[kernel] r21662 - in dists/wheezy/linux: . debian debian/patches debian/patches/bugfix/all debian/patches/bugfix/s390
Ben Hutchings
benh at moszumanska.debian.org
Thu Jul 31 03:23:31 UTC 2014
Author: benh
Date: Thu Jul 31 03:23:30 2014
New Revision: 21662
Log:
Merge changes from wheezy-security up to 3.2.60-1+deb7u3
Added:
dists/wheezy/linux/debian/patches/bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
- copied unchanged from r21624, dists/wheezy-security/linux/debian/patches/bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
dists/wheezy/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
- copied unchanged from r21624, dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
Modified:
dists/wheezy/linux/ (props changed)
dists/wheezy/linux/debian/changelog
dists/wheezy/linux/debian/patches/series
Modified: dists/wheezy/linux/debian/changelog
==============================================================================
--- dists/wheezy/linux/debian/changelog Thu Jul 31 03:19:57 2014 (r21661)
+++ dists/wheezy/linux/debian/changelog Thu Jul 31 03:23:30 2014 (r21662)
@@ -55,7 +55,6 @@
- netlink: rate-limit leftover bytes warning and print process name
- net: tunnels - enable module autoloading
- net: fix inet_getid() and ipv6_select_ident() bugs
- - sctp: Fix sk_ack_backlog wrap-around problem
- target: Explicitly clear ramdisk_mcp backend pages
- iommu/vt-d: Fix missing IOTLB flush in intel_iommu_unmap()
@@ -72,6 +71,14 @@
-- Ben Hutchings <ben at decadent.org.uk> Mon, 21 Jul 2014 02:42:10 +0100
+linux (3.2.60-1+deb7u3) wheezy-security; urgency=medium
+
+ * net/l2tp: don't fall back on UDP [get|set]sockopt (CVE-2014-4943)
+ * sctp: Fix sk_ack_backlog wrap-around problem (CVE-2014-4667)
+ * [s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534) (Closes: #728705)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Wed, 23 Jul 2014 13:12:02 +0100
+
linux (3.2.60-1+deb7u2) wheezy-security; urgency=medium
* Revert "net: ipv4: ip_forward: fix inverted local_df test"
Copied: dists/wheezy/linux/debian/patches/bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch (from r21624, dists/wheezy-security/linux/debian/patches/bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch Thu Jul 31 03:23:30 2014 (r21662, copy of r21624, dists/wheezy-security/linux/debian/patches/bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch)
@@ -0,0 +1,49 @@
+From: Sasha Levin <sasha.levin at oracle.com>
+Date: Mon, 14 Jul 2014 17:02:31 -0700
+Subject: net/l2tp: don't fall back on UDP [get|set]sockopt
+Origin: https://git.kernel.org/linus/3cf521f7dc87c031617fd47e4b7aa2593c2f3daf
+
+The l2tp [get|set]sockopt() code has fallen back to the UDP functions
+for socket option levels != SOL_PPPOL2TP since day one, but that has
+never actually worked, since the l2tp socket isn't an inet socket.
+
+As David Miller points out:
+
+ "If we wanted this to work, it'd have to look up the tunnel and then
+ use tunnel->sk, but I wonder how useful that would be"
+
+Since this can never have worked so nobody could possibly have depended
+on that functionality, just remove the broken code and return -EINVAL.
+
+Reported-by: Sasha Levin <sasha.levin at oracle.com>
+Acked-by: James Chapman <jchapman at katalix.com>
+Acked-by: David Miller <davem at davemloft.net>
+Cc: Phil Turnbull <phil.turnbull at oracle.com>
+Cc: Vegard Nossum <vegard.nossum at oracle.com>
+Cc: Willy Tarreau <w at 1wt.eu>
+Cc: stable at vger.kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ net/l2tp/l2tp_ppp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/l2tp/l2tp_ppp.c
++++ b/net/l2tp/l2tp_ppp.c
+@@ -1351,7 +1351,7 @@ static int pppol2tp_setsockopt(struct so
+ int err;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.setsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (optlen < sizeof(int))
+ return -EINVAL;
+@@ -1477,7 +1477,7 @@ static int pppol2tp_getsockopt(struct so
+ struct pppol2tp_session *ps;
+
+ if (level != SOL_PPPOL2TP)
+- return udp_prot.getsockopt(sk, level, optname, optval, optlen);
++ return -EINVAL;
+
+ if (get_user(len, (int __user *) optlen))
+ return -EFAULT;
Copied: dists/wheezy/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch (from r21624, dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch Thu Jul 31 03:23:30 2014 (r21662, copy of r21624, dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch)
@@ -0,0 +1,40 @@
+From: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Mon, 23 Jun 2014 14:43:06 +0200
+Subject: s390/ptrace: fix PSW mask check
+
+The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
+For the default user_mode=home address space layout the psw_user_bits
+variable has the home space address-space-control bits set. But the
+PSW_MASK_USER contains PSW_MASK_ASC, the ptrace validity check for the
+PSW mask will therefore always fail.
+
+Fixes CVE-2014-3534
+
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+---
+
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -292,7 +292,9 @@ static int __poke_user(struct task_struc
+ * psw and gprs are stored on the stack
+ */
+ if (addr == (addr_t) &dummy->regs.psw.mask &&
+- ((data & ~PSW_MASK_USER) != psw_user_bits ||
++ (((data^psw_user_bits) & ~PSW_MASK_USER) ||
++ (((data^psw_user_bits) & PSW_MASK_ASC) &&
++ ((data|psw_user_bits) & PSW_MASK_ASC) == PSW_MASK_ASC) ||
+ ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))))
+ /* Invalid psw mask. */
+ return -EINVAL;
+@@ -595,7 +597,10 @@ static int __poke_user_compat(struct tas
+ */
+ if (addr == (addr_t) &dummy32->regs.psw.mask) {
+ /* Build a 64 bit psw mask from 31 bit mask. */
+- if ((tmp & ~PSW32_MASK_USER) != psw32_user_bits)
++ if (((tmp^psw32_user_bits) & ~PSW32_MASK_USER) ||
++ (((tmp^psw32_user_bits) & PSW32_MASK_ASC) &&
++ ((tmp|psw32_user_bits) & PSW32_MASK_ASC)
++ == PSW32_MASK_ASC))
+ /* Invalid psw mask. */
+ return -EINVAL;
+ regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
Modified: dists/wheezy/linux/debian/patches/series
==============================================================================
--- dists/wheezy/linux/debian/patches/series Thu Jul 31 03:19:57 2014 (r21661)
+++ dists/wheezy/linux/debian/patches/series Thu Jul 31 03:23:30 2014 (r21662)
@@ -1126,6 +1126,8 @@
bugfix/all/revert-net-ipv4-ip_forward-fix-inverted-local_df-tes.patch
bugfix/all/revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch
+bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
+bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
debian/irq-avoid-abi-change-in-3.2.61.patch
debian/ptrace-avoid-abi-change-in-3.2.61.patch
debian/trace-syscall-avoid-abi-change-in-3.2.61.patch
More information about the Kernel-svn-changes
mailing list