[linux] 01/03: Add various upstream fixes with known or probable security impact
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon May 16 02:34:57 UTC 2016
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit efbab1e4bf73ac7094f2f6044b8e567b7f471123
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon May 16 03:02:51 2016 +0100
Add various upstream fixes with known or probable security impact
---
debian/changelog | 5 ++
...ash-fix-page-length-clamping-in-hash-walk.patch | 31 +++++++++++
...o-cap-the-size-before-passing-to-splice_r.patch | 24 +++++++++
...idge_filename-handle-malformed-nm-entries.patch | 60 ++++++++++++++++++++++
.../bugfix/all/net-fix-infoleak-in-rtnetlink.patch | 45 ++++++++++++++++
...k-avoid-kernel-pointer-value-leak-in-slab.patch | 45 ++++++++++++++++
debian/patches/series | 5 ++
7 files changed, 215 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 4ff48c8..2151ea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -115,6 +115,11 @@ linux (4.5.4-1) UNRELEASED; urgency=medium
profile
* debian/control: Remove alternate build-dependency on binutils-dev that was
used for backports to wheezy
+ * net: fix infoleak in rtnetlink (CVE-2016-4486)
+ * nf_conntrack: avoid kernel pointer value leak in slab name
+ * vfs: do_splice_to(): cap the size before passing to ->splice_read()
+ * crypto: hash - Fix page length clamping in hash walk
+ * isofs: get_rock_ridge_filename(): handle malformed NM entries
-- Aurelien Jarno <aurel32 at debian.org> Tue, 10 May 2016 23:58:07 +0200
diff --git a/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
new file mode 100644
index 0000000..aa54020
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
@@ -0,0 +1,31 @@
+From: Herbert Xu <herbert at gondor.apana.org.au>
+Date: Wed, 4 May 2016 17:52:56 +0800
+Subject: crypto: hash - Fix page length clamping in hash walk
+Origin: https://git.kernel.org/linus/13f4bb78cf6a312bbdec367ba3da044b09bf0e29
+
+The crypto hash walk code is broken when supplied with an offset
+greater than or equal to PAGE_SIZE. This patch fixes it by adjusting
+walk->pg and walk->offset when this happens.
+
+Cc: <stable at vger.kernel.org>
+Reported-by: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ crypto/ahash.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/ahash.c b/crypto/ahash.c
+index 5fc1f172963d..3887a98abcc3 100644
+--- a/crypto/ahash.c
++++ b/crypto/ahash.c
+@@ -69,8 +69,9 @@ static int hash_walk_new_entry(struct crypto_hash_walk *walk)
+ struct scatterlist *sg;
+
+ sg = walk->sg;
+- walk->pg = sg_page(sg);
+ walk->offset = sg->offset;
++ walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);
++ walk->offset = offset_in_page(walk->offset);
+ walk->entrylen = sg->length;
+
+ if (walk->entrylen > walk->total)
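Review bot: The new line `walk->pg = sg_page(walk->sg) + (walk->offset >> PAGE_SHIFT);` re-reads walk->sg even though the local `sg` was just loaded from it and is what the surrounding lines use for `sg->offset` and `sg->length`; `walk->pg = sg_page(sg) + (walk->offset >> PAGE_SHIFT);` would keep the entry consistent, though if the patch is meant to stay byte-identical to upstream this is cosmetic. A one-line comment would help a backporter, since nothing in the code says why the page pointer is advanced: `/* sg->offset may be >= PAGE_SIZE; fold the whole-page part into pg */`. hash_walk_new_entry continues past the end of the hunk.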
diff --git a/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch b/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
new file mode 100644
index 0000000..f95a77e
--- /dev/null
+++ b/debian/patches/bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
@@ -0,0 +1,24 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Sat, 2 Apr 2016 14:56:58 -0400
+Subject: do_splice_to(): cap the size before passing to ->splice_read()
+Origin: https://git.kernel.org/linus/03cc0789a690eb9ab07070376252961caeae7441
+
+pipe capacity won't exceed 2G anyway.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/splice.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1144,6 +1144,9 @@ long do_splice_to(struct file *in, loff_
+ if (unlikely(ret < 0))
+ return ret;
+
++ if (unlikely(len > MAX_RW_COUNT))
++ len = MAX_RW_COUNT;
++
+ if (in->f_op->splice_read)
+ splice_read = in->f_op->splice_read;
+ else
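Review bot: The added clamp `len = MAX_RW_COUNT;` silently shortens the request rather than rejecting it, and neither the patch header ("pipe capacity won't exceed 2G anyway") nor the changelog entry says what goes wrong without it, so a reader of the Debian tree cannot tell why this counts as a probable security fix. Suggest a comment above the check, e.g. `/* same cap as read()/write(); ->splice_read() implementations are presumably not written for larger lengths */`, with the presumption confirmed against the upstream discussion. do_splice_to starts and ends outside the hunk, so the `ret < 0` check above cannot be verified here.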
diff --git a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
new file mode 100644
index 0000000..9958226
--- /dev/null
+++ b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
@@ -0,0 +1,60 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length. 8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable at vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ int retnamlen = 0;
+ int truncate = 0;
+ int ret = 0;
++ char *p;
++ int len;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+ return 0;
+@@ -267,12 +269,17 @@ repeat:
+ rr->u.NM.flags);
+ break;
+ }
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+ truncate = 1;
+ break;
+ }
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+ break;
+ case SIG('R', 'E'):
+ kfree(rs.buffer);
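Review bot: `len = rr->len - 5;` is derived from the on-disk entry length and nothing visible in the hunk guarantees `rr->len >= 5`; if no such guard exists earlier in the NM case (that part is outside the hunk), a negative len passes `retnamlen + len >= 254` and is then converted to a huge size_t in `memchr()` and `memcpy()`. If the guard is present upstream this is fine as written; otherwise `if (len < 0) break;` after the subtraction closes it. A short comment at the memchr would also capture the commit message's rationale: `/* NM payloads must not contain NUL; copy up to the first NUL and count only what was copied */`. get_rock_ridge_filename starts and ends outside the hunk.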
diff --git a/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
new file mode 100644
index 0000000..097daef
--- /dev/null
+++ b/debian/patches/bugfix/all/net-fix-infoleak-in-rtnetlink.patch
@@ -0,0 +1,45 @@
+From: Kangjie Lu <kangjielu at gmail.com>
+Date: Tue, 3 May 2016 16:46:24 -0400
+Subject: net: fix infoleak in rtnetlink
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/5f8e44741f9f216e33736ea4ec65ca9ac03036e6
+
+The stack object “map” has a total size of 32 bytes. Its last 4
+bytes are padding generated by compiler. These padding bytes are
+not initialized and sent out via “nla_put”.
+
+Signed-off-by: Kangjie Lu <kjlu at gatech.edu>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/core/rtnetlink.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -1176,14 +1176,16 @@ static noinline_for_stack int rtnl_fill_
+
+ static int rtnl_fill_link_ifmap(struct sk_buff *skb, struct net_device *dev)
+ {
+- struct rtnl_link_ifmap map = {
+- .mem_start = dev->mem_start,
+- .mem_end = dev->mem_end,
+- .base_addr = dev->base_addr,
+- .irq = dev->irq,
+- .dma = dev->dma,
+- .port = dev->if_port,
+- };
++ struct rtnl_link_ifmap map;
++
++ memset(&map, 0, sizeof(map));
++ map.mem_start = dev->mem_start;
++ map.mem_end = dev->mem_end;
++ map.base_addr = dev->base_addr;
++ map.irq = dev->irq;
++ map.dma = dev->dma;
++ map.port = dev->if_port;
++
+ if (nla_put(skb, IFLA_MAP, sizeof(map), &map))
+ return -EMSGSIZE;
+
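Review bot: The switch from a designated initializer to `memset()` plus field assignments has no comment saying why, so a later cleanup could fold it back into `= { ... }` and reintroduce the padding leak the commit message describes. Suggest above the memset: `/* memset, not an initializer: the compiler need not zero struct padding, and nla_put() copies the whole struct to userspace */`. rtnl_fill_link_ifmap continues past the end of the hunk.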
diff --git a/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
new file mode 100644
index 0000000..84c2beb
--- /dev/null
+++ b/debian/patches/bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
@@ -0,0 +1,45 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sat, 14 May 2016 11:11:44 -0700
+Subject: nf_conntrack: avoid kernel pointer value leak in slab name
+Origin: https://git.kernel.org/linus/31b0b385f69d8d5491a4bca288e25e63f1d945d0
+
+The slab name ends up being visible in the directory structure under
+/sys, and even if you don't have access rights to the file you can see
+the filenames.
+
+Just use a 64-bit counter instead of the pointer to the 'net' structure
+to generate a unique name.
+
+This code will go away in 4.7 when the conntrack code moves to a single
+kmemcache, but this is the backportable simple solution to avoiding
+leaking kernel pointers to user space.
+
+Fixes: 5b3501faa874 ("netfilter: nf_conntrack: per netns nf_conntrack_cachep")
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: Eric Dumazet <eric.dumazet at gmail.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/netfilter/nf_conntrack_core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -1780,6 +1780,7 @@ void nf_conntrack_init_end(void)
+
+ int nf_conntrack_init_net(struct net *net)
+ {
++ static atomic64_t unique_id;
+ int ret = -ENOMEM;
+ int cpu;
+
+@@ -1802,7 +1803,8 @@ int nf_conntrack_init_net(struct net *ne
+ if (!net->ct.stat)
+ goto err_pcpu_lists;
+
+- net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
++ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%llu",
++ (u64)atomic64_inc_return(&unique_id));
+ if (!net->ct.slabname)
+ goto err_slabname;
+
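Review bot: `static atomic64_t unique_id;` in the first hunk carries no comment explaining that the counter exists so the slab name, which is visible under /sys, does not encode a kernel address; a later reader could "simplify" the kasprintf back to `%p`. Suggest `/* not %p: the slab name is visible in /sys and must not leak a kernel pointer */` on the declaration. Unlike the rtnetlink entry, the changelog line for this patch carries no CVE reference; if one is assigned later, record it in the changelog entry as well as the patch header. nf_conntrack_init_net continues outside both hunks.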
diff --git a/debian/patches/series b/debian/patches/series
index 12b0f39..05548ed 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,6 +137,11 @@ bugfix/all/bpf-fix-refcnt-overflow.patch
bugfix/all/bpf-fix-check_map_func_compatibility-logic.patch
bugfix/all/KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
bugfix/all/net-fix-infoleak-in-llc.patch
+bugfix/all/net-fix-infoleak-in-rtnetlink.patch
+bugfix/all/nf_conntrack-avoid-kernel-pointer-value-leak-in-slab.patch
+bugfix/all/do_splice_to-cap-the-size-before-passing-to-splice_r.patch
+bugfix/all/crypto-hash-fix-page-length-clamping-in-hash-walk.patch
+bugfix/all/get_rock_ridge_filename-handle-malformed-nm-entries.patch
# ABI maintenance
debian/ib-fix-abi-change-in-4.5.3.patch