[linux] 01/03: Add various upstream fixes with known or probable security impact

debian-kernel at lists.debian.org
Mon May 16 02:34:57 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit efbab1e4bf73ac7094f2f6044b8e567b7f471123
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon May 16 03:02:51 2016 +0100

    Add various upstream fixes with known or probable security impact
---
 debian/changelog                                   |  5 ++
 ...ash-fix-page-length-clamping-in-hash-walk.patch | 31 +++++++++++
 ...o-cap-the-size-before-passing-to-splice_r.patch | 24 +++++++++
 ...idge_filename-handle-malformed-nm-entries.patch | 60 ++++++++++++++++++++++
 .../bugfix/all/net-fix-infoleak-in-rtnetlink.patch | 45 ++++++++++++++++
 ...k-avoid-kernel-pointer-value-leak-in-slab.patch | 45 ++++++++++++++++
 debian/patches/series                              |  5 ++
 7 files changed, 215 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 4ff48c8..2151ea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -115,6 +115,11 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
     profile
   * debian/control: Remove alternate build-dependency on binutils-dev that was
     used for backports to wheezy
+  * net: fix infoleak in rtnetlink (CVE-2016-4486)
+  * nf_conntrack: avoid kernel pointer value leak in slab name
+  * vfs: do_splice_to(): cap the size before passing to ->splice_read()
+  * crypto: hash - Fix page length clamping in hash walk
+  * isofs: get_rock_ridge_filename(): handle malformed NM entries
 
  -- Aurelien Jarno <aurel32 at debian.org>  Tue, 10 May 2016 23:58:07 +0200
 
diff --git a/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
new file mode 100644
index 0000000..aa54020
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
@@ -0,0 +1,31 @@
+From: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Wed, 4 May 2016 17:52:56 +0800
+Subject: crypto: hash - Fix page length clamping in hash walk
+Origin: https://git.kernel.org/linus/13f4bb78cf6a312bbdec367ba3da044b09bf0e29
+
+The crypto hash walk code is broken when supplied with an offset
+greater than or equal to PAGE_SIZE.  This patch fixes it by adjusting
+walk->pg and walk->offset when this happens.
+
+Cc: <stable at vger.kernel.org>
+Reported-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ crypto/ahash.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index 5fc1f172963d..3887a98abcc3 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk)
+ 	struct scatterlist *sg;
+ 
+ 	sg = walk->sg;
+-	walk->pg = sg_page(sg);
+ 	walk->offset = sg->offset;
++	walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);
++	walk->offset = offset_in_page(walk->offset);
+ 	walk->entrylen = sg->length;
+ 
+ 	if (walk->entrylen > walk->total)
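Review bot: the new `walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT)` goes back through `walk->sg` while the surrounding lines use the local `sg` that was just loaded from it (`sg->offset`, `sg->length`); use `sg_page(sg)` so the hunk is consistent. The assignment order is now load-bearing: `walk->offset` must hold the raw `sg->offset` when `walk->pg` is computed and only afterwards be reduced with `offset_in_page()`, which is exactly the kind of thing a later tidy-up will "simplify" back into the broken form. A one-line comment above the two assignments saying that an sg offset may be >= PAGE_SIZE and is being split into a page index and an in-page offset would protect it.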
diff --git a/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch b/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
new file mode 100644
index 0000000..f95a77e
--- /dev/null
+++ b/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
@@ -0,0 +1,24 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sat, 2 Apr 2016 14:56:58 -0400
+Subject: do_splice_to(): cap the size before passing to ->splice_read()
+Origin: https://git.kernel.org/linus/03cc0789a690eb9ab07070376252961caeae7441
+
+pipe capacity won't exceed 2G anyway.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/splice.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1144,6 +1144,9 @@ long do_splice_to(struct file *in, loff_
+ 	if (unlikely(ret < 0))
+ 		return ret;
+ 
++	if (unlikely(len > MAX_RW_COUNT))
++		len = MAX_RW_COUNT;
++
+ 	if (in->f_op->splice_read)
+ 		splice_read = in->f_op->splice_read;
+ 	else
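Review bot: the clamp `if (unlikely(len > MAX_RW_COUNT)) len = MAX_RW_COUNT;` silently shortens the request instead of rejecting it, so this relies on every caller of do_splice_to() already tolerating a short return; the only justification ("pipe capacity won't exceed 2G anyway") lives in the commit log. Put a short comment above the check stating that `len` is a size_t while ->splice_read() returns ssize_t, so the bound keeps a too-large request from being truncated on the way back out. Without it the clamp looks redundant next to the `rw_verify_area()` call above and is a candidate for removal.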
diff --git a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
new file mode 100644
index 0000000..9958226
--- /dev/null
+++ b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
@@ -0,0 +1,60 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
+
+Payloads of NM entries are not supposed to contain NUL.  When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries).  We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254.  So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected.  And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily.  And that's what will be passed to readdir callback as the
+name length.  8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable at vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ 	int retnamlen = 0;
+ 	int truncate = 0;
+ 	int ret = 0;
++	char *p;
++	int len;
+ 
+ 	if (!ISOFS_SB(inode->i_sb)->s_rock)
+ 		return 0;
+@@ -267,12 +269,17 @@ repeat:
+ 					rr->u.NM.flags);
+ 				break;
+ 			}
+-			if ((strlen(retname) + rr->len - 5) >= 254) {
++			len = rr->len - 5;
++			if (retnamlen + len >= 254) {
+ 				truncate = 1;
+ 				break;
+ 			}
+-			strncat(retname, rr->u.NM.name, rr->len - 5);
+-			retnamlen += rr->len - 5;
++			p = memchr(rr->u.NM.name, '\0', len);
++			if (unlikely(p))
++				len = p - rr->u.NM.name;
++			memcpy(retname + retnamlen, rr->u.NM.name, len);
++			retnamlen += len;
++			retname[retnamlen] = '\0';
+ 			break;
+ 		case SIG('R', 'E'):
+ 			kfree(rs.buffer);
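Review bot: `len = rr->len - 5` feeds memchr() and memcpy() as a length, and nothing in this hunk guarantees `rr->len >= 5`; if a shorter NM entry reaches this case, `len` is negative, `retnamlen + len >= 254` is false, and the implicit conversion to size_t turns both calls into reads far past the entry. If the generic signature-length check earlier in the loop already rejects such entries, say so in a comment here; otherwise add a `len < 0` bail-out (treat it like the `truncate` case) before the 254 test. Also worth a comment: the 254 check is still made on the *claimed* length before NUL truncation, so a NUL-padded entry can trip `truncate` even though fewer bytes are actually copied. That matches the old behaviour and is the conservative choice, but a reader comparing it with the memchr() below will wonder.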
diff --git a/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
new file mode 100644
index 0000000..097daef
--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
@@ -0,0 +1,45 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_
+ 
+ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+ {
+-	struct rtnl_link_ifmap map = {
+-		.mem_start   = dev->mem_start,
+-		.mem_end     = dev->mem_end,
+-		.base_addr   = dev->base_addr,
+-		.irq         = dev->irq,
+-		.dma         = dev->dma,
+-		.port        = dev->if_port,
+-	};
++	struct rtnl_link_ifmap map;
++
++	memset(&map, 0, sizeof(map));
++	map.mem_start   = dev->mem_start;
++	map.mem_end     = dev->mem_end;
++	map.base_addr   = dev->base_addr;
++	map.irq         = dev->irq;
++	map.dma         = dev->dma;
++	map.port        = dev->if_port;
++
+ 	if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ 		return -EMSGSIZE;
+ 
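Review bot: the switch from a designated initializer to `memset(&map, 0, sizeof(map));` followed by per-field assignments is correct, but to anyone not reading the log it looks like a style regression, and the next cleanup will fold it back into `= { ... }` and reintroduce the leak. Add a comment above the memset() stating that `struct rtnl_link_ifmap` carries compiler padding (4 of its 32 bytes per the log), that an initializer leaves padding indeterminate, and that the whole object is copied to user space by `nla_put(skb, IFLA_MAP, sizeof(map), &map)`. Alternatively, an explicit `__u8 pad[4]`-style member in the uapi struct would make the layout self-documenting, but that is a uapi change and out of scope for a stable fix.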
diff --git a/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
new file mode 100644
index 0000000..84c2beb
--- /dev/null
+++ b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
@@ -0,0 +1,45 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat, 14 May 2016 11:11:44 -0700
+Subject: nf_conntrack: avoid kernel pointer value leak in slab name
+Origin: https://git.kernel.org/linus/31b0b385f69d8d5491a4bca288e25e63f1d945d0
+
+The slab name ends up being visible in the directory structure under
+/sys, and even if you don't have access rights to the file you can see
+the filenames.
+
+Just use a 64-bit counter instead of the pointer to the 'net' structure
+to generate a unique name.
+
+This code will go away in 4.7 when the conntrack code moves to a single
+kmemcache, but this is the backportable simple solution to avoiding
+leaking kernel pointers to user space.
+
+Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Eric Dumazet <eric.dumazet at gmail.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/netfilter/nf_conntrack_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void)
+ 
+ int nf_conntrack_init_net(struct net *net)
+ {
++	static atomic64_t unique_id;
+ 	int ret = -ENOMEM;
+ 	int cpu;
+ 
+@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne
+ 	if (!net->ct.stat)
+ 		goto err_pcpu_lists;
+ 
+-	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++	net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
++				(u64)atomic64_inc_return(&unique_id));
+ 	if (!net->ct.slabname)
+ 		goto err_slabname;
+ 
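Review bot: replacing `%p` with a per-boot `atomic64_inc_return(&unique_id)` removes the kernel address from the `/sys/kernel/slab` name, but the counter is still user-visible: an unprivileged reader of that directory learns how many network namespaces have been created since boot. That is a far weaker signal than a heap address and acceptable for a stable backport, but a sentence in the log acknowledging it would pre-empt the question. The `(u64)` cast is only there to match `%llu` to the `long long` that atomic64_inc_return() returns; fine, just note it is cosmetic rather than a correctness fix.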
diff --git a/debian/patches/series b/debian/patches/series
index 12b0f39..05548ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,6 +137,11 @@ bugfix/all/bpf-fix-refcnt-overflow.patch
 bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
 bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 bugfix/all/net-fix-infoleak-in-llc.patch
+bugfix/all/net-fix-infoleak-in-rtnetlink.patch
+bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
+bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
+bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
+bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
 
 # ABI maintenance
 debian/ib-fix-abi-change-in-4.5.3.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
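The rtnetlink fix above is a small instance of a general bug class: copying a whole struct to user space when only its fields were initialised. The following is an added example, not part of this Debian commit or of the upstream kernel patch, that shows how to measure the padding in `struct rtnl_link_ifmap` and audit an object for dirty padding before it is copied out. The struct layout is copied from include/uapi/linux/if_link.h with `<stdint.h>` types standing in for the kernel's `__u64`/`__u16`/`__u8` (an assumption; the kernel header is authoritative), `memcpy()` stands in for `nla_put()`, and the 32-byte size from the commit log assumes the usual 64-bit ABI with 8-byte alignment of 64-bit fields.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Layout copied from include/uapi/linux/if_link.h, stdint types standing in
 * for the kernel's __u64/__u16/__u8 (assumption of this example). */
struct rtnl_link_ifmap {
    uint64_t mem_start;
    uint64_t mem_end;
    uint64_t base_addr;
    uint16_t irq;
    uint8_t  dma;
    uint8_t  port;
};

#define IFMAP_FIELD(name) { offsetof(struct rtnl_link_ifmap, name), \
                            sizeof(((struct rtnl_link_ifmap *)0)->name) }

/* Every field with its offset and length; padding is whatever is not here. */
static const struct { size_t off, len; } ifmap_fields[] = {
    IFMAP_FIELD(mem_start), IFMAP_FIELD(mem_end), IFMAP_FIELD(base_addr),
    IFMAP_FIELD(irq), IFMAP_FIELD(dma), IFMAP_FIELD(port),
};
#define IFMAP_NFIELDS (sizeof ifmap_fields / sizeof ifmap_fields[0])

/* Bytes of the object that belong to no field, i.e. compiler padding. */
size_t ifmap_padding_bytes(void)
{
    size_t fields = 0;
    for (size_t f = 0; f < IFMAP_NFIELDS; f++)
        fields += ifmap_fields[f].len;
    return sizeof(struct rtnl_link_ifmap) - fields;
}

/* Audit helper: count non-zero bytes outside every field. For an object about
 * to be copied out whole (nla_put, copy_to_user), that is the number of
 * stack bytes that would reach user space. */
size_t ifmap_dirty_padding(const struct rtnl_link_ifmap *m)
{
    const unsigned char *b = (const unsigned char *)m;
    size_t dirty = 0;
    for (size_t i = 0; i < sizeof *m; i++) {
        int in_field = 0;
        for (size_t f = 0; f < IFMAP_NFIELDS; f++) {
            if (i >= ifmap_fields[f].off && i < ifmap_fields[f].off + ifmap_fields[f].len) {
                in_field = 1;
                break;
            }
        }
        if (!in_field && b[i] != 0)
            dirty++;
    }
    return dirty;
}

/* Pre-fix shape: a designated initializer. C sets the named members and zeroes
 * unnamed *members*, but says nothing about padding, so the result depends on
 * the compiler and on what the stack slot previously held. */
void fill_ifmap_initializer(struct rtnl_link_ifmap *out, uint64_t base, uint16_t irq)
{
    struct rtnl_link_ifmap map = {
        .base_addr = base,
        .irq       = irq,
    };
    memcpy(out, &map, sizeof map);   /* stands in for nla_put(skb, IFLA_MAP, ...) */
}

/* Fixed shape, as in the upstream patch: zero the whole object, then assign. */
void fill_ifmap_memset(struct rtnl_link_ifmap *out, uint64_t base, uint16_t irq)
{
    struct rtnl_link_ifmap map;

    memset(&map, 0, sizeof map);
    map.base_addr = base;
    map.irq       = irq;
    memcpy(out, &map, sizeof map);
}

/* Dirty padding left by the fixed version; must always be zero. */
size_t demo_memset_dirty(void)
{
    struct rtnl_link_ifmap m;
    fill_ifmap_memset(&m, 0x3f8, 4);
    return ifmap_dirty_padding(&m);
}

/* Dirty padding left by the initializer version; compiler dependent. */
size_t demo_initializer_dirty(void)
{
    struct rtnl_link_ifmap m;
    fill_ifmap_initializer(&m, 0x3f8, 4);
    return ifmap_dirty_padding(&m);
}

int main(void)
{
    printf("sizeof=%zu padding=%zu\n", sizeof(struct rtnl_link_ifmap), ifmap_padding_bytes());
    printf("initializer: %zu dirty padding bytes (compiler dependent)\n", demo_initializer_dirty());
    printf("memset:      %zu dirty padding bytes\n", demo_memset_dirty());
    return 0;
}
```

The initializer variant may well report zero on a given compiler, which is exactly why the bug survives review: nothing in the language promises it, and the audit has to be done on the object layout, not on one build's output. The offsetof table generalises to any struct handed to `nla_put()` or `copy_to_user()` whole.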


