[kernel] r22933 - in dists/wheezy/linux: . debian debian/patches debian/patches/bugfix/all debian/patches/bugfix/x86

Ben Hutchings benh at moszumanska.debian.org
Fri Aug 7 18:47:01 UTC 2015


Author: benh
Date: Fri Aug  7 18:47:01 2015
New Revision: 22933

Log:
Merge changes from wheezy-security up to 3.2.68-1+deb7u3

Added:
   dists/wheezy/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
   dists/wheezy/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
   dists/wheezy/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
   dists/wheezy/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
   dists/wheezy/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch
   dists/wheezy/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
   dists/wheezy/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
   dists/wheezy/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
   dists/wheezy/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
   dists/wheezy/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
   dists/wheezy/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
      - copied unchanged from r22927, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
Modified:
   dists/wheezy/linux/   (props changed)
   dists/wheezy/linux/debian/changelog
   dists/wheezy/linux/debian/patches/series

Modified: dists/wheezy/linux/debian/changelog
==============================================================================
--- dists/wheezy/linux/debian/changelog	Tue Aug  4 23:37:34 2015	(r22932)
+++ dists/wheezy/linux/debian/changelog	Fri Aug  7 18:47:01 2015	(r22933)
@@ -1,4 +1,26 @@
-linux (3.2.68-2) UNRELEASED; urgency=medium
+linux (3.2.68-1+deb7u3) wheezy-security; urgency=medium
+
+  * udp: fix behavior of wrong checksums (CVE-2015-5364, CVE-2015-5366)
+  * sctp: fix ASCONF list handling (CVE-2015-3212)
+  * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
+  * sg_start_req(): make sure that there's not too many elements in iovec
+    (CVE-2015-5707)
+  * md: use kzalloc() when bitmap is disabled (CVE-2015-5697)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Tue, 04 Aug 2015 02:41:28 +0100
+
+linux (3.2.68-1+deb7u2) wheezy-security; urgency=high
+
+  * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
+    (CVE-2015-1805)
+  * udf: Remove repeated loads blocksize
+  * udf: Check length of extended attributes and allocation descriptors
+    (CVE-2015-4167)
+  * ipv4: Missing sk_nulls_node_init() in ping_unhash(). (CVE-2015-3636)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Mon, 15 Jun 2015 09:52:46 +0100
+
+linux (3.2.68-1+deb7u1) wheezy-security; urgency=high
 
   * IB/core: Prevent integer overflow in ib_umem_get address arithmetic
     (CVE-2014-8159)
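Review bot: the first line of this hunk rewrites the pending `linux (3.2.68-2) UNRELEASED` header into the released `linux (3.2.68-1+deb7u1)` entry and leaves `3.2.68-1+deb7u3` as the top entry, so the wheezy branch is left without any UNRELEASED entry; a fresh `3.2.68-2` (or later) UNRELEASED entry should be opened before the next non-security wheezy upload, otherwise a build from this branch would carry a version that has already been published via wheezy-security.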
@@ -11,8 +33,12 @@
   * [amd64] asm/entry: Remove a bogus 'ret_from_fork' optimization
     (CVE-2015-2830)
   * ipv6: Don't reduce hop limit for an interface (CVE-2015-2922)
+  * [x86] crypto: aesni - fix memory usage in GCM decryption (Closes: #782561)
+    (CVE-2015-3331)
+  * fs: take i_mutex during prepare_binprm for set[ug]id executables
+    (CVE-2015-3339)
 
- -- Ben Hutchings <ben at decadent.org.uk>  Mon, 13 Apr 2015 00:33:14 +0100
+ -- Ben Hutchings <ben at decadent.org.uk>  Fri, 24 Apr 2015 16:21:37 +0100
 
 linux (3.2.68-1) wheezy; urgency=medium
 

Copied: dists/wheezy/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch)
@@ -0,0 +1,105 @@
+From: Jann Horn <jann at thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+Origin: https://git.kernel.org/linus/8b01fc86b9f425899f8a3a8fc1c47d73c2c20543
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Signed-off-by: Jann Horn <jann at thejh.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2:
+ - Drop the task_no_new_privs() and user namespace checks
+ - Open-code file_inode()
+ - s/READ_ONCE/ACCESS_ONCE/
+ - Adjust context]
+---
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1282,6 +1282,45 @@ int check_unsafe_exec(struct linux_binpr
+ 	return res;
+ }
+ 
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++	struct inode *inode;
++	unsigned int mode;
++	uid_t uid;
++	gid_t gid;
++
++	/* clear any previous set[ug]id data from a previous binary */
++	bprm->cred->euid = current_euid();
++	bprm->cred->egid = current_egid();
++
++	if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++		return;
++
++	inode = bprm->file->f_path.dentry->d_inode;
++	mode = ACCESS_ONCE(inode->i_mode);
++	if (!(mode & (S_ISUID|S_ISGID)))
++		return;
++
++	/* Be careful if suid/sgid is set */
++	mutex_lock(&inode->i_mutex);
++
++	/* reload atomically mode/uid/gid now that lock held */
++	mode = inode->i_mode;
++	uid = inode->i_uid;
++	gid = inode->i_gid;
++	mutex_unlock(&inode->i_mutex);
++
++	if (mode & S_ISUID) {
++		bprm->per_clear |= PER_CLEAR_ON_SETID;
++		bprm->cred->euid = uid;
++	}
++
++	if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++		bprm->per_clear |= PER_CLEAR_ON_SETID;
++		bprm->cred->egid = gid;
++	}
++}
++
+ /* 
+  * Fill the binprm structure from the inode. 
+  * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
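Review bot: the unlocked `mode = ACCESS_ONCE(inode->i_mode)` test in bprm_fill_uid() is a fast path only and fails safe: a binary that gains S_ISUID/S_ISGID after that read is simply executed with the caller's own euid/egid, while the values actually consumed are `mode`, `uid` and `gid` re-read together under `i_mutex`, which is what removes the chown()/execve() window described in the log. Note also that the euid/egid reset at the top of the function runs before the `MNT_NOSUID` early return, so stale set[ug]id data from a previous binary is still cleared on nosuid mounts; that ordering should be preserved if the function is touched again.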
+@@ -1290,36 +1329,12 @@ int check_unsafe_exec(struct linux_binpr
+  */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+-	umode_t mode;
+-	struct inode * inode = bprm->file->f_path.dentry->d_inode;
+ 	int retval;
+ 
+-	mode = inode->i_mode;
+ 	if (bprm->file->f_op == NULL)
+ 		return -EACCES;
+ 
+-	/* clear any previous set[ug]id data from a previous binary */
+-	bprm->cred->euid = current_euid();
+-	bprm->cred->egid = current_egid();
+-
+-	if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)) {
+-		/* Set-uid? */
+-		if (mode & S_ISUID) {
+-			bprm->per_clear |= PER_CLEAR_ON_SETID;
+-			bprm->cred->euid = inode->i_uid;
+-		}
+-
+-		/* Set-gid? */
+-		/*
+-		 * If setgid is set but no group execute bit then this
+-		 * is a candidate for mandatory locking, not a setgid
+-		 * executable.
+-		 */
+-		if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+-			bprm->per_clear |= PER_CLEAR_ON_SETID;
+-			bprm->cred->egid = inode->i_gid;
+-		}
+-	}
++	bprm_fill_uid(bprm);
+ 
+ 	/* fill in binprm security blob */
+ 	retval = security_bprm_set_creds(bprm);
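Review bot: the removed block drops the comment explaining the combined `(S_ISGID | S_IXGRP)` test (`If setgid is set but no group execute bit then this` / `is a candidate for mandatory locking, not a setgid` / `executable.`) and bprm_fill_uid() does not carry it over; suggest restoring those lines above the corresponding test in the new function so the reason for checking S_IXGRP alongside S_ISGID stays documented. Moving the `bprm->file->f_op == NULL` check ahead of any inode access is fine, since the old code read `inode->i_mode` before that check for no benefit.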

Copied: dists/wheezy/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch)
@@ -0,0 +1,27 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 1 May 2015 22:02:47 -0400
+Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash().
+Origin: https://git.kernel.org/linus/a134f083e79fb4c3d0a925691e732c56911b4326
+
+If we don't do that, then the poison value is left in the ->pprev
+backlink.
+
+This can cause crashes if we do a disconnect, followed by a connect().
+
+Tested-by: Linus Torvalds <torvalds at linux-foundation.org>
+Reported-by: Wen Xu <hotdog3645 at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/ping.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -139,6 +139,7 @@ static void ping_v4_unhash(struct sock *
+ 	if (sk_hashed(sk)) {
+ 		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
++		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
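Review bot: the added `sk_nulls_node_init(&sk->sk_nulls_node)` directly after `hlist_nulls_del()` is the right fix for the disconnect-then-connect crash in the log, because it leaves the node in its initialised (unhashed) state instead of the poison value the delete writes into `->pprev`; a one-line comment saying so would help, since nothing else in this function hints that the same socket may be re-hashed later.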

Copied: dists/wheezy/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch)
@@ -0,0 +1,47 @@
+From: Benjamin Randazzo <benjamin at randazzo.fr>
+Date: Sat, 25 Jul 2015 16:36:50 +0200
+Subject: md: use kzalloc() when bitmap is disabled
+Origin: http://git.neil.brown.name/?p=md.git;a=commit;h=77ba0569d4c8389c0a2162ab0c7c16a6f3b199e4
+
+In drivers/md/md.c get_bitmap_file() uses kmalloc() for creating a
+mdu_bitmap_file_t called "file".
+
+5769         file = kmalloc(sizeof(*file), GFP_NOIO);
+5770         if (!file)
+5771                 return -ENOMEM;
+
+This structure is copied to user space at the end of the function.
+
+5786         if (err == 0 &&
+5787             copy_to_user(arg, file, sizeof(*file)))
+5788                 err = -EFAULT
+
+But if bitmap is disabled only the first byte of "file" is initialized
+with zero, so it's possible to read some bytes (up to 4095) of kernel
+space memory from user space. This is an information leak.
+
+5775         /* bitmap disabled, zero the first byte and copy out */
+5776         if (!mddev->bitmap_info.file)
+5777                 file->pathname[0] = '\0';
+
+Signed-off-by: Benjamin Randazzo <benjamin at randazzo.fr>
+Signed-off-by: NeilBrown <neilb at suse.com>
+[bwh: Backported to 3.2:
+ - Don't touch anything but the allocation call, as the following code is
+   significantly different here
+ - Patch both possible allocation calls]
+---
+--- a/drivers/md/md.c
++++ b/drivers/md/md.c
+@@ -5384,9 +5384,9 @@ static int get_bitmap_file(struct mddev
+ 	int err = -ENOMEM;
+ 
+ 	if (md_allow_write(mddev))
+-		file = kmalloc(sizeof(*file), GFP_NOIO);
++		file = kzalloc(sizeof(*file), GFP_NOIO);
+ 	else
+-		file = kmalloc(sizeof(*file), GFP_KERNEL);
++		file = kzalloc(sizeof(*file), GFP_KERNEL);
+ 
+ 	if (!file)
+ 		goto out;
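Review bot: with both branches now calling kzalloc(), the only difference left is the GFP flag, so the if/else could collapse to `file = kzalloc(sizeof(*file), md_allow_write(mddev) ? GFP_NOIO : GFP_KERNEL);` (md_allow_write() is still evaluated exactly once). Functionally the change is the right minimal backport: zeroing the whole allocation means the `copy_to_user(arg, file, sizeof(*file))` quoted in the log can no longer expose uninitialised heap bytes, whichever branch the bitmap check takes.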

Copied: dists/wheezy/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch)
@@ -0,0 +1,178 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 15 Jun 2015 03:51:55 +0100
+Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
+ as non-atomic
+
+pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
+the first time atomically and the second time not.  The second attempt
+needs to continue from the iovec position, pipe buffer offset and
+remaining length where the first attempt failed, but currently the
+pipe buffer offset and remaining length are reset.  This will corrupt
+the piped data (possibly also leading to an information leak between
+processes) and may also corrupt kernel memory.
+
+This was fixed upstream by commits f0d1bec9d58d ("new helper:
+copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
+copy_page_to_iter()"), but those aren't suitable for stable.  This fix
+for older kernel versions was made by Seth Jennings for RHEL and I
+have extracted it from their update.
+
+CVE-2015-1805
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
+Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -103,25 +103,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+ 
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+-			int atomic)
++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
++			size_t *remaining, int atomic)
+ {
+ 	unsigned long copy;
+ 
+-	while (len > 0) {
++	while (*remaining > 0) {
+ 		while (!iov->iov_len)
+ 			iov++;
+-		copy = min_t(unsigned long, len, iov->iov_len);
++		copy = min_t(unsigned long, *remaining, iov->iov_len);
+ 
+ 		if (atomic) {
+-			if (__copy_from_user_inatomic(to, iov->iov_base, copy))
++			if (__copy_from_user_inatomic(addr + *offset,
++						      iov->iov_base, copy))
+ 				return -EFAULT;
+ 		} else {
+-			if (copy_from_user(to, iov->iov_base, copy))
++			if (copy_from_user(addr + *offset,
++					   iov->iov_base, copy))
+ 				return -EFAULT;
+ 		}
+-		to += copy;
+-		len -= copy;
++		*offset += copy;
++		*remaining -= copy;
+ 		iov->iov_base += copy;
+ 		iov->iov_len -= copy;
+ 	}
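Review bot: `offset` is passed as `int *` while `remaining` is `size_t *`, so `*offset += copy` accumulates an `unsigned long` into a signed int; it is harmless here only because pipe offsets never exceed PAGE_SIZE (the merge path bounds them with `offset + chars <= PAGE_SIZE`), but `size_t *offset` would make the two in/out parameters consistent and avoid the signed/unsigned accumulation. The in/out design itself is what the fix needs: because `*offset` and `*remaining` are updated as each segment is copied, a retry after a partial atomic copy resumes at the right page offset with the right residual length instead of restarting from the original values.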
+@@ -129,25 +131,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ }
+ 
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+-		      int atomic)
++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
++		      size_t *remaining, int atomic)
+ {
+ 	unsigned long copy;
+ 
+-	while (len > 0) {
++	while (*remaining > 0) {
+ 		while (!iov->iov_len)
+ 			iov++;
+-		copy = min_t(unsigned long, len, iov->iov_len);
++		copy = min_t(unsigned long, *remaining, iov->iov_len);
+ 
+ 		if (atomic) {
+-			if (__copy_to_user_inatomic(iov->iov_base, from, copy))
++			if (__copy_to_user_inatomic(iov->iov_base,
++						    addr + *offset, copy))
+ 				return -EFAULT;
+ 		} else {
+-			if (copy_to_user(iov->iov_base, from, copy))
++			if (copy_to_user(iov->iov_base,
++					 addr + *offset, copy))
+ 				return -EFAULT;
+ 		}
+-		from += copy;
+-		len -= copy;
++		*offset += copy;
++		*remaining -= copy;
+ 		iov->iov_base += copy;
+ 		iov->iov_len -= copy;
+ 	}
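Review bot: the source pointer loses its qualifier here, `const void *from` becomes `void *addr`, although the function only reads from `addr + *offset`; suggest `const void *addr` so the compiler keeps enforcing that the to-user path never writes into the pipe page (the from-user variant is correctly non-const because there the page is the destination).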
+@@ -383,7 +387,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 			struct pipe_buffer *buf = pipe->bufs + curbuf;
+ 			const struct pipe_buf_operations *ops = buf->ops;
+ 			void *addr;
+-			size_t chars = buf->len;
++			size_t chars = buf->len, remaining;
+ 			int error, atomic;
+ 
+ 			if (chars > total_len)
+@@ -397,9 +401,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 			}
+ 
+ 			atomic = !iov_fault_in_pages_write(iov, chars);
++			remaining = chars;
+ redo:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
++			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++						      &remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			if (unlikely(error)) {
+ 				/*
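Review bot: passing `&buf->offset` straight into pipe_iov_copy_to_user() advances the pipe buffer's own offset as each segment is copied, which is what lets the `redo:` retry resume correctly, but on the non-atomic failure path (the `break` at the top of the next hunk) `buf->offset` stays advanced by the partially copied bytes while the `buf->len -= chars` on the success path is never reached, leaving offset and len inconsistent for the next reader. Worth confirming that this cannot make a later read step past the data (or the page) written into the buffer; the safer shape is to resume from a local `offset` initialised from `buf->offset` before `redo:` and write it back to `buf->offset` only on the success path, together with the `buf->len -= chars`.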
+@@ -414,7 +420,6 @@ redo:
+ 				break;
+ 			}
+ 			ret += chars;
+-			buf->offset += chars;
+ 			buf->len -= chars;
+ 
+ 			/* Was it a packet buffer? Clean up and exit */
+@@ -521,6 +526,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 		if (ops->can_merge && offset + chars <= PAGE_SIZE) {
+ 			int error, atomic = 1;
+ 			void *addr;
++			size_t remaining = chars;
+ 
+ 			error = ops->confirm(pipe, buf);
+ 			if (error)
+@@ -529,8 +535,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 			iov_fault_in_pages_read(iov, chars);
+ redo1:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_from_user(offset + addr, iov,
+-							chars, atomic);
++			error = pipe_iov_copy_from_user(addr, &offset, iov,
++							&remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			ret = error;
+ 			do_wakeup = 1;
+@@ -565,6 +571,8 @@ redo1:
+ 			struct page *page = pipe->tmp_page;
+ 			char *src;
+ 			int error, atomic = 1;
++			int offset = 0;
++			size_t remaining;
+ 
+ 			if (!page) {
+ 				page = alloc_page(GFP_HIGHUSER);
+@@ -585,14 +593,15 @@ redo1:
+ 				chars = total_len;
+ 
+ 			iov_fault_in_pages_read(iov, chars);
++			remaining = chars;
+ redo2:
+ 			if (atomic)
+ 				src = kmap_atomic(page, KM_USER0);
+ 			else
+ 				src = kmap(page);
+ 
+-			error = pipe_iov_copy_from_user(src, iov, chars,
+-							atomic);
++			error = pipe_iov_copy_from_user(src, &offset, iov,
++							&remaining, atomic);
+ 			if (atomic)
+ 				kunmap_atomic(src, KM_USER0);
+ 			else

Copied: dists/wheezy/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/sctp-fix-asconf-list-handling.patch)
@@ -0,0 +1,176 @@
+From: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Date: Fri, 12 Jun 2015 10:16:41 -0300
+Subject: sctp: fix ASCONF list handling
+Origin: https://git.kernel.org/linus/2d45a02d0166caf2627fe91897c6ffc3b19514c4
+
+->auto_asconf_splist is per namespace and mangled by functions like
+sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
+
+Also, the call to inet_sk_copy_descendant() was backuping
+->auto_asconf_list through the copy but was not honoring
+->do_auto_asconf, which could lead to list corruption if it was
+different between both sockets.
+
+This commit thus fixes the list handling by using ->addr_wq_lock
+spinlock to protect the list. A special handling is done upon socket
+creation and destruction for that. Error handlig on sctp_init_sock()
+will never return an error after having initialized asconf, so
+sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
+will be take on sctp_close_sock(), before locking the socket, so we
+don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
+
+Instead of taking the lock on sctp_sock_migrate() for copying and
+restoring the list values, it's preferred to avoid rewritting it by
+implementing sctp_copy_descendant().
+
+Issue was found with a test application that kept flipping sysctl
+default_auto_asconf on and off, but one could trigger it by issuing
+simultaneous setsockopt() calls on multiple sockets or by
+creating/destroying sockets fast enough. This is only triggerable
+locally.
+
+Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
+Reported-by: Ji Jianwen <jiji at redhat.com>
+Suggested-by: Neil Horman <nhorman at tuxdriver.com>
+Suggested-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Acked-by: Hannes Frederic Sowa <hannes at stressinduktion.org>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2:
+ - Adjust filename, context
+ - Most per-netns state is global]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/include/net/sctp/structs.h
++++ b/include/net/sctp/structs.h
+@@ -209,6 +209,7 @@ extern struct sctp_globals {
+ 	struct list_head addr_waitq;
+ 	struct timer_list addr_wq_timer;
+ 	struct list_head auto_asconf_splist;
++	/* Lock that protects both addr_waitq and auto_asconf_splist */
+ 	spinlock_t addr_wq_lock;
+ 
+ 	/* Lock that protects the local_addr_list writers */
+@@ -355,6 +356,10 @@ struct sctp_sock {
+ 	atomic_t pd_mode;
+ 	/* Receive to here while partial delivery is in effect. */
+ 	struct sk_buff_head pd_lobby;
++
++	/* These must be the last fields, as they will skipped on copies,
++	 * like on accept and peeloff operations
++	 */
+ 	struct list_head auto_asconf_list;
+ 	int do_auto_asconf;
+ };
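Review bot: the added comment has a grammatical slip, `as they will skipped on copies` should be `as they will be skipped on copies`; since this comment is the only documentation of the layout requirement that the offsetof()-based copy later in this patch depends on, it is worth getting the wording exactly right.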
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1539,8 +1539,10 @@ SCTP_STATIC void sctp_close(struct sock
+ 
+ 	/* Supposedly, no process has access to the socket, but
+ 	 * the net layers still may.
++	 * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
++	 * held and that should be grabbed before socket lock.
+ 	 */
+-	sctp_local_bh_disable();
++	spin_lock_bh(&sctp_globals.addr_wq_lock);
+ 	sctp_bh_lock_sock(sk);
+ 
+ 	/* Hold the sock, since sk_common_release() will put sock_put()
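Review bot: replacing `sctp_local_bh_disable()` with `spin_lock_bh(&sctp_globals.addr_wq_lock)` loses no BH protection, because spin_lock_bh() disables bottom halves itself, and taking addr_wq_lock before `sctp_bh_lock_sock(sk)` establishes the lock order the added comment states; the matching `spin_unlock_bh()` in the next hunk runs after `sctp_bh_unlock_sock(sk)`, so the order is unwound correctly. The lock is now held for every close, not only when `do_auto_asconf` is set, which is the simpler choice and avoids racing with a concurrent setsockopt flipping that flag.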
+@@ -1550,7 +1552,7 @@ SCTP_STATIC void sctp_close(struct sock
+ 	sk_common_release(sk);
+ 
+ 	sctp_bh_unlock_sock(sk);
+-	sctp_local_bh_enable();
++	spin_unlock_bh(&sctp_globals.addr_wq_lock);
+ 
+ 	sock_put(sk);
+ 
+@@ -3499,6 +3501,7 @@ static int sctp_setsockopt_auto_asconf(s
+ 	if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
+ 		return 0;
+ 
++	spin_lock_bh(&sctp_globals.addr_wq_lock);
+ 	if (val == 0 && sp->do_auto_asconf) {
+ 		list_del(&sp->auto_asconf_list);
+ 		sp->do_auto_asconf = 0;
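Review bot: the early `return 0` at the top of this hunk reads `sp->do_auto_asconf` before `spin_lock_bh(&sctp_globals.addr_wq_lock)` is taken; that is only safe if the caller already serialises this per-socket flag (i.e. the setsockopt path holds the socket lock), since addr_wq_lock here protects the global `sctp_auto_asconf_splist`, not the flag. Given that, the lock placement around the `list_del()`/`list_add_tail()` pair is correct; a short comment saying which lock covers which field would save the next reader the same question.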
+@@ -3507,6 +3510,7 @@ static int sctp_setsockopt_auto_asconf(s
+ 		    &sctp_auto_asconf_splist);
+ 		sp->do_auto_asconf = 1;
+ 	}
++	spin_unlock_bh(&sctp_globals.addr_wq_lock);
+ 	return 0;
+ }
+ 
+@@ -3942,18 +3946,28 @@ SCTP_STATIC int sctp_init_sock(struct so
+ 	local_bh_disable();
+ 	percpu_counter_inc(&sctp_sockets_allocated);
+ 	sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
++
++	/* Nothing can fail after this block, otherwise
++	 * sctp_destroy_sock() will be called without addr_wq_lock held
++	 */
+ 	if (sctp_default_auto_asconf) {
++		spin_lock(&sctp_globals.addr_wq_lock);
+ 		list_add_tail(&sp->auto_asconf_list,
+ 		    &sctp_auto_asconf_splist);
+ 		sp->do_auto_asconf = 1;
+-	} else
++		spin_unlock(&sctp_globals.addr_wq_lock);
++	} else {
+ 		sp->do_auto_asconf = 0;
++	}
++
+ 	local_bh_enable();
+ 
+ 	return 0;
+ }
+ 
+-/* Cleanup any SCTP per socket resources.  */
++/* Cleanup any SCTP per socket resources. Must be called with
++ * sctp_globals.addr_wq_lock held if sp->do_auto_asconf is true
++ */
+ SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
+ {
+ 	struct sctp_sock *sp;
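Review bot: the new `spin_lock()`/`spin_unlock()` pair is the non-_bh variant and is correct only because it sits inside the existing `local_bh_disable()` ... `local_bh_enable()` bracket; the other new users in this patch (sctp_close(), sctp_setsockopt_auto_asconf()) use `spin_lock_bh()`, so if the BH bracket in sctp_init_sock() is ever narrowed this site must switch to the _bh form. The `Nothing can fail after this block` comment is an invariant that future error-path changes must preserve, since the updated comment on sctp_destroy_sock() expects addr_wq_lock to be held whenever `do_auto_asconf` is set.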
+@@ -6713,6 +6727,19 @@ void sctp_copy_sock(struct sock *newsk,
+ 	newinet->mc_list = NULL;
+ }
+ 
++static inline void sctp_copy_descendant(struct sock *sk_to,
++					const struct sock *sk_from)
++{
++	int ancestor_size = sizeof(struct inet_sock) +
++			    sizeof(struct sctp_sock) -
++			    offsetof(struct sctp_sock, auto_asconf_list);
++
++	if (sk_from->sk_family == PF_INET6)
++		ancestor_size += sizeof(struct ipv6_pinfo);
++
++	__inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
++}
++
+ /* Populate the fields of the newsk from the oldsk and migrate the assoc
+  * and its messages to the newsk.
+  */
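Review bot: `ancestor_size` is computed as `sizeof(struct sctp_sock) - offsetof(struct sctp_sock, auto_asconf_list)`, so the copy silently relies on `auto_asconf_list` and `do_auto_asconf` being the final members of struct sctp_sock, exactly as the structs.h comment requests; a `BUILD_BUG_ON()` on those offsets next to this computation (allowing for trailing padding) would make a future reordering fail at compile time instead of corrupting the list on accept/peeloff. The `PF_INET6` adjustment mirrors the ancestor-size logic that inet_sk_copy_descendant() would otherwise apply, which is why the open-coded `__inet_sk_copy_descendant()` call is needed here.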
+@@ -6727,7 +6754,6 @@ static void sctp_sock_migrate(struct soc
+ 	struct sk_buff *skb, *tmp;
+ 	struct sctp_ulpevent *event;
+ 	struct sctp_bind_hashbucket *head;
+-	struct list_head tmplist;
+ 
+ 	/* Migrate socket buffer sizes and all the socket level options to the
+ 	 * new socket.
+@@ -6735,12 +6761,7 @@ static void sctp_sock_migrate(struct soc
+ 	newsk->sk_sndbuf = oldsk->sk_sndbuf;
+ 	newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
+ 	/* Brute force copy old sctp opt. */
+-	if (oldsp->do_auto_asconf) {
+-		memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
+-		inet_sk_copy_descendant(newsk, oldsk);
+-		memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
+-	} else
+-		inet_sk_copy_descendant(newsk, oldsk);
++	sctp_copy_descendant(newsk, oldsk);
+ 
+ 	/* Restore the ep value that was overwritten with the above structure
+ 	 * copy.

Copied: dists/wheezy/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch)
@@ -0,0 +1,34 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sat, 21 Mar 2015 20:08:18 -0400
+Subject: sg_start_req(): make sure that there's not too many elements in iovec
+Origin: https://git.kernel.org/linus/451a2886b6bf90e2fb378f7c46c655450fb96e81
+
+unfortunately, allowing an arbitrary 16bit value means a possibility of
+overflow in the calculation of total number of pages in bio_map_user_iov() -
+we rely on there being no more than PAGE_SIZE members of sum in the
+first loop there.  If that sum wraps around, we end up allocating
+too small array of pointers to pages and it's easy to overflow it in
+the second loop.
+
+X-Coverup: TINC (and there's no lumber cartel either)
+Cc: stable at vger.kernel.org # way, way back
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+[bwh: s/MAX_UIOVEC/UIO_MAXIOV/. This was fixed upstream by commit
+ fdc81f45e9f5 ("sg_start_req(): use import_iovec()"), but we don't have
+ that function.]
+---
+ drivers/scsi/sg.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -1687,6 +1687,9 @@ static int sg_start_req(Sg_request *srp,
+ 			md->from_user = 0;
+ 	}
+ 
++	if (unlikely(iov_count > UIO_MAXIOV))
++		return -EINVAL;
++
+ 	if (iov_count) {
+ 		int len, size = sizeof(struct sg_iovec) * iov_count;
+ 		struct iovec *iov;
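Review bot: the `iov_count > UIO_MAXIOV` check is in the right place, before the `sizeof(struct sg_iovec) * iov_count` size computation and the page-count arithmetic in bio_map_user_iov() that the log describes as overflowable, and `-EINVAL` matches what the generic vector I/O paths return for an oversized iovec. One readability point: a one-line comment referencing the bio page-count overflow would explain why an otherwise valid 16-bit count is rejected here rather than at the bio layer.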

Copied: dists/wheezy/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch)
@@ -0,0 +1,43 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+Origin: https://git.kernel.org/linus/925cab7b6a683f791644dfde345f91e87017a023
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Backported to 3.16: use make_bad_inode() instead of returning error]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 5c996c1..e081440 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1401,6 +1401,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 							iinfo->i_lenEAttr;
+ 	}
+ 
++	/*
++	 * Sanity check length of allocation descriptors and extended attrs to
++	 * avoid integer overflows
++	 */
++	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
++	/* Now do exact checks */
++	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
+ 	/* Sanity checks for files in ICB so that we don't get confused later */
+ 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ 		/*
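Review bot: the new checks use `bs`, which is only introduced by the preceding udf-remove-repeated-loads-blocksize.patch, so the two patches must keep that order in debian/patches/series (the series hunk is not included in this message, so worth a second look). The two-stage check itself is sound: bounding `i_lenEAttr` and `i_lenAlloc` by `bs` first guarantees the later `udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc` sum cannot wrap, and per the backport note failures are reported with make_bad_inode() rather than an error return, consistent with the surrounding 3.2 code.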

Copied: dists/wheezy/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch)
@@ -0,0 +1,85 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:46:16 +0100
+Subject: udf: Remove repeated loads blocksize
+Origin: https://git.kernel.org/linus/79144954278d4bb5989f8b903adcac7a20ff2a5a
+
+Store blocksize in a local variable in udf_fill_inode() since it is used
+a lot of times.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Needed for the following fix. Backported to 3.16: adjust context.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 2a706bb..5c996c1 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1271,6 +1271,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
+ 	unsigned int link_count;
++	int bs = inode->i_sb->s_blocksize;
+ 
+ 	fe = (struct fileEntry *)bh->b_data;
+ 	efe = (struct extendedFileEntry *)bh->b_data;
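Review bot: `bs` is declared `int` but is initialised from `inode->i_sb->s_blocksize`, which is an `unsigned long`, and the follow-up patch compares it against unsigned length fields; the values fit, but `unsigned int bs` (or `unsigned long`) would keep those comparisons in one signedness domain and avoid a -Wsign-compare warning. Otherwise this is a pure refactor preparing for the length checks, as the backport note says.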
+@@ -1291,41 +1292,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ 		iinfo->i_efe = 1;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct extendedFileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct extendedFileEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct extendedFileEntry));
++		       bs - sizeof(struct extendedFileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+-						sizeof(struct fileEntry))) {
++		if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct fileEntry),
+-		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++		       bs - sizeof(struct fileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 1;
+ 		iinfo->i_lenAlloc = le32_to_cpu(
+ 				((struct unallocSpaceEntry *)bh->b_data)->
+ 				 lengthAllocDescs);
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct unallocSpaceEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct unallocSpaceEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct unallocSpaceEntry));
++		       bs - sizeof(struct unallocSpaceEntry));
+ 		return;
+ 	}
+ 
+@@ -1414,8 +1412,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 			return;
+ 		}
+ 		/* File in ICB has to fit in there... */
+-		if (inode->i_size > inode->i_sb->s_blocksize -
+-					udf_file_entry_alloc_offset(inode)) {
++		if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
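Review bot: the rewritten check `inode->i_size > bs - udf_file_entry_alloc_offset(inode)` now rejects an in-ICB file whose allocation offset alone exceeds the block (negative right-hand side), but it still does not bound the allocation-descriptor length itself; that is left to the follow-up patch this one is a prerequisite for, as the backport note says. Fine as a standalone refactor, provided the follow-up is applied with it.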

Copied: dists/wheezy/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/all/udp-fix-behavior-of-wrong-checksums.patch)
@@ -0,0 +1,58 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Sat, 30 May 2015 09:16:53 -0700
+Subject: udp: fix behavior of wrong checksums
+Origin: https://git.kernel.org/linus/beb39db59d14990e401e235faf66a6b9b31240b0
+
+We have two problems in UDP stack related to bogus checksums :
+
+1) We return -EAGAIN to application even if receive queue is not empty.
+   This breaks applications using edge trigger epoll()
+
+2) Under UDP flood, we can loop forever without yielding to other
+   processes, potentially hanging the host, especially on non SMP.
+
+This patch is an attempt to make things better.
+
+We might in the future add extra support for rt applications
+wanting to better control time spent doing a recv() in a hostile
+environment. For example we could validate checksums before queuing
+packets in socket receive queue.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/udp.c | 6 ++----
+ net/ipv6/udp.c | 6 ++----
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -1248,10 +1248,8 @@ csum_copy_err:
+ 		UDP_INC_STATS_USER(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
+ 	unlock_sock_fast(sk, slow);
+ 
+-	if (noblock)
+-		return -EAGAIN;
+-
+-	/* starting over for a new packet */
++	/* starting over for a new packet, but check if we need to yield */
++	cond_resched();
+ 	msg->msg_flags &= ~MSG_TRUNC;
+ 	goto try_again;
+ }
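Review bot: dropping `if (noblock) return -EAGAIN;` changes the contract for MSG_DONTWAIT callers: a bad-checksum datagram is now consumed and control goes back to `try_again` instead of reporting -EAGAIN, which is what lets edge-triggered epoll users see the next good packet. The `cond_resched()` is correctly placed after `unlock_sock_fast(sk, slow)`, so no lock is held across the yield; the remaining cost, acknowledged in the commit message, is that a non-blocking recv can still spend a long time draining bad packets under flood. Please document the new semantics in the recvmsg comment.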
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -451,10 +451,8 @@ csum_copy_err:
+ 	}
+ 	unlock_sock_fast(sk, slow);
+ 
+-	if (noblock)
+-		return -EAGAIN;
+-
+-	/* starting over for a new packet */
++	/* starting over for a new packet, but check if we need to yield */
++	cond_resched();
+ 	msg->msg_flags &= ~MSG_TRUNC;
+ 	goto try_again;
+ }
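Review bot: same change as the IPv4 hunk, so the same contract note applies; the one thing to double-check is that `noblock` is still consumed earlier in the IPv6 recvmsg path (the datagram receive call) so removing this use does not leave an unused-variable warning in the 3.2 backport.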

Copied: dists/wheezy/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch)
@@ -0,0 +1,61 @@
+From: Stephan Mueller <smueller at chronox.de>
+Date: Thu, 12 Mar 2015 09:17:51 +0100
+Subject: crypto: aesni - fix memory usage in GCM decryption
+Origin: https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a
+Bug-Debian: https://bugs.debian.org/782561
+
+The kernel crypto API logic requires the caller to provide the
+length of (ciphertext || authentication tag) as cryptlen for the
+AEAD decryption operation. Thus, the cipher implementation must
+calculate the size of the plaintext output itself and cannot simply use
+cryptlen.
+
+The RFC4106 GCM decryption operation tries to overwrite cryptlen memory
+in req->dst. As the destination buffer for decryption only needs to hold
+the plaintext memory but cryptlen references the input buffer holding
+(ciphertext || authentication tag), the assumption of the destination
+buffer length in RFC4106 GCM operation leads to a too large size. This
+patch simply uses the already calculated plaintext size.
+
+In addition, this patch fixes the offset calculation of the AAD buffer
+pointer: as mentioned before, cryptlen already includes the size of the
+tag. Thus, the tag does not need to be added. With the addition, the AAD
+will be written beyond the already allocated buffer.
+
+Note, this fixes a kernel crash that can be triggered from user space
+via AF_ALG(aead) -- simply use the libkcapi test application
+from [1] and update it to use rfc4106-gcm-aes.
+
+Using [1], the changes were tested using CAVS vectors to demonstrate
+that the crypto operation still delivers the right results.
+
+[1] http://www.chronox.de/libkcapi.html
+
+CC: Tadeusz Struk <tadeusz.struk at intel.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: Stephan Mueller <smueller at chronox.de>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ arch/x86/crypto/aesni-intel_glue.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/crypto/aesni-intel_glue.c
++++ b/arch/x86/crypto/aesni-intel_glue.c
+@@ -1203,7 +1203,7 @@ static int __driver_rfc4106_decrypt(stru
+ 		src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC);
+ 		if (!src)
+ 			return -ENOMEM;
+-		assoc = (src + req->cryptlen + auth_tag_len);
++		assoc = (src + req->cryptlen);
+ 		scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0);
+ 		scatterwalk_map_and_copy(assoc, req->assoc, 0,
+ 			req->assoclen, 0);
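Review bot: `assoc = (src + req->cryptlen);` is the only offset consistent with the `kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC)` two lines above: with the old `+ auth_tag_len`, the following `scatterwalk_map_and_copy(assoc, req->assoc, 0, req->assoclen, 0)` wrote auth_tag_len bytes past the allocation. A short comment at the kmalloc stating that cryptlen already includes the authentication tag would make the invariant obvious to the next reader.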
+@@ -1228,7 +1228,7 @@ static int __driver_rfc4106_decrypt(stru
+ 		scatterwalk_done(&src_sg_walk, 0, 0);
+ 		scatterwalk_done(&assoc_sg_walk, 0, 0);
+ 	} else {
+-		scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1);
++		scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1);
+ 		kfree(src);
+ 	}
+ 	return retval;
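Review bot: `tempCipherLen`, now used for the copy-out into req->dst, is computed above this hunk and is not visible here; please confirm it is req->cryptlen minus the tag length, so that the copy matches the plaintext size the commit message describes and no longer overruns a req->dst sized for plaintext only. The `kfree(src)` on this path is unchanged and still follows the copy, which is the right order.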

Copied: dists/wheezy/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch (from r22927, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch	Fri Aug  7 18:47:01 2015	(r22933, copy of r22927, dists/wheezy-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch)
@@ -0,0 +1,43 @@
+From: Alexei Starovoitov <ast at plumgrid.com>
+Date: Fri, 22 May 2015 15:42:55 -0700
+Subject: x86: bpf_jit: fix compilation of large bpf programs
+Origin: https://git.kernel.org/linus/3f7352bf21f8fd7ba3e2fcef9488756f188e12be
+
+x86 has variable length encoding. x86 JIT compiler is trying
+to pick the shortest encoding for given bpf instruction.
+While doing so the jump targets are changing, so JIT is doing
+multiple passes over the program. Typical program needs 3 passes.
+Some very short programs converge with 2 passes. Large programs
+may need 4 or 5. But specially crafted bpf programs may hit the
+pass limit and if the program converges on the last iteration
+the JIT compiler will be producing an image full of 'int 3' insns.
+Fix this corner case by doing final iteration over bpf program.
+
+Fixes: 0a14842f5a3c ("net: filter: Just In Time compiler for x86-64")
+Reported-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast at plumgrid.com>
+Tested-by: Daniel Borkmann <daniel at iogearbox.net>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/net/bpf_jit_comp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -150,7 +150,12 @@ void bpf_jit_compile(struct sk_filter *f
+ 	}
+ 	cleanup_addr = proglen; /* epilogue address */
+ 
+-	for (pass = 0; pass < 10; pass++) {
++	/* JITed image shrinks with every pass and the loop iterates
++	 * until the image stops shrinking. Very large bpf programs
++	 * may converge on the last pass. In such case do one more
++	 * pass to emit the final image
++	 */
++	for (pass = 0; pass < 10 || image; pass++) {
+ 		u8 seen_or_pass0 = (pass == 0) ? (SEEN_XREG | SEEN_DATAREF | SEEN_MEM) : seen;
+ 		/* no prologue/epilogue for trivial filters (RET something) */
+ 		proglen = 0;
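Review bot: `pass < 10 || image` makes loop termination depend on the body: once `image` has been allocated the pass counter no longer bounds the loop, so the body must break (or clear `image`) on the pass that emits into it. That exit is outside this hunk; please confirm it is unconditional once `image` is non-NULL, otherwise a program whose length keeps changing after pass 10 would spin forever. Grammar nit in the new comment: "In such case" should read "In such a case".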

Modified: dists/wheezy/linux/debian/patches/series
==============================================================================
--- dists/wheezy/linux/debian/patches/series	Tue Aug  4 23:37:34 2015	(r22932)
+++ dists/wheezy/linux/debian/patches/series	Fri Aug  7 18:47:01 2015	(r22933)
@@ -1164,3 +1164,14 @@
 bugfix/all/xen-pciback-limit-guest-control-of-command-register.patch
 bugfix/x86/x86-asm-entry-64-remove-a-bogus-ret_from_fork-optimi.patch
 bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
+bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
+bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
+bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
+bugfix/all/udf-remove-repeated-loads-blocksize.patch
+bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
+bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
+bugfix/all/udp-fix-behavior-of-wrong-checksums.patch
+bugfix/all/sctp-fix-asconf-list-handling.patch
+bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
+bugfix/all/sg_start_req-make-sure-that-there-s-not-too-many-ele.patch
+bugfix/all/md-use-kzalloc-when-bitmap-is-disabled.patch
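Review bot: the order of the two udf entries matters: udf-check-length-of-extended-attributes-and-allocati.patch uses the `bs` local that udf-remove-repeated-loads-blocksize.patch introduces (that patch's backport note says "Needed for the following fix"), so udf-remove-repeated-loads-blocksize.patch must stay listed first, as it is here.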
