[linux] 01/01: Update to 3.2.89
debian-kernel at lists.debian.org
Thu Jun 8 15:20:23 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 6e088c79a81f5da14e39509a05664c07c5d866c1
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Jun 8 16:19:42 2017 +0100
Update to 3.2.89
Ignore ABI changes in IB.
---
debian/changelog | 98 +++++++--
debian/config/defines | 2 +
...ash-fix-einprogress-notification-callback.patch | 226 ---------------------
...h-fully-restore-ahash-request-before-comp.patch | 35 ----
...-Fix-the-pointer-voodoo-in-unaligned-ahas.patch | 118 -----------
...-pull-out-the-functions-to-save-restore-r.patch | 152 --------------
...h-simplify-the-ahash_finup-implementation.patch | 115 -----------
...cp-tcp-do-not-inherit-mc_list-from-parent.patch | 38 ----
...ip6_find_1stfragopt-return-value-properly.patch | 81 --------
...p-do-not-inherit-ipv6_mc_list-from-parent.patch | 60 ------
...-out-of-bound-writes-in-__ip6_append_data.patch | 62 ------
...nt-overrun-when-parsing-v6-header-options.patch | 214 -------------------
.../ipx-call-ipxitf_put-in-ioctl-error-path.patch | 34 ----
...ow-keyrings-beginning-with-.-to-be-joined.patch | 76 -------
...yctl_set_reqkey_keyring-to-not-leak-threa.patch | 176 ----------------
...ate-eperm-for-a-key-type-name-beginning-w.patch | 39 ----
...special-dot-prefixed-keyring-name-bug-fix.patch | 49 -----
...y.c-fix-error-handling-in-set_mempolicy-a.patch | 72 -------
...-fix-overflow-in-check-for-priv-area-size.patch | 35 ----
...ket-fix-overflow-in-check-for-tp_frame_nr.patch | 32 ---
...cket-fix-overflow-in-check-for-tp_reserve.patch | 28 ---
...sd-check-for-oversized-nfsv2-v3-arguments.patch | 99 ---------
...icter-decoding-of-write-like-nfsv2-v3-ops.patch | 56 -----
...sd4-minor-nfsv2-v3-write-decoding-cleanup.patch | 79 -------
...cket-handle-too-big-packets-for-packet_v3.patch | 73 -------
.../bugfix/all/ping-implement-proper-locking.patch | 49 -----
...-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch | 29 ---
...-strlcpy-instead-of-strcpy-in-__trace_fin.patch | 35 ----
.../usb-iowarrior-fix-null-deref-at-probe.patch | 53 -----
...io_ti-fix-information-leak-in-completion-.patch | 31 ---
...erial-omninet-fix-reference-leaks-at-open.patch | 35 ----
...e-xfrm_msg_newae-incoming-esn-size-harder.patch | 34 ----
..._newae-xfrma_replay_esn_val-replay_window.patch | 45 ----
...eger-overflow-in-vmw_surface_define_ioctl.patch | 36 ----
...r-dereference-in-vmw_surface_define_ioctl.patch | 33 ---
debian/patches/series | 33 ---
36 files changed, 82 insertions(+), 2380 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 2369a69..435aebe 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,23 +1,85 @@
-linux (3.2.88-2) UNRELEASED; urgency=medium
-
- * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
- (CVE-2017-0605)
- * ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487
- * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
- * nfsd4: minor NFSv2/v3 write decoding cleanup
- * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
- * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
- * USB: serial: io_ti: fix information leak in completion handler
- (CVE-2017-8924)
- * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
- * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
- * ipv6: Check ip6_find_1stfragopt() return value properly.
+linux (3.2.89-1) UNRELEASED; urgency=medium
+
+ * New upstream stable update:
+ https://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.2.89
+ - adm8211: return an error if adm8211_alloc_rings() fails
+ - ath5k: drop bogus warning on drv_set_key with unsupported cipher
+ - RDMA/core: Fix incorrect structure packing for booleans
+ - IB/ipoib: Set device connection mode only when needed
+ - IB/ipoib: Change list_del to list_del_init in the tx object
+ - USB: serial: ch341: fix modem-status handling
+ - USB: serial: ark3116: fix register-accessor error handling
+ - USB: serial: ark3116: fix open error handling
+ - USB: serial: ftdi_sio: fix modem-status error handling
+ - USB: serial: ftdi_sio: fix latency-timer error handling
+ - USB: serial: io_edgeport: fix epic-descriptor handling
+ - USB: serial: io_edgeport: fix descriptor error handling
+ - USB: serial: mct_u232: fix modem-status error handling
+ - USB: serial: ssu100: fix control-message error handling
+ - USB: serial: ti_usb_3410_5052: fix control-message error handling
+ - [x86] staging: rtl: fix possible NULL pointer dereference
+ - mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print
+ - usb: gadget: f_hid: Use spinlock instead of mutex
+ - USB: serial: ftdi_sio: fix extreme low-latency setting
+ - drm/ttm: Make sure BOs being swapped out are cacheable
+ - drm/radeon: handle vfct with multiple vbios images
+ - ext4: trim allocation requests to group size
+ - ext4: use private version of page_zero_new_buffers() for data=journal mode
+ - ext4: fix data corruption in data=journal mode
+ - bcma: use (get|put)_device when probing/removing device driver
+ - USB: serial: digi_acceleport: fix OOB data sanity check
+ - USB: serial: digi_acceleport: fix OOB-event processing
+ - USB: serial: digi_acceleport: fix incomplete rx sanity check
+ - USB: serial: keyspan_pda: fix receive sanity checks
+ - [x86] pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0
+ - jbd2: don't leak modified metadata buffers on an aborted journal
+ - ext4: preserve the needs_recovery flag when the journal is aborted
+ - USB: serial: ftdi_sio: fix line-status over-reporting
+ - USB: serial: mos7840: fix another NULL-deref at open
+ - KEYS: Fix an error code in request_master_key()
+ - [x86] drivers: hv: Turn off write permission on the hypercall page
+ - [armhf/omap] mmc: host: omap_hsmmc: avoid possible overflow of timeout
+ value
+ - md linear: fix a race between linear_add() and linear_congested()
+ - md: ensure md devices are freed before module is unloaded.
+ - nlm: Ensure callback code also checks that the files match
+ - nfsd: update mtime on truncate
+ - nfsd: minor nfsd_setattr cleanup
+ - nfsd: special case truncates some more
+ - NFSv4: Fix the underestimation of delegation XDR space reservation
+ - fuse: add missing FR_FORCE
+ - rdma_cm: fail iwarp accepts w/o connection params
+ - net/dccp: fix use after free in tw_timer_handler()
+ - scsi: aacraid: Fix memory leak in fib init path
+ - scsi: aacraid: Reorder Adapter status check
+ - NFSv4: Fix range checking in __nfs4_get_acl_uncached and
+ __nfs4_proc_set_acl
+ - NFSv4: fix getacl ERANGE for some ACL buffer sizes
+ - net sched actions: decrement module reference count after table flush.
+ - ALSA: timer: Reject user params with too small ticks
+ - ALSA: ctxfi: Fallback DMA mask to 32bit
+ - ALSA: seq: Fix link corruption by event error handling
+ - tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
+ (CVE-2017-0605)
+ - ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487
+ - nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
+ - nfsd4: minor NFSv2/v3 write decoding cleanup
+ - nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
+ - dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
+ - USB: serial: io_ti: fix information leak in completion handler
+ (CVE-2017-8924)
+ - USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
+ - ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
+ - ipv6: Check ip6_find_1stfragopt() return value properly.
+ - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
+ - ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
+ CVE-2017-9077)
+ - ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
+
+ [ Ben Hutchings ]
* ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
* ipv6: Fix leak in ipv6_gso_segment().
- * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
- * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
- CVE-2017-9077)
- * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
+ * Ignore ABI changes in IB
-- Ben Hutchings <ben at decadent.org.uk> Wed, 31 May 2017 11:48:09 +0100
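Review bot: the ipx entry in the new 3.2.89-1 stanza, `- ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487`, is missing its closing parenthesis; the same typo was already in the removed 3.2.88-2 entry and has simply been carried forward, so it should read `(CVE-2017-7487)` here. Note also that the unchanged trailer line still carries the 31 May 2017 date from the 3.2.88-2 stanza; harmless while the entry is UNRELEASED, but it will need refreshing before the 3.2.89-1 upload.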
diff --git a/debian/config/defines b/debian/config/defines
index ac7a1ba..c140f5b 100644
--- a/debian/config/defines
+++ b/debian/config/defines
@@ -99,6 +99,8 @@ ignore-changes:
af_alg_*
module:drivers/net/can/can-dev
can_rx_register
+# Assume IB drivers are added/updated through OFED, which also updates IB core
+ module:drivers/infiniband/**
[base]
arches:
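Review bot: the new `module:drivers/infiniband/**` entry under ignore-changes silences ABI checking for every in-tree InfiniBand module, not only for the symbols changed by this update, so any later IB ABI break on this branch will also pass unnoticed; consider listing the affected symbols instead, or at least naming in the comment which change motivated the exception (the changelog above lists "RDMA/core: Fix incorrect structure packing for booleans", a structure-layout change that an out-of-tree module built against the in-tree IB core rather than OFED would still be exposed to).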
diff --git a/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch b/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
deleted file mode 100644
index 5d324c7..0000000
--- a/debian/patches/bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
+++ /dev/null
@@ -1,226 +0,0 @@
-From: Herbert Xu <herbert at gondor.apana.org.au>
-Date: Mon, 10 Apr 2017 17:27:57 +0800
-Subject: crypto: ahash - Fix EINPROGRESS notification callback
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6.git/commit?id=ef0579b64e93188710d48667cb5e014926af9f1b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7618
-
-The ahash API modifies the request's callback function in order
-to clean up after itself in some corner cases (unaligned final
-and missing finup).
-
-When the request is complete ahash will restore the original
-callback and everything is fine. However, when the request gets
-an EBUSY on a full queue, an EINPROGRESS callback is made while
-the request is still ongoing.
-
-In this case the ahash API will incorrectly call its own callback.
-
-This patch fixes the problem by creating a temporary request
-object on the stack which is used to relay EINPROGRESS back to
-the original completion function.
-
-This patch also adds code to preserve the original flags value.
-
-Fixes: ab6bf4e5e5e4 ("crypto: hash - Fix the pointer voodoo in...")
-Cc: <stable at vger.kernel.org>
-Reported-by: Sabrina Dubroca <sd at queasysnail.net>
-Tested-by: Sabrina Dubroca <sd at queasysnail.net>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 79 ++++++++++++++++++++++++++----------------
- include/crypto/internal/hash.h | 10 ++++++
- 2 files changed, 60 insertions(+), 29 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -30,6 +30,7 @@ struct ahash_request_priv {
- crypto_completion_t complete;
- void *data;
- u8 *result;
-+ u32 flags;
- void *ubuf[] CRYPTO_MINALIGN_ATTR;
- };
-
-@@ -232,6 +233,8 @@ static int ahash_save_req(struct ahash_r
- priv->result = req->result;
- priv->complete = req->base.complete;
- priv->data = req->base.data;
-+ priv->flags = req->base.flags;
-+
- /*
- * WARNING: We do not backup req->priv here! The req->priv
- * is for internal use of the Crypto API and the
-@@ -246,38 +249,44 @@ static int ahash_save_req(struct ahash_r
- return 0;
- }
-
--static void ahash_restore_req(struct ahash_request *req)
-+static void ahash_restore_req(struct ahash_request *req, int err)
- {
- struct ahash_request_priv *priv = req->priv;
-
-+ if (!err)
-+ memcpy(priv->result, req->result,
-+ crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+
- /* Restore the original crypto request. */
- req->result = priv->result;
-- req->base.complete = priv->complete;
-- req->base.data = priv->data;
-+
-+ ahash_request_set_callback(req, priv->flags,
-+ priv->complete, priv->data);
- req->priv = NULL;
-
- /* Free the req->priv.priv from the ADJUSTED request. */
- kzfree(priv);
- }
-
--static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
-+static void ahash_notify_einprogress(struct ahash_request *req)
- {
- struct ahash_request_priv *priv = req->priv;
-+ struct crypto_async_request oreq;
-
-- if (err == -EINPROGRESS)
-- return;
--
-- if (!err)
-- memcpy(priv->result, req->result,
-- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+ oreq.data = priv->data;
-
-- ahash_restore_req(req);
-+ priv->complete(&oreq, -EINPROGRESS);
- }
-
- static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- {
- struct ahash_request *areq = req->data;
-
-+ if (err == -EINPROGRESS) {
-+ ahash_notify_einprogress(areq);
-+ return;
-+ }
-+
- /*
- * Restore the original request, see ahash_op_unaligned() for what
- * goes where.
-@@ -288,7 +297,7 @@ static void ahash_op_unaligned_done(stru
- */
-
- /* First copy req->result into req->priv.result */
-- ahash_op_unaligned_finish(areq, err);
-+ ahash_restore_req(areq, err);
-
- /* Complete the ORIGINAL request. */
- areq->base.complete(&areq->base, err);
-@@ -304,7 +313,12 @@ static int ahash_op_unaligned(struct aha
- return err;
-
- err = op(req);
-- ahash_op_unaligned_finish(req, err);
-+ if (err == -EINPROGRESS ||
-+ (err == -EBUSY && (ahash_request_flags(req) &
-+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+ return err;
-+
-+ ahash_restore_req(req, err);
-
- return err;
- }
-@@ -339,25 +353,14 @@ int crypto_ahash_digest(struct ahash_req
- }
- EXPORT_SYMBOL_GPL(crypto_ahash_digest);
-
--static void ahash_def_finup_finish2(struct ahash_request *req, int err)
-+static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
- {
-- struct ahash_request_priv *priv = req->priv;
-+ struct ahash_request *areq = req->data;
-
- if (err == -EINPROGRESS)
- return;
-
-- if (!err)
-- memcpy(priv->result, req->result,
-- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
--
-- ahash_restore_req(req);
--}
--
--static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
--{
-- struct ahash_request *areq = req->data;
--
-- ahash_def_finup_finish2(areq, err);
-+ ahash_restore_req(areq, err);
-
- areq->base.complete(&areq->base, err);
- }
-@@ -368,11 +371,15 @@ static int ahash_def_finup_finish1(struc
- goto out;
-
- req->base.complete = ahash_def_finup_done2;
-- req->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- err = crypto_ahash_reqtfm(req)->final(req);
-+ if (err == -EINPROGRESS ||
-+ (err == -EBUSY && (ahash_request_flags(req) &
-+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+ return err;
-
- out:
-- ahash_def_finup_finish2(req, err);
-+ ahash_restore_req(req, err);
- return err;
- }
-
-@@ -380,7 +387,16 @@ static void ahash_def_finup_done1(struct
- {
- struct ahash_request *areq = req->data;
-
-+ if (err == -EINPROGRESS) {
-+ ahash_notify_einprogress(areq);
-+ return;
-+ }
-+
-+ areq->base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
-+
- err = ahash_def_finup_finish1(areq, err);
-+ if (areq->priv)
-+ return;
-
- areq->base.complete(&areq->base, err);
- }
-@@ -395,6 +411,11 @@ static int ahash_def_finup(struct ahash_
- return err;
-
- err = tfm->update(req);
-+ if (err == -EINPROGRESS ||
-+ (err == -EBUSY && (ahash_request_flags(req) &
-+ CRYPTO_TFM_REQ_MAY_BACKLOG)))
-+ return err;
-+
- return ahash_def_finup_finish1(req, err);
- }
-
---- a/include/crypto/internal/hash.h
-+++ b/include/crypto/internal/hash.h
-@@ -149,6 +149,16 @@ static inline struct ahash_instance *aha
- return crypto_alloc_instance2(name, alg, ahash_instance_headroom());
- }
-
-+static inline void ahash_request_complete(struct ahash_request *req, int err)
-+{
-+ req->base.complete(&req->base, err);
-+}
-+
-+static inline u32 ahash_request_flags(struct ahash_request *req)
-+{
-+ return req->base.flags;
-+}
-+
- static inline struct crypto_ahash *crypto_spawn_ahash(
- struct crypto_ahash_spawn *spawn)
- {
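Review bot: this deletion (CVE-2017-7618, upstream ef0579b64e93 per the Origin line) assumes 3.2.89 now carries the fix, but the "New upstream stable update" list in the changelog hunk above does not mention the ahash EINPROGRESS fix or the four crypto/ahash prerequisite patches being deleted alongside it; it is worth confirming that ChangeLog-3.2.89 contains the equivalent commits before removing them from debian/patches/series, since otherwise the fix referenced by the Bug-Debian-Security header would be dropped from wheezy-security without any changelog record.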
diff --git a/debian/patches/bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch b/debian/patches/bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch
deleted file mode 100644
index dbac0bd..0000000
--- a/debian/patches/bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Tue, 10 Dec 2013 20:26:19 +0100
-Subject: crypto: ahash - Fully restore ahash request before completing
-Origin: https://git.kernel.org/linus/1d9a394b97b833d3ab37f49caf12d0be3c88050b
-
-When finishing the ahash request, the ahash_op_unaligned_done() will
-call complete() on the request. Yet, this will not call the correct
-complete callback. The correct complete callback was previously stored
-in the requests' private data, as seen in ahash_op_unaligned(). This
-patch restores the correct complete callback and .data field of the
-request before calling complete() on it.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -214,7 +214,10 @@ static void ahash_op_unaligned_done(stru
-
- ahash_op_unaligned_finish(areq, err);
-
-- complete(data, err);
-+ areq->base.complete = complete;
-+ areq->base.data = data;
-+
-+ complete(&areq->base, err);
- }
-
- static int ahash_op_unaligned(struct ahash_request *req,
diff --git a/debian/patches/bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch b/debian/patches/bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
deleted file mode 100644
index 69bfa93..0000000
--- a/debian/patches/bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Fri, 14 Mar 2014 02:37:04 +0100
-Subject: crypto: hash - Fix the pointer voodoo in unaligned ahash
-Origin: https://git.kernel.org/linus/ab6bf4e5e5e4298e8649e635bee25542cccbfd97
-
-Add documentation for the pointer voodoo that is happening in crypto/ahash.c
-in ahash_op_unaligned(). This code is quite confusing, so add a beefy chunk
-of documentation.
-
-Moreover, make sure the mangled request is completely restored after finishing
-this unaligned operation. This means restoring all of .result, .base.data
-and .base.complete .
-
-Also, remove the crypto_completion_t complete = ... line present in the
-ahash_op_unaligned_done() function. This type actually declares a function
-pointer, which is very confusing.
-
-Finally, yet very important nonetheless, make sure the req->priv is free()'d
-only after the original request is restored in ahash_op_unaligned_done().
-The req->priv data must not be free()'d before that in ahash_op_unaligned_finish(),
-since we would be accessing previously free()'d data in ahash_op_unaligned_done()
-and cause corruption.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Cc: Tom Lendacky <thomas.lendacky at amd.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++-------
- 1 file changed, 49 insertions(+), 7 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -202,22 +202,34 @@ static void ahash_op_unaligned_finish(st
- memcpy(priv->result, req->result,
- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-
-+ /* Restore the original crypto request. */
-+ req->result = priv->result;
-+ req->base.complete = priv->complete;
-+ req->base.data = priv->data;
-+ req->priv = NULL;
-+
-+ /* Free the req->priv.priv from the ADJUSTED request. */
- kzfree(priv);
- }
-
- static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
- {
- struct ahash_request *areq = req->data;
-- struct ahash_request_priv *priv = areq->priv;
-- crypto_completion_t complete = priv->complete;
-- void *data = priv->data;
-
-- ahash_op_unaligned_finish(areq, err);
-+ /*
-+ * Restore the original request, see ahash_op_unaligned() for what
-+ * goes where.
-+ *
-+ * The "struct ahash_request *req" here is in fact the "req.base"
-+ * from the ADJUSTED request from ahash_op_unaligned(), thus as it
-+ * is a pointer to self, it is also the ADJUSTED "req" .
-+ */
-
-- areq->base.complete = complete;
-- areq->base.data = data;
-+ /* First copy areq->result into areq->priv.result */
-+ ahash_op_unaligned_finish(areq, err);
-
-- complete(&areq->base, err);
-+ /* Complete the ORIGINAL request. */
-+ areq->base.complete(&areq->base, err);
- }
-
- static int ahash_op_unaligned(struct ahash_request *req,
-@@ -235,9 +247,39 @@ static int ahash_op_unaligned(struct aha
- if (!priv)
- return -ENOMEM;
-
-+ /*
-+ * WARNING: Voodoo programming below!
-+ *
-+ * The code below is obscure and hard to understand, thus explanation
-+ * is necessary. See include/crypto/hash.h and include/linux/crypto.h
-+ * to understand the layout of structures used here!
-+ *
-+ * The code here will replace portions of the ORIGINAL request with
-+ * pointers to new code and buffers so the hashing operation can store
-+ * the result in aligned buffer. We will call the modified request
-+ * an ADJUSTED request.
-+ *
-+ * The newly mangled request will look as such:
-+ *
-+ * req {
-+ * .result = ADJUSTED[new aligned buffer]
-+ * .base.complete = ADJUSTED[pointer to completion function]
-+ * .base.data = ADJUSTED[*req (pointer to self)]
-+ * .priv = ADJUSTED[new priv] {
-+ * .result = ORIGINAL(result)
-+ * .complete = ORIGINAL(base.complete)
-+ * .data = ORIGINAL(base.data)
-+ * }
-+ */
-+
- priv->result = req->result;
- priv->complete = req->base.complete;
- priv->data = req->base.data;
-+ /*
-+ * WARNING: We do not backup req->priv here! The req->priv
-+ * is for internal use of the Crypto API and the
-+ * user must _NOT_ _EVER_ depend on it's content!
-+ */
-
- req->result = PTR_ALIGN((u8 *)priv->ubuf, alignmask + 1);
- req->base.complete = ahash_op_unaligned_done;
diff --git a/debian/patches/bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch b/debian/patches/bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
deleted file mode 100644
index 81bb8d2..0000000
--- a/debian/patches/bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Fri, 14 Mar 2014 02:37:05 +0100
-Subject: crypto: hash - Pull out the functions to save/restore request
-Origin: https://git.kernel.org/linus/1ffc9fbd1e5071948b6d48f9a27d845738ee890f
-
-The functions to save original request within a newly adjusted request
-and it's counterpart to restore the original request can be re-used by
-more code in the crypto/ahash.c file. Pull these functions out from the
-code so they're available.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Cc: Tom Lendacky <thomas.lendacky at amd.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 107 +++++++++++++++++++++++++++++++++------------------------
- 1 file changed, 62 insertions(+), 45 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -191,55 +191,12 @@ static inline unsigned int ahash_align_b
- return len + (mask & ~(crypto_tfm_ctx_alignment() - 1));
- }
-
--static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
--{
-- struct ahash_request_priv *priv = req->priv;
--
-- if (err == -EINPROGRESS)
-- return;
--
-- if (!err)
-- memcpy(priv->result, req->result,
-- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
--
-- /* Restore the original crypto request. */
-- req->result = priv->result;
-- req->base.complete = priv->complete;
-- req->base.data = priv->data;
-- req->priv = NULL;
--
-- /* Free the req->priv.priv from the ADJUSTED request. */
-- kzfree(priv);
--}
--
--static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
--{
-- struct ahash_request *areq = req->data;
--
-- /*
-- * Restore the original request, see ahash_op_unaligned() for what
-- * goes where.
-- *
-- * The "struct ahash_request *req" here is in fact the "req.base"
-- * from the ADJUSTED request from ahash_op_unaligned(), thus as it
-- * is a pointer to self, it is also the ADJUSTED "req" .
-- */
--
-- /* First copy areq->result into areq->priv.result */
-- ahash_op_unaligned_finish(areq, err);
--
-- /* Complete the ORIGINAL request. */
-- areq->base.complete(&areq->base, err);
--}
--
--static int ahash_op_unaligned(struct ahash_request *req,
-- int (*op)(struct ahash_request *))
-+static int ahash_save_req(struct ahash_request *req, crypto_completion_t cplt)
- {
- struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
- unsigned long alignmask = crypto_ahash_alignmask(tfm);
- unsigned int ds = crypto_ahash_digestsize(tfm);
- struct ahash_request_priv *priv;
-- int err;
-
- priv = kmalloc(sizeof(*priv) + ahash_align_buffer_size(ds, alignmask),
- (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
-@@ -282,10 +239,70 @@ static int ahash_op_unaligned(struct aha
- */
-
- req->result = PTR_ALIGN((u8 *)priv->ubuf, alignmask + 1);
-- req->base.complete = ahash_op_unaligned_done;
-+ req->base.complete = cplt;
- req->base.data = req;
- req->priv = priv;
-
-+ return 0;
-+}
-+
-+static void ahash_restore_req(struct ahash_request *req)
-+{
-+ struct ahash_request_priv *priv = req->priv;
-+
-+ /* Restore the original crypto request. */
-+ req->result = priv->result;
-+ req->base.complete = priv->complete;
-+ req->base.data = priv->data;
-+ req->priv = NULL;
-+
-+ /* Free the req->priv.priv from the ADJUSTED request. */
-+ kzfree(priv);
-+}
-+
-+static void ahash_op_unaligned_finish(struct ahash_request *req, int err)
-+{
-+ struct ahash_request_priv *priv = req->priv;
-+
-+ if (err == -EINPROGRESS)
-+ return;
-+
-+ if (!err)
-+ memcpy(priv->result, req->result,
-+ crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-+
-+ ahash_restore_req(req);
-+}
-+
-+static void ahash_op_unaligned_done(struct crypto_async_request *req, int err)
-+{
-+ struct ahash_request *areq = req->data;
-+
-+ /*
-+ * Restore the original request, see ahash_op_unaligned() for what
-+ * goes where.
-+ *
-+ * The "struct ahash_request *req" here is in fact the "req.base"
-+ * from the ADJUSTED request from ahash_op_unaligned(), thus as it
-+ * is a pointer to self, it is also the ADJUSTED "req" .
-+ */
-+
-+ /* First copy req->result into req->priv.result */
-+ ahash_op_unaligned_finish(areq, err);
-+
-+ /* Complete the ORIGINAL request. */
-+ areq->base.complete(&areq->base, err);
-+}
-+
-+static int ahash_op_unaligned(struct ahash_request *req,
-+ int (*op)(struct ahash_request *))
-+{
-+ int err;
-+
-+ err = ahash_save_req(req, ahash_op_unaligned_done);
-+ if (err)
-+ return err;
-+
- err = op(req);
- ahash_op_unaligned_finish(req, err);
-
diff --git a/debian/patches/bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch b/debian/patches/bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
deleted file mode 100644
index fd65c03..0000000
--- a/debian/patches/bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: Marek Vasut <marex at denx.de>
-Date: Fri, 14 Mar 2014 02:37:06 +0100
-Subject: crypto: hash - Simplify the ahash_finup implementation
-Origin: https://git.kernel.org/linus/d4a7a0fbe959e12bdd071b79b50ed34853a6db8f
-
-The ahash_def_finup() can make use of the request save/restore functions,
-thus make it so. This simplifies the code a little and unifies the code
-paths.
-
-Note that the same remark about free()ing the req->priv applies here, the
-req->priv can only be free()'d after the original request was restored.
-
-Finally, squash a bug in the invocation of completion in the ASYNC path.
-In both ahash_def_finup_done{1,2}, the function areq->base.complete(X, err);
-was called with X=areq->base.data . This is incorrect , as X=&areq->base
-is the correct value. By analysis of the data structures, we see the areq is
-of type 'struct ahash_request' , areq->base is of type 'struct crypto_async_request'
-and areq->base.completion is of type crypto_completion_t, which is defined in
-include/linux/crypto.h as:
-
- typedef void (*crypto_completion_t)(struct crypto_async_request *req, int err);
-
-This is one lead that the X should be &areq->base . Next up, we can inspect
-other code which calls the completion callback to give us kind-of statistical
-idea of how this callback is used. We can try:
-
- $ git grep base\.complete\( drivers/crypto/
-
-Finally, by inspecting ahash_request_set_callback() implementation defined
-in include/crypto/hash.h , we observe that the .data entry of 'struct
-crypto_async_request' is intended for arbitrary data, not for completion
-argument.
-
-Signed-off-by: Marek Vasut <marex at denx.de>
-Cc: David S. Miller <davem at davemloft.net>
-Cc: Fabio Estevam <fabio.estevam at freescale.com>
-Cc: Herbert Xu <herbert at gondor.apana.org.au>
-Cc: Shawn Guo <shawn.guo at linaro.org>
-Cc: Tom Lendacky <thomas.lendacky at amd.com>
-Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
----
- crypto/ahash.c | 36 +++++++++---------------------------
- 1 file changed, 9 insertions(+), 27 deletions(-)
-
---- a/crypto/ahash.c
-+++ b/crypto/ahash.c
-@@ -350,19 +350,16 @@ static void ahash_def_finup_finish2(stru
- memcpy(priv->result, req->result,
- crypto_ahash_digestsize(crypto_ahash_reqtfm(req)));
-
-- kzfree(priv);
-+ ahash_restore_req(req);
- }
-
- static void ahash_def_finup_done2(struct crypto_async_request *req, int err)
- {
- struct ahash_request *areq = req->data;
-- struct ahash_request_priv *priv = areq->priv;
-- crypto_completion_t complete = priv->complete;
-- void *data = priv->data;
-
- ahash_def_finup_finish2(areq, err);
-
-- complete(data, err);
-+ areq->base.complete(&areq->base, err);
- }
-
- static int ahash_def_finup_finish1(struct ahash_request *req, int err)
-@@ -382,38 +379,23 @@ out:
- static void ahash_def_finup_done1(struct crypto_async_request *req, int err)
- {
- struct ahash_request *areq = req->data;
-- struct ahash_request_priv *priv = areq->priv;
-- crypto_completion_t complete = priv->complete;
-- void *data = priv->data;
-
- err = ahash_def_finup_finish1(areq, err);
-
-- complete(data, err);
-+ areq->base.complete(&areq->base, err);
- }
-
- static int ahash_def_finup(struct ahash_request *req)
- {
- struct crypto_ahash *tfm = crypto_ahash_reqtfm(req);
-- unsigned long alignmask = crypto_ahash_alignmask(tfm);
-- unsigned int ds = crypto_ahash_digestsize(tfm);
-- struct ahash_request_priv *priv;
--
-- priv = kmalloc(sizeof(*priv) + ahash_align_buffer_size(ds, alignmask),
-- (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ?
-- GFP_KERNEL : GFP_ATOMIC);
-- if (!priv)
-- return -ENOMEM;
--
-- priv->result = req->result;
-- priv->complete = req->base.complete;
-- priv->data = req->base.data;
--
-- req->result = PTR_ALIGN((u8 *)priv->ubuf, alignmask + 1);
-- req->base.complete = ahash_def_finup_done1;
-- req->base.data = req;
-- req->priv = priv;
-+ int err;
-
-- return ahash_def_finup_finish1(req, tfm->update(req));
-+ err = ahash_save_req(req, ahash_def_finup_done1);
-+ if (err)
-+ return err;
-+
-+ err = tfm->update(req);
-+ return ahash_def_finup_finish1(req, err);
- }
-
- static int ahash_no_export(struct ahash_request *req, void *out)
diff --git a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
deleted file mode 100644
index 65b151e..0000000
--- a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Tue, 9 May 2017 06:29:19 -0700
-Subject: dccp/tcp: do not inherit mc_list from parent
-Origin: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8890
-
-syzkaller found a way to trigger double frees from ip_mc_drop_socket()
-
-It turns out that leave a copy of parent mc_list at accept() time,
-which is very bad.
-
-Very similar to commit 8b485ce69876 ("tcp: do not inherit
-fastopen_req from parent")
-
-Initial report from Pray3r, completed by Andrey one.
-Thanks a lot to them !
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Pray3r <pray3r.z at gmail.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- net/ipv4/inet_connection_sock.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/ipv4/inet_connection_sock.c
-+++ b/net/ipv4/inet_connection_sock.c
-@@ -604,6 +604,8 @@ struct sock *inet_csk_clone(struct sock
- inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
- newsk->sk_write_space = sk_stream_write_space;
-
-+ inet_sk(newsk)->mc_list = NULL;
-+
- newicsk->icsk_retransmits = 0;
- newicsk->icsk_backoff = 0;
- newicsk->icsk_probes_out = 0;
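Review bot: the `inet_sk(newsk)->mc_list = NULL;` store is the right fix, because the child socket is a bitwise copy of the parent inet_sock and would otherwise share, and later double free, the parent's multicast list; ownership stays with the parent, so no reference needs to be dropped here. While in this function it is worth checking that no other pointer-typed field copied by the clone in the 3.2 tree needs the same treatment; the IPv6 counterparts (ipv6_mc_list, ipv6_ac_list, ipv6_fl_list) are covered by the companion ipv6/dccp patch in this series.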
diff --git a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch b/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
deleted file mode 100644
index 9a1f54d..0000000
--- a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From: "David S. Miller" <davem at davemloft.net>
-Date: Wed, 17 May 2017 22:54:11 -0400
-Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
-Origin: https://git.kernel.org/linus/7dd7eb9513bd02184d45f000ab69d78cb1fa1531
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-Do not use unsigned variables to see if it returns a negative
-error or not.
-
-Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
-Reported-by: Julia Lawall <julia.lawall at lip6.fr>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust filenames, context]
----
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -785,7 +785,6 @@ static struct sk_buff *ipv6_gso_segment(
- const struct inet6_protocol *ops;
- int proto;
- struct frag_hdr *fptr;
-- unsigned int unfrag_ip6hlen;
- u8 *prevhdr;
- int offset = 0;
-
-@@ -824,11 +823,11 @@ static struct sk_buff *ipv6_gso_segment(
- ipv6h->payload_len = htons(skb->len - skb->mac_len -
- sizeof(*ipv6h));
- if (proto == IPPROTO_UDP) {
-- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-- if (unfrag_ip6hlen < 0)
-- return ERR_PTR(unfrag_ip6hlen);
-+ int err = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (err < 0)
-+ return ERR_PTR(err);
- fptr = (struct frag_hdr *)(skb_network_header(skb) +
-- unfrag_ip6hlen);
-+ err);
- fptr->frag_off = htons(offset);
- if (skb->next != NULL)
- fptr->frag_off |= htons(IP6_MF);
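Review bot: reusing `err` both as the error code and, after the check, as the unfragmentable header length in `skb_network_header(skb) + err` reads oddly. The ip6_fragment and udp6_ufo_fragment hunks in this same patch keep a separate length variable and assign it from `err` only after the sign check; doing the same here (`unfrag_ip6hlen = err;` after `if (err < 0)`) would be clearer and would keep the name the surrounding code already uses.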
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -631,11 +631,10 @@ int ip6_fragment(struct sk_buff *skb, in
- u8 *prevhdr, nexthdr = 0;
- struct net *net = dev_net(skb_dst(skb)->dev);
-
-- hlen = ip6_find_1stfragopt(skb, &prevhdr);
-- if (hlen < 0) {
-- err = hlen;
-+ err = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (err < 0)
- goto fail;
-- }
-+ hlen = err;
- nexthdr = *prevhdr;
-
- mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -1316,6 +1316,7 @@ static struct sk_buff *udp6_ufo_fragment
- u8 frag_hdr_sz = sizeof(struct frag_hdr);
- int offset;
- __wsum csum;
-+ int err;
-
- mss = skb_shinfo(skb)->gso_size;
- if (unlikely(skb->len <= mss))
-@@ -1352,9 +1353,10 @@ static struct sk_buff *udp6_ufo_fragment
- /* Find the unfragmentable header and shift it left by frag_hdr_sz
- * bytes to insert fragment header.
- */
-- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-- if (unfrag_ip6hlen < 0)
-- return ERR_PTR(unfrag_ip6hlen);
-+ err = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (err < 0)
-+ return ERR_PTR(err);
-+ unfrag_ip6hlen = err;
- nexthdr = *prevhdr;
- *prevhdr = NEXTHDR_FRAGMENT;
- unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
diff --git a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
deleted file mode 100644
index 01c6a47..0000000
--- a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From: WANG Cong <xiyou.wangcong at gmail.com>
-Date: Tue, 9 May 2017 16:59:54 -0700
-Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
-Origin: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9076
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9077
-
-Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
-we should clear ipv6_mc_list etc. for IPv6 sockets too.
-
-Cc: Eric Dumazet <edumazet at google.com>
-Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- net/dccp/ipv6.c | 6 ++++++
- net/ipv6/tcp_ipv6.c | 2 ++
- 2 files changed, 8 insertions(+)
-
---- a/net/dccp/ipv6.c
-+++ b/net/dccp/ipv6.c
-@@ -499,6 +499,9 @@ static struct sock *dccp_v6_request_recv
- newsk->sk_backlog_rcv = dccp_v4_do_rcv;
- newnp->pktoptions = NULL;
- newnp->opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- newnp->mcast_oif = inet6_iif(skb);
- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
-
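Review bot: this hunk clears ipv6_mc_list, ipv6_ac_list and ipv6_fl_list on the v4-mapped path (the `newsk->sk_backlog_rcv = dccp_v4_do_rcv` branch), which is correct because the clone copies the parent's ipv6_pinfo wholesale. Note that the tcp_ipv6.c hunks below only add ipv6_mc_list, since tcp_v6_syn_recv_sock already cleared the other two lists; dccp_v6 cleared none of the three, so all three are needed in both dccp hunks.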
-@@ -574,6 +577,9 @@ static struct sock *dccp_v6_request_recv
- /* Clone RX bits */
- newnp->rxopt.all = np->rxopt.all;
-
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
- /* Clone pktoptions received with SYN */
- newnp->pktoptions = NULL;
- if (ireq6->pktopts != NULL) {
---- a/net/ipv6/tcp_ipv6.c
-+++ b/net/ipv6/tcp_ipv6.c
-@@ -1386,6 +1386,7 @@ static struct sock * tcp_v6_syn_recv_soc
- newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
- #endif
-
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
- newnp->pktoptions = NULL;
-@@ -1451,6 +1452,7 @@ static struct sock * tcp_v6_syn_recv_soc
- First: no IPv4 options.
- */
- newinet->inet_opt = NULL;
-+ newnp->ipv6_mc_list = NULL;
- newnp->ipv6_ac_list = NULL;
- newnp->ipv6_fl_list = NULL;
-
diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
deleted file mode 100644
index 5ef51f4..0000000
--- a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 19 May 2017 14:17:48 -0700
-Subject: ipv6: fix out of bound writes in __ip6_append_data()
-Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
-
-Andrey Konovalov and idaifish at gmail.com reported crashes caused by
-one skb shared_info being overwritten from __ip6_append_data()
-
-Andrey program lead to following state :
-
-copy -4200 datalen 2000 fraglen 2040
-maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
-
-The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
-fraggap, 0); is overwriting skb->head and skb_shared_info
-
-Since we apparently detect this rare condition too late, move the
-code earlier to even avoid allocating skb and risking crashes.
-
-Once again, many thanks to Andrey and syzkaller team.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Reported-by: <idaifish at gmail.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipv6/ip6_output.c | 15 ++++++++-------
- 1 file changed, 8 insertions(+), 7 deletions(-)
-
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -1416,6 +1416,11 @@ alloc_new_skb:
- */
- alloclen += sizeof(struct frag_hdr);
-
-+ copy = datalen - transhdrlen - fraggap;
-+ if (copy < 0) {
-+ err = -EINVAL;
-+ goto error;
-+ }
- if (transhdrlen) {
- skb = sock_alloc_send_skb(sk,
- alloclen + hh_len,
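Review bot: moving the `copy < 0` test ahead of the allocation is correct and dropping the `kfree_skb(skb)` on that path is right, because at this point in the alloc_new_skb path no new skb has been allocated and `skb` still refers to the previous tail of the write queue, which must not be freed. Two things to confirm because they lie outside the hunk: `datalen`, `transhdrlen` and `fraggap` must all be final at the new location (the commit message's sample, datalen 2000 and fraggap 6200 giving copy -4200, only trips the check if the real fraggap is already known here), and `err` must not be overwritten between this `goto error` and the `error:` label.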
-@@ -1467,13 +1472,9 @@ alloc_new_skb:
- data += fraggap;
- pskb_trim_unique(skb_prev, maxfraglen);
- }
-- copy = datalen - transhdrlen - fraggap;
--
-- if (copy < 0) {
-- err = -EINVAL;
-- kfree_skb(skb);
-- goto error;
-- } else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
-+ if (copy > 0 &&
-+ getfrag(from, data + transhdrlen, offset,
-+ copy, fraggap, skb) < 0) {
- err = -EFAULT;
- kfree_skb(skb);
- goto error;
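Review bot: with the negative case handled before allocation, the remaining `copy > 0 && getfrag(...) < 0` branch correctly keeps its `kfree_skb(skb)` on -EFAULT, since here `skb` is the freshly allocated buffer rather than skb_prev. The asymmetry between the two error paths (free here, no free in the earlier hunk) is intentional and worth a one-line comment so the next reader does not "fix" it.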
diff --git a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
deleted file mode 100644
index 3e7a96a..0000000
--- a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From: Craig Gallek <kraig at google.com>
-Date: Tue, 16 May 2017 14:36:23 -0400
-Subject: ipv6: Prevent overrun when parsing v6 header options
-Origin: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
-
-The KASAN warning repoted below was discovered with a syzkaller
-program. The reproducer is basically:
- int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
- send(s, &one_byte_of_data, 1, MSG_MORE);
- send(s, &more_than_mtu_bytes_data, 2000, 0);
-
-The socket() call sets the nexthdr field of the v6 header to
-NEXTHDR_HOP, the first send call primes the payload with a non zero
-byte of data, and the second send call triggers the fragmentation path.
-
-The fragmentation code tries to parse the header options in order
-to figure out where to insert the fragment option. Since nexthdr points
-to an invalid option, the calculation of the size of the network header
-can made to be much larger than the linear section of the skb and data
-is read outside of it.
-
-This fix makes ip6_find_1stfrag return an error if it detects
-running out-of-bounds.
-
-[ 42.361487] ==================================================================
-[ 42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
-[ 42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
-[ 42.366469]
-[ 42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
-[ 42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
-[ 42.368824] Call Trace:
-[ 42.369183] dump_stack+0xb3/0x10b
-[ 42.369664] print_address_description+0x73/0x290
-[ 42.370325] kasan_report+0x252/0x370
-[ 42.370839] ? ip6_fragment+0x11c8/0x3730
-[ 42.371396] check_memory_region+0x13c/0x1a0
-[ 42.371978] memcpy+0x23/0x50
-[ 42.372395] ip6_fragment+0x11c8/0x3730
-[ 42.372920] ? nf_ct_expect_unregister_notifier+0x110/0x110
-[ 42.373681] ? ip6_copy_metadata+0x7f0/0x7f0
-[ 42.374263] ? ip6_forward+0x2e30/0x2e30
-[ 42.374803] ip6_finish_output+0x584/0x990
-[ 42.375350] ip6_output+0x1b7/0x690
-[ 42.375836] ? ip6_finish_output+0x990/0x990
-[ 42.376411] ? ip6_fragment+0x3730/0x3730
-[ 42.376968] ip6_local_out+0x95/0x160
-[ 42.377471] ip6_send_skb+0xa1/0x330
-[ 42.377969] ip6_push_pending_frames+0xb3/0xe0
-[ 42.378589] rawv6_sendmsg+0x2051/0x2db0
-[ 42.379129] ? rawv6_bind+0x8b0/0x8b0
-[ 42.379633] ? _copy_from_user+0x84/0xe0
-[ 42.380193] ? debug_check_no_locks_freed+0x290/0x290
-[ 42.380878] ? ___sys_sendmsg+0x162/0x930
-[ 42.381427] ? rcu_read_lock_sched_held+0xa3/0x120
-[ 42.382074] ? sock_has_perm+0x1f6/0x290
-[ 42.382614] ? ___sys_sendmsg+0x167/0x930
-[ 42.383173] ? lock_downgrade+0x660/0x660
-[ 42.383727] inet_sendmsg+0x123/0x500
-[ 42.384226] ? inet_sendmsg+0x123/0x500
-[ 42.384748] ? inet_recvmsg+0x540/0x540
-[ 42.385263] sock_sendmsg+0xca/0x110
-[ 42.385758] SYSC_sendto+0x217/0x380
-[ 42.386249] ? SYSC_connect+0x310/0x310
-[ 42.386783] ? __might_fault+0x110/0x1d0
-[ 42.387324] ? lock_downgrade+0x660/0x660
-[ 42.387880] ? __fget_light+0xa1/0x1f0
-[ 42.388403] ? __fdget+0x18/0x20
-[ 42.388851] ? sock_common_setsockopt+0x95/0xd0
-[ 42.389472] ? SyS_setsockopt+0x17f/0x260
-[ 42.390021] ? entry_SYSCALL_64_fastpath+0x5/0xbe
-[ 42.390650] SyS_sendto+0x40/0x50
-[ 42.391103] entry_SYSCALL_64_fastpath+0x1f/0xbe
-[ 42.391731] RIP: 0033:0x7fbbb711e383
-[ 42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
-[ 42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
-[ 42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
-[ 42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
-[ 42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
-[ 42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
-[ 42.397257]
-[ 42.397411] Allocated by task 3789:
-[ 42.397702] save_stack_trace+0x16/0x20
-[ 42.398005] save_stack+0x46/0xd0
-[ 42.398267] kasan_kmalloc+0xad/0xe0
-[ 42.398548] kasan_slab_alloc+0x12/0x20
-[ 42.398848] __kmalloc_node_track_caller+0xcb/0x380
-[ 42.399224] __kmalloc_reserve.isra.32+0x41/0xe0
-[ 42.399654] __alloc_skb+0xf8/0x580
-[ 42.400003] sock_wmalloc+0xab/0xf0
-[ 42.400346] __ip6_append_data.isra.41+0x2472/0x33d0
-[ 42.400813] ip6_append_data+0x1a8/0x2f0
-[ 42.401122] rawv6_sendmsg+0x11ee/0x2db0
-[ 42.401505] inet_sendmsg+0x123/0x500
-[ 42.401860] sock_sendmsg+0xca/0x110
-[ 42.402209] ___sys_sendmsg+0x7cb/0x930
-[ 42.402582] __sys_sendmsg+0xd9/0x190
-[ 42.402941] SyS_sendmsg+0x2d/0x50
-[ 42.403273] entry_SYSCALL_64_fastpath+0x1f/0xbe
-[ 42.403718]
-[ 42.403871] Freed by task 1794:
-[ 42.404146] save_stack_trace+0x16/0x20
-[ 42.404515] save_stack+0x46/0xd0
-[ 42.404827] kasan_slab_free+0x72/0xc0
-[ 42.405167] kfree+0xe8/0x2b0
-[ 42.405462] skb_free_head+0x74/0xb0
-[ 42.405806] skb_release_data+0x30e/0x3a0
-[ 42.406198] skb_release_all+0x4a/0x60
-[ 42.406563] consume_skb+0x113/0x2e0
-[ 42.406910] skb_free_datagram+0x1a/0xe0
-[ 42.407288] netlink_recvmsg+0x60d/0xe40
-[ 42.407667] sock_recvmsg+0xd7/0x110
-[ 42.408022] ___sys_recvmsg+0x25c/0x580
-[ 42.408395] __sys_recvmsg+0xd6/0x190
-[ 42.408753] SyS_recvmsg+0x2d/0x50
-[ 42.409086] entry_SYSCALL_64_fastpath+0x1f/0xbe
-[ 42.409513]
-[ 42.409665] The buggy address belongs to the object at ffff88000969e780
-[ 42.409665] which belongs to the cache kmalloc-512 of size 512
-[ 42.410846] The buggy address is located 24 bytes inside of
-[ 42.410846] 512-byte region [ffff88000969e780, ffff88000969e980)
-[ 42.411941] The buggy address belongs to the page:
-[ 42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
-[ 42.413298] flags: 0x100000000008100(slab|head)
-[ 42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
-[ 42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
-[ 42.415074] page dumped because: kasan: bad access detected
-[ 42.415604]
-[ 42.415757] Memory state around the buggy address:
-[ 42.416222] ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[ 42.416904] ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-[ 42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
-[ 42.418273] ^
-[ 42.418588] ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[ 42.419273] ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
-[ 42.419882] ==================================================================
-
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: Craig Gallek <kraig at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2:
- - Adjust filenames, context]
----
---- a/net/ipv6/af_inet6.c
-+++ b/net/ipv6/af_inet6.c
-@@ -825,6 +825,8 @@ static struct sk_buff *ipv6_gso_segment(
- sizeof(*ipv6h));
- if (proto == IPPROTO_UDP) {
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (unfrag_ip6hlen < 0)
-+ return ERR_PTR(unfrag_ip6hlen);
- fptr = (struct frag_hdr *)(skb_network_header(skb) +
- unfrag_ip6hlen);
- fptr->frag_off = htons(offset);
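Review bot: `if (unfrag_ip6hlen < 0)` can never be true here, because unfrag_ip6hlen is declared `unsigned int` in ipv6_gso_segment (the follow-up patch in this series, "ipv6: Check ip6_find_1stfragopt() return value properly", removes exactly that declaration), so the -EINVAL from ip6_find_1stfragopt() becomes a huge unsigned offset and fptr is computed past the buffer. The ip6_fragment and udp6_ufo_fragment hunks below have the same defect. On its own this hunk is therefore incomplete; the follow-up fixes all three call sites and the two patches must go together, which is what dropping both in favour of 3.2.89 does.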
---- a/net/ipv6/ip6_output.c
-+++ b/net/ipv6/ip6_output.c
-@@ -562,13 +562,12 @@ static void ip6_copy_metadata(struct sk_
- int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
- {
- u16 offset = sizeof(struct ipv6hdr);
-- struct ipv6_opt_hdr *exthdr =
-- (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
- unsigned int packet_len = skb->tail - skb->network_header;
- int found_rhdr = 0;
- *nexthdr = &ipv6_hdr(skb)->nexthdr;
-
-- while (offset + 1 <= packet_len) {
-+ while (offset <= packet_len) {
-+ struct ipv6_opt_hdr *exthdr;
-
- switch (**nexthdr) {
-
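Review bot: `offset` is a u16 while `packet_len` is an unsigned int and each iteration adds ipv6_optlen(exthdr), up to 2048 bytes per extension header, so if the linear area can ever exceed 64 KiB the offset could wrap before the `offset <= packet_len` test fails and the bounds check would be defeated; promoting `offset` to unsigned int is cheap and matches the function's int return. Also, the relaxed `offset <= packet_len` loop condition by itself permits `offset == packet_len`; that is only safe because the `offset + sizeof(struct ipv6_opt_hdr) > packet_len` test in the next hunk runs before exthdr is dereferenced, so the two hunks must not be split.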
-@@ -589,13 +588,16 @@ int ip6_find_1stfragopt(struct sk_buff *
- return offset;
- }
-
-- offset += ipv6_optlen(exthdr);
-- *nexthdr = &exthdr->nexthdr;
-+ if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
-+ return -EINVAL;
-+
- exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
- offset);
-+ offset += ipv6_optlen(exthdr);
-+ *nexthdr = &exthdr->nexthdr;
- }
-
-- return offset;
-+ return -EINVAL;
- }
-
- void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
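Review bot: the fall-through now returns -EINVAL instead of `offset` when the header chain runs past the linear area, which changes the contract from "always a length" to "length or negative errno". Every caller therefore needs a sign check; this patch adds one to the three callers in af_inet6.c, ip6_output.c and udp.c, so any other user of ip6_find_1stfragopt() in the 3.2 tree should be audited for the same. The `offset + sizeof(struct ipv6_opt_hdr) > packet_len` test before the exthdr read is what closes the KASAN report; the early `return offset;` path above is unchanged and remains bounded by the loop condition.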
-@@ -630,6 +632,10 @@ int ip6_fragment(struct sk_buff *skb, in
- struct net *net = dev_net(skb_dst(skb)->dev);
-
- hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (hlen < 0) {
-+ err = hlen;
-+ goto fail;
-+ }
- nexthdr = *prevhdr;
-
- mtu = ip6_skb_dst_mtu(skb);
---- a/net/ipv6/udp.c
-+++ b/net/ipv6/udp.c
-@@ -1353,6 +1353,8 @@ static struct sk_buff *udp6_ufo_fragment
- * bytes to insert fragment header.
- */
- unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
-+ if (unfrag_ip6hlen < 0)
-+ return ERR_PTR(unfrag_ip6hlen);
- nexthdr = *prevhdr;
- *prevhdr = NEXTHDR_FRAGMENT;
- unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
diff --git a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
deleted file mode 100644
index 407a1a1..0000000
--- a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Dan Carpenter <dan.carpenter at oracle.com>
-Date: Tue, 2 May 2017 13:58:53 +0300
-Subject: ipx: call ipxitf_put() in ioctl error path
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/ee0d8d8482345ff97a75a7d747efc309f13b0d80
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7487
-
-We should call ipxitf_put() if the copy_to_user() fails.
-
-Reported-by: 李强 <liqiang6-s at 360.cn>
-Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/ipx/af_ipx.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
---- a/net/ipx/af_ipx.c
-+++ b/net/ipx/af_ipx.c
-@@ -1194,11 +1194,10 @@ static int ipxitf_ioctl(unsigned int cmd
- sipx->sipx_network = ipxif->if_netnum;
- memcpy(sipx->sipx_node, ipxif->if_node,
- sizeof(sipx->sipx_node));
-- rc = -EFAULT;
-+ rc = 0;
- if (copy_to_user(arg, &ifr, sizeof(ifr)))
-- break;
-+ rc = -EFAULT;
- ipxitf_put(ipxif);
-- rc = 0;
- break;
- }
- case SIOCAIPXITFCRT:
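Review bot: the old flow leaked the reference taken for `ipxif` whenever copy_to_user() failed, because `break` skipped ipxitf_put(); the reordering sets rc before the copy and always reaches ipxitf_put(), which is the correct shape for a get/put pair. Minor style point: `rc = copy_to_user(arg, &ifr, sizeof(ifr)) ? -EFAULT : 0;` would express the same in one line if the file's style allows it.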
diff --git a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch b/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
deleted file mode 100644
index 496bd33..0000000
--- a/debian/patches/bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Tue, 18 Apr 2017 15:31:07 +0100
-Subject: KEYS: Disallow keyrings beginning with '.' to be joined as session
- keyrings
-Origin: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-9604
-
-This fixes CVE-2016-9604.
-
-Keyrings whose name begin with a '.' are special internal keyrings and so
-userspace isn't allowed to create keyrings by this name to prevent
-shadowing. However, the patch that added the guard didn't fix
-KEYCTL_JOIN_SESSION_KEYRING. Not only can that create dot-named keyrings,
-it can also subscribe to them as a session keyring if they grant SEARCH
-permission to the user.
-
-This, for example, allows a root process to set .builtin_trusted_keys as
-its session keyring, at which point it has full access because now the
-possessor permissions are added. This permits root to add extra public
-keys, thereby bypassing module verification.
-
-This also affects kexec and IMA.
-
-This can be tested by (as root):
-
- keyctl session .builtin_trusted_keys
- keyctl add user a a @s
- keyctl list @s
-
-which on my test box gives me:
-
- 2 keys in keyring:
- 180010936: ---lswrv 0 0 asymmetric: Build time autogenerated kernel key: ae3d4a31b82daa8e1a75b49dc2bba949fd992a05
- 801382539: --alswrv 0 0 user: a
-
-
-Fix this by rejecting names beginning with a '.' in the keyctl.
-
-Signed-off-by: David Howells <dhowells at redhat.com>
-Acked-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
-cc: linux-ima-devel at lists.sourceforge.net
-cc: stable at vger.kernel.org
----
- security/keys/keyctl.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -263,7 +263,8 @@ error:
- * Create and join an anonymous session keyring or join a named session
- * keyring, creating it if necessary. A named session keyring must have Search
- * permission for it to be joined. Session keyrings without this permit will
-- * be skipped over.
-+ * be skipped over. It is not permitted for userspace to create or join
-+ * keyrings whose name begin with a dot.
- *
- * If successful, the ID of the joined session keyring will be returned.
- */
-@@ -280,12 +281,16 @@ long keyctl_join_session_keyring(const c
- ret = PTR_ERR(name);
- goto error;
- }
-+
-+ ret = -EPERM;
-+ if (name[0] == '.')
-+ goto error_name;
- }
-
- /* join the session */
- ret = join_session_keyring(name);
-+error_name:
- kfree(name);
--
- error:
- return ret;
- }
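Review bot: the `name[0] == '.'` rejection sits inside the `if (_name)` branch, so anonymous session keyrings (NULL name) are unaffected and only user-supplied names are screened, which is the intended scope; the new `error_name` label correctly frees `name` on the EPERM path. The check rejects every dot-prefixed name here rather than only keyrings, which is fine because join_session_keyring() only ever deals with keyrings, but the stricter scope relative to the add_key() check in the "special dot prefixed keyring name" patch deserves a sentence in the comment block above.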
diff --git a/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch b/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
deleted file mode 100644
index e397f80..0000000
--- a/debian/patches/bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From: Eric Biggers <ebiggers at google.com>
-Date: Tue, 18 Apr 2017 15:31:09 +0100
-Subject: KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
-Origin: https://git.kernel.org/linus/c9f838d104fed6f2f61d68164712e3204bf5271b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7472
-
-This fixes CVE-2017-7472.
-
-Running the following program as an unprivileged user exhausts kernel
-memory by leaking thread keyrings:
-
- #include <keyutils.h>
-
- int main()
- {
- for (;;)
- keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
- }
-
-Fix it by only creating a new thread keyring if there wasn't one before.
-To make things more consistent, make install_thread_keyring_to_cred()
-and install_process_keyring_to_cred() both return 0 if the corresponding
-keyring is already present.
-
-Fixes: d84f4f992cbd ("CRED: Inaugurate COW credentials")
-Cc: stable at vger.kernel.org # 2.6.29+
-Signed-off-by: Eric Biggers <ebiggers at google.com>
-Signed-off-by: David Howells <dhowells at redhat.com>
-[bwh: Backported to 3.2: adjust context]
----
- security/keys/keyctl.c | 11 ++++-------
- security/keys/process_keys.c | 44 +++++++++++++++++++++++++++-----------------
- 2 files changed, 31 insertions(+), 24 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1183,8 +1183,8 @@ error:
- * Read or set the default keyring in which request_key() will cache keys and
- * return the old setting.
- *
-- * If a process keyring is specified then this will be created if it doesn't
-- * yet exist. The old setting will be returned if successful.
-+ * If a thread or process keyring is specified then it will be created if it
-+ * doesn't yet exist. The old setting will be returned if successful.
- */
- long keyctl_set_reqkey_keyring(int reqkey_defl)
- {
-@@ -1209,11 +1209,8 @@ long keyctl_set_reqkey_keyring(int reqke
-
- case KEY_REQKEY_DEFL_PROCESS_KEYRING:
- ret = install_process_keyring_to_cred(new);
-- if (ret < 0) {
-- if (ret != -EEXIST)
-- goto error;
-- ret = 0;
-- }
-+ if (ret < 0)
-+ goto error;
- goto set;
-
- case KEY_REQKEY_DEFL_DEFAULT:
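Review bot: this hunk is only safe together with the process_keys.c change that makes install_process_keyring_to_cred() return 0 instead of -EEXIST when a process keyring already exists; on its own, dropping the `ret != -EEXIST` special case would turn the existing-keyring case into an error return. Note also that the leak described in the commit message is in the KEY_REQKEY_DEFL_THREAD_KEYRING case, which this hunk does not touch; it is fixed by the early return added to install_thread_keyring_to_cred() below.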
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -121,13 +121,18 @@ error:
- }
-
- /*
-- * Install a fresh thread keyring directly to new credentials. This keyring is
-- * allowed to overrun the quota.
-+ * Install a thread keyring to the given credentials struct if it didn't have
-+ * one already. This is allowed to overrun the quota.
-+ *
-+ * Return: 0 if a thread keyring is now present; -errno on failure.
- */
- int install_thread_keyring_to_cred(struct cred *new)
- {
- struct key *keyring;
-
-+ if (new->thread_keyring)
-+ return 0;
-+
- keyring = keyring_alloc("_tid", new->uid, new->gid, new,
- KEY_ALLOC_QUOTA_OVERRUN, NULL);
- if (IS_ERR(keyring))
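Review bot: the early `return 0` when `new->thread_keyring` is already set is the actual fix: previously every call allocated a fresh `_tid` keyring and stored it over the existing pointer, so the reference the credentials copy held on the old keyring was never dropped. With the early return the function is idempotent, which is also what makes removing the `BUG_ON(new->thread_keyring)` in install_thread_keyring() below correct rather than merely silencing it.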
-@@ -138,7 +143,9 @@ int install_thread_keyring_to_cred(struc
- }
-
- /*
-- * Install a fresh thread keyring, discarding the old one.
-+ * Install a thread keyring to the current task if it didn't have one already.
-+ *
-+ * Return: 0 if a thread keyring is now present; -errno on failure.
- */
- static int install_thread_keyring(void)
- {
-@@ -149,8 +156,6 @@ static int install_thread_keyring(void)
- if (!new)
- return -ENOMEM;
-
-- BUG_ON(new->thread_keyring);
--
- ret = install_thread_keyring_to_cred(new);
- if (ret < 0) {
- abort_creds(new);
-@@ -161,10 +166,10 @@ static int install_thread_keyring(void)
- }
-
- /*
-- * Install a process keyring directly to a credentials struct.
-+ * Install a process keyring to the given credentials struct if it didn't have
-+ * one already. This is allowed to overrun the quota.
- *
-- * Returns -EEXIST if there was already a process keyring, 0 if one installed,
-- * and other value on any other error
-+ * Return: 0 if a process keyring is now present; -errno on failure.
- */
- int install_process_keyring_to_cred(struct cred *new)
- {
-@@ -172,7 +177,7 @@ int install_process_keyring_to_cred(stru
- int ret;
-
- if (new->tgcred->process_keyring)
-- return -EEXIST;
-+ return 0;
-
- keyring = keyring_alloc("_pid", new->uid, new->gid,
- new, KEY_ALLOC_QUOTA_OVERRUN, NULL);
-@@ -193,11 +198,9 @@ int install_process_keyring_to_cred(stru
- }
-
- /*
-- * Make sure a process keyring is installed for the current process. The
-- * existing process keyring is not replaced.
-+ * Install a process keyring to the current task if it didn't have one already.
- *
-- * Returns 0 if there is a process keyring by the end of this function, some
-- * error otherwise.
-+ * Return: 0 if a process keyring is now present; -errno on failure.
- */
- static int install_process_keyring(void)
- {
-@@ -211,14 +214,18 @@ static int install_process_keyring(void)
- ret = install_process_keyring_to_cred(new);
- if (ret < 0) {
- abort_creds(new);
-- return ret != -EEXIST ? ret : 0;
-+ return ret;
- }
-
- return commit_creds(new);
- }
-
- /*
-- * Install a session keyring directly to a credentials struct.
-+ * Install the given keyring as the session keyring of the given credentials
-+ * struct, replacing the existing one if any. If the given keyring is NULL,
-+ * then install a new anonymous session keyring.
-+ *
-+ * Return: 0 on success; -errno on failure.
- */
- int install_session_keyring_to_cred(struct cred *cred, struct key *keyring)
- {
-@@ -258,8 +265,11 @@ int install_session_keyring_to_cred(stru
- }
-
- /*
-- * Install a session keyring, discarding the old one. If a keyring is not
-- * supplied, an empty one is invented.
-+ * Install the given keyring as the session keyring of the current task,
-+ * replacing the existing one if any. If the given keyring is NULL, then
-+ * install a new anonymous session keyring.
-+ *
-+ * Return: 0 on success; -errno on failure.
- */
- static int install_session_keyring(struct key *keyring)
- {
diff --git a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch b/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
deleted file mode 100644
index 31c3553..0000000
--- a/debian/patches/bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: David Howells <dhowells at redhat.com>
-Date: Tue, 16 Sep 2014 17:29:03 +0100
-Subject: KEYS: Reinstate EPERM for a key type name beginning with a '.'
-Origin: https://git.kernel.org/linus/54e2c2c1a9d6cbb270b0999a38545fa9a69bee43
-
-Reinstate the generation of EPERM for a key type name beginning with a '.' in
-a userspace call. Types whose name begins with a '.' are internal only.
-
-The test was removed by:
-
- commit a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
- Author: Mimi Zohar <zohar at linux.vnet.ibm.com>
- Date: Thu May 22 14:02:23 2014 -0400
- Subject: KEYS: special dot prefixed keyring name bug fix
-
-I think we want to keep the restriction on type name so that userspace can't
-add keys of a special internal type.
-
-Note that removal of the test causes several of the tests in the keyutils
-testsuite to fail.
-
-Signed-off-by: David Howells <dhowells at redhat.com>
-Acked-by: Vivek Goyal <vgoyal at redhat.com>
-cc: Mimi Zohar <zohar at linux.vnet.ibm.com>
----
- security/keys/keyctl.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -35,6 +35,8 @@ static int key_get_type_from_user(char *
- return ret;
- if (ret == 0 || ret >= len)
- return -EINVAL;
-+ if (type[0] == '.')
-+ return -EPERM;
- type[len - 1] = '\0';
- return 0;
- }
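Review bot: the `type[0] == '.'` test is placed before `type[len - 1] = '\0'`, which is fine because the `ret == 0 || ret >= len` check above guarantees at least one copied byte. Since this patch (September 2014) re-adds a check that the May 2014 "special dot prefixed keyring name bug fix" patch in this series removed, the series order matters: this one must apply after it, or the hunk will not match.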
diff --git a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch b/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
deleted file mode 100644
index 16bb626..0000000
--- a/debian/patches/bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Mimi Zohar <zohar at linux.vnet.ibm.com>
-Date: Thu, 22 May 2014 14:02:23 -0400
-Subject: KEYS: special dot prefixed keyring name bug fix
-Origin: https://git.kernel.org/linus/a4e3b8d79a5c6d40f4a9703abf7fe3abcc6c3b8d
-
-Dot prefixed keyring names are supposed to be reserved for the
-kernel, but add_key() calls key_get_type_from_user(), which
-incorrectly verifies the 'type' field, not the 'description' field.
-This patch verifies the 'description' field isn't dot prefixed,
-when creating a new keyring, and removes the dot prefix test in
-key_get_type_from_user().
-
-Changelog v6:
-- whitespace and other cleanup
-
-Changelog v5:
-- Only prevent userspace from creating a dot prefixed keyring, not
- regular keys - Dmitry
-
-Reported-by: Dmitry Kasatkin <d.kasatkin at samsung.com>
-Signed-off-by: Mimi Zohar <zohar at linux.vnet.ibm.com>
-Acked-by: David Howells <dhowells at redhat.com>
-[bwh: Backported to 3.2: adjust context, indentation]
----
- security/keys/keyctl.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -35,8 +35,6 @@ static int key_get_type_from_user(char *
- return ret;
- if (ret == 0 || ret >= len)
- return -EINVAL;
-- if (type[0] == '.')
-- return -EPERM;
- type[len - 1] = '\0';
- return 0;
- }
-@@ -75,6 +73,10 @@ SYSCALL_DEFINE5(add_key, const char __us
- if (IS_ERR(description)) {
- ret = PTR_ERR(description);
- goto error;
-+ } else if ((description[0] == '.') &&
-+ (strncmp(type, "keyring", 7) == 0)) {
-+ ret = -EPERM;
-+ goto error2;
- }
-
- /* pull the payload in if one was supplied */
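Review bot: in the add_key() hunk, `strncmp(type, "keyring", 7) == 0` is a prefix match, so any type name beginning with "keyring" trips the -EPERM for a dot-prefixed description, not just the keyring type itself; `strcmp(type, "keyring") == 0` would state the intent exactly. The over-match can only reject more, never less, so it is safe, but the exact comparison is easier to reason about.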
diff --git a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch b/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
deleted file mode 100644
index c1d314c..0000000
--- a/debian/patches/bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Chris Salls <salls at cs.ucsb.edu>
-Date: Fri, 7 Apr 2017 23:48:11 -0700
-Subject: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
-Origin: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7616
-
-In the case that compat_get_bitmap fails we do not want to copy the
-bitmap to the user as it will contain uninitialized stack data and leak
-sensitive data.
-
-Signed-off-by: Chris Salls <salls at cs.ucsb.edu>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- mm/mempolicy.c | 20 ++++++++------------
- 1 file changed, 8 insertions(+), 12 deletions(-)
-
---- a/mm/mempolicy.c
-+++ b/mm/mempolicy.c
-@@ -1446,7 +1446,6 @@ asmlinkage long compat_sys_get_mempolicy
- asmlinkage long compat_sys_set_mempolicy(int mode, compat_ulong_t __user *nmask,
- compat_ulong_t maxnode)
- {
-- long err = 0;
- unsigned long __user *nm = NULL;
- unsigned long nr_bits, alloc_size;
- DECLARE_BITMAP(bm, MAX_NUMNODES);
-@@ -1455,14 +1454,13 @@ asmlinkage long compat_sys_set_mempolicy
- alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
-
- if (nmask) {
-- err = compat_get_bitmap(bm, nmask, nr_bits);
-+ if (compat_get_bitmap(bm, nmask, nr_bits))
-+ return -EFAULT;
- nm = compat_alloc_user_space(alloc_size);
-- err |= copy_to_user(nm, bm, alloc_size);
-+ if (copy_to_user(nm, bm, alloc_size))
-+ return -EFAULT;
- }
-
-- if (err)
-- return -EFAULT;
--
- return sys_set_mempolicy(mode, nm, nr_bits+1);
- }
-
-@@ -1470,7 +1468,6 @@ asmlinkage long compat_sys_mbind(compat_
- compat_ulong_t mode, compat_ulong_t __user *nmask,
- compat_ulong_t maxnode, compat_ulong_t flags)
- {
-- long err = 0;
- unsigned long __user *nm = NULL;
- unsigned long nr_bits, alloc_size;
- nodemask_t bm;
-@@ -1479,14 +1476,13 @@ asmlinkage long compat_sys_mbind(compat_
- alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
-
- if (nmask) {
-- err = compat_get_bitmap(nodes_addr(bm), nmask, nr_bits);
-+ if (compat_get_bitmap(nodes_addr(bm), nmask, nr_bits))
-+ return -EFAULT;
- nm = compat_alloc_user_space(alloc_size);
-- err |= copy_to_user(nm, nodes_addr(bm), alloc_size);
-+ if (copy_to_user(nm, nodes_addr(bm), alloc_size))
-+ return -EFAULT;
- }
-
-- if (err)
-- return -EFAULT;
--
- return sys_mbind(start, len, mode, nm, nr_bits+1, flags);
- }
-
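Review bot: both the compat_sys_set_mempolicy and compat_sys_mbind hunks now return -EFAULT as soon as compat_get_bitmap() fails, so the stack bitmap `bm` is never copied out half-initialised; the old `err |= copy_to_user(...)` form did the copy first and only checked `err` afterwards, which is the leak the description names. Minor: the two functions declare the bitmap differently (`DECLARE_BITMAP(bm, MAX_NUMNODES)` versus `nodemask_t bm` with `nodes_addr(bm)`); harmonising them would make the two hunks identical.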
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
deleted file mode 100644
index c17248b..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:20 +0200
-Subject: [1/3] net/packet: fix overflow in check for priv area size
-Origin: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-Subtracting tp_sizeof_priv from tp_block_size and casting to int
-to check whether one is less then the other doesn't always work
-(both of them are unsigned ints).
-
-Compare them as is instead.
-
-Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
-it can overflow inside BLK_PLUS_PRIV otherwise.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3637,8 +3637,8 @@ static int packet_set_ring(struct sock *
- if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
- goto out;
- if (po->tp_version >= TPACKET_V3 &&
-- (int)(req->tp_block_size -
-- BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
-+ req->tp_block_size <=
-+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
- goto out;
- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
- po->tp_reserve))
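Review bot: the `(int)(req->tp_block_size - BLK_PLUS_PRIV(...)) <= 0` test this hunk replaces is the one introduced by the packet-handle-too-big-packets-for-packet_v3 backport deleted further down in this commit, so the 3.2.89 update needs to carry both upstream commits (dc808110bb62 and 2b6867c2ce76) or the signed-cast check returns without its fix. The `(u64)` cast belongs on the macro argument, as done here, because BLK_PLUS_PRIV does its arithmetic on that argument before the comparison.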
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
deleted file mode 100644
index 9e6b4f3..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:21 +0200
-Subject: [2/3] net/packet: fix overflow in check for tp_frame_nr
-Origin: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating rb->frames_per_block * req->tp_block_nr the result
-can overflow.
-
-Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
-
-Since frames_per_block <= tp_block_size, the expression would
-never overflow.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3649,6 +3649,8 @@ static int packet_set_ring(struct sock *
- rb->frames_per_block = req->tp_block_size/req->tp_frame_size;
- if (unlikely(rb->frames_per_block <= 0))
- goto out;
-+ if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
-+ goto out;
- if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
- req->tp_frame_nr))
- goto out;
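Review bot: the new `req->tp_block_size > UINT_MAX / req->tp_block_nr` test divides by tp_block_nr, which is not validated anywhere in the visible context; it relies on packet_set_ring() having already rejected tp_block_nr == 0 earlier, so that should be confirmed when backporting. The placement is right: the check sits before the `frames_per_block * tp_block_nr` multiplication it protects.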
diff --git a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch b/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
deleted file mode 100644
index 981a8d1..0000000
--- a/debian/patches/bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From: Andrey Konovalov <andreyknvl at google.com>
-Date: Wed, 29 Mar 2017 16:11:22 +0200
-Subject: [3/3] net/packet: fix overflow in check for tp_reserve
-Origin: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7308
-
-When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
-
-Fix by checking that tp_reserve <= INT_MAX on assign.
-
-Signed-off-by: Andrey Konovalov <andreyknvl at google.com>
-Acked-by: Eric Dumazet <edumazet at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/packet/af_packet.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -3136,6 +3136,8 @@ packet_setsockopt(struct socket *sock, i
- return -EBUSY;
- if (copy_from_user(&val, optval, sizeof(val)))
- return -EFAULT;
-+ if (val > INT_MAX)
-+ return -EINVAL;
- po->tp_reserve = val;
- return 0;
- }
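Review bot: `if (val > INT_MAX) return -EINVAL;` only bounds tp_reserve if `val` is an unsigned type; its declaration is outside the hunk, and with a signed int the comparison would be always false. Worth a one-line comment tying the bound to the `po->tp_hdrlen + po->tp_reserve` sum the description says it keeps from wrapping.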
diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
deleted file mode 100644
index c84e29f..0000000
--- a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 16:10:18 -0400
-Subject: nfsd: check for oversized NFSv2/v3 arguments
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
-
-A client can append random data to the end of an NFSv2 or NFSv3 RPC call
-without our complaining; we'll just stop parsing at the end of the
-expected data and ignore the rest.
-
-Encoded arguments and replies are stored together in an array of pages,
-and if a call is too large it could leave inadequate space for the
-reply. This is normally OK because NFS RPC's typically have either
-short arguments and long replies (like READ) or long arguments and short
-replies (like WRITE). But a client that sends an incorrectly long reply
-can violate those assumptions. This was observed to cause crashes.
-
-Also, several operations increment rq_next_page in the decode routine
-before checking the argument size, which can leave rq_next_page pointing
-well past the end of the page array, causing trouble later in
-svc_free_pages.
-
-So, following a suggestion from Neil Brown, add a central check to
-enforce our expectation that no NFSv2/v3 call has both a large call and
-a large reply.
-
-As followup we may also want to rewrite the encoding routines to check
-more carefully that they aren't running off the end of the page array.
-
-We may also consider rejecting calls that have any extra garbage
-appended. That would be safer, and within our rights by spec, but given
-the age of our server and the NFS protocol, and the fact that we've
-never enforced this before, we may need to balance that against the
-possibility of breaking some oddball client.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Cc: stable at vger.kernel.org
-Reviewed-by: NeilBrown <neilb at suse.com>
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
- 1 file changed, 36 insertions(+)
-
---- a/fs/nfsd/nfssvc.c
-+++ b/fs/nfsd/nfssvc.c
-@@ -561,6 +561,37 @@ static __be32 map_new_errors(u32 vers, _
- return nfserr;
- }
-
-+/*
-+ * A write procedure can have a large argument, and a read procedure can
-+ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
-+ * reply that can both be larger than a page. The xdr code has taken
-+ * advantage of this assumption to be a sloppy about bounds checking in
-+ * some cases. Pending a rewrite of the NFSv2/v3 xdr code to fix that
-+ * problem, we enforce these assumptions here:
-+ */
-+static bool nfs_request_too_big(struct svc_rqst *rqstp,
-+ struct svc_procedure *proc)
-+{
-+ /*
-+ * The ACL code has more careful bounds-checking and is not
-+ * susceptible to this problem:
-+ */
-+ if (rqstp->rq_prog != NFS_PROGRAM)
-+ return false;
-+ /*
-+ * Ditto NFSv4 (which can in theory have argument and reply both
-+ * more than a page):
-+ */
-+ if (rqstp->rq_vers >= 4)
-+ return false;
-+ /* The reply will be small, we're OK: */
-+ if (proc->pc_xdrressize > 0 &&
-+ proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
-+ return false;
-+
-+ return rqstp->rq_arg.len > PAGE_SIZE;
-+}
-+
- int
- nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
- {
-@@ -573,6 +604,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
- rqstp->rq_vers, rqstp->rq_proc);
- proc = rqstp->rq_procinfo;
-
-+ if (nfs_request_too_big(rqstp, proc)) {
-+ dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
-+ *statp = rpc_garbage_args;
-+ return 1;
-+ }
- /*
- * Give the xdr decoder a chance to change this if it wants
- * (necessary in the NFSv4.0 compound case)
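Review bot: in nfs_request_too_big(), a procedure with `pc_xdrressize == 0` (reply size unknown) skips the small-reply early return and falls through to the `rq_arg.len > PAGE_SIZE` test, so it is treated as a large-reply procedure; that is the conservative direction, but the comment above only covers the small-reply case and should say so. In the nfsd_dispatch hunk the `rpc_garbage_args` return happens before the decoder runs, which is what keeps rq_next_page from being advanced on an oversized call, as the description requires.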
diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
deleted file mode 100644
index e07cc3f..0000000
--- a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Fri, 21 Apr 2017 15:26:30 -0400
-Subject: [2/2] nfsd: stricter decoding of write-like NFSv2/v3 ops
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-The NFSv2/v3 code does not systematically check whether we decode past
-the end of the buffer. This generally appears to be harmless, but there
-are a few places where we do arithmetic on the pointers involved and
-don't account for the possibility that a length could be negative. Add
-checks to catch these.
-
-Reported-by: Tuomas Haanpää <thaan at synopsys.com>
-Reported-by: Ari Kauppi <ari at synopsys.com>
-Reviewed-by: NeilBrown <neilb at suse.com>
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
----
- fs/nfsd/nfs3xdr.c | 4 ++++
- fs/nfsd/nfsxdr.c | 2 ++
- 2 files changed, 6 insertions(+)
-
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -363,6 +363,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
- args->count = ntohl(*p++);
- args->stable = ntohl(*p++);
- len = args->len = ntohl(*p++);
-+ if ((void *)p > head->iov_base + head->iov_len)
-+ return 0;
- /*
- * The count must equal the amount of data passed.
- */
-@@ -467,6 +469,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
- /* first copy and check from the first page */
- old = (char*)p;
- vec = &rqstp->rq_arg.head[0];
-+ if ((void *)old > vec->iov_base + vec->iov_len)
-+ return 0;
- avail = vec->iov_len - (old - (char*)vec->iov_base);
- while (len && avail && *old) {
- *new++ = *old++;
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -298,6 +298,8 @@ nfssvc_decode_writeargs(struct svc_rqst
- * bytes.
- */
- hdr = (void*)p - head->iov_base;
-+ if (hdr > head->iov_len)
-+ return 0;
- dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
-
- /*
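Review bot: in the nfs3svc_decode_writeargs hunk the bounds test `(void *)p > head->iov_base + head->iov_len` comes after the three `ntohl(*p++)` reads of count, stable and len, so it detects the overrun rather than preventing the reads; that is only acceptable if the head buffer has slack beyond iov_len, which the hunk does not show, and the same applies to the `old` check in the symlinkargs hunk. The nfsxdr.c variant compares `hdr > head->iov_len` before computing `dlen`, so `dlen` can no longer go negative, matching the description.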
diff --git a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch b/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
deleted file mode 100644
index c0c417c..0000000
--- a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From: "J. Bruce Fields" <bfields at redhat.com>
-Date: Tue, 25 Apr 2017 16:21:34 -0400
-Subject: [1/2] nfsd4: minor NFSv2/v3 write decoding cleanup
-Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
-
-Use a couple shortcuts that will simplify a following bugfix.
-
-Cc: stable at vger.kernel.org
-Signed-off-by: J. Bruce Fields <bfields at redhat.com>
-[bwh: Backported to 3.2: in nfs3svc_decode_writeargs(), dlen doesn't include
- tail]
----
- fs/nfsd/nfs3xdr.c | 9 +++++----
- fs/nfsd/nfsxdr.c | 8 ++++----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
---- a/fs/nfsd/nfs3xdr.c
-+++ b/fs/nfsd/nfs3xdr.c
-@@ -354,6 +354,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
- {
- unsigned int len, v, hdr, dlen;
- u32 max_blocksize = svc_max_payload(rqstp);
-+ struct kvec *head = rqstp->rq_arg.head;
-
- if (!(p = decode_fh(p, &args->fh)))
- return 0;
-@@ -372,9 +373,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
- * Check to make sure that we got the right number of
- * bytes.
- */
-- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
-- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
-- - hdr;
-+ hdr = (void*)p - head->iov_base;
-+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
- /*
- * Round the length of the data which was specified up to
- * the next multiple of XDR units and then compare that
-@@ -391,7 +391,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
- len = args->len = max_blocksize;
- }
- rqstp->rq_vec[0].iov_base = (void*)p;
-- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- v = 0;
- while (len > rqstp->rq_vec[v].iov_len) {
- len -= rqstp->rq_vec[v].iov_len;
---- a/fs/nfsd/nfsxdr.c
-+++ b/fs/nfsd/nfsxdr.c
-@@ -277,6 +277,7 @@ nfssvc_decode_writeargs(struct svc_rqst
- struct nfsd_writeargs *args)
- {
- unsigned int len, hdr, dlen;
-+ struct kvec *head = rqstp->rq_arg.head;
- int v;
-
- if (!(p = decode_fh(p, &args->fh)))
-@@ -296,9 +297,8 @@ nfssvc_decode_writeargs(struct svc_rqst
- * Check to make sure that we got the right number of
- * bytes.
- */
-- hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
-- dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
-- - hdr;
-+ hdr = (void*)p - head->iov_base;
-+ dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
-
- /*
- * Round the length of the data which was specified up to
-@@ -312,7 +312,7 @@ nfssvc_decode_writeargs(struct svc_rqst
- return 0;
-
- rqstp->rq_vec[0].iov_base = (void*)p;
-- rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
-+ rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
- v = 0;
- while (len > rqstp->rq_vec[v].iov_len) {
- len -= rqstp->rq_vec[v].iov_len;
diff --git a/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch b/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
deleted file mode 100644
index f5991e2..0000000
--- a/debian/patches/bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 15 Aug 2014 09:16:04 -0700
-Subject: packet: handle too big packets for PACKET_V3
-Origin: https://git.kernel.org/linus/dc808110bb62b64a448696ecac3938902c92e1ab
-
-af_packet can currently overwrite kernel memory by out of bound
-accesses, because it assumed a [new] block can always hold one frame.
-
-This is not generally the case, even if most existing tools do it right.
-
-This patch clamps too long frames as API permits, and issue a one time
-error on syslog.
-
-[ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82
-
-In this example, packet header tp_snaplen was set to 3966,
-and tp_len was set to 5042 (skb->len)
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
-Acked-by: Daniel Borkmann <dborkman at redhat.com>
-Acked-by: Neil Horman <nhorman at tuxdriver.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust filename]
----
---- a/net/packet/af_packet.c
-+++ b/net/packet/af_packet.c
-@@ -195,6 +195,7 @@ struct tpacket_kbdq_core {
- char *pkblk_start;
- char *pkblk_end;
- int kblk_size;
-+ unsigned int max_frame_len;
- unsigned int knum_blocks;
- uint64_t knxt_seq_num;
- char *prev;
-@@ -616,6 +617,7 @@ static void init_prb_bdqc(struct packet_
- p1->tov_in_jiffies = msecs_to_jiffies(p1->retire_blk_tov);
- p1->blk_sizeof_priv = req_u->req3.tp_sizeof_priv;
-
-+ p1->max_frame_len = p1->kblk_size - BLK_PLUS_PRIV(p1->blk_sizeof_priv);
- prb_init_ft_ops(p1, req_u);
- prb_setup_retire_blk_timer(po, tx_ring);
- prb_open_block(p1, pbd);
-@@ -1775,6 +1777,18 @@ static int tpacket_rcv(struct sk_buff *s
- if ((int)snaplen < 0)
- snaplen = 0;
- }
-+ } else if (unlikely(macoff + snaplen >
-+ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
-+ u32 nval;
-+
-+ nval = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len - macoff;
-+ pr_err_once("tpacket_rcv: packet too big, clamped from %u to %u. macoff=%u\n",
-+ snaplen, nval, macoff);
-+ snaplen = nval;
-+ if (unlikely((int)snaplen < 0)) {
-+ snaplen = 0;
-+ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
-+ }
- }
- spin_lock(&sk->sk_receive_queue.lock);
- h.raw = packet_current_rx_frame(po, skb,
-@@ -3622,6 +3636,10 @@ static int packet_set_ring(struct sock *
- goto out;
- if (unlikely(req->tp_block_size & (PAGE_SIZE - 1)))
- goto out;
-+ if (po->tp_version >= TPACKET_V3 &&
-+ (int)(req->tp_block_size -
-+ BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
-+ goto out;
- if (unlikely(req->tp_frame_size < po->tp_hdrlen +
- po->tp_reserve))
- goto out;
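Review bot: in the tpacket_rcv hunk `nval` is a u32, so when macoff exceeds max_frame_len the subtraction wraps and only the following `(int)snaplen < 0` test recovers by zeroing snaplen and pinning macoff; the two statements must stay together and a comment saying why would help. The packet_set_ring hunk's `(int)(tp_block_size - BLK_PLUS_PRIV(...)) <= 0` is the signed-cast check that net-packet-fix-overflow-in-check-for-priv-area-size (deleted above) later corrects, so the two files must be dropped together.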
diff --git a/debian/patches/bugfix/all/ping-implement-proper-locking.patch b/debian/patches/bugfix/all/ping-implement-proper-locking.patch
deleted file mode 100644
index d403747..0000000
--- a/debian/patches/bugfix/all/ping-implement-proper-locking.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Fri, 24 Mar 2017 19:36:13 -0700
-Subject: ping: implement proper locking
-Origin: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-2671
-
-We got a report of yet another bug in ping
-
-http://www.openwall.com/lists/oss-security/2017/03/24/6
-
-->disconnect() is not called with socket lock held.
-
-Fix this by acquiring ping rwlock earlier.
-
-Thanks to Daniel, Alexander and Andrey for letting us know this problem.
-
-Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Daniel Jiang <danieljiang0415 at gmail.com>
-Reported-by: Solar Designer <solar at openwall.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-[bwh: Backported to 3.2: adjust context]
----
- net/ipv4/ping.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/net/ipv4/ping.c
-+++ b/net/ipv4/ping.c
-@@ -135,16 +135,17 @@ static void ping_v4_hash(struct sock *sk
- static void ping_v4_unhash(struct sock *sk)
- {
- struct inet_sock *isk = inet_sk(sk);
-+
- pr_debug("ping_v4_unhash(isk=%p,isk->num=%u)\n", isk, isk->inet_num);
-+ write_lock_bh(&ping_table.lock);
- if (sk_hashed(sk)) {
-- write_lock_bh(&ping_table.lock);
- hlist_nulls_del(&sk->sk_nulls_node);
- sk_nulls_node_init(&sk->sk_nulls_node);
- sock_put(sk);
- isk->inet_num = isk->inet_sport = 0;
- sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1);
-- write_unlock_bh(&ping_table.lock);
- }
-+ write_unlock_bh(&ping_table.lock);
- }
-
- static struct sock *ping_v4_lookup(struct net *net, u32 saddr, u32 daddr,
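Review bot: moving `write_lock_bh(&ping_table.lock)` ahead of the `sk_hashed(sk)` test makes the lock unconditional, so the unlock after the block must be unconditional too, which the hunk does; `pr_debug()` stays outside the locked region, which is correct. Dropping this file assumes 3.2.89 contains 43a6684519ab, the Origin commit named above.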
diff --git a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
deleted file mode 100644
index 3f5353c..0000000
--- a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Eric Dumazet <edumazet at google.com>
-Date: Wed, 17 May 2017 07:16:40 -0700
-Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
-Origin: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075
-
-SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
-ipv6_mc_list from parent"), otherwise bad things can happen.
-
-Signed-off-by: Eric Dumazet <edumazet at google.com>
-Reported-by: Andrey Konovalov <andreyknvl at google.com>
-Tested-by: Andrey Konovalov <andreyknvl at google.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
----
- net/sctp/ipv6.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/sctp/ipv6.c
-+++ b/net/sctp/ipv6.c
-@@ -655,6 +655,9 @@ static struct sock *sctp_v6_create_accep
- newnp = inet6_sk(newsk);
-
- memcpy(newnp, np, sizeof(struct ipv6_pinfo));
-+ newnp->ipv6_mc_list = NULL;
-+ newnp->ipv6_ac_list = NULL;
-+ newnp->ipv6_fl_list = NULL;
-
- rcu_read_lock();
- opt = rcu_dereference(np->opt);
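Review bot: the three list pointers are NULLed immediately after the `memcpy(newnp, np, sizeof(struct ipv6_pinfo))`, so the child socket no longer shares the parent's mc/ac/fl lists; `opt` is re-derived under rcu_read_lock in the following context lines, so it is unaffected. Any other pointer member copied wholesale by that memcpy would need the same treatment, which this hunk does not address.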
diff --git a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch b/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
deleted file mode 100644
index d44c388..0000000
--- a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Amey Telawane <ameyt at codeaurora.org>
-Date: Wed, 3 May 2017 15:41:14 +0530
-Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
-Origin: https://git.kernel.org/linus/e09e28671cda63e6308b31798b997639120e2a21
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0605
-
-Strcpy is inherently not safe, and strlcpy() should be used instead.
-__trace_find_cmdline() uses strcpy() because the comms saved must have a
-terminating nul character, but it doesn't hurt to add the extra protection
-of using strlcpy() instead of strcpy().
-
-Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
-
-Signed-off-by: Amey Telawane <ameyt at codeaurora.org>
-[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
-https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
-Signed-off-by: Amit Pundir <amit.pundir at linaro.org>
-[ Updated change log and removed the "- 1" from len parameter ]
-Signed-off-by: Steven Rostedt (VMware) <rostedt at goodmis.org>
-[bwh: Backported to 3.2: adjust context]
----
- kernel/trace/trace.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/kernel/trace/trace.c
-+++ b/kernel/trace/trace.c
-@@ -1100,7 +1100,7 @@ void trace_find_cmdline(int pid, char co
- arch_spin_lock(&trace_cmdline_lock);
- map = map_pid_to_cmdline[pid];
- if (map != NO_CMDLINE_MAP)
-- strcpy(comm, saved_cmdlines[map]);
-+ strlcpy(comm, saved_cmdlines[map], TASK_COMM_LEN);
- else
- strcpy(comm, "<...>");
-
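Review bot: the hunk bounds the copy of saved_cmdlines[map] with TASK_COMM_LEN, which assumes `comm` is at least TASK_COMM_LEN bytes (its declaration is outside the hunk); the else branch `strcpy(comm, "<...>")` two lines below is left as strcpy. It copies a fixed five-byte literal so it cannot overflow, but using the same strlcpy form there would make the function uniformly bounded.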
diff --git a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch b/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
deleted file mode 100644
index a880c1f..0000000
--- a/debian/patches/bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Tue, 7 Mar 2017 16:11:03 +0100
-Subject: USB: iowarrior: fix NULL-deref at probe
-Origin: https://git.kernel.org/linus/b7321e81fc369abe353cf094d4f0dc2fe11ab95f
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2016-2188
-
-Make sure to check for the required interrupt-in endpoint to avoid
-dereferencing a NULL-pointer should a malicious device lack such an
-endpoint.
-
-Note that a fairly recent change purported to fix this issue, but added
-an insufficient test on the number of endpoints only, a test which can
-now be removed.
-
-Fixes: 4ec0ef3a8212 ("USB: iowarrior: fix oops with malicious USB descriptors")
-Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
-Cc: stable <stable at vger.kernel.org> # 2.6.21
-Signed-off-by: Johan Hovold <johan at kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
-[bwh: Backported to 3.2: adjust context]
----
- drivers/usb/misc/iowarrior.c | 13 +++++++------
- 1 file changed, 7 insertions(+), 6 deletions(-)
-
---- a/drivers/usb/misc/iowarrior.c
-+++ b/drivers/usb/misc/iowarrior.c
-@@ -792,12 +792,6 @@ static int iowarrior_probe(struct usb_in
- iface_desc = interface->cur_altsetting;
- dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
-
-- if (iface_desc->desc.bNumEndpoints < 1) {
-- dev_err(&interface->dev, "Invalid number of endpoints\n");
-- retval = -EINVAL;
-- goto error;
-- }
--
- /* set up the endpoint information */
- for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
- endpoint = &iface_desc->endpoint[i].desc;
-@@ -808,6 +802,13 @@ static int iowarrior_probe(struct usb_in
- /* this one will match for the IOWarrior56 only */
- dev->int_out_endpoint = endpoint;
- }
-+
-+ if (!dev->int_in_endpoint) {
-+ dev_err(&interface->dev, "no interrupt-in endpoint found\n");
-+ retval = -ENODEV;
-+ goto error;
-+ }
-+
- /* we have to check the report_size often, so remember it in the endianess suitable for our machine */
- dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
- if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
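Review bot: the probe hunk replaces the count-only `bNumEndpoints < 1` test with a check that `int_in_endpoint` was actually found after the loop, which is the right test since the loop may see only endpoints of other types. `int_out_endpoint` remains unchecked; the in-loop comment says it exists only on the IOWarrior56, so any later use of it needs its own NULL test, which is outside this hunk.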
diff --git a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch b/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
deleted file mode 100644
index 1d0c295..0000000
--- a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Mon, 6 Mar 2017 17:36:40 +0100
-Subject: USB: serial: io_ti: fix information leak in completion handler
-Origin: https://git.kernel.org/linus/654b404f2a222f918af9b0cd18ad469d0c941a8e
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8924
-
-Add missing sanity check to the bulk-in completion handler to avoid an
-integer underflow that can be triggered by a malicious device.
-
-This avoids leaking 128 kB of memory content from after the URB transfer
-buffer to user space.
-
-Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
-Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
-Cc: stable <stable at vger.kernel.org> # 2.6.30
-Signed-off-by: Johan Hovold <johan at kernel.org>
----
- drivers/usb/serial/io_ti.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/usb/serial/io_ti.c
-+++ b/drivers/usb/serial/io_ti.c
-@@ -1762,7 +1762,7 @@ static void edge_bulk_in_callback(struct
-
- port_number = edge_port->port->number - edge_port->port->serial->minor;
-
-- if (edge_port->lsr_event) {
-+ if (urb->actual_length > 0 && edge_port->lsr_event) {
- edge_port->lsr_event = 0;
- dbg("%s ===== Port %u LSR Status = %02x, Data = %02x ======",
- __func__, port_number, edge_port->lsr_mask, *data);
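Review bot: the added `urb->actual_length > 0` guard precedes the `*data` dereference in the dbg() line, but the integer underflow the description names is in code beyond the hunk's context, so the hunk alone does not show that every use of actual_length in edge_bulk_in_callback() is covered; a backporter should check the rest of the handler.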
diff --git a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch b/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
deleted file mode 100644
index d8d2ab6..0000000
--- a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: Johan Hovold <johan at kernel.org>
-Date: Mon, 6 Mar 2017 17:36:38 +0100
-Subject: USB: serial: omninet: fix reference leaks at open
-Origin: https://git.kernel.org/linus/30572418b445d85fcfe6c8fe84c947d2606767d8
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8925
-
-This driver needlessly took another reference to the tty on open, a
-reference which was then never released on close. This lead to not just
-a leak of the tty, but also a driver reference leak that prevented the
-driver from being unloaded after a port had once been opened.
-
-Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
-Cc: stable <stable at vger.kernel.org> # 2.6.28
-Signed-off-by: Johan Hovold <johan at kernel.org>
-[bwh: Backported to 3.2:
- - The 'serial' variable is still needed for other initialisation
- - Adjust context]
----
---- a/drivers/usb/serial/omninet.c
-+++ b/drivers/usb/serial/omninet.c
-@@ -171,14 +171,10 @@ static int omninet_attach(struct usb_ser
- static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
- {
- struct usb_serial *serial = port->serial;
-- struct usb_serial_port *wport;
- int result = 0;
-
- dbg("%s - port %d", __func__, port->number);
-
-- wport = serial->port[1];
-- tty_port_tty_set(&wport->port, tty);
--
- /* Start reading from the device */
- usb_fill_bulk_urb(port->read_urb, serial->dev,
- usb_rcvbulkpipe(serial->dev,
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
deleted file mode 100644
index 59f64e6..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Thu, 23 Mar 2017 07:45:44 +0000
-Subject: [2/2] xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
-Origin: https://git.kernel.org/linus/f843ee6dd019bcece3e74e76ad9df0155655d0df
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
-wrapping issues. To ensure we are correctly ensuring that the two ESN
-structures are the same size compare both the overall size as reported
-by xfrm_replay_state_esn_len() and the internal length are the same.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
-Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/xfrm/xfrm_user.c | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -390,7 +390,11 @@ static inline int xfrm_replay_verify_len
- up = nla_data(rp);
- ulen = xfrm_replay_state_esn_len(up);
-
-- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
-+ /* Check the overall length and the internal bitmap length to avoid
-+ * potential overflow. */
-+ if (nla_len(rp) < ulen ||
-+ xfrm_replay_state_esn_len(replay_esn) != ulen ||
-+ replay_esn->bmp_len != up->bmp_len)
- return -EINVAL;
-
- if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
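Review bot: this is [2/2] of the CVE-2017-7184 pair and its trailing context line 'if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)' only exists once the [1/2] patch has been applied, so the two files must leave together (they do) and both upstream commits, f843ee6dd019 here and 677e806da4d9 for [1/2], must be present in 3.2.89; if only one is, xfrm_replay_verify_len() silently loses either the replay_window bound or the 'replay_esn->bmp_len != up->bmp_len' comparison. Cite CVE-2017-7184 in debian/changelog when the files go.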
diff --git a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch b/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
deleted file mode 100644
index 296b110..0000000
--- a/debian/patches/bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From: Andy Whitcroft <apw at canonical.com>
-Date: Wed, 22 Mar 2017 07:29:31 +0000
-Subject: [1/2] xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL
- replay_window
-Origin: https://git.kernel.org/linus/677e806da4d916052585301785d847c3b3e6186a
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7184
-
-When a new xfrm state is created during an XFRM_MSG_NEWSA call we
-validate the user supplied replay_esn to ensure that the size is valid
-and to ensure that the replay_window size is within the allocated
-buffer. However later it is possible to update this replay_esn via a
-XFRM_MSG_NEWAE call. There we again validate the size of the supplied
-buffer matches the existing state and if so inject the contents. We do
-not at this point check that the replay_window is within the allocated
-memory. This leads to out-of-bounds reads and writes triggered by
-netlink packets. This leads to memory corruption and the potential for
-priviledge escalation.
-
-We already attempt to validate the incoming replay information in
-xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
-is not trying to change the size of the replay state buffer which
-includes the replay_esn. It however does not check the replay_window
-remains within that buffer. Add validation of the contained
-replay_window.
-
-CVE-2017-7184
-Signed-off-by: Andy Whitcroft <apw at canonical.com>
-Acked-by: Steffen Klassert <steffen.klassert at secunet.com>
-Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
----
- net/xfrm/xfrm_user.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/net/xfrm/xfrm_user.c
-+++ b/net/xfrm/xfrm_user.c
-@@ -393,6 +393,9 @@ static inline int xfrm_replay_verify_len
- if (nla_len(rp) < ulen || xfrm_replay_state_esn_len(replay_esn) != ulen)
- return -EINVAL;
-
-+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
-+ return -EINVAL;
-+
- return 0;
- }
-
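Review bot: the check added at '+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)' bounds replay_window against the bmp_len taken from the user-supplied 'up', not against the stored state, which is exactly the gap the [2/2] patch closes; when verifying that 3.2.89 contains 677e806da4d9, verify it contains f843ee6dd019 as well, because the first fix on its own leaves the supplied and stored bmp_len unchecked against each other.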
diff --git a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index a710645..0000000
--- a/debian/patches/bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Li Qiang <liq3ea at gmail.com>
-Date: Mon, 27 Mar 2017 20:10:53 -0700
-Subject: drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7294
-
-In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
-'req->mip_levels' array. This array can be assigned any value from
-the user space. As both the 'num_sizes' and the array is uint32_t,
-it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
-used as the loop count. This can lead an oob write. Add the check of
-'req->mip_levels' to avoid this.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Li Qiang <liqiang6-s at 360.cn>
-Reviewed-by: Thomas Hellstrom <thellstrom at vmware.com>
-[bwh: Backported to 3.2: adjust filename]
----
- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-@@ -1304,8 +1304,11 @@ int vmw_surface_define_ioctl(struct drm_
- 128;
-
- num_sizes = 0;
-- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
-+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
-+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
-+ return -EINVAL;
- num_sizes += req->mip_levels[i];
-+ }
-
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
- num_sizes == 0)
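Review bot: the trailing context 'if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||' / 'num_sizes == 0)' is the form produced by the NULL-dereference patch (36274ab8c596), so this file only applies on top of that one and both have to be dropped in the same commit; removal also requires that 3.2.89 contain e7e11f995642 from the Origin: line, since the per-face 'req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS' check is what stops the uint32_t 'num_sizes' sum from wrapping and the post-loop upper-bound check alone does not replace it. CVE-2017-7294 belongs in debian/changelog.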
diff --git a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch b/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
deleted file mode 100644
index d7fbb06..0000000
--- a/debian/patches/bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Murray McAllister <murray.mcallister at insomniasec.com>
-Date: Mon, 27 Mar 2017 11:12:53 +0200
-Subject: drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
-Origin: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7261
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Cc: <stable at vger.kernel.org>
-Signed-off-by: Murray McAllister <murray.mcallister at insomniasec.com>
-Reviewed-by: Sinclair Yeh <syeh at vmware.com>
-[bwh: Backported to 3.2: adjust filename]
----
- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-@@ -1307,8 +1307,8 @@ int vmw_surface_define_ioctl(struct drm_
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+ num_sizes == 0)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
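Review bot: 3.2.89 must carry 36274ab8c596 from the Origin: line before this is dropped, and the '[bwh: Backported to 3.2: adjust filename]' note means the 3.2 copy lives in drivers/gpu/drm/vmwgfx/vmwgfx_resource.c rather than the upstream path, so confirm the 'num_sizes == 0' rejection actually landed in that file in the stable tree rather than only in the renamed upstream one. CVE-2017-7261 belongs in debian/changelog.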
diff --git a/debian/patches/series b/debian/patches/series
index a371fc7..c509b9b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1107,41 +1107,8 @@ bugfix/all/netfilter-ipset-Check-and-reject-crazy-0-input-param.patch
bugfix/all/KEYS-Don-t-permit-request_key-to-construct-a-new-key.patch
bugfix/all/ecryptfs-fix-handling-of-directory-opening.patch
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
-bugfix/all/usb-iowarrior-fix-null-deref-at-probe.patch
-bugfix/all/keys-special-dot-prefixed-keyring-name-bug-fix.patch
-bugfix/all/keys-reinstate-eperm-for-a-key-type-name-beginning-w.patch
-bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
-bugfix/all/ping-implement-proper-locking.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-xfrma_replay_esn_val-replay_window.patch
-bugfix/all/xfrm_user-validate-xfrm_msg_newae-incoming-esn-size-harder.patch
-bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
-bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
-bugfix/all/packet-handle-too-big-packets-for-packet_v3.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-priv-area-size.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_frame_nr.patch
-bugfix/all/net-packet-fix-overflow-in-check-for-tp_reserve.patch
-bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
-bugfix/all/mm-mempolicy.c-fix-error-handling-in-set_mempolicy-a.patch
-bugfix/all/crypto-ahash-fully-restore-ahash-request-before-comp.patch
-bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
-bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
-bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
-bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
-bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
-bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
-bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
-bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
-bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
-bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
-bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
-bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
-bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
-bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch
bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch
-bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
-bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
-bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
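Review bot: every series entry removed here must have its patch file deleted in the same commit, otherwise debian/patches keeps orphaned files that quilt never applies; of the names dropped, only the xfrm_user, vmwgfx and omninet files have deletions visible in the diff above, so the rest (usb-iowarrior-fix-null-deref-at-probe.patch, ping-implement-proper-locking.patch, tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch, usb-serial-io_ti-fix-information-leak-in-completion-.patch, sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch and the others) should be checked against the full diffstat. The two entries kept in the middle of the removed block, 'bugfix/all/ipv6-xfrm-handle-errors-reported-by-xfrm6_find_1stfr.patch' and 'bugfix/all/ipv6-fix-leak-in-ipv6_gso_segment.patch', are presumably not yet in 3.2.89 and deserve a changelog remark so they are not dropped later by pattern.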
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git