[kernel] r22764 - in dists/squeeze-backports/linux: . debian debian/patches debian/patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Tue Jun 16 23:36:15 UTC 2015


Author: benh
Date: Tue Jun 16 23:36:15 2015
New Revision: 22764

Log:
Merge changes from wheezy-security up to 3.2.68-1+deb7u2

Added:
   dists/squeeze-backports/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
      - copied unchanged from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
      - copied unchanged from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
      - copied unchanged from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
   dists/squeeze-backports/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
      - copied unchanged from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
Modified:
   dists/squeeze-backports/linux/   (props changed)
   dists/squeeze-backports/linux/debian/changelog
   dists/squeeze-backports/linux/debian/patches/series

Modified: dists/squeeze-backports/linux/debian/changelog
==============================================================================
--- dists/squeeze-backports/linux/debian/changelog	Tue Jun 16 23:31:50 2015	(r22763)
+++ dists/squeeze-backports/linux/debian/changelog	Tue Jun 16 23:36:15 2015	(r22764)
@@ -1,3 +1,29 @@
+linux (3.2.68-1+deb7u2~bpo60+1) squeeze-backports; urgency=medium
+
+  * Rebuild for squeeze:
+    - Use gcc-4.4 for all architectures
+    - Disable building of udebs
+    - Change ABI number to 0.bpo.4
+    - Monkey-patch Python collections module to add OrderedDict if necessary
+    - [armel] Disable CRYPTO_FIPS, VGA_ARB, FTRACE on iop32x and ixp4xx to
+      reduce kernel size (as suggested by Arnaud Patard)
+    - Use QUILT_PATCH_OPTS instead of missing quilt patch --fuzz option
+    - Make build target depend on build-arch only, so we don't redundantly
+      build documentation on each architecture
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Wed, 17 Jun 2015 00:35:41 +0100
+
+linux (3.2.68-1+deb7u2) wheezy-security; urgency=high
+
+  * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
+    (CVE-2015-1805)
+  * udf: Remove repeated loads blocksize
+  * udf: Check length of extended attributes and allocation descriptors
+    (CVE-2015-4167)
+  * ipv4: Missing sk_nulls_node_init() in ping_unhash(). (CVE-2015-3636)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Mon, 15 Jun 2015 09:52:46 +0100
+
 linux (3.2.68-1+deb7u1~bpo60+1) squeeze-backports; urgency=medium
 
   * Rebuild for squeeze:

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch (from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch	Tue Jun 16 23:36:15 2015	(r22764, copy of r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch)
@@ -0,0 +1,27 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Fri, 1 May 2015 22:02:47 -0400
+Subject: ipv4: Missing sk_nulls_node_init() in ping_unhash().
+Origin: https://git.kernel.org/linus/a134f083e79fb4c3d0a925691e732c56911b4326
+
+If we don't do that, then the poison value is left in the ->pprev
+backlink.
+
+This can cause crashes if we do a disconnect, followed by a connect().
+
+Tested-by: Linus Torvalds <torvalds at linux-foundation.org>
+Reported-by: Wen Xu <hotdog3645 at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/ping.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/ping.c
++++ b/net/ipv4/ping.c
+@@ -139,6 +139,7 @@ static void ping_v4_unhash(struct sock *
+ 	if (sk_hashed(sk)) {
+ 		write_lock_bh(&ping_table.lock);
+ 		hlist_nulls_del(&sk->sk_nulls_node);
++		sk_nulls_node_init(&sk->sk_nulls_node);
+ 		sock_put(sk);
+ 		isk->inet_num = isk->inet_sport = 0;
+ 		sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
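Review bot: The added `sk_nulls_node_init()` line carries no explanation of why it is needed, and neither the patch header nor the hunk names the CVE the changelog assigns to it (CVE-2015-3636), unlike the pipe patch which has a `CVE-2015-1805` line; I would add `CVE-2015-3636` to the header for consistency. On the line itself a short why-comment would help a later backporter, based on the description's "poison value is left in the ->pprev backlink" and the `sk_hashed(sk)` guard two lines above: `/* hlist_nulls_del() leaves pprev poisoned; reset it so sk_hashed() is false until the socket is hashed again */`. The `Origin:` commit's subject names ping_unhash() while the hunk header shows ping_v4_unhash, so the function-name adaptation to this tree is presumably deliberate but is not recorded in a `[bwh: ...]` note the way the udf patches record theirs. ping_v4_unhash continues outside the hunk.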

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch (from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch	Tue Jun 16 23:36:15 2015	(r22764, copy of r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch)
@@ -0,0 +1,178 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Mon, 15 Jun 2015 03:51:55 +0100
+Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
+ as non-atomic
+
+pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
+the first time atomically and the second time not.  The second attempt
+needs to continue from the iovec position, pipe buffer offset and
+remaining length where the first attempt failed, but currently the
+pipe buffer offset and remaining length are reset.  This will corrupt
+the piped data (possibly also leading to an information leak between
+processes) and may also corrupt kernel memory.
+
+This was fixed upstream by commits f0d1bec9d58d ("new helper:
+copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
+copy_page_to_iter()"), but those aren't suitable for stable.  This fix
+for older kernel versions was made by Seth Jennings for RHEL and I
+have extracted it from their update.
+
+CVE-2015-1805
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
+Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
+
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -103,25 +103,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+ 
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+-			int atomic)
++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
++			size_t *remaining, int atomic)
+ {
+ 	unsigned long copy;
+ 
+-	while (len > 0) {
++	while (*remaining > 0) {
+ 		while (!iov->iov_len)
+ 			iov++;
+-		copy = min_t(unsigned long, len, iov->iov_len);
++		copy = min_t(unsigned long, *remaining, iov->iov_len);
+ 
+ 		if (atomic) {
+-			if (__copy_from_user_inatomic(to, iov->iov_base, copy))
++			if (__copy_from_user_inatomic(addr + *offset,
++						      iov->iov_base, copy))
+ 				return -EFAULT;
+ 		} else {
+-			if (copy_from_user(to, iov->iov_base, copy))
++			if (copy_from_user(addr + *offset,
++					   iov->iov_base, copy))
+ 				return -EFAULT;
+ 		}
+-		to += copy;
+-		len -= copy;
++		*offset += copy;
++		*remaining -= copy;
+ 		iov->iov_base += copy;
+ 		iov->iov_len -= copy;
+ 	}
+@@ -129,25 +131,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ }
+ 
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+-		      int atomic)
++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
++		      size_t *remaining, int atomic)
+ {
+ 	unsigned long copy;
+ 
+-	while (len > 0) {
++	while (*remaining > 0) {
+ 		while (!iov->iov_len)
+ 			iov++;
+-		copy = min_t(unsigned long, len, iov->iov_len);
++		copy = min_t(unsigned long, *remaining, iov->iov_len);
+ 
+ 		if (atomic) {
+-			if (__copy_to_user_inatomic(iov->iov_base, from, copy))
++			if (__copy_to_user_inatomic(iov->iov_base,
++						    addr + *offset, copy))
+ 				return -EFAULT;
+ 		} else {
+-			if (copy_to_user(iov->iov_base, from, copy))
++			if (copy_to_user(iov->iov_base,
++					 addr + *offset, copy))
+ 				return -EFAULT;
+ 		}
+-		from += copy;
+-		len -= copy;
++		*offset += copy;
++		*remaining -= copy;
+ 		iov->iov_base += copy;
+ 		iov->iov_len -= copy;
+ 	}
+@@ -383,7 +387,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 			struct pipe_buffer *buf = pipe->bufs + curbuf;
+ 			const struct pipe_buf_operations *ops = buf->ops;
+ 			void *addr;
+-			size_t chars = buf->len;
++			size_t chars = buf->len, remaining;
+ 			int error, atomic;
+ 
+ 			if (chars > total_len)
+@@ -397,9 +401,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 			}
+ 
+ 			atomic = !iov_fault_in_pages_write(iov, chars);
++			remaining = chars;
+ redo:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
++			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++						      &remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			if (unlikely(error)) {
+ 				/*
+@@ -414,7 +420,6 @@ redo:
+ 				break;
+ 			}
+ 			ret += chars;
+-			buf->offset += chars;
+ 			buf->len -= chars;
+ 
+ 			/* Was it a packet buffer? Clean up and exit */
+@@ -521,6 +526,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 		if (ops->can_merge && offset + chars <= PAGE_SIZE) {
+ 			int error, atomic = 1;
+ 			void *addr;
++			size_t remaining = chars;
+ 
+ 			error = ops->confirm(pipe, buf);
+ 			if (error)
+@@ -529,8 +535,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 			iov_fault_in_pages_read(iov, chars);
+ redo1:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_from_user(offset + addr, iov,
+-							chars, atomic);
++			error = pipe_iov_copy_from_user(addr, &offset, iov,
++							&remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			ret = error;
+ 			do_wakeup = 1;
+@@ -565,6 +571,8 @@ redo1:
+ 			struct page *page = pipe->tmp_page;
+ 			char *src;
+ 			int error, atomic = 1;
++			int offset = 0;
++			size_t remaining;
+ 
+ 			if (!page) {
+ 				page = alloc_page(GFP_HIGHUSER);
+@@ -585,14 +593,15 @@ redo1:
+ 				chars = total_len;
+ 
+ 			iov_fault_in_pages_read(iov, chars);
++			remaining = chars;
+ redo2:
+ 			if (atomic)
+ 				src = kmap_atomic(page, KM_USER0);
+ 			else
+ 				src = kmap(page);
+ 
+-			error = pipe_iov_copy_from_user(src, iov, chars,
+-							atomic);
++			error = pipe_iov_copy_from_user(src, &offset, iov,
++							&remaining, atomic);
+ 			if (atomic)
+ 				kunmap_atomic(src, KM_USER0);
+ 			else
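Review bot: In the pipe_read hunk, passing `&buf->offset` straight into pipe_iov_copy_to_user means a partial copy advances the pipe buffer's offset even when the copy ultimately fails, while `buf->len -= chars` is only reached on success; if the non-atomic retry then faults (the error branch between the `/*` and the `break;` is outside the hunk, so this is inferred), `buf->offset + buf->len` overshoots the data actually present by the bytes already copied, and the next read would return that many stale bytes from past the end of the written data, possibly past the page. Before this change offset and len were updated together after a successful copy, so a failed read merely re-delivered the partial bytes next time. I would keep the in-place progress in a local instead: declare `int offset = buf->offset;` next to `remaining = chars;`, call `pipe_iov_copy_to_user(iov, addr, &offset, &remaining, atomic)`, and put `buf->offset = offset;` back on the success path where `buf->offset += chars;` was removed. That also avoids the signedness mismatch between `&buf->offset` and the helper's `int *offset` parameter, if `struct pipe_buffer::offset` is `unsigned int` in this tree as it is upstream (not visible here). The two pipe_write paths already pass a local `offset` and are unaffected.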

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch (from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch	Tue Jun 16 23:36:15 2015	(r22764, copy of r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch)
@@ -0,0 +1,43 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+Origin: https://git.kernel.org/linus/925cab7b6a683f791644dfde345f91e87017a023
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Backported to 3.16: use make_bad_inode() instead of returning error]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 5c996c1..e081440 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1401,6 +1401,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 							iinfo->i_lenEAttr;
+ 	}
+ 
++	/*
++	 * Sanity check length of allocation descriptors and extended attrs to
++	 * avoid integer overflows
++	 */
++	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
++	/* Now do exact checks */
++	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
+ 	/* Sanity checks for files in ICB so that we don't get confused later */
+ 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ 		/*
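Review bot: The new checks have no CVE reference even though the changelog attributes this patch to CVE-2015-4167, and the header's `Origin:` hash (925cab7b…) differs from the `commit 23b133bdc452… upstream` line under it while the `[bwh: Backported to 3.16 …]` note describes a tree other than the 3.2 one this series is applied to; I would add a `CVE-2015-4167` line and state which hash is Linus' commit and which is the 3.16-stable backport the patch was lifted from, if that is the case. The checks themselves read correctly: bounding `i_lenEAttr` and `i_lenAlloc` by `bs` first keeps the later `udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc` sum from wrapping, as the comment says. A one-line note that the `TAG_IDENT_USE` branch earlier in udf_fill_inode returns before reaching these checks, so `i_lenAlloc` of an unallocated-space entry is not validated here, would save the next reader from wondering (the same appears to be true upstream). udf_fill_inode starts before and ends after the hunk.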

Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch (from r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch	Tue Jun 16 23:36:15 2015	(r22764, copy of r22762, dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch)
@@ -0,0 +1,85 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:46:16 +0100
+Subject: udf: Remove repeated loads blocksize
+Origin: https://git.kernel.org/linus/79144954278d4bb5989f8b903adcac7a20ff2a5a
+
+Store blocksize in a local variable in udf_fill_inode() since it is used
+a lot of times.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Needed for the following fix. Backported to 3.16: adjust context.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 2a706bb..5c996c1 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1271,6 +1271,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
+ 	unsigned int link_count;
++	int bs = inode->i_sb->s_blocksize;
+ 
+ 	fe = (struct fileEntry *)bh->b_data;
+ 	efe = (struct extendedFileEntry *)bh->b_data;
+@@ -1291,41 +1292,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ 		iinfo->i_efe = 1;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct extendedFileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct extendedFileEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct extendedFileEntry));
++		       bs - sizeof(struct extendedFileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+-						sizeof(struct fileEntry))) {
++		if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct fileEntry),
+-		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++		       bs - sizeof(struct fileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 1;
+ 		iinfo->i_lenAlloc = le32_to_cpu(
+ 				((struct unallocSpaceEntry *)bh->b_data)->
+ 				 lengthAllocDescs);
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct unallocSpaceEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct unallocSpaceEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct unallocSpaceEntry));
++		       bs - sizeof(struct unallocSpaceEntry));
+ 		return;
+ 	}
+ 
+@@ -1414,8 +1412,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 			return;
+ 		}
+ 		/* File in ICB has to fit in there... */
+-		if (inode->i_size > inode->i_sb->s_blocksize -
+-					udf_file_entry_alloc_offset(inode)) {
++		if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
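Review bot: `bs` is declared `int` although `s_blocksize` is an unsigned superblock field, and the hunk does not say why the narrowing is acceptable; a short comment such as `/* block size fits in int; also keeps the bs - offset arithmetic below signed */` would record it. The change is not purely cosmetic: in `inode->i_size > bs - udf_file_entry_alloc_offset(inode)` the subtraction was previously done in unsigned arithmetic and wrapped to a huge value when the alloc offset exceeded the block size, letting a corrupt inode pass, whereas with an `int` it goes negative and the inode is rejected (assuming udf_file_entry_alloc_offset returns a signed int, which is not visible here). Since the following patch relies on `bs` being in scope, the `[bwh: Needed for the following fix]` note should stay and the series order must keep the two adjacent. udf_fill_inode starts before and ends after the hunk.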

Modified: dists/squeeze-backports/linux/debian/patches/series
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/series	Tue Jun 16 23:31:50 2015	(r22763)
+++ dists/squeeze-backports/linux/debian/patches/series	Tue Jun 16 23:36:15 2015	(r22764)
@@ -1166,3 +1166,7 @@
 bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
 bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
 bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
+bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
+bugfix/all/udf-remove-repeated-loads-blocksize.patch
+bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
+bugfix/all/ipv4-missing-sk_nulls_node_init-in-ping_unhash.patch


