[linux] 01/01: Update to 4.14-rc3

debian-kernel at lists.debian.org
Sun Oct 1 22:23:32 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch master
in repository linux.

commit 335613b4d625d99e8874c685e6ed2b4779cb41a5
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sun Oct 1 23:23:22 2017 +0100

    Update to 4.14-rc3
---
 debian/changelog                                   |  2 +-
 .../bugfix/all/fix-infoleak-in-waitid-2.patch      | 66 ----------------------
 ...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 ------------------
 debian/patches/series                              |  2 -
 4 files changed, 1 insertion(+), 124 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 560f604..a55902a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-linux (4.14~rc2-1~exp1) UNRELEASED; urgency=medium
+linux (4.14~rc3-1~exp1) UNRELEASED; urgency=medium
 
   * New upstream release candidate
 
diff --git a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch b/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
deleted file mode 100644
index b713b3f..0000000
--- a/debian/patches/bugfix/all/fix-infoleak-in-waitid-2.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From: Al Viro <viro at zeniv.linux.org.uk>
-Date: Fri, 29 Sep 2017 13:43:15 -0400
-Subject: fix infoleak in waitid(2)
-Origin: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14954
-
-kernel_waitid() can return a PID, an error or 0.  rusage is filled in the first
-case and waitid(2) rusage should've been copied out exactly in that case, *not*
-whenever kernel_waitid() has not returned an error.  Compat variant shares that
-braino; none of kernel_wait4() callers do, so the below ought to fix it.
-
-Reported-and-tested-by: Alexander Potapenko <glider at google.com>
-Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
-Cc: stable at vger.kernel.org # v4.13
-Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
----
- kernel/exit.c | 23 ++++++++++-------------
- 1 file changed, 10 insertions(+), 13 deletions(-)
-
-diff --git a/kernel/exit.c b/kernel/exit.c
-index 3481ababd06a..f2cd53e92147 100644
---- a/kernel/exit.c
-+++ b/kernel/exit.c
-@@ -1600,12 +1600,10 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
- 	struct waitid_info info = {.status = 0};
- 	long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
- 	int signo = 0;
-+
- 	if (err > 0) {
- 		signo = SIGCHLD;
- 		err = 0;
--	}
--
--	if (!err) {
- 		if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
- 			return -EFAULT;
- 	}
-@@ -1723,16 +1721,15 @@ COMPAT_SYSCALL_DEFINE5(waitid,
- 	if (err > 0) {
- 		signo = SIGCHLD;
- 		err = 0;
--	}
--
--	if (!err && uru) {
--		/* kernel_waitid() overwrites everything in ru */
--		if (COMPAT_USE_64BIT_TIME)
--			err = copy_to_user(uru, &ru, sizeof(ru));
--		else
--			err = put_compat_rusage(&ru, uru);
--		if (err)
--			return -EFAULT;
-+		if (uru) {
-+			/* kernel_waitid() overwrites everything in ru */
-+			if (COMPAT_USE_64BIT_TIME)
-+				err = copy_to_user(uru, &ru, sizeof(ru));
-+			else
-+				err = put_compat_rusage(&ru, uru);
-+			if (err)
-+				return -EFAULT;
-+		}
- 	}
- 
- 	if (!infop)
--- 
-2.14.2
-
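Review bot: The deletion of this CVE-2017-14954 fix is not justified anywhere in the commit: the message says only "Update to 4.14-rc3", while the patch header's Origin points at upstream commit 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9. Please state that this commit is contained in 4.14-rc3, and check that both the native and the compat waitid paths in the new tree copy rusage out only inside the `if (err > 0)` branch, since the leak was the copy running whenever kernel_waitid() returned 0.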
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
deleted file mode 100644
index 2b63f46..0000000
--- a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From: Xin Long <lucien.xin at gmail.com>
-Date: Sun, 27 Aug 2017 20:25:26 +0800
-Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
-Origin: https://patchwork.kernel.org/patch/9923803/
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
-
-ChunYu found a kernel crash by syzkaller:
-
-[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
-[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
-[  651.618731] general protection fault: 0000 [#1] SMP KASAN
-[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
-[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
-[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
-[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
-[...]
-[  651.627260] Call Trace:
-[  651.629156]  skb_release_all+0x4f/0x60
-[  651.629450]  consume_skb+0x1a5/0x600
-[  651.630705]  netlink_unicast+0x505/0x720
-[  651.632345]  netlink_sendmsg+0xab2/0xe70
-[  651.633704]  sock_sendmsg+0xcf/0x110
-[  651.633942]  ___sys_sendmsg+0x833/0x980
-[  651.637117]  __sys_sendmsg+0xf3/0x240
-[  651.638820]  SyS_sendmsg+0x32/0x50
-[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
-
-It's caused by skb_shared_info at the end of sk_buff was overwritten by
-ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
-
-During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
-ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
-new value to skb_shinfo(SKB)->nr_frags by ev->type.
-
-This patch is to fix it by checking nlh->nlmsg_len properly there to
-avoid over accessing sk_buff.
-
-Reported-by: ChunYu Wang <chunwang at redhat.com>
-Signed-off-by: Xin Long <lucien.xin at gmail.com>
-Acked-by: Chris Leech <cleech at redhat.com>
----
- drivers/scsi/scsi_transport_iscsi.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/drivers/scsi/scsi_transport_iscsi.c
-+++ b/drivers/scsi/scsi_transport_iscsi.c
-@@ -3689,7 +3689,7 @@ iscsi_if_rx(struct sk_buff *skb)
- 		uint32_t group;
- 
- 		nlh = nlmsg_hdr(skb);
--		if (nlh->nlmsg_len < sizeof(*nlh) ||
-+		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
- 		    skb->len < nlh->nlmsg_len) {
- 			break;
- 		}
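Review bot: The Origin of this patch is a patchwork submission (https://patchwork.kernel.org/patch/9923803/), not an upstream commit, so nothing in the header shows which mainline commit replaces it. Before dropping the CVE-2017-14489 fix, confirm that iscsi_if_rx() in 4.14-rc3 carries the same bound, `nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev)`, and cite that commit id in the commit message.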
diff --git a/debian/patches/series b/debian/patches/series
index 6a11588..0bc5793 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -111,8 +111,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
 
 # Security fixes
 debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
-bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
-bugfix/all/fix-infoleak-in-waitid-2.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
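Review bot: Both entries removed from the "# Security fixes" block carry Bug-Debian-Security references, yet the debian/changelog hunk changes only the version string. Consider recording in the changelog entry that the fixes for CVE-2017-14954 and CVE-2017-14489 now come from upstream, so the removal stays traceable from the package history.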

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


