[linux] 01/01: Add various security fixes

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Wed May 31 14:26:54 UTC 2017



benh pushed a commit to branch wheezy-security
in repository linux.

commit 0b956005ba7a625cbf18b070e0b1ce75ff81964a
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed May 31 14:51:47 2017 +0100

    Add various security fixes
---
 debian/changelog                                   |  20 ++
 ...cp-tcp-do-not-inherit-mc_list-from-parent.patch |  38 ++++
 ...ip6_find_1stfragopt-return-value-properly.patch |  81 ++++++++
 ...p-do-not-inherit-ipv6_mc_list-from-parent.patch |  60 ++++++
 ...-out-of-bound-writes-in-__ip6_append_data.patch |  62 ++++++
 ...nt-overrun-when-parsing-v6-header-options.patch | 214 +++++++++++++++++++++
 .../ipx-call-ipxitf_put-in-ioctl-error-path.patch  |  34 ++++
 ...sd-check-for-oversized-nfsv2-v3-arguments.patch |  99 ++++++++++
 ...icter-decoding-of-write-like-nfsv2-v3-ops.patch |  56 ++++++
 ...sd4-minor-nfsv2-v3-write-decoding-cleanup.patch |  79 ++++++++
 ...-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch |  29 +++
 ...-strlcpy-instead-of-strcpy-in-__trace_fin.patch |  35 ++++
 ...io_ti-fix-information-leak-in-completion-.patch |  31 +++
 ...erial-omninet-fix-reference-leaks-at-open.patch |  35 ++++
 debian/patches/series                              |  13 ++
 15 files changed, 886 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index c8c5e2e..5829be4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,23 @@
+linux (3.2.88-2) UNRELEASED; urgency=medium
+
+  * tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
+    (CVE-2017-0605)
+  * ipx: call ipxitf_put() in ioctl error path (CVE-2017-7487
+  * nfsd: check for oversized NFSv2/v3 arguments (CVE-2017-7645)
+  * nfsd4: minor NFSv2/v3 write decoding cleanup
+  * nfsd: stricter decoding of write-like NFSv2/v3 ops (CVE-2017-7895)
+  * dccp/tcp: do not inherit mc_list from parent (CVE-2017-8890)
+  * USB: serial: io_ti: fix information leak in completion handler
+    (CVE-2017-8924)
+  * USB: serial: omninet: fix reference leaks at open (CVE-2017-8925)
+  * ipv6: Prevent overrun when parsing v6 header options (CVE-2017-9074)
+  * sctp: do not inherit ipv6_{mc|ac|fl}_list from parent (CVE-2017-9075)
+  * ipv6/dccp: do not inherit ipv6_mc_list from parent (CVE-2017-9076,
+    CVE-2017-9077)
+  * ipv6: fix out of bound writes in __ip6_append_data() (CVE-2017-9242)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Wed, 31 May 2017 11:48:09 +0100
+
 linux (3.2.88-1) wheezy-security; urgency=high
 
   * New upstream stable update:
diff --git a/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
new file mode 100644
index 0000000..65b151e
--- /dev/null
+++ b/debian/patches/bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
@@ -0,0 +1,38 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Tue, 9 May 2017 06:29:19 -0700
+Subject: dccp/tcp: do not inherit mc_list from parent
+Origin: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8890
+
+syzkaller found a way to trigger double frees from ip_mc_drop_socket()
+
+It turns out that leave a copy of parent mc_list at accept() time,
+which is very bad.
+
+Very similar to commit 8b485ce69876 ("tcp: do not inherit
+fastopen_req from parent")
+
+Initial report from Pray3r, completed by Andrey one.
+Thanks a lot to them !
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Pray3r <pray3r.z at gmail.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+---
+ net/ipv4/inet_connection_sock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/inet_connection_sock.c
++++ b/net/ipv4/inet_connection_sock.c
+@@ -604,6 +604,8 @@ struct sock *inet_csk_clone(struct sock
+ 		inet_sk(newsk)->inet_sport = inet_rsk(req)->loc_port;
+ 		newsk->sk_write_space = sk_stream_write_space;
+ 
++		inet_sk(newsk)->mc_list = NULL;
++
+ 		newicsk->icsk_retransmits = 0;
+ 		newicsk->icsk_backoff	  = 0;
+ 		newicsk->icsk_probes_out  = 0;
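Review bot: The new `inet_sk(newsk)->mc_list = NULL;` in inet_csk_clone() carries no explanation of why a pointer just copied from the listener must be dropped, and the reason (the multicast memberships are owned by the parent socket and would otherwise be released a second time through ip_mc_drop_socket(), as the patch description says) is not obvious from the line itself. A one-line comment above the assignment would stop a later reader from treating it as a stray reset: `/* Multicast memberships belong to the listener; a shared mc_list would be freed twice via ip_mc_drop_socket(). */`. The same remark applies to the ipv6_mc_list/ipv6_ac_list/ipv6_fl_list assignments in the ipv6/dccp patch further down this commit. inet_csk_clone's body starts and ends outside this hunk.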
diff --git a/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch b/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
new file mode 100644
index 0000000..9a1f54d
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
@@ -0,0 +1,81 @@
+From: "David S. Miller" <davem at davemloft.net>
+Date: Wed, 17 May 2017 22:54:11 -0400
+Subject: ipv6: Check ip6_find_1stfragopt() return value properly.
+Origin: https://git.kernel.org/linus/7dd7eb9513bd02184d45f000ab69d78cb1fa1531
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+Do not use unsigned variables to see if it returns a negative
+error or not.
+
+Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
+Reported-by: Julia Lawall <julia.lawall at lip6.fr>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust filenames, context]
+---
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -785,7 +785,6 @@ static struct sk_buff *ipv6_gso_segment(
+ 	const struct inet6_protocol *ops;
+ 	int proto;
+ 	struct frag_hdr *fptr;
+-	unsigned int unfrag_ip6hlen;
+ 	u8 *prevhdr;
+ 	int offset = 0;
+ 
+@@ -824,11 +823,11 @@ static struct sk_buff *ipv6_gso_segment(
+ 		ipv6h->payload_len = htons(skb->len - skb->mac_len -
+ 					   sizeof(*ipv6h));
+ 		if (proto == IPPROTO_UDP) {
+-			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-			if (unfrag_ip6hlen < 0)
+-				return ERR_PTR(unfrag_ip6hlen);
++			int err = ip6_find_1stfragopt(skb, &prevhdr);
++			if (err < 0)
++				return ERR_PTR(err);
+ 			fptr = (struct frag_hdr *)(skb_network_header(skb) +
+-				unfrag_ip6hlen);
++				err);
+ 			fptr->frag_off = htons(offset);
+ 			if (skb->next != NULL)
+ 				fptr->frag_off |= htons(IP6_MF);
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -631,11 +631,10 @@ int ip6_fragment(struct sk_buff *skb, in
+ 	u8 *prevhdr, nexthdr = 0;
+ 	struct net *net = dev_net(skb_dst(skb)->dev);
+ 
+-	hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-	if (hlen < 0) {
+-		err = hlen;
++	err = ip6_find_1stfragopt(skb, &prevhdr);
++	if (err < 0)
+ 		goto fail;
+-	}
++	hlen = err;
+ 	nexthdr = *prevhdr;
+ 
+ 	mtu = ip6_skb_dst_mtu(skb);
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1316,6 +1316,7 @@ static struct sk_buff *udp6_ufo_fragment
+ 	u8 frag_hdr_sz = sizeof(struct frag_hdr);
+ 	int offset;
+ 	__wsum csum;
++	int err;
+ 
+ 	mss = skb_shinfo(skb)->gso_size;
+ 	if (unlikely(skb->len <= mss))
+@@ -1352,9 +1353,10 @@ static struct sk_buff *udp6_ufo_fragment
+ 	/* Find the unfragmentable header and shift it left by frag_hdr_sz
+ 	 * bytes to insert fragment header.
+ 	 */
+-	unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
+-	if (unfrag_ip6hlen < 0)
+-		return ERR_PTR(unfrag_ip6hlen);
++	err = ip6_find_1stfragopt(skb, &prevhdr);
++	if (err < 0)
++		return ERR_PTR(err);
++	unfrag_ip6hlen = err;
+ 	nexthdr = *prevhdr;
+ 	*prevhdr = NEXTHDR_FRAGMENT;
+ 	unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
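Review bot: The three ip6_find_1stfragopt() call sites now handle the result in two different shapes: ipv6_gso_segment() deletes its unsigned `unfrag_ip6hlen` and uses a local named `err` as a header offset in pointer arithmetic (`skb_network_header(skb) + err`), whereas udp6_ufo_fragment() and ip6_fragment() keep their length variable and copy `err` into it after the sign check. The gso site would read more clearly, and match the other two, if the deleted declaration were replaced by `int unfrag_ip6hlen;` and the existing `unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);` / `if (unfrag_ip6hlen < 0) return ERR_PTR(unfrag_ip6hlen);` lines were left in place, so the offset keeps its name. In ip6_fragment() the declarations of `err` and `hlen` are outside the hunk; it is worth confirming that `err` is a function-scope `int` there and that `hlen` still holds the returned length correctly. All three functions start and end outside this hunk.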
diff --git a/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
new file mode 100644
index 0000000..01c6a47
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
@@ -0,0 +1,60 @@
+From: WANG Cong <xiyou.wangcong at gmail.com>
+Date: Tue, 9 May 2017 16:59:54 -0700
+Subject: ipv6/dccp: do not inherit ipv6_mc_list from parent
+Origin: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9076
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9077
+
+Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
+we should clear ipv6_mc_list etc. for IPv6 sockets too.
+
+Cc: Eric Dumazet <edumazet at google.com>
+Signed-off-by: Cong Wang <xiyou.wangcong at gmail.com>
+Acked-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: adjust context]
+---
+ net/dccp/ipv6.c     | 6 ++++++
+ net/ipv6/tcp_ipv6.c | 2 ++
+ 2 files changed, 8 insertions(+)
+
+--- a/net/dccp/ipv6.c
++++ b/net/dccp/ipv6.c
+@@ -499,6 +499,9 @@ static struct sock *dccp_v6_request_recv
+ 		newsk->sk_backlog_rcv = dccp_v4_do_rcv;
+ 		newnp->pktoptions  = NULL;
+ 		newnp->opt	   = NULL;
++		newnp->ipv6_mc_list = NULL;
++		newnp->ipv6_ac_list = NULL;
++		newnp->ipv6_fl_list = NULL;
+ 		newnp->mcast_oif   = inet6_iif(skb);
+ 		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
+ 
+@@ -574,6 +577,9 @@ static struct sock *dccp_v6_request_recv
+ 	/* Clone RX bits */
+ 	newnp->rxopt.all = np->rxopt.all;
+ 
++	newnp->ipv6_mc_list = NULL;
++	newnp->ipv6_ac_list = NULL;
++	newnp->ipv6_fl_list = NULL;
+ 	/* Clone pktoptions received with SYN */
+ 	newnp->pktoptions = NULL;
+ 	if (ireq6->pktopts != NULL) {
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -1386,6 +1386,7 @@ static struct sock * tcp_v6_syn_recv_soc
+ 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
+ #endif
+ 
++		newnp->ipv6_mc_list = NULL;
+ 		newnp->ipv6_ac_list = NULL;
+ 		newnp->ipv6_fl_list = NULL;
+ 		newnp->pktoptions  = NULL;
+@@ -1451,6 +1452,7 @@ static struct sock * tcp_v6_syn_recv_soc
+ 	   First: no IPv4 options.
+ 	 */
+ 	newinet->inet_opt = NULL;
++	newnp->ipv6_mc_list = NULL;
+ 	newnp->ipv6_ac_list = NULL;
+ 	newnp->ipv6_fl_list = NULL;
+ 
diff --git a/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
new file mode 100644
index 0000000..5ef51f4
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
@@ -0,0 +1,62 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Fri, 19 May 2017 14:17:48 -0700
+Subject: ipv6: fix out of bound writes in __ip6_append_data()
+Origin: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9242
+
+Andrey Konovalov and idaifish at gmail.com reported crashes caused by
+one skb shared_info being overwritten from __ip6_append_data()
+
+Andrey program lead to following state :
+
+copy -4200 datalen 2000 fraglen 2040
+maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
+
+The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
+fraggap, 0); is overwriting skb->head and skb_shared_info
+
+Since we apparently detect this rare condition too late, move the
+code earlier to even avoid allocating skb and risking crashes.
+
+Once again, many thanks to Andrey and syzkaller team.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Reported-by: <idaifish at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv6/ip6_output.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -1416,6 +1416,11 @@ alloc_new_skb:
+ 			 */
+ 			alloclen += sizeof(struct frag_hdr);
+ 
++			copy = datalen - transhdrlen - fraggap;
++			if (copy < 0) {
++				err = -EINVAL;
++				goto error;
++			}
+ 			if (transhdrlen) {
+ 				skb = sock_alloc_send_skb(sk,
+ 						alloclen + hh_len,
+@@ -1467,13 +1472,9 @@ alloc_new_skb:
+ 				data += fraggap;
+ 				pskb_trim_unique(skb_prev, maxfraglen);
+ 			}
+-			copy = datalen - transhdrlen - fraggap;
+-
+-			if (copy < 0) {
+-				err = -EINVAL;
+-				kfree_skb(skb);
+-				goto error;
+-			} else if (copy > 0 && getfrag(from, data + transhdrlen, offset, copy, fraggap, skb) < 0) {
++			if (copy > 0 &&
++			    getfrag(from, data + transhdrlen, offset,
++				    copy, fraggap, skb) < 0) {
+ 				err = -EFAULT;
+ 				kfree_skb(skb);
+ 				goto error;
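Review bot: The early `copy = datalen - transhdrlen - fraggap;` test moved to the top of the alloc_new_skb path now runs before any skb is allocated, so dropping the `kfree_skb(skb)` from the error branch is right; but the check only protects the later `getfrag()` call if `fraggap`, `datalen` and `transhdrlen` already have their final values at that point and nothing between the two hunks recomputes `copy`, and the context shown here does not establish either. No context adjustment is noted for this backport, so it is worth reading the 3.2 body of __ip6_append_data() between lines 1421 and 1472 to confirm this holds. The `error:` label is also outside the hunk and must not assume `skb` refers to a freshly allocated buffer. __ip6_append_data() starts and ends outside this hunk.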
diff --git a/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
new file mode 100644
index 0000000..3e7a96a
--- /dev/null
+++ b/debian/patches/bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
@@ -0,0 +1,214 @@
+From: Craig Gallek <kraig at google.com>
+Date: Tue, 16 May 2017 14:36:23 -0400
+Subject: ipv6: Prevent overrun when parsing v6 header options
+Origin: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9074
+
+The KASAN warning repoted below was discovered with a syzkaller
+program.  The reproducer is basically:
+  int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP);
+  send(s, &one_byte_of_data, 1, MSG_MORE);
+  send(s, &more_than_mtu_bytes_data, 2000, 0);
+
+The socket() call sets the nexthdr field of the v6 header to
+NEXTHDR_HOP, the first send call primes the payload with a non zero
+byte of data, and the second send call triggers the fragmentation path.
+
+The fragmentation code tries to parse the header options in order
+to figure out where to insert the fragment option.  Since nexthdr points
+to an invalid option, the calculation of the size of the network header
+can made to be much larger than the linear section of the skb and data
+is read outside of it.
+
+This fix makes ip6_find_1stfrag return an error if it detects
+running out-of-bounds.
+
+[   42.361487] ==================================================================
+[   42.364412] BUG: KASAN: slab-out-of-bounds in ip6_fragment+0x11c8/0x3730
+[   42.365471] Read of size 840 at addr ffff88000969e798 by task ip6_fragment-oo/3789
+[   42.366469]
+[   42.366696] CPU: 1 PID: 3789 Comm: ip6_fragment-oo Not tainted 4.11.0+ #41
+[   42.367628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
+[   42.368824] Call Trace:
+[   42.369183]  dump_stack+0xb3/0x10b
+[   42.369664]  print_address_description+0x73/0x290
+[   42.370325]  kasan_report+0x252/0x370
+[   42.370839]  ? ip6_fragment+0x11c8/0x3730
+[   42.371396]  check_memory_region+0x13c/0x1a0
+[   42.371978]  memcpy+0x23/0x50
+[   42.372395]  ip6_fragment+0x11c8/0x3730
+[   42.372920]  ? nf_ct_expect_unregister_notifier+0x110/0x110
+[   42.373681]  ? ip6_copy_metadata+0x7f0/0x7f0
+[   42.374263]  ? ip6_forward+0x2e30/0x2e30
+[   42.374803]  ip6_finish_output+0x584/0x990
+[   42.375350]  ip6_output+0x1b7/0x690
+[   42.375836]  ? ip6_finish_output+0x990/0x990
+[   42.376411]  ? ip6_fragment+0x3730/0x3730
+[   42.376968]  ip6_local_out+0x95/0x160
+[   42.377471]  ip6_send_skb+0xa1/0x330
+[   42.377969]  ip6_push_pending_frames+0xb3/0xe0
+[   42.378589]  rawv6_sendmsg+0x2051/0x2db0
+[   42.379129]  ? rawv6_bind+0x8b0/0x8b0
+[   42.379633]  ? _copy_from_user+0x84/0xe0
+[   42.380193]  ? debug_check_no_locks_freed+0x290/0x290
+[   42.380878]  ? ___sys_sendmsg+0x162/0x930
+[   42.381427]  ? rcu_read_lock_sched_held+0xa3/0x120
+[   42.382074]  ? sock_has_perm+0x1f6/0x290
+[   42.382614]  ? ___sys_sendmsg+0x167/0x930
+[   42.383173]  ? lock_downgrade+0x660/0x660
+[   42.383727]  inet_sendmsg+0x123/0x500
+[   42.384226]  ? inet_sendmsg+0x123/0x500
+[   42.384748]  ? inet_recvmsg+0x540/0x540
+[   42.385263]  sock_sendmsg+0xca/0x110
+[   42.385758]  SYSC_sendto+0x217/0x380
+[   42.386249]  ? SYSC_connect+0x310/0x310
+[   42.386783]  ? __might_fault+0x110/0x1d0
+[   42.387324]  ? lock_downgrade+0x660/0x660
+[   42.387880]  ? __fget_light+0xa1/0x1f0
+[   42.388403]  ? __fdget+0x18/0x20
+[   42.388851]  ? sock_common_setsockopt+0x95/0xd0
+[   42.389472]  ? SyS_setsockopt+0x17f/0x260
+[   42.390021]  ? entry_SYSCALL_64_fastpath+0x5/0xbe
+[   42.390650]  SyS_sendto+0x40/0x50
+[   42.391103]  entry_SYSCALL_64_fastpath+0x1f/0xbe
+[   42.391731] RIP: 0033:0x7fbbb711e383
+[   42.392217] RSP: 002b:00007ffff4d34f28 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
+[   42.393235] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbbb711e383
+[   42.394195] RDX: 0000000000001000 RSI: 00007ffff4d34f60 RDI: 0000000000000003
+[   42.395145] RBP: 0000000000000046 R08: 00007ffff4d34f40 R09: 0000000000000018
+[   42.396056] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400aad
+[   42.396598] R13: 0000000000000066 R14: 00007ffff4d34ee0 R15: 00007fbbb717af00
+[   42.397257]
+[   42.397411] Allocated by task 3789:
+[   42.397702]  save_stack_trace+0x16/0x20
+[   42.398005]  save_stack+0x46/0xd0
+[   42.398267]  kasan_kmalloc+0xad/0xe0
+[   42.398548]  kasan_slab_alloc+0x12/0x20
+[   42.398848]  __kmalloc_node_track_caller+0xcb/0x380
+[   42.399224]  __kmalloc_reserve.isra.32+0x41/0xe0
+[   42.399654]  __alloc_skb+0xf8/0x580
+[   42.400003]  sock_wmalloc+0xab/0xf0
+[   42.400346]  __ip6_append_data.isra.41+0x2472/0x33d0
+[   42.400813]  ip6_append_data+0x1a8/0x2f0
+[   42.401122]  rawv6_sendmsg+0x11ee/0x2db0
+[   42.401505]  inet_sendmsg+0x123/0x500
+[   42.401860]  sock_sendmsg+0xca/0x110
+[   42.402209]  ___sys_sendmsg+0x7cb/0x930
+[   42.402582]  __sys_sendmsg+0xd9/0x190
+[   42.402941]  SyS_sendmsg+0x2d/0x50
+[   42.403273]  entry_SYSCALL_64_fastpath+0x1f/0xbe
+[   42.403718]
+[   42.403871] Freed by task 1794:
+[   42.404146]  save_stack_trace+0x16/0x20
+[   42.404515]  save_stack+0x46/0xd0
+[   42.404827]  kasan_slab_free+0x72/0xc0
+[   42.405167]  kfree+0xe8/0x2b0
+[   42.405462]  skb_free_head+0x74/0xb0
+[   42.405806]  skb_release_data+0x30e/0x3a0
+[   42.406198]  skb_release_all+0x4a/0x60
+[   42.406563]  consume_skb+0x113/0x2e0
+[   42.406910]  skb_free_datagram+0x1a/0xe0
+[   42.407288]  netlink_recvmsg+0x60d/0xe40
+[   42.407667]  sock_recvmsg+0xd7/0x110
+[   42.408022]  ___sys_recvmsg+0x25c/0x580
+[   42.408395]  __sys_recvmsg+0xd6/0x190
+[   42.408753]  SyS_recvmsg+0x2d/0x50
+[   42.409086]  entry_SYSCALL_64_fastpath+0x1f/0xbe
+[   42.409513]
+[   42.409665] The buggy address belongs to the object at ffff88000969e780
+[   42.409665]  which belongs to the cache kmalloc-512 of size 512
+[   42.410846] The buggy address is located 24 bytes inside of
+[   42.410846]  512-byte region [ffff88000969e780, ffff88000969e980)
+[   42.411941] The buggy address belongs to the page:
+[   42.412405] page:ffffea000025a780 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
+[   42.413298] flags: 0x100000000008100(slab|head)
+[   42.413729] raw: 0100000000008100 0000000000000000 0000000000000000 00000001800c000c
+[   42.414387] raw: ffffea00002a9500 0000000900000007 ffff88000c401280 0000000000000000
+[   42.415074] page dumped because: kasan: bad access detected
+[   42.415604]
+[   42.415757] Memory state around the buggy address:
+[   42.416222]  ffff88000969e880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   42.416904]  ffff88000969e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+[   42.417591] >ffff88000969e980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+[   42.418273]                    ^
+[   42.418588]  ffff88000969ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   42.419273]  ffff88000969ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+[   42.419882] ==================================================================
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Craig Gallek <kraig at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2:
+ - Adjust filenames, context]
+---
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -825,6 +825,8 @@ static struct sk_buff *ipv6_gso_segment(
+ 					   sizeof(*ipv6h));
+ 		if (proto == IPPROTO_UDP) {
+ 			unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
++			if (unfrag_ip6hlen < 0)
++				return ERR_PTR(unfrag_ip6hlen);
+ 			fptr = (struct frag_hdr *)(skb_network_header(skb) +
+ 				unfrag_ip6hlen);
+ 			fptr->frag_off = htons(offset);
+--- a/net/ipv6/ip6_output.c
++++ b/net/ipv6/ip6_output.c
+@@ -562,13 +562,12 @@ static void ip6_copy_metadata(struct sk_
+ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr)
+ {
+ 	u16 offset = sizeof(struct ipv6hdr);
+-	struct ipv6_opt_hdr *exthdr =
+-				(struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
+ 	unsigned int packet_len = skb->tail - skb->network_header;
+ 	int found_rhdr = 0;
+ 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
+ 
+-	while (offset + 1 <= packet_len) {
++	while (offset <= packet_len) {
++		struct ipv6_opt_hdr *exthdr;
+ 
+ 		switch (**nexthdr) {
+ 
+@@ -589,13 +588,16 @@ int ip6_find_1stfragopt(struct sk_buff *
+ 			return offset;
+ 		}
+ 
+-		offset += ipv6_optlen(exthdr);
+-		*nexthdr = &exthdr->nexthdr;
++		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
++			return -EINVAL;
++
+ 		exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ 						 offset);
++		offset += ipv6_optlen(exthdr);
++		*nexthdr = &exthdr->nexthdr;
+ 	}
+ 
+-	return offset;
++	return -EINVAL;
+ }
+ 
+ void ipv6_select_ident(struct frag_hdr *fhdr, struct rt6_info *rt)
+@@ -630,6 +632,10 @@ int ip6_fragment(struct sk_buff *skb, in
+ 	struct net *net = dev_net(skb_dst(skb)->dev);
+ 
+ 	hlen = ip6_find_1stfragopt(skb, &prevhdr);
++	if (hlen < 0) {
++		err = hlen;
++		goto fail;
++	}
+ 	nexthdr = *prevhdr;
+ 
+ 	mtu = ip6_skb_dst_mtu(skb);
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -1353,6 +1353,8 @@ static struct sk_buff *udp6_ufo_fragment
+ 	 * bytes to insert fragment header.
+ 	 */
+ 	unfrag_ip6hlen = ip6_find_1stfragopt(skb, &prevhdr);
++	if (unfrag_ip6hlen < 0)
++		return ERR_PTR(unfrag_ip6hlen);
+ 	nexthdr = *prevhdr;
+ 	*prevhdr = NEXTHDR_FRAGMENT;
+ 	unfrag_len = skb_network_header(skb) - skb_mac_header(skb) +
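Review bot: In the rewritten ip6_find_1stfragopt() `offset` is still a `u16` while `packet_len` is `unsigned int` and the loop now does `offset += ipv6_optlen(exthdr);` after the bound check; if the linear network-header area can exceed 65535 bytes, that addition truncates, `offset` falls back below `packet_len`, and `while (offset <= packet_len)` keeps re-parsing the same headers instead of reaching the new `return -EINVAL;`. The per-iteration guard `offset + sizeof(struct ipv6_opt_hdr) > packet_len` does not catch this because it is evaluated on the promoted value before the narrowing store. Widening the variable and bounding it closes the gap: `unsigned int offset = sizeof(struct ipv6hdr);` and, right after the increment, `if (offset > IPV6_MAXPLEN) return -EINVAL;`. Whether packet_len can actually exceed 64K here depends on the callers, which are outside this hunk.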
diff --git a/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
new file mode 100644
index 0000000..407a1a1
--- /dev/null
+++ b/debian/patches/bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
@@ -0,0 +1,34 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Tue, 2 May 2017 13:58:53 +0300
+Subject: ipx: call ipxitf_put() in ioctl error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/ee0d8d8482345ff97a75a7d747efc309f13b0d80
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7487
+
+We should call ipxitf_put() if the copy_to_user() fails.
+
+Reported-by: 李强 <liqiang6-s at 360.cn>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipx/af_ipx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1194,11 +1194,10 @@ static int ipxitf_ioctl(unsigned int cmd
+ 		sipx->sipx_network	= ipxif->if_netnum;
+ 		memcpy(sipx->sipx_node, ipxif->if_node,
+ 			sizeof(sipx->sipx_node));
+-		rc = -EFAULT;
++		rc = 0;
+ 		if (copy_to_user(arg, &ifr, sizeof(ifr)))
+-			break;
++			rc = -EFAULT;
+ 		ipxitf_put(ipxif);
+-		rc = 0;
+ 		break;
+ 	}
+ 	case SIOCAIPXITFCRT:
diff --git a/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
new file mode 100644
index 0000000..c84e29f
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
@@ -0,0 +1,99 @@
+From: "J. Bruce Fields" <bfields at redhat.com>
+Date: Fri, 21 Apr 2017 16:10:18 -0400
+Subject: nfsd: check for oversized NFSv2/v3 arguments
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7645
+
+A client can append random data to the end of an NFSv2 or NFSv3 RPC call
+without our complaining; we'll just stop parsing at the end of the
+expected data and ignore the rest.
+
+Encoded arguments and replies are stored together in an array of pages,
+and if a call is too large it could leave inadequate space for the
+reply.  This is normally OK because NFS RPC's typically have either
+short arguments and long replies (like READ) or long arguments and short
+replies (like WRITE).  But a client that sends an incorrectly long reply
+can violate those assumptions.  This was observed to cause crashes.
+
+Also, several operations increment rq_next_page in the decode routine
+before checking the argument size, which can leave rq_next_page pointing
+well past the end of the page array, causing trouble later in
+svc_free_pages.
+
+So, following a suggestion from Neil Brown, add a central check to
+enforce our expectation that no NFSv2/v3 call has both a large call and
+a large reply.
+
+As followup we may also want to rewrite the encoding routines to check
+more carefully that they aren't running off the end of the page array.
+
+We may also consider rejecting calls that have any extra garbage
+appended.  That would be safer, and within our rights by spec, but given
+the age of our server and the NFS protocol, and the fact that we've
+never enforced this before, we may need to balance that against the
+possibility of breaking some oddball client.
+
+Reported-by: Tuomas Haanpää <thaan at synopsys.com>
+Reported-by: Ari Kauppi <ari at synopsys.com>
+Cc: stable at vger.kernel.org
+Reviewed-by: NeilBrown <neilb at suse.com>
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+---
+ fs/nfsd/nfssvc.c | 36 ++++++++++++++++++++++++++++++++++++
+ 1 file changed, 36 insertions(+)
+
+--- a/fs/nfsd/nfssvc.c
++++ b/fs/nfsd/nfssvc.c
+@@ -561,6 +561,37 @@ static __be32 map_new_errors(u32 vers, _
+ 	return nfserr;
+ }
+ 
++/*
++ * A write procedure can have a large argument, and a read procedure can
++ * have a large reply, but no NFSv2 or NFSv3 procedure has argument and
++ * reply that can both be larger than a page.  The xdr code has taken
++ * advantage of this assumption to be a sloppy about bounds checking in
++ * some cases.  Pending a rewrite of the NFSv2/v3 xdr code to fix that
++ * problem, we enforce these assumptions here:
++ */
++static bool nfs_request_too_big(struct svc_rqst *rqstp,
++				struct svc_procedure *proc)
++{
++	/*
++	 * The ACL code has more careful bounds-checking and is not
++	 * susceptible to this problem:
++	 */
++	if (rqstp->rq_prog != NFS_PROGRAM)
++		return false;
++	/*
++	 * Ditto NFSv4 (which can in theory have argument and reply both
++	 * more than a page):
++	 */
++	if (rqstp->rq_vers >= 4)
++		return false;
++	/* The reply will be small, we're OK: */
++	if (proc->pc_xdrressize > 0 &&
++	    proc->pc_xdrressize < XDR_QUADLEN(PAGE_SIZE))
++		return false;
++
++	return rqstp->rq_arg.len > PAGE_SIZE;
++}
++
+ int
+ nfsd_dispatch(struct svc_rqst *rqstp, __be32 *statp)
+ {
+@@ -573,6 +604,11 @@ nfsd_dispatch(struct svc_rqst *rqstp, __
+ 				rqstp->rq_vers, rqstp->rq_proc);
+ 	proc = rqstp->rq_procinfo;
+ 
++	if (nfs_request_too_big(rqstp, proc)) {
++		dprintk("nfsd: NFSv%d argument too large\n", rqstp->rq_vers);
++		*statp = rpc_garbage_args;
++		return 1;
++	}
+ 	/*
+ 	 * Give the xdr decoder a chance to change this if it wants
+ 	 * (necessary in the NFSv4.0 compound case)
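Review bot: The block comment introducing nfs_request_too_big() has a typo, "to be a sloppy about bounds checking"; `* advantage of this assumption to be sloppy about bounds checking in`. Separately, the rejection added to nfsd_dispatch() is reported only through `dprintk`, which is silent unless RPC debugging is enabled, so a call that trips this new guard leaves no trace for an administrator reviewing a server that is rejecting requests; a rate-limited printk at warning level would make repeated rejections observable without flooding the log. nfsd_dispatch() continues outside the hunk.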
diff --git a/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
new file mode 100644
index 0000000..e07cc3f
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
@@ -0,0 +1,56 @@
+From: "J. Bruce Fields" <bfields at redhat.com>
+Date: Fri, 21 Apr 2017 15:26:30 -0400
+Subject: [2/2] nfsd: stricter decoding of write-like NFSv2/v3 ops
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
+
+The NFSv2/v3 code does not systematically check whether we decode past
+the end of the buffer.  This generally appears to be harmless, but there
+are a few places where we do arithmetic on the pointers involved and
+don't account for the possibility that a length could be negative.  Add
+checks to catch these.
+
+Reported-by: Tuomas Haanpää <thaan at synopsys.com>
+Reported-by: Ari Kauppi <ari at synopsys.com>
+Reviewed-by: NeilBrown <neilb at suse.com>
+Cc: stable at vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+---
+ fs/nfsd/nfs3xdr.c | 4 ++++
+ fs/nfsd/nfsxdr.c  | 2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -363,6 +363,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
+ 	args->count = ntohl(*p++);
+ 	args->stable = ntohl(*p++);
+ 	len = args->len = ntohl(*p++);
++	if ((void *)p > head->iov_base + head->iov_len)
++		return 0;
+ 	/*
+ 	 * The count must equal the amount of data passed.
+ 	 */
+@@ -467,6 +469,8 @@ nfs3svc_decode_symlinkargs(struct svc_rq
+ 	/* first copy and check from the first page */
+ 	old = (char*)p;
+ 	vec = &rqstp->rq_arg.head[0];
++	if ((void *)old > vec->iov_base + vec->iov_len)
++		return 0;
+ 	avail = vec->iov_len - (old - (char*)vec->iov_base);
+ 	while (len && avail && *old) {
+ 		*new++ = *old++;
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -298,6 +298,8 @@ nfssvc_decode_writeargs(struct svc_rqst
+ 	 * bytes.
+ 	 */
+ 	hdr = (void*)p - head->iov_base;
++	if (hdr > head->iov_len)
++		return 0;
+ 	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+ 
+ 	/*
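Review bot: In nfs3svc_decode_writeargs() the new bound check `(void *)p > head->iov_base + head->iov_len` is placed after `count`, `stable` and `len` have already been read through `*p++`, so those three words are fetched before the decoder learns the pointer has left the head buffer; the same ordering applies in nfssvc_decode_writeargs(), where `hdr` is derived from `p` only after the preceding fields were consumed. Whether such a read lands in memory that is still part of the mapped page array is not visible here, so this may be harmless in practice, but checking the remaining head length before consuming the fixed-size fields would make the decoder independent of that layout, e.g. `if ((char *)p + 3 * sizeof(__be32) > (char *)head->iov_base + head->iov_len) return 0;` placed ahead of the three reads. `head` is introduced by the [1/2] cleanup patch in this same commit; both decode functions start and end outside this hunk.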
diff --git a/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch b/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
new file mode 100644
index 0000000..c0c417c
--- /dev/null
+++ b/debian/patches/bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
@@ -0,0 +1,79 @@
+From: "J. Bruce Fields" <bfields at redhat.com>
+Date: Tue, 25 Apr 2017 16:21:34 -0400
+Subject: [1/2] nfsd4: minor NFSv2/v3 write decoding cleanup
+Origin: https://git.kernel.org/linus/db44bac41bbfc0c0d9dd943092d8bded3c9db19b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7895
+
+Use a couple shortcuts that will simplify a following bugfix.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+[bwh: Backported to 3.2: in nfs3svc_decode_writeargs(), dlen doesn't include
+ tail]
+---
+ fs/nfsd/nfs3xdr.c | 9 +++++----
+ fs/nfsd/nfsxdr.c  | 8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -354,6 +354,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
+ {
+ 	unsigned int len, v, hdr, dlen;
+ 	u32 max_blocksize = svc_max_payload(rqstp);
++	struct kvec *head = rqstp->rq_arg.head;
+ 
+ 	if (!(p = decode_fh(p, &args->fh)))
+ 		return 0;
+@@ -372,9 +373,8 @@ nfs3svc_decode_writeargs(struct svc_rqst
+ 	 * Check to make sure that we got the right number of
+ 	 * bytes.
+ 	 */
+-	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+-	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+-		- hdr;
++	hdr = (void*)p - head->iov_base;
++	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+ 	/*
+ 	 * Round the length of the data which was specified up to
+ 	 * the next multiple of XDR units and then compare that
+@@ -391,7 +391,7 @@ nfs3svc_decode_writeargs(struct svc_rqst
+ 		len = args->len = max_blocksize;
+ 	}
+ 	rqstp->rq_vec[0].iov_base = (void*)p;
+-	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
++	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
+ 	v = 0;
+ 	while (len > rqstp->rq_vec[v].iov_len) {
+ 		len -= rqstp->rq_vec[v].iov_len;
+--- a/fs/nfsd/nfsxdr.c
++++ b/fs/nfsd/nfsxdr.c
+@@ -277,6 +277,7 @@ nfssvc_decode_writeargs(struct svc_rqst
+ 					struct nfsd_writeargs *args)
+ {
+ 	unsigned int len, hdr, dlen;
++	struct kvec *head = rqstp->rq_arg.head;
+ 	int v;
+ 
+ 	if (!(p = decode_fh(p, &args->fh)))
+@@ -296,9 +297,8 @@ nfssvc_decode_writeargs(struct svc_rqst
+ 	 * Check to make sure that we got the right number of
+ 	 * bytes.
+ 	 */
+-	hdr = (void*)p - rqstp->rq_arg.head[0].iov_base;
+-	dlen = rqstp->rq_arg.head[0].iov_len + rqstp->rq_arg.page_len
+-		- hdr;
++	hdr = (void*)p - head->iov_base;
++	dlen = head->iov_len + rqstp->rq_arg.page_len - hdr;
+ 
+ 	/*
+ 	 * Round the length of the data which was specified up to
+@@ -312,7 +312,7 @@ nfssvc_decode_writeargs(struct svc_rqst
+ 		return 0;
+ 
+ 	rqstp->rq_vec[0].iov_base = (void*)p;
+-	rqstp->rq_vec[0].iov_len = rqstp->rq_arg.head[0].iov_len - hdr;
++	rqstp->rq_vec[0].iov_len = head->iov_len - hdr;
+ 	v = 0;
+ 	while (len > rqstp->rq_vec[v].iov_len) {
+ 		len -= rqstp->rq_vec[v].iov_len;
diff --git a/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
new file mode 100644
index 0000000..3f5353c
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
@@ -0,0 +1,29 @@
+From: Eric Dumazet <edumazet at google.com>
+Date: Wed, 17 May 2017 07:16:40 -0700
+Subject: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
+Origin: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9075
+
+SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
+ipv6_mc_list from parent"), otherwise bad things can happen.
+
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/ipv6.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -655,6 +655,9 @@ static struct sock *sctp_v6_create_accep
+ 	newnp = inet6_sk(newsk);
+ 
+ 	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
++	newnp->ipv6_mc_list = NULL;
++	newnp->ipv6_ac_list = NULL;
++	newnp->ipv6_fl_list = NULL;
+ 
+ 	rcu_read_lock();
+ 	opt = rcu_dereference(np->opt);
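Review bot: The three NULL assignments at lines 869–871 deliberately undo part of the memcpy() right above them, but nothing in the code says why, and the commit message only says "bad things can happen". A one-line comment would spare the next backporter a trip to the referenced commit: `/* Per-socket lists stay with the listening socket; the child starts with empty lists (see 83eaddab4378) */`. Presumably the hazard is that parent and child would otherwise both own the same list nodes, but that is inferred from the cited commit rather than shown here. The body of sctp_v6_create_accept_sk continues outside the hunk.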
diff --git a/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch b/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
new file mode 100644
index 0000000..d44c388
--- /dev/null
+++ b/debian/patches/bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
@@ -0,0 +1,35 @@
+From: Amey Telawane <ameyt at codeaurora.org>
+Date: Wed, 3 May 2017 15:41:14 +0530
+Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
+Origin: https://git.kernel.org/linus/e09e28671cda63e6308b31798b997639120e2a21
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-0605
+
+Strcpy is inherently not safe, and strlcpy() should be used instead.
+__trace_find_cmdline() uses strcpy() because the comms saved must have a
+terminating nul character, but it doesn't hurt to add the extra protection
+of using strlcpy() instead of strcpy().
+
+Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org
+
+Signed-off-by: Amey Telawane <ameyt at codeaurora.org>
+[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10
+https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477]
+Signed-off-by: Amit Pundir <amit.pundir at linaro.org>
+[ Updated change log and removed the "- 1" from len parameter ]
+Signed-off-by: Steven Rostedt (VMware) <rostedt at goodmis.org>
+[bwh: Backported to 3.2: adjust context]
+---
+ kernel/trace/trace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -1100,7 +1100,7 @@ void trace_find_cmdline(int pid, char co
+ 	arch_spin_lock(&trace_cmdline_lock);
+ 	map = map_pid_to_cmdline[pid];
+ 	if (map != NO_CMDLINE_MAP)
+-		strcpy(comm, saved_cmdlines[map]);
++		strlcpy(comm, saved_cmdlines[map], TASK_COMM_LEN);
+ 	else
+ 		strcpy(comm, "<...>");
+ 
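Review bot: The else branch two lines below the change still uses `strcpy(comm, "<...>")`; with a five-character literal that is bounded in practice, but now that the function mixes both calls, `strlcpy(comm, "<...>", TASK_COMM_LEN);` would keep the bounded form consistent. The new call hard-codes TASK_COMM_LEN as the destination size, so the `comm` argument (its declaration is cut off in the hunk header) must always be at least that long; a one-line comment on the signature stating that requirement would document what the fix relies on. trace_find_cmdline starts and ends outside the hunk.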
diff --git a/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch b/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
new file mode 100644
index 0000000..1d0c295
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
@@ -0,0 +1,31 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Mon, 6 Mar 2017 17:36:40 +0100
+Subject: USB: serial: io_ti: fix information leak in completion handler
+Origin: https://git.kernel.org/linus/654b404f2a222f918af9b0cd18ad469d0c941a8e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8924
+
+Add missing sanity check to the bulk-in completion handler to avoid an
+integer underflow that can be triggered by a malicious device.
+
+This avoids leaking 128 kB of memory content from after the URB transfer
+buffer to user space.
+
+Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable at vger.kernel.org>	# 2.6.30
+Signed-off-by: Johan Hovold <johan at kernel.org>
+---
+ drivers/usb/serial/io_ti.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -1762,7 +1762,7 @@ static void edge_bulk_in_callback(struct
+ 
+ 	port_number = edge_port->port->number - edge_port->port->serial->minor;
+ 
+-	if (edge_port->lsr_event) {
++	if (urb->actual_length > 0 && edge_port->lsr_event) {
+ 		edge_port->lsr_event = 0;
+ 		dbg("%s ===== Port %u LSR Status = %02x, Data = %02x ======",
+ 		     __func__, port_number, edge_port->lsr_mask, *data);
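Review bot: The new `urb->actual_length > 0` guard protects the `*data` read in the dbg() call and, per the commit message, the length arithmetic further down, but the code itself does not say so. A comment kept with the check would preserve the reason: `/* An empty transfer carries no LSR byte; treating it as one reads past the buffer and underflows the length below */`. The remainder of edge_bulk_in_callback, including the arithmetic the commit message refers to, lies outside the hunk, so I cannot confirm from here that no other path consumes `data` before this point.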
diff --git a/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch b/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
new file mode 100644
index 0000000..d8d2ab6
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
@@ -0,0 +1,35 @@
+From: Johan Hovold <johan at kernel.org>
+Date: Mon, 6 Mar 2017 17:36:38 +0100
+Subject: USB: serial: omninet: fix reference leaks at open
+Origin: https://git.kernel.org/linus/30572418b445d85fcfe6c8fe84c947d2606767d8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8925
+
+This driver needlessly took another reference to the tty on open, a
+reference which was then never released on close. This lead to not just
+a leak of the tty, but also a driver reference leak that prevented the
+driver from being unloaded after a port had once been opened.
+
+Fixes: 4a90f09b20f4 ("tty: usb-serial krefs")
+Cc: stable <stable at vger.kernel.org>	# 2.6.28
+Signed-off-by: Johan Hovold <johan at kernel.org>
+[bwh: Backported to 3.2:
+ - The 'serial' variable is still needed for other initialisation
+ - Adjust context]
+---
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -171,14 +171,10 @@ static int omninet_attach(struct usb_ser
+ static int omninet_open(struct tty_struct *tty, struct usb_serial_port *port)
+ {
+ 	struct usb_serial	*serial = port->serial;
+-	struct usb_serial_port	*wport;
+ 	int			result = 0;
+ 
+ 	dbg("%s - port %d", __func__, port->number);
+ 
+-	wport = serial->port[1];
+-	tty_port_tty_set(&wport->port, tty);
+-
+ 	/* Start reading from the device */
+ 	usb_fill_bulk_urb(port->read_urb, serial->dev,
+ 			usb_rcvbulkpipe(serial->dev,
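Review bot: The patch header at lines 976–977 goes straight from `---` into the file diff without the diffstat the other patch files carry (compare lines 902–903); quilt does not need it, but ` drivers/usb/serial/omninet.c | 4 ----` and ` 1 file changed, 4 deletions(-)` would keep this backport consistent with the rest of the series. With the tty_port_tty_set() call removed, `tty` has no remaining use in the visible part of omninet_open(); if nothing below the hunk uses it either, that is expected for a usb_serial open callback, but worth a glance. The body of omninet_open continues past the hunk.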
diff --git a/debian/patches/series b/debian/patches/series
index 8b82de6..1169ce9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1127,6 +1127,19 @@ bugfix/all/crypto-hash-Fix-the-pointer-voodoo-in-unaligned-ahas.patch
 bugfix/all/crypto-hash-pull-out-the-functions-to-save-restore-r.patch
 bugfix/all/crypto-hash-simplify-the-ahash_finup-implementation.patch
 bugfix/all/crypto-ahash-fix-einprogress-notification-callback.patch
+bugfix/all/tracing-use-strlcpy-instead-of-strcpy-in-__trace_fin.patch
+bugfix/all/ipx-call-ipxitf_put-in-ioctl-error-path.patch
+bugfix/all/nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+bugfix/all/nfsd4-minor-nfsv2-v3-write-decoding-cleanup.patch
+bugfix/all/nfsd-stricter-decoding-of-write-like-nfsv2-v3-ops.patch
+bugfix/all/dccp-tcp-do-not-inherit-mc_list-from-parent.patch
+bugfix/all/usb-serial-io_ti-fix-information-leak-in-completion-.patch
+bugfix/all/usb-serial-omninet-fix-reference-leaks-at-open.patch
+bugfix/all/ipv6-prevent-overrun-when-parsing-v6-header-options.patch
+bugfix/all/ipv6-check-ip6_find_1stfragopt-return-value-properly.patch
+bugfix/all/sctp-do-not-inherit-ipv6_-mc-ac-fl-_list-from-parent.patch
+bugfix/all/ipv6-dccp-do-not-inherit-ipv6_mc_list-from-parent.patch
+bugfix/all/ipv6-fix-out-of-bound-writes-in-__ip6_append_data.patch
 
 # ABI maintenance
 debian/perf-hide-abi-change-in-3.2.30.patch
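Review bot: The three nfsd entries at lines 1004–1006 carry an order dependency the file does not record: the cleanup patch (line 1005) introduces the `head` local (line 784) that the stricter-decoding patch (line 1006) builds its new checks on (line 730), and the cleanup's own Subject marks it as part 1 of 2. Since this file already uses `#` comments (line 1016), a line above 1004 such as `# nfsd: keep the next three in this order (cleanup precedes the CVE-2017-7895 fix)` would protect the ordering during future rebases.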
