[linux] 01/01: Update to 3.16.43
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Apr 8 00:26:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie
in repository linux.
commit b0ba2afe2437a37d42eaf2123b13824ecedb877d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Apr 7 20:50:43 2017 +0100
Update to 3.16.43
Drop patches applied upstream.
---
debian/changelog | 13 +-
.../bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch | 58 -------
...to-never-having-exectuables-on-proc-and-s.patch | 183 ---------------------
debian/patches/series | 2 -
4 files changed, 10 insertions(+), 246 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index eb3553c..4febea4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (3.16.42-1) UNRELEASED; urgency=medium
+linux (3.16.43-1) UNRELEASED; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.40
@@ -556,6 +556,15 @@ linux (3.16.42-1) UNRELEASED; urgency=medium
- igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
- [x86] Revert "KVM: x86: expose MSR_TSC_AUX to userspace"
(regression in 3.16.7-ckt24)
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.16.43
+ - crypto: improve gcc optimization flags for serpent and wp512
+ - mmc: sunxi: avoid invalid pointer calculation
+ - [mips*] Zero variable read by get_user / __get_user in case of an error.
+ - netlink: remove mmapped netlink support
+ - vfs: Commit to never having exectuables on proc and sysfs.
+ - aio: mark AIO pseudo-fs noexec (CVE-2016-10044)
+ - keys: Guard against null match function in keyring_search_aux()
+ (CVE-2017-2647 / CVE-2017-6951)
[ Ben Hutchings ]
* locking/mutex: Don't assume TASK_RUNNING (Closes: #841171)
@@ -570,8 +579,6 @@ linux (3.16.42-1) UNRELEASED; urgency=medium
* timer: Restrict timer_stats to initial PID namespace (CVE-2017-5967)
* mbcache: Reschedule before restarting iteration in mb_cache_entry_alloc()
(mitigates CVE-2015-8952)
- * vfs: Commit to never having executables on proc and sysfs
- * aio: mark AIO pseudo-fs noexec (CVE-2016-10044)
[ Salvatore Bonaccorso ]
* sunrpc: fix refcounting problems with auth_gss messages.
diff --git a/debian/patches/bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch b/debian/patches/bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch
deleted file mode 100644
index 50c0e33..0000000
--- a/debian/patches/bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From: Jann Horn <jann at thejh.net>
-Date: Fri, 16 Sep 2016 00:31:22 +0200
-Subject: aio: mark AIO pseudo-fs noexec
-Origin: https://git.kernel.org/linus/22f6b4d34fcf039c63a94e7670e0da24f8575a5a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-10044
-
-This ensures that do_mmap() won't implicitly make AIO memory mappings
-executable if the READ_IMPLIES_EXEC personality flag is set. Such
-behavior is problematic because the security_mmap_file LSM hook doesn't
-catch this case, potentially permitting an attacker to bypass a W^X
-policy enforced by SELinux.
-
-I have tested the patch on my machine.
-
-To test the behavior, compile and run this:
-
- #define _GNU_SOURCE
- #include <unistd.h>
- #include <sys/personality.h>
- #include <linux/aio_abi.h>
- #include <err.h>
- #include <stdlib.h>
- #include <stdio.h>
- #include <sys/syscall.h>
-
- int main(void) {
- personality(READ_IMPLIES_EXEC);
- aio_context_t ctx = 0;
- if (syscall(__NR_io_setup, 1, &ctx))
- err(1, "io_setup");
-
- char cmd[1000];
- sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
- (int)getpid());
- system(cmd);
- return 0;
- }
-
-In the output, "rw-s" is good, "rwxs" is bad.
-
-Signed-off-by: Jann Horn <jann at thejh.net>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-[bwh: Backported to 3.16: we don't have super_block::s_iflags; use
- file_system_type::fs_flags instead]
----
- fs/aio.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -226,6 +226,7 @@ static int __init aio_setup(void)
- .name = "aio",
- .mount = aio_mount,
- .kill_sb = kill_anon_super,
-+ .fs_flags = FS_NOEXEC,
- };
- aio_mnt = kern_mount(&aio_fs);
- if (IS_ERR(aio_mnt))
diff --git a/debian/patches/bugfix/all/vfs-commit-to-never-having-exectuables-on-proc-and-s.patch b/debian/patches/bugfix/all/vfs-commit-to-never-having-exectuables-on-proc-and-s.patch
deleted file mode 100644
index e0f854b..0000000
--- a/debian/patches/bugfix/all/vfs-commit-to-never-having-exectuables-on-proc-and-s.patch
+++ /dev/null
@@ -1,183 +0,0 @@
-From: "Eric W. Biederman" <ebiederm at xmission.com>
-Date: Mon, 29 Jun 2015 14:42:03 -0500
-Subject: vfs: Commit to never having exectuables on proc and sysfs.
-Origin: https://git.kernel.org/linus/90f8572b0f021fdd1baa68e00a8c30482ee9e5f4
-
-Today proc and sysfs do not contain any executable files. Several
-applications today mount proc or sysfs without noexec and nosuid and
-then depend on there being no exectuables files on proc or sysfs.
-Having any executable files show on proc or sysfs would cause
-a user space visible regression, and most likely security problems.
-
-Therefore commit to never allowing executables on proc and sysfs by
-adding a new flag to mark them as filesystems without executables and
-enforce that flag.
-
-Test the flag where MNT_NOEXEC is tested today, so that the only user
-visible effect will be that exectuables will be treated as if the
-execute bit is cleared.
-
-The filesystems proc and sysfs do not currently incoporate any
-executable files so this does not result in any user visible effects.
-
-This makes it unnecessary to vet changes to proc and sysfs tightly for
-adding exectuable files or changes to chattr that would modify
-existing files, as no matter what the individual file say they will
-not be treated as exectuable files by the vfs.
-
-Not having to vet changes to closely is important as without this we
-are only one proc_create call (or another goof up in the
-implementation of notify_change) from having problematic executables
-on proc. Those mistakes are all too easy to make and would create
-a situation where there are security issues or the assumptions of
-some program having to be broken (and cause userspace regressions).
-
-Signed-off-by: "Eric W. Biederman" <ebiederm at xmission.com>
-[bwh: Backported to 3.16: we don't have super_block::s_iflags; use
- file_system_type::fs_flags instead]
----
---- a/fs/exec.c
-+++ b/fs/exec.c
-@@ -98,6 +98,12 @@ static inline void put_binfmt(struct lin
- module_put(fmt->module);
- }
-
-+bool path_noexec(const struct path *path)
-+{
-+ return (path->mnt->mnt_flags & MNT_NOEXEC) ||
-+ (path->mnt->mnt_sb->s_type->fs_flags & FS_NOEXEC);
-+}
-+
- #ifdef CONFIG_USELIB
- /*
- * Note that a shared library must be both readable and executable due to
-@@ -132,7 +138,7 @@ SYSCALL_DEFINE1(uselib, const char __use
- goto exit;
-
- error = -EACCES;
-- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
-+ if (path_noexec(&file->f_path))
- goto exit;
-
- fsnotify_open(file);
-@@ -773,7 +779,7 @@ static struct file *do_open_exec(struct
- if (!S_ISREG(file_inode(file)->i_mode))
- goto exit;
-
-- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC)
-+ if (path_noexec(&file->f_path))
- goto exit;
-
- fsnotify_open(file);
---- a/fs/open.c
-+++ b/fs/open.c
-@@ -361,7 +361,7 @@ retry:
- * with the "noexec" flag.
- */
- res = -EACCES;
-- if (path.mnt->mnt_flags & MNT_NOEXEC)
-+ if (path_noexec(&path))
- goto out_path_release;
- }
-
---- a/fs/proc/root.c
-+++ b/fs/proc/root.c
-@@ -161,7 +161,7 @@ static struct file_system_type proc_fs_t
- .name = "proc",
- .mount = proc_mount,
- .kill_sb = proc_kill_sb,
-- .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT,
-+ .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT | FS_NOEXEC,
- };
-
- void __init proc_root_init(void)
---- a/fs/sysfs/mount.c
-+++ b/fs/sysfs/mount.c
-@@ -40,6 +40,7 @@ static struct dentry *sysfs_mount(struct
- SYSFS_MAGIC, &new_sb, ns);
- if (IS_ERR(root) || !new_sb)
- kobj_ns_drop(KOBJ_NS_TYPE_NET, ns);
-+
- return root;
- }
-
-@@ -55,7 +56,7 @@ static struct file_system_type sysfs_fs_
- .name = "sysfs",
- .mount = sysfs_mount,
- .kill_sb = sysfs_kill_sb,
-- .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT,
-+ .fs_flags = FS_USERNS_VISIBLE | FS_USERNS_MOUNT | FS_NOEXEC,
- };
-
- int __init sysfs_init(void)
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -1794,6 +1794,7 @@ struct file_system_type {
- #define FS_USERNS_MOUNT 8 /* Can be mounted by userns root */
- #define FS_USERNS_DEV_MOUNT 16 /* A userns mount does not imply MNT_NODEV */
- #define FS_USERNS_VISIBLE 32 /* FS must already be visible */
-+#define FS_NOEXEC 64 /* Ignore executables on this fs */
- #define FS_RENAME_DOES_D_MOVE 32768 /* FS will handle d_move() during rename() internally. */
- struct dentry *(*mount) (struct file_system_type *, int,
- const char *, void *);
-@@ -2810,4 +2811,6 @@ static inline bool dir_relax(struct inod
- return !IS_DEADDIR(inode);
- }
-
-+extern bool path_noexec(const struct path *path);
-+
- #endif /* _LINUX_FS_H */
---- a/kernel/sys.c
-+++ b/kernel/sys.c
-@@ -1646,8 +1646,7 @@ static int prctl_set_mm_exe_file(struct
- * overall picture.
- */
- err = -EACCES;
-- if (!S_ISREG(inode->i_mode) ||
-- exe.file->f_path.mnt->mnt_flags & MNT_NOEXEC)
-+ if (!S_ISREG(inode->i_mode) || path_noexec(&exe.file->f_path))
- goto exit;
-
- err = inode_permission(inode, MAY_EXEC);
---- a/mm/mmap.c
-+++ b/mm/mmap.c
-@@ -1250,7 +1250,7 @@ unsigned long do_mmap_pgoff(struct file
- * mounted, in which case we dont add PROT_EXEC.)
- */
- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
-- if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
-+ if (!(file && path_noexec(&file->f_path)))
- prot |= PROT_EXEC;
-
- if (!len)
-@@ -1322,7 +1322,7 @@ unsigned long do_mmap_pgoff(struct file
- case MAP_PRIVATE:
- if (!(file->f_mode & FMODE_READ))
- return -EACCES;
-- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) {
-+ if (path_noexec(&file->f_path)) {
- if (vm_flags & VM_EXEC)
- return -EPERM;
- vm_flags &= ~VM_MAYEXEC;
---- a/mm/nommu.c
-+++ b/mm/nommu.c
-@@ -1043,7 +1043,7 @@ static int validate_mmap_request(struct
-
- /* handle executable mappings and implied executable
- * mappings */
-- if (file->f_path.mnt->mnt_flags & MNT_NOEXEC) {
-+ if (path_noexec(&file->f_path)) {
- if (prot & PROT_EXEC)
- return -EPERM;
- } else if ((prot & PROT_READ) && !(prot & PROT_EXEC)) {
---- a/security/security.c
-+++ b/security/security.c
-@@ -737,7 +737,7 @@ static inline unsigned long mmap_prot(st
- * ditto if it's not on noexec mount, except that on !MMU we need
- * BDI_CAP_EXEC_MMAP (== VM_MAYEXEC) in this case
- */
-- if (!(file->f_path.mnt->mnt_flags & MNT_NOEXEC)) {
-+ if (!path_noexec(&file->f_path)) {
- #ifndef CONFIG_MMU
- unsigned long caps = 0;
- struct address_space *mapping = file->f_mapping;
diff --git a/debian/patches/series b/debian/patches/series
index 5799f95..16dfaa0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -661,8 +661,6 @@ features/all/chaoskey/chaoskey-3.16-no-hwrng-quality.patch
# Security fixes
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
-bugfix/all/vfs-commit-to-never-having-exectuables-on-proc-and-s.patch
-bugfix/all/aio-mark-aio-pseudo-fs-noexec.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list