[linux] 02/03: Update to 4.10-rc6

Mon Jan 30 16:33:20 UTC 2017

This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit 6b038a62acbd83b600b19f00e15b1e65163dd8a7
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Mon Jan 30 03:48:25 2017 +0000

    Update to 4.10-rc6
---
 debian/changelog                                   |  2 +-
 .../fbdev-color-map-coying-bounds-checking.patch   | 80 ----------------------
 ...r-overflow-in-temporary-allocation-layout.patch | 36 ----------
 ...urn-einval-on-the-overflow-checks-failing.patch | 27 --------
 debian/patches/series                              |  3 -
 5 files changed, 1 insertion(+), 147 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 4114cb8..33684cd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.10~rc5-1~exp1) UNRELEASED; urgency=medium
+linux (4.10~rc6-1~exp1) UNRELEASED; urgency=medium
 
   * New upstream release candidate
 
diff --git a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch b/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
deleted file mode 100644
index 10c6e2a..0000000
--- a/debian/patches/bugfix/all/fbdev-color-map-coying-bounds-checking.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From: Kees Cook <keescook at chromium.org>
-Date: Tue, 24 Jan 2017 15:18:24 -0800
-Subject: fbdev: color map copying bounds checking
-Origin: https://git.kernel.org/linus/2dc705a9930b4806250fbf5a76e55266e59389f2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-8405
-
-Copying color maps to userspace doesn't check the value of to->start,
-which will cause kernel heap buffer OOB read due to signedness wraps.
-
-CVE-2016-8405
-
-Link: http://lkml.kernel.org/r/20170105224249.GA50925@beast
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Signed-off-by: Kees Cook <keescook at chromium.org>
-Reported-by: Peter Pi (@heisecode) of Trend Micro
-Cc: Min Chong <mchong at google.com>
-Cc: Dan Carpenter <dan.carpenter at oracle.com>
-Cc: Tomi Valkeinen <tomi.valkeinen at ti.com>
-Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- drivers/video/fbdev/core/fbcmap.c | 26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/drivers/video/fbdev/core/fbcmap.c b/drivers/video/fbdev/core/fbcmap.c
-index f89245b8ba8e..68a113594808 100644
---- a/drivers/video/fbdev/core/fbcmap.c
-+++ b/drivers/video/fbdev/core/fbcmap.c
-@@ -163,17 +163,18 @@ void fb_dealloc_cmap(struct fb_cmap *cmap)
- 
- int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- {
--	int tooff = 0, fromoff = 0;
--	int size;
-+	unsigned int tooff = 0, fromoff = 0;
-+	size_t size;
- 
- 	if (to->start > from->start)
- 		fromoff = to->start - from->start;
- 	else
- 		tooff = from->start - to->start;
--	size = to->len - tooff;
--	if (size > (int) (from->len - fromoff))
--		size = from->len - fromoff;
--	if (size <= 0)
-+	if (fromoff >= from->len || tooff >= to->len)
-+		return -EINVAL;
-+
-+	size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+	if (size == 0)
- 		return -EINVAL;
- 	size *= sizeof(u16);
- 
-@@ -187,17 +188,18 @@ int fb_copy_cmap(const struct fb_cmap *from, struct fb_cmap *to)
- 
- int fb_cmap_to_user(const struct fb_cmap *from, struct fb_cmap_user *to)
- {
--	int tooff = 0, fromoff = 0;
--	int size;
-+	unsigned int tooff = 0, fromoff = 0;
-+	size_t size;
- 
- 	if (to->start > from->start)
- 		fromoff = to->start - from->start;
- 	else
- 		tooff = from->start - to->start;
--	size = to->len - tooff;
--	if (size > (int) (from->len - fromoff))
--		size = from->len - fromoff;
--	if (size <= 0)
-+	if (fromoff >= from->len || tooff >= to->len)
-+		return -EINVAL;
-+
-+	size = min_t(size_t, to->len - tooff, from->len - fromoff);
-+	if (size == 0)
- 		return -EINVAL;
- 	size *= sizeof(u16);
- 
diff --git a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch b/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
deleted file mode 100644
index be77360..0000000
--- a/debian/patches/bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Eric Anholt <eric at anholt.net>
-Date: Wed, 18 Jan 2017 07:20:49 +1100
-Subject: drm/vc4: Fix an integer overflow in temporary allocation layout.
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5576
-Origin: https://lkml.org/lkml/2017/1/17/761
-
-We copy the unvalidated ioctl arguments from the user into kernel
-temporary memory to run the validation from, to avoid a race where the
-user updates the unvalidate contents in between validating them and
-copying them into the validated BO.
-
-However, in setting up the layout of the kernel side, we failed to
-check one of the additions (the roundup() for shader_rec_offset)
-against integer overflow, allowing a nearly MAX_UINT value of
-bin_cl_size to cause us to under-allocate the temporary space that we
-then copy_from_user into.
-
-Reported-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Signed-off-by: Eric Anholt <eric at anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -594,7 +594,8 @@ vc4_get_bcl(struct drm_device *dev, stru
- 					  args->shader_rec_count);
- 	struct vc4_bo *bo;
- 
--	if (uniforms_offset < shader_rec_offset ||
-+	if (shader_rec_offset < args->bin_cl_size ||
-+	    uniforms_offset < shader_rec_offset ||
- 	    exec_size < uniforms_offset ||
- 	    args->shader_rec_count >= (UINT_MAX /
- 					  sizeof(struct vc4_shader_state)) ||
diff --git a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch b/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
deleted file mode 100644
index 95dc721..0000000
--- a/debian/patches/bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Eric Anholt <eric at anholt.net>
-Date: Wed, 18 Jan 2017 07:20:50 +1100
-Subject: drm/vc4: Return -EINVAL on the overflow checks failing.
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-5577
-Origin: https://lkml.org/lkml/2017/1/17/759
-
-By failing to set the errno, we'd continue on to trying to set up the
-RCL, and then oops on trying to dereference the tile_bo that binning
-validation should have set up.
-
-Reported-by: Ingo Molnar <mingo at kernel.org>
-Signed-off-by: Eric Anholt <eric at anholt.net>
-Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.")
----
- drivers/gpu/drm/vc4/vc4_gem.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/gpu/drm/vc4/vc4_gem.c
-+++ b/drivers/gpu/drm/vc4/vc4_gem.c
-@@ -601,6 +601,7 @@ vc4_get_bcl(struct drm_device *dev, stru
- 					  sizeof(struct vc4_shader_state)) ||
- 	    temp_size < exec_size) {
- 		DRM_ERROR("overflow in exec arguments\n");
-+		ret = -EINVAL;
- 		goto fail;
- 	}
- 
diff --git a/debian/patches/series b/debian/patches/series
index 0032a56..945b4ce 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -92,9 +92,6 @@ features/all/securelevel/arm64-add-kernel-config-option-to-set-securelevel-wh.pa
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/fbdev-color-map-coying-bounds-checking.patch
-bugfix/arm/drm-vc4-fix-an-integer-overflow-in-temporary-allocation-layout.patch
-bugfix/arm/drm/vc4-return-einval-on-the-overflow-checks-failing.patch
 
 # Fix exported symbol versions
 bugfix/ia64/revert-ia64-move-exports-to-definitions.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

