[linux] 01/01: Update to 4.14-rc3
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Sun Oct 1 22:23:32 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit 335613b4d625d99e8874c685e6ed2b4779cb41a5
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sun Oct 1 23:23:22 2017 +0100
Update to 4.14-rc3
---
debian/changelog | 2 +-
.../bugfix/all/fix-infoleak-in-waitid-2.patch | 66 ----------------------
...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 ------------------
debian/patches/series | 2 -
4 files changed, 1 insertion(+), 124 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 560f604..a55902a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.14~rc2-1~exp1) UNRELEASED; urgency=medium
+linux (4.14~rc3-1~exp1) UNRELEASED; urgency=medium
* New upstream release candidate
diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
deleted file mode 100644
index b713b3f..0000000
--- a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 29 Sep 2017 13:43:15 -0400
-Subject: fix infoleak in waitid(2)
-Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
-
-kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
-case and waitid(2) rusage should've been copied out exactly in that case, *not*
-whenever kernel_waitid() has not returned an error. Compat variant shares that
-braino; none of kernel_wait4() callers do, so the below ought to fix it.
-
-Reported-and-tested-by: Alexander Potapenko <glider at google.com>
-Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
-Cc: stable at vger.kernel.org # v4.13
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- kernel/exit.c | 23 ++++++++++-------------
- 1 file changed, 10 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 3481ababd06a..f2cd53e92147 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- struct waitid_info info = {.status = 0};
- long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
- int signo = 0;
-+
- if (err > 0) {
- signo = SIGCHLD;
- err = 0;
-- }
--
-- if (!err) {
- if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
- return -EFAULT;
- }
-@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- if (err > 0) {
- signo = SIGCHLD;
- err = 0;
-- }
--
-- if (!err && uru) {
-- /* kernel_waitid() overwrites everything in ru */
-- if (COMPAT_USE_64BIT_TIME)
-- err = copy_to_user(uru, &ru, sizeof(ru));
-- else
-- err = put_compat_rusage(&ru, uru);
-- if (err)
-- return -EFAULT;
-+ if (uru) {
-+ /* kernel_waitid() overwrites everything in ru */
-+ if (COMPAT_USE_64BIT_TIME)
-+ err = copy_to_user(uru, &ru, sizeof(ru));
-+ else
-+ err = put_compat_rusage(&ru, uru);
-+ if (err)
-+ return -EFAULT;
-+ }
- }
-
- if (!infop)
---
-2.14.2
-
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
deleted file mode 100644
index 2b63f46..0000000
--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long <lucien.xin at gmail.com>
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
-[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[ 651.627260] Call Trace:
-[ 651.629156] skb_release_all+0x4f/0x60
-[ 651.629450] consume_skb+0x1a5/0x600
-[ 651.630705] netlink_unicast+0x505/0x720
-[ 651.632345] netlink_sendmsg+0xab2/0xe70
-[ 651.633704] sock_sendmsg+0xcf/0x110
-[ 651.633942] ___sys_sendmsg+0x833/0x980
-[ 651.637117] __sys_sendmsg+0xf3/0x240
-[ 651.638820] SyS_sendmsg+0x32/0x50
-[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang <chunwang at redhat.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Chris Leech <cleech at redhat.com>
----
- drivers/scsi/scsi_transport_iscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
- uint32_t group;
-
- nlh = nlmsg_hdr(skb);
-- if (nlh->nlmsg_len < sizeof(*nlh) ||
-+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
- skb->len < nlh->nlmsg_len) {
- break;
- }
diff --git a/debian/patches/series b/debian/patches/series
index 6a11588..0bc5793 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -111,8 +111,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
# Security fixes
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/all/fix-infoleak-in-waitid-2.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list