[linux] 01/01: Add various security fixes
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Dec 22 20:26:52 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch-security
in repository linux.
commit cdcc1fe1d06ac0856d3a5ee37bec6d4399dbb3ae
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Dec 22 20:26:35 2017 +0000
Add various security fixes
---
debian/changelog | 33 +++++
...vent-stack-info-leak-from-the-efs-element.patch | 48 +++++++
...-adjust-insn_aux_data-when-patching-insns.patch | 93 ++++++++++++
.../bugfix/all/bpf-fix-branch-pruning-logic.patch | 111 +++++++++++++++
...-incorrect-sign-extension-in-check_alu_op.patch | 50 +++++++
...t-out-of-bounds-stack-pointer-calculation.patch | 53 +++++++
...-require-that-the-underlying-hash-algorit.patch | 142 +++++++++++++++++++
...ypto-salsa20-fix-blkcipher_walk-API-usage.patch | 84 +++++++++++
...cve-2017-8824-use-after-free-in-dccp-code.patch | 38 +++++
...ssing-permission-check-for-request_key-de.patch | 157 +++++++++++++++++++++
...ix-stack-out-of-bounds-read-in-write_mmio.patch | 154 ++++++++++++++++++++
...sb-v2-lmedm04-Improve-logic-checking-of-w.patch | 83 +++++++++++
...sb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch | 67 +++++++++
...-fix-an-error-handling-path-in-hdpvr_prob.patch | 98 +++++++++++++
...4-fix-for-a-race-condition-in-raw_sendmsg.patch | 71 ++++++++++
...fnetlink_cthelper-add-missing-permission-.patch | 74 ++++++++++
...lter-xt_osf-add-missing-permission-checks.patch | 56 ++++++++
.../all/netlink-add-netns-check-on-taps.patch | 39 +++++
...prevent-malicious-bnuminterfaces-overflow.patch | 44 ++++++
...emove-i-o-port-0x80-bypass-on-intel-hosts.patch | 47 ++++++
debian/patches/series | 19 +++
21 files changed, 1561 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1ecb808..2b16a41 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,36 @@
+linux (4.9.65-3+deb9u1) UNRELEASED; urgency=high
+
+ * dccp: CVE-2017-8824: use-after-free in DCCP code
+ * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
+ (CVE-2017-16538)
+ * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
+ (CVE-2017-16538)
+ * media: hdpvr: Fix an error handling path in hdpvr_probe() (CVE-2017-16644)
+ * bpf/verifier: Fix multiple security issues:
+ - adjust insn_aux_data when patching insns
+ - fix branch pruning logic
+ - reject out-of-bounds stack pointer calculation
+ - fix incorrect sign extension in check_alu_op() (CVE-2017-16995)
+ * netfilter: nfnetlink_cthelper: Add missing permission checks
+ (CVE-2017-17448)
+ * netlink: Add netns check on taps (CVE-2017-17449)
+ * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)
+ * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)
+ * net: ipv4: fix for a race condition in raw_sendmsg (CVE-2017-17712)
+ * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio
+ (CVE-2017-17741)
+ * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
+ * crypto: hmac - require that the underlying hash algorithm is unkeyed
+ (CVE-2017-17806)
+ * KEYS: add missing permission check for request_key() destination
+ (CVE-2017-17807)
+ * [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+ (CVE-2017-1000407)
+ * bluetooth: Prevent stack info leak from the EFS element.
+ (CVE-2017-1000410)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Fri, 22 Dec 2017 17:09:35 +0000
+
linux (4.9.65-3) stretch; urgency=medium
[ Salvatore Bonaccorso ]
diff --git a/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
new file mode 100644
index 0000000..d002a4e
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
@@ -0,0 +1,48 @@
+From: Ben Seri <ben at armis.com>
+Date: Mon, 04 Dec 2017 14:13:25 +0000
+Subject: bluetooth: Prevent stack info leak from the EFS element.
+Origin: http://www.openwall.com/lists/oss-security/2017/12/06/3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-1000410
+
+Signed-off-by: Ben Seri <ben at armis.com>
+---
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3353,9 +3353,10 @@ static int l2cap_parse_conf_req(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- remote_efs = 1;
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
++ remote_efs = 1;
+ memcpy(&efs, (void *) val, olen);
++ }
+ break;
+
+ case L2CAP_CONF_EWS:
+@@ -3574,16 +3575,17 @@ static int l2cap_parse_conf_rsp(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
+ memcpy(&efs, (void *)val, olen);
+
+- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != chan->local_stype)
+- return -ECONNREFUSED;
++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != chan->local_stype)
++ return -ECONNREFUSED;
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs, endptr - ptr);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
++ (unsigned long) &efs, endptr - ptr);
++ }
+ break;
+
+ case L2CAP_CONF_FCS:
diff --git a/debian/patches/bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch b/debian/patches/bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
new file mode 100644
index 0000000..f262243
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
@@ -0,0 +1,93 @@
+From: Alexei Starovoitov <ast at fb.com>
+Date: Wed, 15 Mar 2017 18:26:41 -0700
+Subject: bpf: adjust insn_aux_data when patching insns
+Origin: https://www.spinics.net/lists/stable/msg206987.html
+
+convert_ctx_accesses() replaces single bpf instruction with a set of
+instructions. Adjust corresponding insn_aux_data while patching.
+It's needed to make sure subsequent 'for(all insn)' loops
+have matching insn and insn_aux_data.
+
+Signed-off-by: Alexei Starovoitov <ast at kernel.org>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ kernel/bpf/verifier.c | 44 +++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 39 insertions(+), 5 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3210,6 +3210,41 @@ static void convert_pseudo_ld_imm64(stru
+ insn->src_reg = 0;
+ }
+
++/* single env->prog->insni[off] instruction was replaced with the range
++ * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
++ * [0, off) and [off, end) to new locations, so the patched range stays zero
++ */
++static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
++ u32 off, u32 cnt)
++{
++ struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
++
++ if (cnt == 1)
++ return 0;
++ new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len);
++ if (!new_data)
++ return -ENOMEM;
++ memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
++ memcpy(new_data + off + cnt - 1, old_data + off,
++ sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
++ env->insn_aux_data = new_data;
++ vfree(old_data);
++ return 0;
++}
++
++static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off,
++ const struct bpf_insn *patch, u32 len)
++{
++ struct bpf_prog *new_prog;
++
++ new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
++ if (!new_prog)
++ return NULL;
++ if (adjust_insn_aux_data(env, new_prog->len, off, len))
++ return NULL;
++ return new_prog;
++}
++
+ /* convert load instructions that access fields of 'struct __sk_buff'
+ * into sequence of instructions that access fields of 'struct sk_buff'
+ */
+@@ -3229,10 +3264,10 @@ static int convert_ctx_accesses(struct b
+ verbose("bpf verifier is misconfigured\n");
+ return -EINVAL;
+ } else if (cnt) {
+- new_prog = bpf_patch_insn_single(env->prog, 0,
+- insn_buf, cnt);
++ new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
+ if (!new_prog)
+ return -ENOMEM;
++
+ env->prog = new_prog;
+ delta += cnt - 1;
+ }
+@@ -3253,7 +3288,7 @@ static int convert_ctx_accesses(struct b
+ else
+ continue;
+
+- if (env->insn_aux_data[i].ptr_type != PTR_TO_CTX)
++ if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
+ continue;
+
+ cnt = ops->convert_ctx_access(type, insn->dst_reg, insn->src_reg,
+@@ -3263,8 +3298,7 @@ static int convert_ctx_accesses(struct b
+ return -EINVAL;
+ }
+
+- new_prog = bpf_patch_insn_single(env->prog, i + delta, insn_buf,
+- cnt);
++ new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+ if (!new_prog)
+ return -ENOMEM;
+
diff --git a/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch b/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch
new file mode 100644
index 0000000..0eb2164
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-fix-branch-pruning-logic.patch
@@ -0,0 +1,111 @@
+From: Alexei Starovoitov <ast at fb.com>
+Date: Wed, 22 Nov 2017 16:42:05 -0800
+Subject: bpf: fix branch pruning logic
+Origin: https://www.spinics.net/lists/stable/msg206984.html
+
+when the verifier detects that register contains a runtime constant
+and it's compared with another constant it will prune exploration
+of the branch that is guaranteed not to be taken at runtime.
+This is all correct, but malicious program may be constructed
+in such a way that it always has a constant comparison and
+the other branch is never taken under any conditions.
+In this case such path through the program will not be explored
+by the verifier. It won't be taken at run-time either, but since
+all instructions are JITed the malicious program may cause JITs
+to complain about using reserved fields, etc.
+To fix the issue we have to track the instructions explored by
+the verifier and sanitize instructions that are dead at run time
+with NOPs. We cannot reject such dead code, since llvm generates
+it for valid C code, since it doesn't do as much data flow
+analysis as the verifier does.
+
+Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
+Signed-off-by: Alexei Starovoitov <ast at kernel.org>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
+---
+ include/linux/bpf_verifier.h | 1 +
+ kernel/bpf/verifier.c | 27 +++++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -68,6 +68,7 @@ struct bpf_verifier_state_list {
+
+ struct bpf_insn_aux_data {
+ enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
++ bool seen; /* this insn was processed by the verifier */
+ };
+
+ #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2862,6 +2862,7 @@ static int do_check(struct bpf_verifier_
+ if (err)
+ return err;
+
++ env->insn_aux_data[insn_idx].seen = true;
+ if (class == BPF_ALU || class == BPF_ALU64) {
+ err = check_alu_op(env, insn);
+ if (err)
+@@ -3059,6 +3060,7 @@ process_bpf_exit:
+ return err;
+
+ insn_idx++;
++ env->insn_aux_data[insn_idx].seen = true;
+ } else {
+ verbose("invalid BPF_LD mode\n");
+ return -EINVAL;
+@@ -3218,6 +3220,7 @@ static int adjust_insn_aux_data(struct b
+ u32 off, u32 cnt)
+ {
+ struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
++ int i;
+
+ if (cnt == 1)
+ return 0;
+@@ -3227,6 +3230,8 @@ static int adjust_insn_aux_data(struct b
+ memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
+ memcpy(new_data + off + cnt - 1, old_data + off,
+ sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
++ for (i = off; i < off + cnt - 1; i++)
++ new_data[i].seen = true;
+ env->insn_aux_data = new_data;
+ vfree(old_data);
+ return 0;
+@@ -3245,6 +3250,25 @@ static struct bpf_prog *bpf_patch_insn_d
+ return new_prog;
+ }
+
++/* The verifier does more data flow analysis than llvm and will not explore
++ * branches that are dead at run time. Malicious programs can have dead code
++ * too. Therefore replace all dead at-run-time code with nops.
++ */
++static void sanitize_dead_code(struct bpf_verifier_env *env)
++{
++ struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
++ struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
++ struct bpf_insn *insn = env->prog->insnsi;
++ const int insn_cnt = env->prog->len;
++ int i;
++
++ for (i = 0; i < insn_cnt; i++) {
++ if (aux_data[i].seen)
++ continue;
++ memcpy(insn + i, &nop, sizeof(nop));
++ }
++}
++
+ /* convert load instructions that access fields of 'struct __sk_buff'
+ * into sequence of instructions that access fields of 'struct sk_buff'
+ */
+@@ -3407,6 +3431,9 @@ skip_full_check:
+ free_states(env);
+
+ if (ret == 0)
++ sanitize_dead_code(env);
++
++ if (ret == 0)
+ /* program is valid, convert *(u32*)(ctx + off) accesses */
+ ret = convert_ctx_accesses(env);
+
diff --git a/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch b/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
new file mode 100644
index 0000000..096543c
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
@@ -0,0 +1,50 @@
+From: Daniel Borkmann <daniel at iogearbox.net>
+Date: Thu, 21 Dec 2017 22:42:49 +0100
+Subject: bpf: fix incorrect sign extension in check_alu_op()
+Origin: https://www.spinics.net/lists/stable/msg206986.html
+
+Distinguish between
+BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
+and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
+only perform sign extension in the first case.
+
+Starting with v4.14, this is exploitable by unprivileged users as long as
+the unprivileged_bpf_disabled sysctl isn't set.
+
+Debian assigned CVE-2017-16995 for this issue.
+
+v3:
+ - add CVE number (Ben Hutchings)
+
+Fixes: 484611357c19 ("bpf: allow access into map value arrays")
+Signed-off-by: Jann Horn <jannh at google.com>
+Acked-by: Edward Cree <ecree at solarflare.com>
+Signed-off-by: Alexei Starovoitov <ast at kernel.org>
+Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
+---
+ kernel/bpf/verifier.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1790,10 +1790,17 @@ static int check_alu_op(struct bpf_verif
+ /* case: R = imm
+ * remember the value we stored into this reg
+ */
++ u64 imm;
++
++ if (BPF_CLASS(insn->code) == BPF_ALU64)
++ imm = insn->imm;
++ else
++ imm = (u32)insn->imm;
++
+ regs[insn->dst_reg].type = CONST_IMM;
+- regs[insn->dst_reg].imm = insn->imm;
+- regs[insn->dst_reg].max_value = insn->imm;
+- regs[insn->dst_reg].min_value = insn->imm;
++ regs[insn->dst_reg].imm = imm;
++ regs[insn->dst_reg].max_value = imm;
++ regs[insn->dst_reg].min_value = imm;
+ }
+
+ } else if (opcode > BPF_END) {
diff --git a/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch b/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
new file mode 100644
index 0000000..69195de
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
@@ -0,0 +1,53 @@
+From: Jann Horn <jannh at google.com>
+Date: Mon, 18 Dec 2017 20:34:03 +0100
+Subject: bpf: reject out-of-bounds stack pointer calculation
+Origin: https://www.spinics.net/lists/stable/msg206985.html
+
+Reject programs that compute wildly out-of-bounds stack pointers.
+Otherwise, pointers can be computed with an offset that doesn't fit into an
+`int`, causing security issues in the stack memory access check (as well as
+signed integer overflow during offset addition).
+
+This is a fix specifically for the v4.9 stable tree because the mainline
+code looks very different at this point.
+
+Fixes: 7bca0a9702edf ("bpf: enhance verifier to understand stack pointer arithmetic")
+Signed-off-by: Jann Horn <jannh at google.com>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+---
+ kernel/bpf/verifier.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1861,10 +1861,28 @@ static int check_alu_op(struct bpf_verif
+ ((BPF_SRC(insn->code) == BPF_X &&
+ regs[insn->src_reg].type == CONST_IMM) ||
+ BPF_SRC(insn->code) == BPF_K)) {
+- if (BPF_SRC(insn->code) == BPF_X)
++ if (BPF_SRC(insn->code) == BPF_X) {
++ /* check in case the register contains a big
++ * 64-bit value
++ */
++ if (regs[insn->src_reg].imm < -MAX_BPF_STACK ||
++ regs[insn->src_reg].imm > MAX_BPF_STACK) {
++ verbose("R%d value too big in R%d pointer arithmetic\n",
++ insn->src_reg, insn->dst_reg);
++ return -EACCES;
++ }
+ dst_reg->imm += regs[insn->src_reg].imm;
+- else
++ } else {
++ /* safe against overflow: addition of 32-bit
++ * numbers in 64-bit representation
++ */
+ dst_reg->imm += insn->imm;
++ }
++ if (dst_reg->imm > 0 || dst_reg->imm < -MAX_BPF_STACK) {
++ verbose("R%d out-of-bounds pointer arithmetic\n",
++ insn->dst_reg);
++ return -EACCES;
++ }
+ return 0;
+ } else if (opcode == BPF_ADD &&
+ BPF_CLASS(insn->code) == BPF_ALU64 &&
diff --git a/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch b/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
new file mode 100644
index 0000000..88ccf2d
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
@@ -0,0 +1,142 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Tue, 28 Nov 2017 18:01:38 -0800
+Subject: crypto: hmac - require that the underlying hash algorithm is unkeyed
+Origin: https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17806
+
+Because the HMAC template didn't check that its underlying hash
+algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
+through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
+being used without having been keyed, resulting in sha3_update() being
+called without sha3_init(), causing a stack buffer overflow.
+
+This is a very old bug, but it seems to have only started causing real
+problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
+because the innermost hash's state is ->import()ed from a zeroed buffer,
+and it just so happens that other hash algorithms are fine with that,
+but SHA-3 is not. However, there could be arch or hardware-dependent
+hash algorithms also affected; I couldn't test everything.
+
+Fix the bug by introducing a function crypto_shash_alg_has_setkey()
+which tests whether a shash algorithm is keyed. Then update the HMAC
+template to require that its underlying hash algorithm is unkeyed.
+
+Here is a reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+
+ int main()
+ {
+ int algfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "hash",
+ .salg_name = "hmac(hmac(sha3-512-generic))",
+ };
+ char key[4096] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ }
+
+Here was the KASAN report from syzbot:
+
+ BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
+ BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
+ Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
+
+ CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x25b/0x340 mm/kasan/report.c:409
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ memcpy include/linux/string.h:341 [inline]
+ sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
+ crypto_shash_update+0xcb/0x220 crypto/shash.c:109
+ shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
+ crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
+ hmac_finup+0x182/0x330 crypto/hmac.c:152
+ crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
+ shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
+ crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
+ hmac_setkey+0x36a/0x690 crypto/hmac.c:66
+ crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
+ shash_async_setkey+0x47/0x60 crypto/shash.c:207
+ crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
+ hash_setkey+0x40/0x90 crypto/algif_hash.c:446
+ alg_setkey crypto/af_alg.c:221 [inline]
+ alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
+ SYSC_setsockopt net/socket.c:1851 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1830
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Reported-by: syzbot <syzkaller at googlegroups.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ crypto/hmac.c | 6 +++++-
+ crypto/shash.c | 5 +++--
+ include/crypto/internal/hash.h | 8 ++++++++
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -194,11 +194,15 @@ static int hmac_create(struct crypto_tem
+ salg = shash_attr_alg(tb[1], 0, 0);
+ if (IS_ERR(salg))
+ return PTR_ERR(salg);
++ alg = &salg->base;
+
++ /* The underlying hash algorithm must be unkeyed */
+ err = -EINVAL;
++ if (crypto_shash_alg_has_setkey(salg))
++ goto out_put_alg;
++
+ ds = salg->digestsize;
+ ss = salg->statesize;
+- alg = &salg->base;
+ if (ds > alg->cra_blocksize ||
+ ss < alg->cra_blocksize)
+ goto out_put_alg;
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -24,11 +24,12 @@
+
+ static const struct crypto_type crypto_shash_type;
+
+-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+- unsigned int keylen)
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen)
+ {
+ return -ENOSYS;
+ }
++EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -80,6 +80,14 @@ int ahash_register_instance(struct crypt
+ struct ahash_instance *inst);
+ void ahash_free_instance(struct crypto_instance *inst);
+
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen);
++
++static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
++{
++ return alg->setkey != shash_no_setkey;
++}
++
+ int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
+ struct hash_alg_common *alg,
+ struct crypto_instance *inst);
diff --git a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
new file mode 100644
index 0000000..47888d0
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
@@ -0,0 +1,84 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Tue, 28 Nov 2017 20:56:59 -0800
+Subject: crypto: salsa20 - fix blkcipher_walk API usage
+Origin: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17805
+
+When asked to encrypt or decrypt 0 bytes, both the generic and x86
+implementations of Salsa20 crash in blkcipher_walk_done(), either when
+doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
+because walk->buffer and walk->page have not been initialized.
+
+The bug is that Salsa20 is calling blkcipher_walk_done() even when
+nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
+be called when a nonzero number of bytes have been provided.
+
+The broken code is part of an optimization that tries to make only one
+call to salsa20_encrypt_bytes() to process inputs that are not evenly
+divisible by 64 bytes. To fix the bug, just remove this "optimization"
+and use the blkcipher_walk API the same way all the other users do.
+
+Reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ int main()
+ {
+ int algfd, reqfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "skcipher",
+ .salg_name = "salsa20",
+ };
+ char key[16] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (void *)&addr, sizeof(addr));
+ reqfd = accept(algfd, 0, 0);
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ read(reqfd, key, sizeof(key));
+ }
+
+Reported-by: syzbot <syzkaller at googlegroups.com>
+Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
+Cc: <stable at vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ arch/x86/crypto/salsa20_glue.c | 7 -------
+ crypto/salsa20_generic.c | 7 -------
+ 2 files changed, 14 deletions(-)
+
+--- a/arch/x86/crypto/salsa20_glue.c
++++ b/arch/x86/crypto/salsa20_glue.c
+@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+- walk.dst.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+ walk.dst.virt.addr,
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+- walk.src.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+ walk.src.virt.addr,
diff --git a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
new file mode 100644
index 0000000..3772ee8
--- /dev/null
+++ b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
@@ -0,0 +1,38 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
+Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -259,6 +259,7 @@ int dccp_disconnect(struct sock *sk, int
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+@@ -278,6 +279,10 @@ int dccp_disconnect(struct sock *sk, int
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
diff --git a/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch b/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
new file mode 100644
index 0000000..0b7698e
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
@@ -0,0 +1,157 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: KEYS: add missing permission check for request_key() destination
+Origin: https://git.kernel.org/linus/4dca6ea1d9432052afb06baf2e3ae78188a4410b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17807
+
+When the request_key() syscall is not passed a destination keyring, it
+links the requested key (if constructed) into the "default" request-key
+keyring. This should require Write permission to the keyring. However,
+there is actually no permission check.
+
+This can be abused to add keys to any keyring to which only Search
+permission is granted. This is because Search permission allows joining
+the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
+then will set the default request-key keyring to the session keyring.
+Then, request_key() can be used to add keys to the keyring.
+
+Both negatively and positively instantiated keys can be added using this
+method. Adding negative keys is trivial. Adding a positive key is a
+bit trickier. It requires that either /sbin/request-key positively
+instantiates the key, or that another thread adds the key to the process
+keyring at just the right time, such that request_key() misses it
+initially but then finds it in construct_alloc_key().
+
+Fix this bug by checking for Write permission to the keyring in
+construct_get_dest_keyring() when the default keyring is being used.
+
+We don't do the permission check for non-default keyrings because that
+was already done by the earlier call to lookup_user_key(). Also,
+request_key_and_link() is currently passed a 'struct key *' rather than
+a key_ref_t, so the "possessed" bit is unavailable.
+
+We also don't do the permission check for the "requestor keyring", to
+continue to support the use case described by commit 8bbf4976b59f
+("KEYS: Alter use of key instantiation link-to-keyring argument") where
+/sbin/request-key recursively calls request_key() to add keys to the
+original requestor's destination keyring. (I don't know of any users
+who actually do that, though...)
+
+Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ security/keys/request_key.c | 46 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 5030fcf23681..cb7f8f730c6d 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -250,11 +250,12 @@ static int construct_key(struct key *key, const void *callout_info,
+ * The keyring selected is returned with an extra reference upon it which the
+ * caller must release.
+ */
+-static void construct_get_dest_keyring(struct key **_dest_keyring)
++static int construct_get_dest_keyring(struct key **_dest_keyring)
+ {
+ struct request_key_auth *rka;
+ const struct cred *cred = current_cred();
+ struct key *dest_keyring = *_dest_keyring, *authkey;
++ int ret;
+
+ kenter("%p", dest_keyring);
+
+@@ -263,6 +264,8 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
+ /* the caller supplied one */
+ key_get(dest_keyring);
+ } else {
++ bool do_perm_check = true;
++
+ /* use a default keyring; falling through the cases until we
+ * find one that we actually have */
+ switch (cred->jit_keyring) {
+@@ -277,8 +280,10 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
+ dest_keyring =
+ key_get(rka->dest_keyring);
+ up_read(&authkey->sem);
+- if (dest_keyring)
++ if (dest_keyring) {
++ do_perm_check = false;
+ break;
++ }
+ }
+
+ case KEY_REQKEY_DEFL_THREAD_KEYRING:
+@@ -313,11 +318,29 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
+ default:
+ BUG();
+ }
++
++ /*
++ * Require Write permission on the keyring. This is essential
++ * because the default keyring may be the session keyring, and
++ * joining a keyring only requires Search permission.
++ *
++ * However, this check is skipped for the "requestor keyring" so
++ * that /sbin/request-key can itself use request_key() to add
++ * keys to the original requestor's destination keyring.
++ */
++ if (dest_keyring && do_perm_check) {
++ ret = key_permission(make_key_ref(dest_keyring, 1),
++ KEY_NEED_WRITE);
++ if (ret) {
++ key_put(dest_keyring);
++ return ret;
++ }
++ }
+ }
+
+ *_dest_keyring = dest_keyring;
+ kleave(" [dk %d]", key_serial(dest_keyring));
+- return;
++ return 0;
+ }
+
+ /*
+@@ -443,11 +466,15 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+ if (ctx->index_key.type == &key_type_keyring)
+ return ERR_PTR(-EPERM);
+
+- user = key_user_lookup(current_fsuid());
+- if (!user)
+- return ERR_PTR(-ENOMEM);
++ ret = construct_get_dest_keyring(&dest_keyring);
++ if (ret)
++ goto error;
+
+- construct_get_dest_keyring(&dest_keyring);
++ user = key_user_lookup(current_fsuid());
++ if (!user) {
++ ret = -ENOMEM;
++ goto error_put_dest_keyring;
++ }
+
+ ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
+ key_user_put(user);
+@@ -462,7 +489,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+ } else if (ret == -EINPROGRESS) {
+ ret = 0;
+ } else {
+- goto couldnt_alloc_key;
++ goto error_put_dest_keyring;
+ }
+
+ key_put(dest_keyring);
+@@ -472,8 +499,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+ construction_failed:
+ key_negate_and_link(key, key_negative_timeout, NULL, NULL);
+ key_put(key);
+-couldnt_alloc_key:
++error_put_dest_keyring:
+ key_put(dest_keyring);
++error:
+ kleave(" = %d", ret);
+ return ERR_PTR(ret);
+ }
diff --git a/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
new file mode 100644
index 0000000..45253f9
--- /dev/null
+++ b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
@@ -0,0 +1,154 @@
+From: Wanpeng Li <wanpeng.li at hotmail.com>
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+Subject: KVM: Fix stack-out-of-bounds read in write_mmio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit?id=e39d200fa5bf5b94a0948db0dae44c1b73b84a56
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17741
+
+Reported by syzkaller:
+
+ BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+ Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+ CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
+ Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+ Call Trace:
+ dump_stack+0xab/0xe1
+ print_address_description+0x6b/0x290
+ kasan_report+0x28a/0x370
+ write_mmio+0x11e/0x270 [kvm]
+ emulator_read_write_onepage+0x311/0x600 [kvm]
+ emulator_read_write+0xef/0x240 [kvm]
+ emulator_fix_hypercall+0x105/0x150 [kvm]
+ em_hypercall+0x2b/0x80 [kvm]
+ x86_emulate_insn+0x2b1/0x1640 [kvm]
+ x86_emulate_instruction+0x39a/0xb90 [kvm]
+ handle_exception+0x1b4/0x4d0 [kvm_intel]
+ vcpu_enter_guest+0x15a0/0x2640 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
+it by just accessing the bytes which we operate on.
+
+Before patch:
+
+syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Reviewed-by: Darren Kenny <darren.kenny at oracle.com>
+Reviewed-by: Marc Zyngier <marc.zyngier at arm.com>
+Tested-by: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Paolo Bonzini <pbonzini at redhat.com>
+Cc: Radim Krčmář <rkrcmar at redhat.com>
+Cc: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Christoffer Dall <christoffer.dall at linaro.org>
+Signed-off-by: Wanpeng Li <wanpeng.li at hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 4.9: adjust filename]]
+---
+ arch/arm/kvm/mmio.c | 6 +++---
+ arch/x86/kvm/x86.c | 8 ++++----
+ include/trace/events/kvm.h | 7 +++++--
+ 3 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/arm/kvm/mmio.c
++++ b/arch/arm/kvm/mmio.c
+@@ -112,7 +112,7 @@ int kvm_handle_mmio_return(struct kvm_vc
+ }
+
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+- data);
++ &data);
+ data = vcpu_data_host_to_guest(vcpu, data, len);
+ vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data);
+ }
+@@ -182,14 +182,14 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
+ data = vcpu_data_guest_to_host(vcpu, vcpu_get_reg(vcpu, rt),
+ len);
+
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, data);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, len, fault_ipa, &data);
+ kvm_mmio_write_buf(data_buf, len, data);
+
+ ret = kvm_io_bus_write(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ data_buf);
+ } else {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, len,
+- fault_ipa, 0);
++ fault_ipa, NULL);
+
+ ret = kvm_io_bus_read(vcpu, KVM_MMIO_BUS, fault_ipa, len,
+ data_buf);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4260,7 +4260,7 @@ static int vcpu_mmio_read(struct kvm_vcp
+ addr, n, v))
+ && kvm_io_bus_read(vcpu, KVM_MMIO_BUS, addr, n, v))
+ break;
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+ handled += n;
+ addr += n;
+ len -= n;
+@@ -4513,7 +4513,7 @@ static int read_prepare(struct kvm_vcpu
+ {
+ if (vcpu->mmio_read_completed) {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++ vcpu->mmio_fragments[0].gpa, val);
+ vcpu->mmio_read_completed = 0;
+ return 1;
+ }
+@@ -4535,14 +4535,14 @@ static int write_emulate(struct kvm_vcpu
+
+ static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+ return vcpu_mmio_write(vcpu, gpa, bytes, val);
+ }
+
+ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+ void *val, int bytes)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+ return X86EMUL_IO_NEEDED;
+ }
+
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -208,7 +208,7 @@ TRACE_EVENT(kvm_ack_irq,
+ { KVM_TRACE_MMIO_WRITE, "write" }
+
+ TRACE_EVENT(kvm_mmio,
+- TP_PROTO(int type, int len, u64 gpa, u64 val),
++ TP_PROTO(int type, int len, u64 gpa, void *val),
+ TP_ARGS(type, len, gpa, val),
+
+ TP_STRUCT__entry(
+@@ -222,7 +222,10 @@ TRACE_EVENT(kvm_mmio,
+ __entry->type = type;
+ __entry->len = len;
+ __entry->gpa = gpa;
+- __entry->val = val;
++ __entry->val = 0;
++ if (val)
++ memcpy(&__entry->val, val,
++ min_t(u32, sizeof(__entry->val), len));
+ ),
+
+ TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
new file mode 100644
index 0000000..6807e62
--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
@@ -0,0 +1,83 @@
+From: Malcolm Priestley <tvboxspy at gmail.com>
+Date: Tue, 26 Sep 2017 17:10:20 -0400
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+ start
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=3d932ee27e852e4904647f15b64dedca51187ad7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -504,18 +504,23 @@ static int lme2510_pid_filter(struct dvb
+
+ static int lme2510_return_status(struct dvb_usb_device *d)
+ {
+- int ret = 0;
++ int ret;
+ u8 *data;
+
+- data = kzalloc(10, GFP_KERNEL);
++ data = kzalloc(6, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+- info("Firmware Status: %x (%x)", ret , data[2]);
++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++ 0x06, 0x80, 0x0302, 0x00,
++ data, 0x6, 200);
++ if (ret != 6)
++ ret = -EINVAL;
++ else
++ ret = data[2];
++
++ info("Firmware Status: %6ph", data);
+
+- ret = (ret < 0) ? -ENODEV : data[2];
+ kfree(data);
+ return ret;
+ }
+@@ -1200,6 +1205,7 @@ static int lme2510_get_adapter_count(str
+ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ struct lme2510_state *st = d->priv;
++ int status;
+
+ usb_reset_configuration(d->udev);
+
+@@ -1208,12 +1214,16 @@ static int lme2510_identify_state(struct
+
+ st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+
+- if (lme2510_return_status(d) == 0x44) {
++ status = lme2510_return_status(d);
++ if (status == 0x44) {
+ *name = lme_firmware_switch(d, 0);
+ return COLD;
+ }
+
+- return 0;
++ if (status != 0x47)
++ return -EINVAL;
++
++ return WARM;
+ }
+
+ static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
new file mode 100644
index 0000000..176d79d
--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
@@ -0,0 +1,67 @@
+From: Malcolm Priestley <tvboxspy at gmail.com>
+Date: Tue, 26 Sep 2017 17:10:21 -0400
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+ dm04_lme2510_tuner
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=7bf7a7116ed313c601307f7e585419369926ab05
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy at gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1084,8 +1084,6 @@ static int dm04_lme2510_frontend_attach(
+
+ if (adap->fe[0]) {
+ info("FE Found M88RS2000");
+- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+- &d->i2c_adap);
+ st->i2c_tuner_gate_w = 5;
+ st->i2c_tuner_gate_r = 5;
+ st->i2c_tuner_addr = 0x60;
+@@ -1151,17 +1149,18 @@ static int dm04_lme2510_tuner(struct dvb
+ ret = st->tuner_config;
+ break;
+ case TUNER_RS2000:
+- ret = st->tuner_config;
++ if (dvb_attach(ts2020_attach, adap->fe[0],
++ &ts2020_config, &d->i2c_adap))
++ ret = st->tuner_config;
+ break;
+ default:
+ break;
+ }
+
+- if (ret)
++ if (ret) {
+ info("TUN Found %s tuner", tun_msg[ret]);
+- else {
+- info("TUN No tuner found --- resetting device");
+- lme_coldreset(d);
++ } else {
++ info("TUN No tuner found");
+ return -ENODEV;
+ }
+
diff --git a/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
new file mode 100644
index 0000000..37dc384
--- /dev/null
+++ b/debian/patches/bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
@@ -0,0 +1,98 @@
+From: Arvind Yadav <arvind.yadav.cs at gmail.com>
+Date: Fri, 22 Sep 2017 09:07:06 -0400
+Subject: media: hdpvr: Fix an error handling path in hdpvr_probe()
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=c0f71bbb810237a38734607ca4599632f7f5d47f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16644
+
+Here, hdpvr_register_videodev() is responsible for setup and
+register a video device. Also defining and initializing a worker.
+hdpvr_register_videodev() is calling by hdpvr_probe at last.
+So no need to flush any work here.
+Unregister v4l2, free buffers and memory. If hdpvr_probe() will fail.
+
+Signed-off-by: Arvind Yadav <arvind.yadav.cs at gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Hans Verkuil <hans.verkuil at cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/hdpvr/hdpvr-core.c | 26 +++++++++++++++-----------
+ 1 file changed, 15 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/hdpvr/hdpvr-core.c
++++ b/drivers/media/usb/hdpvr/hdpvr-core.c
+@@ -295,7 +295,7 @@ static int hdpvr_probe(struct usb_interf
+ /* register v4l2_device early so it can be used for printks */
+ if (v4l2_device_register(&interface->dev, &dev->v4l2_dev)) {
+ dev_err(&interface->dev, "v4l2_device_register failed\n");
+- goto error;
++ goto error_free_dev;
+ }
+
+ mutex_init(&dev->io_mutex);
+@@ -304,7 +304,7 @@ static int hdpvr_probe(struct usb_interf
+ dev->usbc_buf = kmalloc(64, GFP_KERNEL);
+ if (!dev->usbc_buf) {
+ v4l2_err(&dev->v4l2_dev, "Out of memory\n");
+- goto error;
++ goto error_v4l2_unregister;
+ }
+
+ init_waitqueue_head(&dev->wait_buffer);
+@@ -342,13 +342,13 @@ static int hdpvr_probe(struct usb_interf
+ }
+ if (!dev->bulk_in_endpointAddr) {
+ v4l2_err(&dev->v4l2_dev, "Could not find bulk-in endpoint\n");
+- goto error;
++ goto error_put_usb;
+ }
+
+ /* init the device */
+ if (hdpvr_device_init(dev)) {
+ v4l2_err(&dev->v4l2_dev, "device init failed\n");
+- goto error;
++ goto error_put_usb;
+ }
+
+ mutex_lock(&dev->io_mutex);
+@@ -356,7 +356,7 @@ static int hdpvr_probe(struct usb_interf
+ mutex_unlock(&dev->io_mutex);
+ v4l2_err(&dev->v4l2_dev,
+ "allocating transfer buffers failed\n");
+- goto error;
++ goto error_put_usb;
+ }
+ mutex_unlock(&dev->io_mutex);
+
+@@ -364,7 +364,7 @@ static int hdpvr_probe(struct usb_interf
+ retval = hdpvr_register_i2c_adapter(dev);
+ if (retval < 0) {
+ v4l2_err(&dev->v4l2_dev, "i2c adapter register failed\n");
+- goto error;
++ goto error_free_buffers;
+ }
+
+ client = hdpvr_register_ir_rx_i2c(dev);
+@@ -397,13 +397,17 @@ static int hdpvr_probe(struct usb_interf
+ reg_fail:
+ #if IS_ENABLED(CONFIG_I2C)
+ i2c_del_adapter(&dev->i2c_adapter);
++error_free_buffers:
+ #endif
++ hdpvr_free_buffers(dev);
++error_put_usb:
++ usb_put_dev(dev->udev);
++ kfree(dev->usbc_buf);
++error_v4l2_unregister:
++ v4l2_device_unregister(&dev->v4l2_dev);
++error_free_dev:
++ kfree(dev);
+ error:
+- if (dev) {
+- flush_work(&dev->worker);
+- /* this frees allocated memory */
+- hdpvr_delete(dev);
+- }
+ return retval;
+ }
+
diff --git a/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
new file mode 100644
index 0000000..bf12066
--- /dev/null
+++ b/debian/patches/bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
@@ -0,0 +1,71 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Sun, 10 Dec 2017 03:50:58 +0000
+Subject: net: ipv4: fix for a race condition in raw_sendmsg
+Origin: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17712
+
+inet->hdrincl is racy, and could lead to uninitialized stack pointer
+usage, so its value should be read only once.
+
+Fixes: c008ba5bdc9f ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 4.9: adjust context]
+---
+ net/ipv4/raw.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/raw.c
++++ b/net/ipv4/raw.c
+@@ -502,11 +502,16 @@ static int raw_sendmsg(struct sock *sk,
+ int err;
+ struct ip_options_data opt_copy;
+ struct raw_frag_vec rfv;
++ int hdrincl;
+
+ err = -EMSGSIZE;
+ if (len > 0xFFFF)
+ goto out;
+
++ /* hdrincl should be READ_ONCE(inet->hdrincl)
++ * but READ_ONCE() doesn't work with bit fields
++ */
++ hdrincl = inet->hdrincl;
+ /*
+ * Check the flags.
+ */
+@@ -582,7 +587,7 @@ static int raw_sendmsg(struct sock *sk,
+ /* Linux does not mangle headers on raw sockets,
+ * so that IP options + IP_HDRINCL is non-sense.
+ */
+- if (inet->hdrincl)
++ if (hdrincl)
+ goto done;
+ if (ipc.opt->opt.srr) {
+ if (!daddr)
+@@ -604,12 +609,12 @@ static int raw_sendmsg(struct sock *sk,
+
+ flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
+ RT_SCOPE_UNIVERSE,
+- inet->hdrincl ? IPPROTO_RAW : sk->sk_protocol,
++ hdrincl ? IPPROTO_RAW : sk->sk_protocol,
+ inet_sk_flowi_flags(sk) |
+- (inet->hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
++ (hdrincl ? FLOWI_FLAG_KNOWN_NH : 0),
+ daddr, saddr, 0, 0);
+
+- if (!inet->hdrincl) {
++ if (!hdrincl) {
+ rfv.msg = msg;
+ rfv.hlen = 0;
+
+@@ -634,7 +639,7 @@ static int raw_sendmsg(struct sock *sk,
+ goto do_confirm;
+ back_from_confirm:
+
+- if (inet->hdrincl)
++ if (hdrincl)
+ err = raw_send_hdrinc(sk, &fl4, msg, len,
+ &rt, msg->msg_flags, &ipc.sockc);
+
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
new file mode 100644
index 0000000..a10695c
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
@@ -0,0 +1,74 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
+Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ $ nfct helper list
+ nfct v1.4.4: netlink error: Operation not permitted
+ $ vpnns -- nfct helper list
+ {
+ .name = ftp,
+ .queuenum = 0,
+ .l3protonum = 2,
+ .l4protonum = 6,
+ .priv_data_len = 24,
+ .status = enabled,
+ };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+
+@@ -297,6 +298,9 @@ static int nfnl_cthelper_new(struct net
+ struct nf_conntrack_tuple tuple;
+ int ret = 0, i;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+
+@@ -511,6 +515,9 @@ static int nfnl_cthelper_get(struct net
+ struct nf_conntrack_tuple tuple;
+ bool tuple_set = false;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_cthelper_dump_table,
+@@ -583,6 +590,9 @@ static int nfnl_cthelper_del(struct net
+ bool tuple_set = false, found = false;
+ int i, j = 0, ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+
diff --git a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
new file mode 100644
index 0000000..2c02d59
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
@@ -0,0 +1,56 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: netfilter: xt_osf: Add missing permission checks
+Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ vpnns -- nfnl_osf -f /tmp/pf.os
+
+ vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list. Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct ne
+ struct xt_osf_finger *kf = NULL, *sf;
+ int err = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
+@@ -113,6 +117,9 @@ static int xt_osf_remove_callback(struct
+ struct xt_osf_finger *sf;
+ int err = -ENOENT;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
diff --git a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
new file mode 100644
index 0000000..3fd0875
--- /dev/null
+++ b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
@@ -0,0 +1,39 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Wed, 6 Dec 2017 12:12:27 -0800
+Subject: netlink: Add netns check on taps
+Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
+
+Currently, a nlmon link inside a child namespace can observe systemwide
+netlink activity. Filter the traffic so that nlmon can only sniff
+netlink messages from its own netns.
+
+Test case:
+
+ vpnns -- bash -c "ip link add nlmon0 type nlmon; \
+ ip link set nlmon0 up; \
+ tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
+ sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
+ spi 0x1 mode transport \
+ auth sha1 0x6162633132330000000000000000000000000000 \
+ enc aes 0x00000000000000000000000000000000
+ grep --binary abc123 /tmp/nlmon.pcap
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -223,6 +223,9 @@ static int __netlink_deliver_tap_skb(str
+ struct sock *sk = skb->sk;
+ int ret = -ENOMEM;
+
++ if (!net_eq(dev_net(dev), sock_net(sk)))
++ return 0;
++
+ dev_hold(dev);
+
+ if (is_vmalloc_addr(skb->head))
diff --git a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
new file mode 100644
index 0000000..29218c9
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
@@ -0,0 +1,44 @@
+From: Alan Stern <stern at rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: USB: core: prevent malicious bNumInterfaces overflow
+Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor. Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially. The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+CC: <stable at vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -550,6 +550,9 @@ static int usb_parse_configuration(struc
+ unsigned iad_num = 0;
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++ nintf = nintf_orig = config->desc.bNumInterfaces;
++ config->desc.bNumInterfaces = 0; // Adjusted later
++
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
+@@ -563,7 +566,6 @@ static int usb_parse_configuration(struc
+ buffer += config->desc.bLength;
+ size -= config->desc.bLength;
+
+- nintf = nintf_orig = config->desc.bNumInterfaces;
+ if (nintf > USB_MAXINTERFACES) {
+ dev_warn(ddev, "config %d has too many interfaces: %d, "
+ "using maximum allowed: %d\n",
diff --git a/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
new file mode 100644
index 0000000..a84514a
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
@@ -0,0 +1,47 @@
+From 6ead44d4b5b8b1ecfcbd2302f15028dab7774da3 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig at google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/d59d51f088014f25c2562de59b9abff4f42a7468
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000407
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig at google.com>
+Signed-off-by: Jim Mattson <jmattson at google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6411,12 +6411,7 @@ static __init int hardware_setup(void)
+ memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+
diff --git a/debian/patches/series b/debian/patches/series
index 4490933..20f726d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -137,6 +137,25 @@ debian/time-mark-timer_stats-as-broken.patch
bugfix/all/tracing-Use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
bugfix/all/media-cx231xx-cards-fix-NULL-deref-on-missing-associ.patch
bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
+bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
+bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
+bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
+bugfix/all/media-hdpvr-fix-an-error-handling-path-in-hdpvr_prob.patch
+bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
+bugfix/all/bpf-fix-branch-pruning-logic.patch
+bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
+bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
+bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+bugfix/all/netlink-add-netns-check-on-taps.patch
+bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
+bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
+bugfix/all/net-ipv4-fix-for-a-race-condition-in-raw_sendmsg.patch
+bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
+bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
+bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
+bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
+bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list