfix/all/revert-drivers-net-disable-ufo-through-virtio-in-macvtap-and-tun.patch
+bugfix/all/net-sctp-fix-NULL-pointer-dereference-in-af-from_add.patch
+bugfix/all/media-ttusb-dec-buffer-overflow-in-ioctl.patch
debian/regulatory-avoid-abi-change-in-3.2.64.patch
debian/ceph-avoid-abi-change-in-3.2.64.patch
debian/perf-avoid-abi-change-in-3.2.65.patch