[linux] 01/01: Add security fixes
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Wed Dec 20 19:27:29 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit fc7f6fafd826ae0ca73493cc7d0b032dafe3e792
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Wed Dec 20 19:27:18 2017 +0000
Add security fixes
---
debian/changelog | 15 ++
...vent-stack-info-leak-from-the-efs-element.patch | 48 +++++++
...cve-2017-8824-use-after-free-in-dccp-code.patch | 38 +++++
...ix-stack-out-of-bounds-read-in-write_mmio.patch | 153 +++++++++++++++++++++
...sb-v2-lmedm04-Improve-logic-checking-of-w.patch | 83 +++++++++++
...sb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch | 67 +++++++++
...-fix-an-error-handling-path-in-hdpvr_prob.patch | 98 +++++++++++++
...4-fix-for-a-race-condition-in-raw_sendmsg.patch | 70 ++++++++++
...fnetlink_cthelper-add-missing-permission-.patch | 74 ++++++++++
...lter-xt_osf-add-missing-permission-checks.patch | 56 ++++++++
.../all/netlink-add-netns-check-on-taps.patch | 39 ++++++
...prevent-malicious-bnuminterfaces-overflow.patch | 44 ++++++
debian/patches/series | 11 ++
13 files changed, 796 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 558586e..b81e583 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -518,6 +518,21 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
+ Fix use-after-free in trigger removal
- mm/slub: close possible memory-leak in kmem_cache_alloc_bulk()
- crypto: limit more FPU-enabled sections
+ * dccp: CVE-2017-8824: use-after-free in DCCP code
+ * netfilter: nfnetlink_cthelper: Add missing permission checks
+ (CVE-2017-17448)
+ * netlink: Add netns check on taps (CVE-2017-17449)
+ * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)
+ * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)
+ * net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712)
+ * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
+ (CVE-2017-16538)
+ * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
+ (CVE-2017-16538)
+ * media: hdpvr: Fix an error handling path in hdpvr_probe() (CVE-2017-16644)
+ * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio
+ (CVE-2017-17741)
+ * bluetooth: Prevent stack info leak from the EFS element. CVE-2017-1000410)
-- Salvatore Bonaccorso <carnil at debian.org> Sun, 03 Dec 2017 10:18:39 +0100
diff --git a/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
new file mode 100644
index 0000000..3082048
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
@@ -0,0 +1,48 @@
+From: Ben Seri <ben at armis.com>
+Date: Mon, 04 Dec 2017 14:13:25 +0000
+Subject: bluetooth: Prevent stack info leak from the EFS element.
+Origin: http://www.openwall.com/lists/oss-security/2017/12/06/3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-1000410
+
+Signed-off-by: Ben Seri <ben at armis.com>
+---
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- remote_efs = 1;
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
++ remote_efs = 1;
+ memcpy(&efs, (void *) val, olen);
++ }
+ break;
+
+ case L2CAP_CONF_EWS:
+@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
+ memcpy(&efs, (void *)val, olen);
+
+- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != chan->local_stype)
+- return -ECONNREFUSED;
++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != chan->local_stype)
++ return -ECONNREFUSED;
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs, endptr - ptr);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
++ (unsigned long) &efs, endptr - ptr);
++ }
+ break;
+
+ case L2CAP_CONF_FCS:
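Review bot: The size test now guards both the `remote_efs = 1` in l2cap_parse_conf_req and the stype check plus l2cap_add_conf_opt() in l2cap_parse_conf_rsp, so an EFS option of the wrong length is silently skipped instead of leaving a partly uninitialised `efs` in play, but neither site says so and a later reader may "simplify" the braces back. Add a comment at each `if (olen == sizeof(efs)) {` line, e.g. `/* only a full-size EFS option is trusted; a short one would leave efs partly uninitialised */`. Both enclosing functions start and end outside the hunk.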
diff --git a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
new file mode 100644
index 0000000..3772ee8
--- /dev/null
+++ b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
@@ -0,0 +1,38 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
+Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
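Review bot: The added ccid_hc_rx_delete()/ccid_hc_tx_delete() calls run on every path through dccp_disconnect(), not only for a socket already in DCCP_CLOSED as the description suggests, and nothing in the hunk records why that is safe. If the CCIDs are rebuilt on the next connect (I believe the feature-activation code does this, but it is outside the hunk), say so where the pointers are cleared: `/* CCIDs belong to a connection: free them here, they are rebuilt on the next connect */`. A never-connected socket that is disconnected reaches these calls with NULL pointers, so the helpers' NULL tolerance in ccid.h is worth confirming. dccp_disconnect() continues outside the hunk.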
diff --git a/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
new file mode 100644
index 0000000..c460e89
--- /dev/null
+++ b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
@@ -0,0 +1,153 @@
+From: Wanpeng Li <wanpeng.li at hotmail.com>
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+Subject: KVM: Fix stack-out-of-bounds read in write_mmio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit?id=e39d200fa5bf5b94a0948db0dae44c1b73b84a56
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17741
+
+Reported by syzkaller:
+
+ BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+ Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+ CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
+ Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+ Call Trace:
+ dump_stack+0xab/0xe1
+ print_address_description+0x6b/0x290
+ kasan_report+0x28a/0x370
+ write_mmio+0x11e/0x270 [kvm]
+ emulator_read_write_onepage+0x311/0x600 [kvm]
+ emulator_read_write+0xef/0x240 [kvm]
+ emulator_fix_hypercall+0x105/0x150 [kvm]
+ em_hypercall+0x2b/0x80 [kvm]
+ x86_emulate_insn+0x2b1/0x1640 [kvm]
+ x86_emulate_instruction+0x39a/0xb90 [kvm]
+ handle_exception+0x1b4/0x4d0 [kvm_intel]
+ vcpu_enter_guest+0x15a0/0x2640 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
+it by just accessing the bytes which we operate on.
+
+Before patch:
+
+syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Reviewed-by: Darren Kenny <darren.kenny at oracle.com>
+Reviewed-by: Marc Zyngier <marc.zyngier at arm.com>
+Tested-by: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Paolo Bonzini <pbonzini at redhat.com>
+Cc: Radim Krčmář <rkrcmar at redhat.com>
+Cc: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Christoffer Dall <christoffer.dall at linaro.org>
+Signed-off-by: Wanpeng Li <wanpeng.li at hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/x86.c | 8 ++++----
+ include/trace/events/kvm.h | 7 +++++--
+ virt/kvm/arm/mmio.c | 6 +++---
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4362,7 +4362,7 @@ static int vcpu_mmio_read(struct kvm_vcp
+ addr, n, v))
+ && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
+ break;
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+ handled += n;
+ addr += n;
+ len -= n;
+@@ -4621,7 +4621,7 @@ static int read_prepare(struct kvm_vcpu
+ {
+ if (vcpu->mmio_read_completed) {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++ vcpu->mmio_fragments[0].gpa, val);
+ vcpu->mmio_read_completed = 0;
+ return 1;
+ }
+@@ -4643,14 +4643,14 @@ static int write_emulate(struct kvm_vcpu
+
+ static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+ return vcpu_mmio_write(vcpu, gpa, bytes, val);
+ }
+
+ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+ void *val, int bytes)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+ return X86EMUL_IO_NEEDED;
+ }
+
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -211,7 +211,7 @@ TRACE_EVENT(kvm_ack_irq,
+ { KVM_TRACE_MMIO_WRITE, "write" }
+
+ TRACE_EVENT(kvm_mmio,
+- TP_PROTO(int type, int len, u64 gpa, u64 val),
++ TP_PROTO(int type, int len, u64 gpa, void *val),
+ TP_ARGS(type, len, gpa, val),
+
+ TP_STRUCT__entry(
+@@ -225,7 +225,10 @@ TRACE_EVENT(kvm_mmio,
+ __entry->type = type;
+ __entry->len = len;
+ __entry->gpa = gpa;
+- __entry->val = val;
++ __entry->val = 0;
++ if (val)
++ memcpy(&__entry->val, val,
++ min_t(u32, sizeof(__entry->val), len));
+ ),
+
+ TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
+--- a/virt/kvm/arm/mmio.c
++++ b/virt/kvm/arm/mmio.c
+@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vc
+ }
+
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+- data);
++ &data);
+ data = vcpu_data_host_to_guest(vcpu, data, len);
+ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ }
+@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
+ data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
+ len);
+
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
+ kvm_mmio_write_buf(data_buf, len, data);
+
+ ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ data_buf);
+ } else {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
+- fault_ipa, 0);
++ fault_ipa, NULL);
+
+ ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ data_buf);
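Review bot: The `memcpy(&__entry->val, val, min_t(u32, sizeof(__entry->val), len))` in the kvm_mmio TRACE_EVENT is the bound that actually stops the over-read, yet it carries no comment, and since the argument changed from `u64 val` to `void *val` every caller (the x86 and arm sites in this patch) now passes a pointer to a buffer that may be shorter than 8 bytes. Add a comment at the memcpy: `/* val may point at fewer than sizeof(val) bytes (a 3-byte vmcall patch, say); copy only len bytes so the trace never reads past the caller's buffer */`. A negative `len` is converted by min_t to a large u32 and still clamps to sizeof(__entry->val), assuming that field is a u64 as the `0x%llx` format suggests, so the clamp holds in that case too.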
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
new file mode 100644
index 0000000..7942e8d
--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
@@ -0,0 +1,83 @@
+From: Malcolm Priestley <tvboxspy at gmail.com>
+Date: Tue, 26 Sep 2017 17:10:20 -0400
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+ start
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=3d932ee27e852e4904647f15b64dedca51187ad7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -494,18 +494,23 @@ static int lme2510_pid_filter(struct dvb
+
+ static int lme2510_return_status(struct dvb_usb_device *d)
+ {
+- int ret = 0;
++ int ret;
+ u8 *data;
+
+- data = kzalloc(10, GFP_KERNEL);
++ data = kzalloc(6, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+- info("Firmware Status: %x (%x)", ret , data[2]);
++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++ 0x06, 0x80, 0x0302, 0x00,
++ data, 0x6, 200);
++ if (ret != 6)
++ ret = -EINVAL;
++ else
++ ret = data[2];
++
++ info("Firmware Status: %6ph", data);
+
+- ret = (ret < 0) ? -ENODEV : data[2];
+ kfree(data);
+ return ret;
+ }
+@@ -1189,6 +1194,7 @@ static int lme2510_get_adapter_count(str
+ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ struct lme2510_state *st = d->priv;
++ int status;
+
+ usb_reset_configuration(d->udev);
+
+@@ -1197,12 +1203,16 @@ static int lme2510_identify_state(struct
+
+ st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+
+- if (lme2510_return_status(d) == 0x44) {
++ status = lme2510_return_status(d);
++ if (status == 0x44) {
+ *name = lme_firmware_switch(d, 0);
+ return COLD;
+ }
+
+- return 0;
++ if (status != 0x47)
++ return -EINVAL;
++
++ return WARM;
+ }
+
+ static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
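Review bot: lme2510_return_status() now maps every short or failed usb_control_msg() to -EINVAL, so a transport error such as a timeout or a stalled pipe is reported as "invalid argument", and lme2510_identify_state() turns a -ENOMEM from kzalloc() into -EINVAL as well. Preserve the negative code where there is one: `if (ret == 6) ret = data[2]; else if (ret >= 0) ret = -EINVAL;` in lme2510_return_status(), and `if (status < 0) return status;` before the `status == 0x44` test in lme2510_identify_state(). The `info("Firmware Status: %6ph", data)` line still prints the buffer on failure, which is acceptable only because kzalloc() zeroed it; a comment there would keep that dependency visible.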
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
new file mode 100644
index 0000000..143f870
--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
@@ -0,0 +1,67 @@
+From: Malcolm Priestley <tvboxspy at gmail.com>
+Date: Tue, 26 Sep 2017 17:10:21 -0400
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+ dm04_lme2510_tuner
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=7bf7a7116ed313c601307f7e585419369926ab05
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy at gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1076,8 +1076,6 @@ static int dm04_lme2510_frontend_attach(
+
+ if (adap->fe[0]) {
+ info("FE Found M88RS2000");
+- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+- &d->i2c_adap);
+ st->i2c_tuner_gate_w = 5;
+ st->i2c_tuner_gate_r = 5;
+ st->i2c_tuner_addr = 0x60;
+@@ -1143,17 +1141,18 @@ static int dm04_lme2510_tuner(struct dvb
+ ret = st->tuner_config;
+ break;
+ case TUNER_RS2000:
+- ret = st->tuner_config;
++ if (dvb_attach(ts2020_attach, adap->fe[0],
++ &ts2020_config, &d->i2c_adap))
++ ret = st->tuner_config;
+ break;
+ default:
+ break;
+ }
+
+- if (ret)
++ if (ret) {
+ info("TUN Found %s tuner", tun_msg[ret]);
+- else {
+- info("TUN No tuner found --- resetting device");
+- lme_coldreset(d);
++ } else {
++ info("TUN No tuner found");
+ return -ENODEV;
+ }
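Review bot: In the TUNER_RS2000 case `ret` is left untouched when dvb_attach() returns NULL, so the `if (ret)` below only reaches the -ENODEV path if `ret` was initialised to 0 before the switch; that initialisation is outside the hunk (dm04_lme2510_tuner() starts before it), so it should be confirmed rather than assumed from the old code shape. A short comment on the new branch would also record the intent: `/* attach the tuner here so a missing ts2020 fails the probe instead of leaving fe[0] without one */`. The function continues past the hunk.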
+
diff --git a/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
new file mode 100644
index 0000000..88ba95e
--- /dev/null
+++ b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
@@ -0,0 +1,98 @@
+From: Arvind Yadav <arvind.yadav.cs at gmail.com>
+Date: Fri, 22 Sep 2017 09:07:06 -0400
+Subject: media: hdpvr: Fix an error handling path in hdpvr_probe()
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=c0f71bbb810237a38734607ca4599632f7f5d47f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16644
+
+Here, hdpvr_register_videodev() is responsible for setup and
+register a video device. Also defining and initializing a worker.
+hdpvr_register_videodev() is calling by hdpvr_probe at last.
+So no need to flush any work here.
+Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs at gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -292,7 +292,7 @@ static int hdpvr_probe(struct usb_interf
+ /* register v4l2_device early so it can be used for printks */
+ if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+ dev_err(&interface->dev, "v4l2_device_register failed\n");
+- goto error;
++ goto error_free_dev;
+ }
+
+ mutex_init(&dev->io_mutex);
+@@ -301,7 +301,7 @@ static int hdpvr_probe(struct usb_interf
+ dev->usbc_buf = kmalloc(64, GFP_KERNEL);
+ if (!dev->usbc_buf) {
+ v4l2_err(&dev->v4l2_dev, "Out of memory\n");
+- goto error;
++ goto error_v4l2_unregister;
+ }
+
+ init_waitqueue_head(&dev->wait_buffer);
+@@ -339,13 +339,13 @@ static int hdpvr_probe(struct usb_interf
+ }
+ if (!dev->bulk_in_endpointAddr) {
+ v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
+- goto error;
++ goto error_put_usb;
+ }
+
+ /* init the device */
+ if (hdpvr_device_init(dev)) {
+ v4l2_err(&dev->v4l2_dev, "device init failed\n");
+- goto error;
++ goto error_put_usb;
+ }
+
+ mutex_lock(&dev->io_mutex);
+@@ -353,7 +353,7 @@ static int hdpvr_probe(struct usb_interf
+ mutex_unlock(&dev->io_mutex);
+ v4l2_err(&dev->v4l2_dev,
+ "allocating transfer buffers failed\n");
+- goto error;
++ goto error_put_usb;
+ }
+ mutex_unlock(&dev->io_mutex);
+
+@@ -361,7 +361,7 @@ static int hdpvr_probe(struct usb_interf
+ retval = hdpvr_register_i2c_adapter(dev);
+ if (retval < 0) {
+ v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
+- goto error;
++ goto error_free_buffers;
+ }
+
+ client = hdpvr_register_ir_rx_i2c(dev);
+@@ -394,13 +394,17 @@ static int hdpvr_probe(struct usb_interf
+ reg_fail:
+ #if IS_ENABLED(CONFIG_I2C)
+ i2c_del_adapter(&dev->i2c_adapter);
++error_free_buffers:
+ #endif
++ hdpvr_free_buffers(dev);
++error_put_usb:
++ usb_put_dev(dev->udev);
++ kfree(dev->usbc_buf);
++error_v4l2_unregister:
++ v4l2_device_unregister(&dev->v4l2_dev);
++error_free_dev:
++ kfree(dev);
+ error:
+- if (dev) {
+- flush_work(&dev->worker);
+- /* this frees allocated memory */
+- hdpvr_delete(dev);
+- }
+ return retval;
+ }
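Review bot: The new `error_free_buffers:` label sits inside `#if IS_ENABLED(CONFIG_I2C)`, so the `goto error_free_buffers` after hdpvr_register_i2c_adapter() only compiles when that call is under the same guard; the -361 hunk does not show the guard, so a build with CONFIG_I2C disabled should be tried. The `error:` label now performs no cleanup; if it is still reached from an early failure outside the hunk (a kzalloc() of `dev` failing, presumably) it stays, otherwise it becomes an unused-label warning and should be dropped. A comment at the first label, `/* each label undoes one step of the probe above, in reverse order */`, would make the ladder self-explaining. hdpvr_probe() starts before the hunk.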
+
diff --git a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 0000000..23ec669
--- /dev/null
+++ b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,70 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: net: ipv4: fix for a race condition in raw_sendmsg
+Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -513,11 +513,16 @@ static int raw_sendmsg(struct sock *sk,
+ int err;
+ struct ip_options_data opt_copy;
+ struct raw_frag_vec rfv;
++ int hdrincl;
+
+ err = -EMSGSIZE;
+ if (len > 0xFFFF)
+ goto out;
+
++ /* hdrincl should be READ_ONCE(inet->hdrincl)
++ * but READ_ONCE() doesn't work with bit fields
++ */
++ hdrincl = inet->hdrincl;
+ /*
+ * Check the flags.
+ */
+@@ -593,7 +598,7 @@ static int raw_sendmsg(struct sock *sk,
+ /* Linux does not mangle headers on raw sockets,
+ * so that IP options + IP_HDRINCL is non-sense.
+ */
+- if (inet->hdrincl)
++ if (hdrincl)
+ goto done;
+ if (ipc.opt->opt.srr) {
+ if (!daddr)
+@@ -615,12 +620,12 @@ static int raw_sendmsg(struct sock *sk,
+
+ flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+ RT_SCOPE_UNIVERSE,
+- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ inet_sk_flowi_flags(sk) |
+- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ daddr, saddr, 0, 0, sk->sk_uid);
+
+- if (!inet->hdrincl) {
++ if (!hdrincl) {
+ rfv.msg = msg;
+ rfv.hlen = 0;
+
+@@ -645,7 +650,7 @@ static int raw_sendmsg(struct sock *sk,
+ goto do_confirm;
+ back_from_confirm:
+
+- if (inet->hdrincl)
++ if (hdrincl)
+ err = raw_send_hdrinc(sk, &fl4, msg, len,
+ &rt, msg->msg_flags, &ipc.sockc);
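Review bot: The fix relies on every read of inet->hdrincl in raw_sendmsg() going through the new local, but the function starts and ends outside the hunk, so any remaining `inet->hdrincl` in the tail after `back_from_confirm:` would reintroduce the race; it is worth a check over the whole function before merging. The added comment explains why READ_ONCE() is not used but not what the single read buys; consider `/* inet->hdrincl can be flipped concurrently by setsockopt(); read it once so the whole send path makes one consistent choice */`. A plain load of a bit field can still in principle be re-read by the compiler, which is the residual risk the comment is hinting at.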
+
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
new file mode 100644
index 0000000..effd659
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
@@ -0,0 +1,74 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
+Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ $ nfct helper list
+ nfct v1.4.4: netlink error: Operation not permitted
+ $ vpnns -- nfct helper list
+ {
+ .name = ftp,
+ .queuenum = 0,
+ .l3protonum = 2,
+ .l4protonum = 6,
+ .priv_data_len = 24,
+ .status = enabled,
+ };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+
+@@ -407,6 +408,9 @@ static int nfnl_cthelper_new(struct net
+ struct nfnl_cthelper *nlcth;
+ int ret = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+
+@@ -611,6 +615,9 @@ static int nfnl_cthelper_get(struct net
+ struct nfnl_cthelper *nlcth;
+ bool tuple_set = false;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_cthelper_dump_table,
+@@ -678,6 +685,9 @@ static int nfnl_cthelper_del(struct net
+ struct nfnl_cthelper *nlcth, *n;
+ int j = 0, ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+
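Review bot: The three `capable(CAP_NET_ADMIN)` checks here (and the two in the xt_osf patch below) deliberately use the init-namespace capable() rather than the netlink_net_capable()/ns_capable() that nfnetlink handlers normally rely on, and nothing at the call sites says why, so a later cleanup could "fix" them back to the namespace-aware variant. Add a comment above the first check in each function: `/* nfnl_cthelper_list is global, not per-netns: require CAP_NET_ADMIN in the initial user namespace */` (for xt_osf, name xt_osf_fingers instead). nfnl_cthelper_new(), nfnl_cthelper_get() and nfnl_cthelper_del() all start before their hunks.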
diff --git a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
new file mode 100644
index 0000000..fcaacd7
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
@@ -0,0 +1,56 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: netfilter: xt_osf: Add missing permission checks
+Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ vpnns -- nfnl_osf -f /tmp/pf.os
+
+ vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list. Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -70,6 +71,9 @@ static int xt_osf_add_callback(struct ne
+ struct xt_osf_finger *kf = NULL, *sf;
+ int err = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
+@@ -115,6 +119,9 @@ static int xt_osf_remove_callback(struct
+ struct xt_osf_finger *sf;
+ int err = -ENOENT;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
diff --git a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
new file mode 100644
index 0000000..d037380
--- /dev/null
+++ b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
@@ -0,0 +1,39 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Wed, 6 Dec 2017 12:12:27 -0800
+Subject: netlink: Add netns check on taps
+Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
+
+Currently, a nlmon link inside a child namespace can observe systemwide
+netlink activity. Filter the traffic so that nlmon can only sniff
+netlink messages from its own netns.
+
+Test case:
+
+ vpnns -- bash -c "ip link add nlmon0 type nlmon; \
+ ip link set nlmon0 up; \
+ tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
+ sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
+ spi 0x1 mode transport \
+ auth sha1 0x6162633132330000000000000000000000000000 \
+ enc aes 0x00000000000000000000000000000000
+ grep --binary abc123 /tmp/nlmon.pcap
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -254,6 +254,9 @@ static int __netlink_deliver_tap_skb(str
+ struct sock *sk = skb->sk;
+ int ret = -ENOMEM;
+
++ if (!net_eq(dev_net(dev), sock_net(sk)))
++ return 0;
++
+ dev_hold(dev);
+
+ if (is_vmalloc_addr(skb->head))
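Review bot: `return 0` for a tap in a foreign netns makes the skip look like a successful delivery to the caller of __netlink_deliver_tap_skb(), whose `ret` otherwise starts at -ENOMEM; that is presumably intended but should be stated: `/* taps only see traffic from their own netns; skipping is not an error */`. The function starts before the hunk and its return handling is not visible, so confirm the caller treats 0 as "nothing more to do" rather than as a delivered copy.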
diff --git a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
new file mode 100644
index 0000000..13e050e
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
@@ -0,0 +1,44 @@
+From: Alan Stern <stern at rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: USB: core: prevent malicious bNumInterfaces overflow
+Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor. Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially. The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+CC: <stable at vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
+ unsigned iad_num = 0;
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++ nintf = nintf_orig = config->desc.bNumInterfaces;
++ config->desc.bNumInterfaces = 0; // Adjusted later
++
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
+@@ -568,7 +571,6 @@ static int usb_parse_configuration(struc
+ buffer += config->desc.bLength;
+ size -= config->desc.bLength;
+
+- nintf = nintf_orig = config->desc.bNumInterfaces;
+ if (nintf > USB_MAXINTERFACES) {
+ dev_warn(ddev, "config %d has too many interfaces: %d, "
+ "using maximum allowed: %d\n",
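Review bot: `config->desc.bNumInterfaces = 0; // Adjusted later` uses a C99 line comment, which kernel style tooling commonly flags, and it says when the value is restored but not why it is cleared; prefer `/* leave 0 until parsing completes, so error paths that walk the interfaces never index past what was allocated */`. The nintf/nintf_orig read now precedes the bDescriptorType/bLength validation; that is harmless because the memcpy has already filled config->desc, but it is the one reordering in the hunk worth a glance. usb_parse_configuration() continues outside the hunk.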
diff --git a/debian/patches/series b/debian/patches/series
index ed8e850..2becbc1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -116,6 +116,17 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
+bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
+bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+bugfix/all/netlink-add-netns-check-on-taps.patch
+bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
+bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
+bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
+bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
+bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
+bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
+bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch