[linux] 01/02: Add various security fixes
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Sep 18 02:01:53 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch wheezy-security
in repository linux.
commit 8d94670ede255b4ec3ee8744699e35deb449a63b
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Sep 18 02:33:31 2017 +0100
Add various security fixes
---
debian/changelog | 10 +
...roperly-check-l2cap-config-option-output-.patch | 273 +++++++++++++++++++++
...-the-required-netlink-attributes-presence.patch | 36 +++
...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 +++++
...-aty-do-not-leak-uninitialized-padding-in.patch | 31 +++
...realtime_inode-should-be-false-if-no-rt-d.patch | 68 +++++
...don-t-allow-l2-to-access-the-hardware-cr8.patch | 35 +++
debian/patches/series | 6 +
8 files changed, 514 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index deaf219..88caa1a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -216,6 +216,16 @@ linux (3.2.93-1) UNRELEASED; urgency=medium
[ Ben Hutchings ]
* [rt] Update to 3.2.89-rt127 (no functional change)
* ptrace, xfrm: Avoid ABI changes in 3.2.93
+ * nl80211: check for the required netlink attributes presence (CVE-2017-12153)
+ * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
+ * [x86] video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+ (CVE-2017-14156)
+ * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+ (CVE-2017-14340)
+ * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+ (CVE-2017-14489)
+ * Bluetooth: Properly check L2CAP config option output buffer length
+ (CVE-2017-1000251)
-- Ben Hutchings <ben at decadent.org.uk> Mon, 03 Jul 2017 17:17:55 +0100
diff --git a/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch b/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
new file mode 100644
index 0000000..5c025d6
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
@@ -0,0 +1,273 @@
+From: Ben Seri <ben at armis.com>
+Date: Sat, 9 Sep 2017 23:15:59 +0200
+Subject: Bluetooth: Properly check L2CAP config option output buffer length
+Origin: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000251
+
+Validate the output buffer length for L2CAP config requests and responses
+to avoid overflowing the stack buffer used for building the option blocks.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Ben Seri <ben at armis.com>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2:
+ - Drop changes to handling of L2CAP_CONF_EFS, L2CAP_CONF_EWS
+ - Drop changes to l2cap_do_create(), l2cap_security_cfm(), and L2CAP_CONF_PENDING
+ case in l2cap_config_rsp()
+ - In l2cap_config_rsp(), s/buf/req/
+ - Adjust context]
+---
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -68,7 +68,7 @@ static struct sk_buff *l2cap_build_cmd(s
+ u8 code, u8 ident, u16 dlen, void *data);
+ static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
+ void *data);
+-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
++static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
+ static void l2cap_send_disconn_req(struct l2cap_conn *conn,
+ struct l2cap_chan *chan, int err);
+
+@@ -787,7 +787,7 @@ static void l2cap_conn_start(struct l2ca
+
+ set_bit(CONF_REQ_SENT, &chan->conf_state);
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -1825,12 +1825,15 @@ static inline int l2cap_get_conf_opt(voi
+ return len;
+ }
+
+-static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
++static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
+ {
+ struct l2cap_conf_opt *opt = *ptr;
+
+ BT_DBG("type 0x%2.2x len %d val 0x%lx", type, len, val);
+
++ if (size < L2CAP_CONF_OPT_SIZE + len)
++ return;
++
+ opt->type = type;
+ opt->len = len;
+
+@@ -1901,11 +1904,12 @@ static inline __u8 l2cap_select_mode(__u
+ }
+ }
+
+-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
++static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
+ {
+ struct l2cap_conf_req *req = data;
+ struct l2cap_conf_rfc rfc = { .mode = chan->mode };
+ void *ptr = req->data;
++ void *endptr = data + data_size;
+
+ BT_DBG("chan %p", chan);
+
+@@ -1926,7 +1930,7 @@ static int l2cap_build_conf_req(struct l
+
+ done:
+ if (chan->imtu != L2CAP_DEFAULT_MTU)
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
+
+ switch (chan->mode) {
+ case L2CAP_MODE_BASIC:
+@@ -1942,7 +1946,7 @@ done:
+ rfc.max_pdu_size = 0;
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+ break;
+
+ case L2CAP_MODE_ERTM:
+@@ -1956,7 +1960,7 @@ done:
+ rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+
+ if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
+ break;
+@@ -1964,7 +1968,8 @@ done:
+ if (chan->fcs == L2CAP_FCS_NONE ||
+ test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
+ chan->fcs = L2CAP_FCS_NONE;
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs,
++ endptr - ptr);
+ }
+ break;
+
+@@ -1979,7 +1984,7 @@ done:
+ rfc.max_pdu_size = cpu_to_le16(chan->conn->mtu - 10);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+
+ if (!(chan->conn->feat_mask & L2CAP_FEAT_FCS))
+ break;
+@@ -1987,7 +1992,8 @@ done:
+ if (chan->fcs == L2CAP_FCS_NONE ||
+ test_bit(CONF_NO_FCS_RECV, &chan->conf_state)) {
+ chan->fcs = L2CAP_FCS_NONE;
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1, chan->fcs,
++ endptr - ptr);
+ }
+ break;
+ }
+@@ -1998,10 +2004,11 @@ done:
+ return ptr - data;
+ }
+
+-static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
++static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
+ {
+ struct l2cap_conf_rsp *rsp = data;
+ void *ptr = rsp->data;
++ void *endptr = data + data_size;
+ void *req = chan->conf_req;
+ int len = chan->conf_len;
+ int type, hint, olen;
+@@ -2077,8 +2084,8 @@ done:
+ if (chan->num_conf_rsp == 1)
+ return -ECONNREFUSED;
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+- sizeof(rfc), (unsigned long) &rfc);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
++ (unsigned long) &rfc, endptr - ptr);
+ }
+
+
+@@ -2092,7 +2099,7 @@ done:
+ chan->omtu = mtu;
+ set_bit(CONF_MTU_DONE, &chan->conf_state);
+ }
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
+
+ switch (rfc.mode) {
+ case L2CAP_MODE_BASIC:
+@@ -2117,7 +2124,7 @@ done:
+ set_bit(CONF_MODE_DONE, &chan->conf_state);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+- sizeof(rfc), (unsigned long) &rfc);
++ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+
+ break;
+
+@@ -2129,8 +2136,8 @@ done:
+
+ set_bit(CONF_MODE_DONE, &chan->conf_state);
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+- sizeof(rfc), (unsigned long) &rfc);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
++ (unsigned long) &rfc, endptr - ptr);
+
+ break;
+
+@@ -2151,10 +2158,12 @@ done:
+ return ptr - data;
+ }
+
+-static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, void *data, u16 *result)
++static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
++ void *data, size_t size, u16 *result)
+ {
+ struct l2cap_conf_req *req = data;
+ void *ptr = req->data;
++ void *endptr = data + size;
+ int type, olen;
+ unsigned long val;
+ struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+@@ -2171,13 +2180,13 @@ static int l2cap_parse_conf_rsp(struct l
+ chan->imtu = L2CAP_DEFAULT_MIN_MTU;
+ } else
+ chan->imtu = val;
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_FLUSH_TO:
+ chan->flush_to = val;
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
+- 2, chan->flush_to);
++ 2, chan->flush_to, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_RFC:
+@@ -2191,7 +2200,7 @@ static int l2cap_parse_conf_rsp(struct l
+ chan->fcs = 0;
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+- sizeof(rfc), (unsigned long) &rfc);
++ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+ break;
+ }
+ }
+@@ -2250,7 +2259,7 @@ void __l2cap_connect_rsp_defer(struct l2
+ return;
+
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -2459,7 +2468,7 @@ sendresp:
+ u8 buf[128];
+ set_bit(CONF_REQ_SENT, &chan->conf_state);
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -2509,7 +2518,7 @@ static int l2cap_connect_rsp(struct l2ca
+ break;
+
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, req), req);
++ l2cap_build_conf_req(chan, req, sizeof(req)), req);
+ chan->num_conf_req++;
+ break;
+
+@@ -2602,7 +2611,7 @@ static inline int l2cap_config_req(struc
+ }
+
+ /* Complete config. */
+- len = l2cap_parse_conf_req(chan, rsp);
++ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
+ if (len < 0) {
+ l2cap_send_disconn_req(conn, chan, ECONNRESET);
+ goto unlock;
+@@ -2635,7 +2644,7 @@ static inline int l2cap_config_req(struc
+ if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
+ u8 buf[64];
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -2687,7 +2696,7 @@ static inline int l2cap_config_rsp(struc
+ /* throw out any old stored conf requests */
+ result = L2CAP_CONF_SUCCESS;
+ len = l2cap_parse_conf_rsp(chan, rsp->data, len,
+- req, &result);
++ req, sizeof(req), &result);
+ if (len < 0) {
+ l2cap_send_disconn_req(conn, chan, ECONNRESET);
+ goto done;
diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
new file mode 100644
index 0000000..a7d1550
--- /dev/null
+++ b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
@@ -0,0 +1,36 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Tue, 12 Sep 2017 22:21:21 +0000
+Subject: nl80211: check for the required netlink attributes presence
+Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Cc: <stable at vger.kernel.org> # v3.1-rc1
+Reported-by: bo Zhang <zhangbo5891001 at gmail.com>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5820,6 +5820,9 @@ static int nl80211_set_rekey_data(struct
+ if (err)
+ return err;
+
++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++ !tb[NL80211_REKEY_DATA_KCK])
++ return -EINVAL;
+ if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ return -ERANGE;
+ if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
new file mode 100644
index 0000000..4af57cd
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
@@ -0,0 +1,55 @@
+From: Xin Long <lucien.xin at gmail.com>
+Date: Sun, 27 Aug 2017 20:25:26 +0800
+Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+Origin: https://patchwork.kernel.org/patch/9923803/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
+
+ChunYu found a kernel crash by syzkaller:
+
+[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
+[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
+[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
+[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
+[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
+[...]
+[ 651.627260] Call Trace:
+[ 651.629156] skb_release_all+0x4f/0x60
+[ 651.629450] consume_skb+0x1a5/0x600
+[ 651.630705] netlink_unicast+0x505/0x720
+[ 651.632345] netlink_sendmsg+0xab2/0xe70
+[ 651.633704] sock_sendmsg+0xcf/0x110
+[ 651.633942] ___sys_sendmsg+0x833/0x980
+[ 651.637117] __sys_sendmsg+0xf3/0x240
+[ 651.638820] SyS_sendmsg+0x32/0x50
+[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+It's caused by skb_shared_info at the end of sk_buff was overwritten by
+ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
+
+During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
+ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
+new value to skb_shinfo(SKB)->nr_frags by ev->type.
+
+This patch is to fix it by checking nlh->nlmsg_len properly there to
+avoid over accessing sk_buff.
+
+Reported-by: ChunYu Wang <chunwang at redhat.com>
+Signed-off-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Chris Leech <cleech at redhat.com>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2079,7 +2079,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ uint32_t group;
+
+ nlh = nlmsg_hdr(skb);
+- if (nlh->nlmsg_len < sizeof(*nlh) ||
++ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+ skb->len < nlh->nlmsg_len) {
+ break;
+ }
diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
new file mode 100644
index 0000000..27f6dc4
--- /dev/null
+++ b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
@@ -0,0 +1,31 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
+ userspace
+Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106 <sohu0106 at 126.com>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
+[bwh: Backported to 3.2: adjust filename]
+---
+ drivers/video/aty/atyfb_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/aty/atyfb_base.c
++++ b/drivers/video/aty/atyfb_base.c
+@@ -1852,7 +1852,7 @@ static int atyfb_ioctl(struct fb_info *i
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ case ATYIO_CLKR:
+ if (M64_HAS(INTEGRATED)) {
+- struct atyclk clk;
++ struct atyclk clk = { 0 };
+ union aty_pll *pll = &par->pll;
+ u32 dsp_config = pll->ct.dsp_config;
+ u32 dsp_on_off = pll->ct.dsp_on_off;
diff --git a/debian/patches/bugfix/all/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-d.patch b/debian/patches/bugfix/all/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-d.patch
new file mode 100644
index 0000000..4c35b1c
--- /dev/null
+++ b/debian/patches/bugfix/all/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-d.patch
@@ -0,0 +1,68 @@
+From: Richard Wareing <rwareing at fb.com>
+Date: Wed, 13 Sep 2017 09:09:35 +1000
+Subject: xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+Origin: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14340
+
+If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
+a directory in a filesystem that does not have a realtime device and
+create a new file in that directory, it gets marked as a real time file.
+When data is written and a fsync is issued, the filesystem attempts to
+flush a non-existent rt device during the fsync process.
+
+This results in a crash dereferencing a null buftarg pointer in
+xfs_blkdev_issue_flush():
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: xfs_blkdev_issue_flush+0xd/0x20
+ .....
+ Call Trace:
+ xfs_file_fsync+0x188/0x1c0
+ vfs_fsync_range+0x3b/0xa0
+ do_fsync+0x3d/0x70
+ SyS_fsync+0x10/0x20
+ do_syscall_64+0x4d/0xb0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Setting RT inode flags does not require special privileges so any
+unprivileged user can cause this oops to occur. To reproduce, confirm
+kernel is compiled with CONFIG_XFS_RT=y and run:
+
+ # mkfs.xfs -f /dev/pmem0
+ # mount /dev/pmem0 /mnt/test
+ # mkdir /mnt/test/foo
+ # xfs_io -c 'chattr +t' /mnt/test/foo
+ # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
+
+Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
+
+Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
+
+Fixes: f538d4da8d52 ("[XFS] write barrier support")
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Richard Wareing <rwareing at fb.com>
+Signed-off-by: Dave Chinner <david at fromorbit.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Backported to 3.2: adjust filename]
+---
+ fs/xfs/xfs_dinode.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_dinode.h
++++ b/fs/xfs/xfs_dinode.h
+@@ -201,7 +201,14 @@ static inline void xfs_dinode_put_rdev(s
+ #define XFS_DIFLAG_FILESTREAM (1 << XFS_DIFLAG_FILESTREAM_BIT)
+
+ #ifdef CONFIG_XFS_RT
+-#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME)
++
++/*
++ * make sure we ignore the inode flag if the filesystem doesn't have a
++ * configured realtime device.
++ */
++#define XFS_IS_REALTIME_INODE(ip) \
++ (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \
++ (ip)->i_mount->m_rtdev_targp)
+ #else
+ #define XFS_IS_REALTIME_INODE(ip) (0)
+ #endif
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
new file mode 100644
index 0000000..cc431f6
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
@@ -0,0 +1,35 @@
+From: Jim Mattson <jmattson at google.com>
+Date: Tue, 12 Sep 2017 13:02:54 -0700
+Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
+Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
+
+If L1 does not specify the "use TPR shadow" VM-execution control in
+vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
+exiting" VM-execution controls in vmcs02. Failure to do so will give
+the L2 VM unrestricted read/write access to the hardware CR8.
+
+This fixes CVE-2017-12154.
+
+Signed-off-by: Jim Mattson <jmattson at google.com>
+Reviewed-by: David Hildenbrand <david at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.2: adjust context]
+---
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -6675,6 +6675,14 @@ static void prepare_vmcs02(struct kvm_vc
+ exec_control &= ~CPU_BASED_VIRTUAL_NMI_PENDING;
+ exec_control &= ~CPU_BASED_TPR_SHADOW;
+ exec_control |= vmcs12->cpu_based_vm_exec_control;
++
++ if (!(exec_control & CPU_BASED_TPR_SHADOW)) {
++#ifdef CONFIG_X86_64
++ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
++ CPU_BASED_CR8_STORE_EXITING;
++#endif
++ }
++
+ /*
+ * Merging of IO and MSR bitmaps not currently supported.
+ * Rather, exit every time.
diff --git a/debian/patches/series b/debian/patches/series
index ebfcaef..41c2ac1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1110,6 +1110,12 @@ bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/x86/vmwgfx-null-pointer-dereference-in-vmw_surface_define_ioctl.patch
bugfix/x86/drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
bugfix/arm/mm-larger-stack-guard-gap-between-vmas-arm-topdown.patch
+bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+bugfix/all/xfs-xfs_is_realtime_inode-should-be-false-if-no-rt-d.patch
+bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
# ABI maintenance
debian/perf-hide-abi-change-in-3.2.30.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list