[linux] 01/01: Add various security fixes
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sat Dec 9 19:37:54 UTC 2017
benh pushed a commit to branch wheezy-security
in repository linux.
commit bca461e4ee1d096c40ffc59f89fccd75d0dee658
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Dec 9 19:37:34 2017 +0000
Add various security fixes
---
debian/changelog | 10 ++++
...nep-bnep_add_connection-should-verify-tha.patch | 28 ++++++++++
...mtp-cmtp_add_connection-should-verify-tha.patch | 28 ++++++++++
.../all/bluetooth-hidp-verify-l2cap-sockets.patch | 60 ++++++++++++++++++++++
...cve-2017-8824-use-after-free-in-dccp-code.patch | 38 ++++++++++++++
.../ipsec-fix-aborted-xfrm-policy-dump-crash.patch | 36 +++++++++++++
...x-crash-in-xfrm_msg_getsa-netlink-handler.patch | 37 +++++++++++++
...emove-i-o-port-0x80-bypass-on-intel-hosts.patch | 46 +++++++++++++++++
debian/patches/series | 7 +++
9 files changed, 290 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 411806e..3d6d6d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -218,6 +218,16 @@ linux (3.2.96-1) UNRELEASED; urgency=medium
* mmap: Remember the MAP_FIXED flag as VM_FIXED
* [x86] mmap: Add an exception to the stack gap for Hotspot JVM compatibility
(Closes: #865303)
+ * dccp: CVE-2017-8824: use-after-free in DCCP code
+ * Bluetooth: hidp: verify l2cap sockets
+ * Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with
+ l2cap socket
+ * Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with
+ l2cap socket (CVE-2017-15868)
+ * xfrm: fix crash in XFRM_MSG_GETSA netlink handler
+ * ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)
+ * [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+ (CVE-2017-1000407)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 26 Nov 2017 20:43:54 +0000
diff --git a/debian/patches/bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch b/debian/patches/bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch
new file mode 100644
index 0000000..27f9fdf
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch
@@ -0,0 +1,28 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 19 Dec 2014 06:20:59 +0000
+Subject: Bluetooth: bnep: bnep_add_connection() should verify that it's
+ dealing with l2cap socket
+Origin: https://git.kernel.org/linus/71bb99a02b32b4cc4265118e85f6035ca72923f0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15868
+
+same story as cmtp
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+[bwh: Backported to 3.2: adjust context]
+---
+ net/bluetooth/bnep/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -560,6 +560,9 @@ int bnep_add_connection(struct bnep_conn
+
+ BT_DBG("");
+
++ if (!l2cap_is_socket(sock))
++ return -EBADFD;
++
+ baswap((void *) dst, &bt_sk(sock->sk)->dst);
+ baswap((void *) src, &bt_sk(sock->sk)->src);
+
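Review bot: The new guard `if (!l2cap_is_socket(sock))` carries no comment saying why a non-L2CAP socket must be rejected, and that reason is the entire security content of this backport. I would add above it `/* bt_sk()/l2cap_pi() below assume sock->sk is an L2CAP socket; reject anything else (CVE-2017-15868) */`. The guard only inspects sock->ops; sock->sk is still dereferenced unchecked on the two baswap() lines, but that matches the pre-patch code, so it is not a regression. Note that l2cap_is_socket() is not defined by this patch but by the hidp patch, so this file depends on series order. bnep_add_connection() starts before and continues past this hunk.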
diff --git a/debian/patches/bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch b/debian/patches/bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch
new file mode 100644
index 0000000..eb5d8b5
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch
@@ -0,0 +1,28 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 19 Dec 2014 06:20:58 +0000
+Subject: Bluetooth: cmtp: cmtp_add_connection() should verify that it's
+ dealing with l2cap socket
+Origin: https://git.kernel.org/linus/96c26653ce65bf84f3212f8b00d4316c1efcbf4c
+
+... rather than relying on ciptool(8) never passing it anything else. Give
+it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
+trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+ net/bluetooth/cmtp/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -336,6 +336,9 @@ int cmtp_add_connection(struct cmtp_conn
+
+ BT_DBG("");
+
++ if (!l2cap_is_socket(sock))
++ return -EBADFD;
++
+ session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
+ if (!session)
+ return -ENOMEM;
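Review bot: The patch header lacks the `Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15868` tag that the sibling bnep and hidp patches carry, even though the changelog groups all three together; if this cmtp fix is considered part of the CVE-2017-15868 remediation, add the tag so the tracker links to it. The check itself sits before the kzalloc(), so returning -EBADFD cannot leak a session, which is the right placement. As with bnep, a one-line comment above the check, `/* the l2cap_pi()/bt_sk() accesses below require an L2CAP socket, see commit message */`, would make the intent explicit to a reader of core.c. cmtp_add_connection() begins before and continues after this hunk.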
diff --git a/debian/patches/bugfix/all/bluetooth-hidp-verify-l2cap-sockets.patch b/debian/patches/bugfix/all/bluetooth-hidp-verify-l2cap-sockets.patch
new file mode 100644
index 0000000..a6d337a
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-hidp-verify-l2cap-sockets.patch
@@ -0,0 +1,60 @@
+From: David Herrmann <dh.herrmann at gmail.com>
+Date: Fri, 5 Apr 2013 14:57:34 +0200
+Subject: Bluetooth: hidp: verify l2cap sockets
+Origin: https://git.kernel.org/linus/b3916db32c4a3124eee9f3742a2f4723731d7602
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15868
+
+We need to verify that the given sockets actually are l2cap sockets. If
+they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
+start the session if the offsets turn out to be valid local BT addresses.
+
+That is, if someone passes a TCP socket to HIDCONNADD, then we access some
+random offset in the TCP socket (which isn't even guaranteed to be valid).
+
+Fix this by checking that the socket is an l2cap socket.
+
+Signed-off-by: David Herrmann <dh.herrmann at gmail.com>
+Acked-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: Gustavo Padovan <gustavo.padovan at collabora.co.uk>
+---
+ include/net/bluetooth/l2cap.h | 1 +
+ net/bluetooth/hidp/core.c | 2 ++
+ net/bluetooth/l2cap_sock.c | 6 ++++++
+ 3 files changed, 9 insertions(+)
+
+--- a/include/net/bluetooth/l2cap.h
++++ b/include/net/bluetooth/l2cap.h
+@@ -496,6 +496,7 @@ extern int disable_ertm;
+
+ int l2cap_init_sockets(void);
+ void l2cap_cleanup_sockets(void);
++bool l2cap_is_socket(struct socket *sock);
+
+ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan);
+ int __l2cap_wait_ack(struct sock *sk);
+--- a/net/bluetooth/hidp/core.c
++++ b/net/bluetooth/hidp/core.c
+@@ -972,6 +972,8 @@ int hidp_add_connection(struct hidp_conn
+
+ BT_DBG("");
+
++ if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
++ return -EINVAL;
+ if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
+ bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
+ return -ENOTUNIQ;
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -38,6 +38,12 @@ static const struct proto_ops l2cap_sock
+ static void l2cap_sock_init(struct sock *sk, struct sock *parent);
+ static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, int proto, gfp_t prio);
+
++bool l2cap_is_socket(struct socket *sock)
++{
++ return sock && sock->ops == &l2cap_sock_ops;
++}
++EXPORT_SYMBOL(l2cap_is_socket);
++
+ static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
+ {
+ struct sock *sk = sock->sk;
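Review bot: `l2cap_is_socket()` is a new exported symbol with no kernel-doc, and its contract — the check a caller must pass before touching bt_sk(sock->sk) or l2cap_pi() — is exactly what the three Bluetooth backports rely on. I would add above the definition `/* True if @sock is an L2CAP socket; NULL-safe. Callers must check this before using bt_sk()/l2cap_pi() on sock->sk. */`. It is also worth recording in the patch header that hidp returns -EINVAL here while the bnep/cmtp patches return -EBADFD for the same condition; that follows upstream, so it is a documentation point rather than a change request. The `static const struct proto_ops l2cap_sock…` context line appears to be the forward declaration that lets `&l2cap_sock_ops` resolve at this position, which is worth confirming in the 3.2 file; hidp_add_connection() continues outside the hunk.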
diff --git a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
new file mode 100644
index 0000000..88b0ba6
--- /dev/null
+++ b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
@@ -0,0 +1,38 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
+Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -252,6 +252,7 @@ int dccp_disconnect(struct sock *sk, int
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+@@ -271,6 +272,10 @@ int dccp_disconnect(struct sock *sk, int
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
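Review bot: The four added lines free the CCIDs on every pass through dccp_disconnect(), so a second disconnect on the same socket reaches ccid_hc_rx_delete()/ccid_hc_tx_delete() with NULL arguments; this is only safe if those helpers tolerate a NULL ccid, which I believe they do in 3.2 but should be confirmed against net/dccp/ccid.c rather than assumed. A comment would tie the lines to the bug they fix: `/* Free the CCIDs now that the socket is DCCP_CLOSED; leaving stale dccps_hc_*_ccid pointers here was CVE-2017-8824. */`. Presumably a later connect() re-allocates them, but that path is outside this hunk, as is the remainder of the function's teardown.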
diff --git a/debian/patches/bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch b/debian/patches/bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
new file mode 100644
index 0000000..25d20ff
--- /dev/null
+++ b/debian/patches/bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
@@ -0,0 +1,36 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 09 Dec 2017 19:24:58 +0000
+Subject: ipsec: Fix aborted xfrm policy dump crash
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16939
+
+This is a fix for CVE-2017-16939 suitable for older stable branches.
+The upstream fix is commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2,
+from which the following explanation is taken:
+
+ An independent security researcher, Mohamed Ghannam, has reported
+ this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
+ program.
+
+ The xfrm_dump_policy_done function expects xfrm_dump_policy to
+ have been called at least once or it will crash. This can be
+ triggered if a dump fails because the target socket's receive
+ buffer is full.
+
+It was not possible to define a 'start' callback for netlink dumps
+until Linux 4.5, so instead add a check for the initialisation flag in
+the 'done' callback.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1531,7 +1531,8 @@ static int xfrm_dump_policy_done(struct
+ {
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+
+- xfrm_policy_walk_done(walk);
++ if (cb->args[0])
++ xfrm_policy_walk_done(walk);
+ return 0;
+ }
+
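Review bot: The guard `if (cb->args[0])` is correct only because xfrm_dump_policy() (outside this hunk) sets cb->args[0] in the same branch that calls xfrm_policy_walk_init(), as far as I recall from the 3.2 source, and nothing in the done callback records that coupling. Add above the check `/* args[0] is set by xfrm_dump_policy() together with walk_init(); a dump that never ran (e.g. full receive buffer) leaves the walk uninitialised */`. The patch file also has no diffstat between the `---` separator and the first `--- a/` line, which quilt does not need but which is inconsistent with the other patches in this series.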
diff --git a/debian/patches/bugfix/all/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch b/debian/patches/bugfix/all/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch
new file mode 100644
index 0000000..0f197c0
--- /dev/null
+++ b/debian/patches/bugfix/all/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch
@@ -0,0 +1,37 @@
+From: Vegard Nossum <vegard.nossum at oracle.com>
+Date: Tue, 5 Jul 2016 10:18:08 +0200
+Subject: xfrm: fix crash in XFRM_MSG_GETSA netlink handler
+Origin: https://git.kernel.org/linus/1ba5bf993c6a3142e18e68ea6452b347f9cb5635
+
+If we hit any of the error conditions inside xfrm_dump_sa(), then
+xfrm_state_walk_init() never gets called. However, we still call
+xfrm_state_walk_done() from xfrm_dump_sa_done(), which will crash
+because the state walk was never initialized properly.
+
+We can fix this by setting cb->args[0] only after we've processed the
+first element and checking this before calling xfrm_state_walk_done().
+
+Fixes: d3623099d3 ("ipsec: add support of limited SA dump")
+Cc: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+Cc: Steffen Klassert <steffen.klassert at secunet.com>
+Signed-off-by: Vegard Nossum <vegard.nossum at oracle.com>
+Acked-by: Nicolas Dichtel <nicolas.dichtel at 6wind.com>
+Signed-off-by: Steffen Klassert <steffen.klassert at secunet.com>
+[bwh: Backported to 3.2: There is no filtering in xfrm_dump_sa(), but this crash
+ does seem to be possible if no SA is present at all.]
+---
+ net/xfrm/xfrm_user.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -860,7 +860,8 @@ nla_put_failure:
+ static int xfrm_dump_sa_done(struct netlink_callback *cb)
+ {
+ struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
+- xfrm_state_walk_done(walk);
++ if (cb->args[0])
++ xfrm_state_walk_done(walk);
+ return 0;
+ }
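Review bot: The diffstat in the patch header (`net/xfrm/xfrm_user.c | 6 +++---`, `3 insertions(+), 3 deletions(-)`) was carried over from the upstream commit, but the backported hunk has only 2 insertions and 1 deletion; regenerate or drop it so the header describes what the file actually applies. Upstream also moved the `cb->args[0] = 1` assignment in xfrm_dump_sa() to after the first element is processed, whereas this backport keeps only the done-side check; the `[bwh: ...]` note hints at that but it would be clearer to state "xfrm_dump_sa() is unchanged in this backport" explicitly. As in the policy-dump patch, a one-line comment above the check, `/* args[0] is only set once xfrm_dump_sa() has initialised the walk */`, would document the invariant the check depends on.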
+
diff --git a/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
new file mode 100644
index 0000000..6fdc080
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
@@ -0,0 +1,46 @@
+From: Andrew Honig <ahonig at google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/d59d51f088014f25c2562de59b9abff4f42a7468
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000407
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig at google.com>
+Signed-off-by: Jim Mattson <jmattson at google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7289,12 +7289,7 @@ static int __init vmx_init(void)
+ goto out2;
+ }
+
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+
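Review bot: The removed comment was the only explanation of why port 0x80 was special-cased, and nothing replaces it, so a future reader sees two full memsets with no hint that the bypass was deliberately dropped rather than lost. I would add above the first memset `/* Trap every I/O port, including the 0x80 debug port: a guest flooding 0x80 with writes can destabilise the host (CVE-2017-1000407). */`. With both bitmaps now uniformly 0xff the a/b split is purely structural, but leave it since code outside the hunk presumably references both. vmx_init() starts before and continues after this hunk.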
diff --git a/debian/patches/series b/debian/patches/series
index 875d273..71ee934 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1113,6 +1113,13 @@ bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
bugfix/arm/mm-larger-stack-guard-gap-between-vmas-arm-topdown.patch
+bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
+bugfix/all/bluetooth-hidp-verify-l2cap-sockets.patch
+bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch
+bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch
+bugfix/all/xfrm-fix-crash-in-xfrm_msg_getsa-netlink-handler.patch
+bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
+bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
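Review bot: The order of the three Bluetooth lines is load-bearing — `bluetooth-hidp-verify-l2cap-sockets.patch` introduces l2cap_is_socket(), which the cmtp and bnep patches that follow it call — and the series file gives no hint of that. Since this file already uses `#` comments (`# ABI maintenance`), add `# hidp patch must precede cmtp/bnep: it adds l2cap_is_socket()` above the hidp line so a later reorder or selective drop does not break the build.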