[linux] 01/01: Add various security fixes
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Mon Sep 18 03:01:29 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch-security
in repository linux.
commit 7e7c3cae90988e28dc9a0012ec6ff211660c9041
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Mon Sep 18 03:59:34 2017 +0100
Add various security fixes
---
debian/changelog | 19 ++
...roperly-check-l2cap-config-option-output-.patch | 353 +++++++++++++++++++++
...-platform-fix-race-condition-with-driver_.patch | 59 ++++
...-the-required-netlink-attributes-presence.patch | 36 +++
...-t-write-vnet-header-beyond-end-of-buffer.patch | 68 ++++
.../sanitize-move_pages-permission-checks.patch | 71 +++++
...-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch | 55 ++++
...xxx-fix-an-integer-overflow-in-sysfs-code.patch | 58 ++++
...-out-of-bounds-reads-from-address-storage.patch | 184 +++++++++++
...alize-rcv_mss-to-tcp_min_mss-instead-of-0.patch | 35 ++
...-aty-do-not-leak-uninitialized-padding-in.patch | 30 ++
.../bugfix/all/xen-fix-bio-vec-merging.patch | 59 ++++
...REALTIME_INODE-should-be-false-if-no-rt-d.patch | 67 ++++
...don-t-allow-l2-to-access-the-hardware-cr8.patch | 34 ++
...vmx-do-not-bug-on-out-of-bounds-guest-irq.patch | 52 +++
debian/patches/series | 14 +
16 files changed, 1194 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index df874ed..d4f4f6b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,25 @@ linux (4.9.30-2+deb9u4) UNRELEASED; urgency=medium
* ipv6: Should use consistent conditional judgement for ip6 fragment
between __ip6_append_data and ip6_finish_output
* udp: consistently apply ufo or fragmentation (CVE-2017-1000112)
+ * sctp: Avoid out-of-bounds reads from address storage (CVE-2017-7558)
+ * xen: fix bio vec merging (CVE-2017-12134) (Closes: #866511)
+ * driver core: platform: fix race condition with driver_override
+ (CVE-2017-12146)
+ * nl80211: check for the required netlink attributes presence (CVE-2017-12153)
+ * [x86] kvm: nVMX: Don't allow L2 to access the hardware CR8 (CVE-2017-12154)
+ * scsi: qla2xxx: Fix an integer overflow in sysfs code (CVE-2017-14051)
+ * tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0 (CVE-2017-14106)
+ * Sanitize 'move_pages()' permission checks (CVE-2017-14140)
+ * video: fbdev: aty: do not leak uninitialized padding in clk to userspace
+ (CVE-2017-14156)
+ * xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+ (CVE-2017-14340)
+ * scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+ (CVE-2017-14489)
+ * packet: Don't write vnet header beyond end of buffer (CVE-2017-14497)
+ * Bluetooth: Properly check L2CAP config option output buffer length
+ (CVE-2017-1000251)
+ * [x86] KVM: VMX: Do not BUG() on out-of-bounds guest IRQ (CVE-2017-1000252)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 06 Aug 2017 15:21:20 +0100
diff --git a/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch b/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
new file mode 100644
index 0000000..89b9146
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
@@ -0,0 +1,353 @@
+From: Ben Seri <ben at armis.com>
+Date: Sat, 9 Sep 2017 23:15:59 +0200
+Subject: Bluetooth: Properly check L2CAP config option output buffer length
+Origin: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000251
+
+Validate the output buffer length for L2CAP config requests and responses
+to avoid overflowing the stack buffer used for building the option blocks.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Ben Seri <ben at armis.com>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ net/bluetooth/l2cap_core.c | 80 +++++++++++++++++++++++++---------------------
+ 1 file changed, 43 insertions(+), 37 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -58,7 +58,7 @@ static struct sk_buff *l2cap_build_cmd(s
+ u8 code, u8 ident, u16 dlen, void *data);
+ static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
+ void *data);
+-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
++static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
+ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
+
+ static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
+@@ -1473,7 +1473,7 @@ static void l2cap_conn_start(struct l2ca
+
+ set_bit(CONF_REQ_SENT, &chan->conf_state);
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -2977,12 +2977,15 @@ static inline int l2cap_get_conf_opt(voi
+ return len;
+ }
+
+-static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
++static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
+ {
+ struct l2cap_conf_opt *opt = *ptr;
+
+ BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
+
++ if (size < L2CAP_CONF_OPT_SIZE + len)
++ return;
++
+ opt->type = type;
+ opt->len = len;
+
+@@ -3007,7 +3010,7 @@ static void l2cap_add_conf_opt(void **pt
+ *ptr += L2CAP_CONF_OPT_SIZE + len;
+ }
+
+-static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
++static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
+ {
+ struct l2cap_conf_efs efs;
+
+@@ -3035,7 +3038,7 @@ static void l2cap_add_opt_efs(void **ptr
+ }
+
+ l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs);
++ (unsigned long) &efs, size);
+ }
+
+ static void l2cap_ack_timeout(struct work_struct *work)
+@@ -3181,11 +3184,12 @@ static inline void l2cap_txwin_setup(str
+ chan->ack_win = chan->tx_win;
+ }
+
+-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
++static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
+ {
+ struct l2cap_conf_req *req = data;
+ struct l2cap_conf_rfc rfc = { .mode = chan->mode };
+ void *ptr = req->data;
++ void *endptr = data + data_size;
+ u16 size;
+
+ BT_DBG("chan %p", chan);
+@@ -3210,7 +3214,7 @@ static int l2cap_build_conf_req(struct l
+
+ done:
+ if (chan->imtu != L2CAP_DEFAULT_MTU)
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
+
+ switch (chan->mode) {
+ case L2CAP_MODE_BASIC:
+@@ -3229,7 +3233,7 @@ done:
+ rfc.max_pdu_size = 0;
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+ break;
+
+ case L2CAP_MODE_ERTM:
+@@ -3249,21 +3253,21 @@ done:
+ L2CAP_DEFAULT_TX_WINDOW);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+
+ if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
+- l2cap_add_opt_efs(&ptr, chan);
++ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
+
+ if (test_bit(FLAG_EXT_CTRL, &chan->flags))
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
+- chan->tx_win);
++ chan->tx_win, endptr - ptr);
+
+ if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
+ if (chan->fcs == L2CAP_FCS_NONE ||
+ test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
+ chan->fcs = L2CAP_FCS_NONE;
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
+- chan->fcs);
++ chan->fcs, endptr - ptr);
+ }
+ break;
+
+@@ -3281,17 +3285,17 @@ done:
+ rfc.max_pdu_size = cpu_to_le16(size);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+
+ if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
+- l2cap_add_opt_efs(&ptr, chan);
++ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
+
+ if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
+ if (chan->fcs == L2CAP_FCS_NONE ||
+ test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
+ chan->fcs = L2CAP_FCS_NONE;
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
+- chan->fcs);
++ chan->fcs, endptr - ptr);
+ }
+ break;
+ }
+@@ -3302,10 +3306,11 @@ done:
+ return ptr - data;
+ }
+
+-static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
++static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
+ {
+ struct l2cap_conf_rsp *rsp = data;
+ void *ptr = rsp->data;
++ void *endptr = data + data_size;
+ void *req = chan->conf_req;
+ int len = chan->conf_len;
+ int type, hint, olen;
+@@ -3407,7 +3412,7 @@ done:
+ return -ECONNREFUSED;
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+ }
+
+ if (result == L2CAP_CONF_SUCCESS) {
+@@ -3420,7 +3425,7 @@ done:
+ chan->omtu = mtu;
+ set_bit(CONF_MTU_DONE, &chan->conf_state);
+ }
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
+
+ if (remote_efs) {
+ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+@@ -3434,7 +3439,7 @@ done:
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
+ sizeof(efs),
+- (unsigned long) &efs);
++ (unsigned long) &efs, endptr - ptr);
+ } else {
+ /* Send PENDING Conf Rsp */
+ result = L2CAP_CONF_PENDING;
+@@ -3467,7 +3472,7 @@ done:
+ set_bit(CONF_MODE_DONE, &chan->conf_state);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+- sizeof(rfc), (unsigned long) &rfc);
++ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+
+ if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
+ chan->remote_id = efs.id;
+@@ -3481,7 +3486,7 @@ done:
+ le32_to_cpu(efs.sdu_itime);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
+ sizeof(efs),
+- (unsigned long) &efs);
++ (unsigned long) &efs, endptr - ptr);
+ }
+ break;
+
+@@ -3495,7 +3500,7 @@ done:
+ set_bit(CONF_MODE_DONE, &chan->conf_state);
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
+- (unsigned long) &rfc);
++ (unsigned long) &rfc, endptr - ptr);
+
+ break;
+
+@@ -3517,10 +3522,11 @@ done:
+ }
+
+ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
+- void *data, u16 *result)
++ void *data, size_t size, u16 *result)
+ {
+ struct l2cap_conf_req *req = data;
+ void *ptr = req->data;
++ void *endptr = data + size;
+ int type, olen;
+ unsigned long val;
+ struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
+@@ -3538,13 +3544,13 @@ static int l2cap_parse_conf_rsp(struct l
+ chan->imtu = L2CAP_DEFAULT_MIN_MTU;
+ } else
+ chan->imtu = val;
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_FLUSH_TO:
+ chan->flush_to = val;
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
+- 2, chan->flush_to);
++ 2, chan->flush_to, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_RFC:
+@@ -3558,13 +3564,13 @@ static int l2cap_parse_conf_rsp(struct l
+ chan->fcs = 0;
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
+- sizeof(rfc), (unsigned long) &rfc);
++ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_EWS:
+ chan->ack_win = min_t(u16, val, chan->ack_win);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
+- chan->tx_win);
++ chan->tx_win, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_EFS:
+@@ -3577,7 +3583,7 @@ static int l2cap_parse_conf_rsp(struct l
+ return -ECONNREFUSED;
+
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs);
++ (unsigned long) &efs, endptr - ptr);
+ break;
+
+ case L2CAP_CONF_FCS:
+@@ -3682,7 +3688,7 @@ void __l2cap_connect_rsp_defer(struct l2
+ return;
+
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -3890,7 +3896,7 @@ sendresp:
+ u8 buf[128];
+ set_bit(CONF_REQ_SENT, &chan->conf_state);
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -3968,7 +3974,7 @@ static int l2cap_connect_create_rsp(stru
+ break;
+
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, req), req);
++ l2cap_build_conf_req(chan, req, sizeof(req)), req);
+ chan->num_conf_req++;
+ break;
+
+@@ -4080,7 +4086,7 @@ static inline int l2cap_config_req(struc
+ }
+
+ /* Complete config. */
+- len = l2cap_parse_conf_req(chan, rsp);
++ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
+ if (len < 0) {
+ l2cap_send_disconn_req(chan, ECONNRESET);
+ goto unlock;
+@@ -4114,7 +4120,7 @@ static inline int l2cap_config_req(struc
+ if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
+ u8 buf[64];
+ l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+
+@@ -4174,7 +4180,7 @@ static inline int l2cap_config_rsp(struc
+ char buf[64];
+
+ len = l2cap_parse_conf_rsp(chan, rsp->data, len,
+- buf, &result);
++ buf, sizeof(buf), &result);
+ if (len < 0) {
+ l2cap_send_disconn_req(chan, ECONNRESET);
+ goto done;
+@@ -4204,7 +4210,7 @@ static inline int l2cap_config_rsp(struc
+ /* throw out any old stored conf requests */
+ result = L2CAP_CONF_SUCCESS;
+ len = l2cap_parse_conf_rsp(chan, rsp->data, len,
+- req, &result);
++ req, sizeof(req), &result);
+ if (len < 0) {
+ l2cap_send_disconn_req(chan, ECONNRESET);
+ goto done;
+@@ -4781,7 +4787,7 @@ static void l2cap_do_create(struct l2cap
+ set_bit(CONF_REQ_SENT, &chan->conf_state);
+ l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
+ L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf), buf);
++ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
+ chan->num_conf_req++;
+ }
+ }
+@@ -7457,7 +7463,7 @@ static void l2cap_security_cfm(struct hc
+ set_bit(CONF_REQ_SENT, &chan->conf_state);
+ l2cap_send_cmd(conn, l2cap_get_ident(conn),
+ L2CAP_CONF_REQ,
+- l2cap_build_conf_req(chan, buf),
++ l2cap_build_conf_req(chan, buf, sizeof(buf)),
+ buf);
+ chan->num_conf_req++;
+ }
diff --git a/debian/patches/bugfix/all/driver-core-platform-fix-race-condition-with-driver_.patch b/debian/patches/bugfix/all/driver-core-platform-fix-race-condition-with-driver_.patch
new file mode 100644
index 0000000..9aefa07
--- /dev/null
+++ b/debian/patches/bugfix/all/driver-core-platform-fix-race-condition-with-driver_.patch
@@ -0,0 +1,59 @@
+From: Adrian Salido <salidoa at google.com>
+Date: Tue, 25 Apr 2017 16:55:26 -0700
+Subject: driver core: platform: fix race condition with driver_override
+Origin: https://git.kernel.org/linus/6265539776a0810b7ce6398c27866ddb9c6bd154
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12146
+
+The driver_override implementation is susceptible to race condition when
+different threads are reading vs storing a different driver override.
+Add locking to avoid race condition.
+
+Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
+Cc: stable at vger.kernel.org
+Signed-off-by: Adrian Salido <salidoa at google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/base/platform.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/platform.c
++++ b/drivers/base/platform.c
+@@ -856,7 +856,7 @@ static ssize_t driver_override_store(str
+ const char *buf, size_t count)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
+- char *driver_override, *old = pdev->driver_override, *cp;
++ char *driver_override, *old, *cp;
+
+ if (count > PATH_MAX)
+ return -EINVAL;
+@@ -869,12 +869,15 @@ static ssize_t driver_override_store(str
+ if (cp)
+ *cp = '\0';
+
++ device_lock(dev);
++ old = pdev->driver_override;
+ if (strlen(driver_override)) {
+ pdev->driver_override = driver_override;
+ } else {
+ kfree(driver_override);
+ pdev->driver_override = NULL;
+ }
++ device_unlock(dev);
+
+ kfree(old);
+
+@@ -885,8 +888,12 @@ static ssize_t driver_override_show(stru
+ struct device_attribute *attr, char *buf)
+ {
+ struct platform_device *pdev = to_platform_device(dev);
++ ssize_t len;
+
+- return sprintf(buf, "%s\n", pdev->driver_override);
++ device_lock(dev);
++ len = sprintf(buf, "%s\n", pdev->driver_override);
++ device_unlock(dev);
++ return len;
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
diff --git a/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
new file mode 100644
index 0000000..4e6fe5f
--- /dev/null
+++ b/debian/patches/bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
@@ -0,0 +1,36 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Tue, 12 Sep 2017 22:21:21 +0000
+Subject: nl80211: check for the required netlink attributes presence
+Origin: https://marc.info/?l=linux-wireless&m=150525493517953&w=2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12153
+
+nl80211_set_rekey_data() does not check if the required attributes
+NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
+NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
+users with CAP_NET_ADMIN privilege and may result in NULL dereference
+and a system crash. Add a check for the required attributes presence.
+This patch is based on the patch by bo Zhang.
+
+This fixes CVE-2017-12153.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1491046
+Fixes: e5497d766ad ("cfg80211/nl80211: support GTK rekey offload")
+Cc: <stable at vger.kernel.org> # v3.1-rc1
+Reported-by: bo Zhang <zhangbo5891001 at gmail.com>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+---
+ net/wireless/nl80211.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10381,6 +10381,9 @@ static int nl80211_set_rekey_data(struct
+ if (err)
+ return err;
+
++ if (!tb[NL80211_REKEY_DATA_REPLAY_CTR] || !tb[NL80211_REKEY_DATA_KEK] ||
++ !tb[NL80211_REKEY_DATA_KCK])
++ return -EINVAL;
+ if (nla_len(tb[NL80211_REKEY_DATA_REPLAY_CTR]) != NL80211_REPLAY_CTR_LEN)
+ return -ERANGE;
+ if (nla_len(tb[NL80211_REKEY_DATA_KEK]) != NL80211_KEK_LEN)
diff --git a/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch b/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
new file mode 100644
index 0000000..4551b40
--- /dev/null
+++ b/debian/patches/bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
@@ -0,0 +1,68 @@
+From: Benjamin Poirier <bpoirier at suse.com>
+Date: Mon, 28 Aug 2017 14:29:41 -0400
+Subject: packet: Don't write vnet header beyond end of buffer
+Origin: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14497
+
+... which may happen with certain values of tp_reserve and maclen.
+
+Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv")
+Signed-off-by: Benjamin Poirier <bpoirier at suse.com>
+Cc: Willem de Bruijn <willemb at google.com>
+Acked-by: Willem de Bruijn <willemb at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/packet/af_packet.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2151,6 +2151,7 @@ static int tpacket_rcv(struct sk_buff *s
+ struct timespec ts;
+ __u32 ts_status;
+ bool is_drop_n_account = false;
++ bool do_vnet = false;
+
+ /* struct tpacket{2,3}_hdr is aligned to a multiple of TPACKET_ALIGNMENT.
+ * We may add members to them until current aligned size without forcing
+@@ -2201,8 +2202,10 @@ static int tpacket_rcv(struct sk_buff *s
+ netoff = TPACKET_ALIGN(po->tp_hdrlen +
+ (maclen < 16 ? 16 : maclen)) +
+ po->tp_reserve;
+- if (po->has_vnet_hdr)
++ if (po->has_vnet_hdr) {
+ netoff += sizeof(struct virtio_net_hdr);
++ do_vnet = true;
++ }
+ macoff = netoff - maclen;
+ }
+ if (po->tp_version <= TPACKET_V2) {
+@@ -2219,8 +2222,10 @@ static int tpacket_rcv(struct sk_buff *s
+ skb_set_owner_r(copy_skb, sk);
+ }
+ snaplen = po->rx_ring.frame_size - macoff;
+- if ((int)snaplen < 0)
++ if ((int)snaplen < 0) {
+ snaplen = 0;
++ do_vnet = false;
++ }
+ }
+ } else if (unlikely(macoff + snaplen >
+ GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len)) {
+@@ -2233,6 +2238,7 @@ static int tpacket_rcv(struct sk_buff *s
+ if (unlikely((int)snaplen < 0)) {
+ snaplen = 0;
+ macoff = GET_PBDQC_FROM_RB(&po->rx_ring)->max_frame_len;
++ do_vnet = false;
+ }
+ }
+ spin_lock(&sk->sk_receive_queue.lock);
+@@ -2258,7 +2264,7 @@ static int tpacket_rcv(struct sk_buff *s
+ }
+ spin_unlock(&sk->sk_receive_queue.lock);
+
+- if (po->has_vnet_hdr) {
++ if (do_vnet) {
+ if (__packet_rcv_vnet(skb, h.raw + macoff -
+ sizeof(struct virtio_net_hdr))) {
+ spin_lock(&sk->sk_receive_queue.lock);
diff --git a/debian/patches/bugfix/all/sanitize-move_pages-permission-checks.patch b/debian/patches/bugfix/all/sanitize-move_pages-permission-checks.patch
new file mode 100644
index 0000000..dc885a0
--- /dev/null
+++ b/debian/patches/bugfix/all/sanitize-move_pages-permission-checks.patch
@@ -0,0 +1,71 @@
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Sun, 20 Aug 2017 13:26:27 -0700
+Subject: Sanitize 'move_pages()' permission checks
+Origin: https://git.kernel.org/linus/197e7e521384a23b9e585178f3f11c9fa08274b9
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14140
+
+The 'move_paghes()' system call was introduced long long ago with the
+same permission checks as for sending a signal (except using
+CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).
+
+That turns out to not be a great choice - while the system call really
+only moves physical page allocations around (and you need other
+capabilities to do a lot of it), you can check the return value to map
+out some the virtual address choices and defeat ASLR of a binary that
+still shares your uid.
+
+So change the access checks to the more common 'ptrace_may_access()'
+model instead.
+
+This tightens the access checks for the uid, and also effectively
+changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that
+anybody really _uses_ this legacy system call any more (we hav ebetter
+NUMA placement models these days), so I expect nobody to notice.
+
+Famous last words.
+
+Reported-by: Otto Ebeling <otto.ebeling at iki.fi>
+Acked-by: Eric W. Biederman <ebiederm at xmission.com>
+Cc: Willy Tarreau <w at 1wt.eu>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ mm/migrate.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/mm/migrate.c
++++ b/mm/migrate.c
+@@ -40,6 +40,7 @@
+ #include <linux/mmu_notifier.h>
+ #include <linux/page_idle.h>
+ #include <linux/page_owner.h>
++#include <linux/ptrace.h>
+
+ #include <asm/tlbflush.h>
+
+@@ -1663,7 +1664,6 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
+ const int __user *, nodes,
+ int __user *, status, int, flags)
+ {
+- const struct cred *cred = current_cred(), *tcred;
+ struct task_struct *task;
+ struct mm_struct *mm;
+ int err;
+@@ -1687,14 +1687,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
+
+ /*
+ * Check if this process has the right to modify the specified
+- * process. The right exists if the process has administrative
+- * capabilities, superuser privileges or the same
+- * userid as the target process.
+- */
+- tcred = __task_cred(task);
+- if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
+- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
+- !capable(CAP_SYS_NICE)) {
++ * process. Use the regular "ptrace_may_access()" checks.
++ */
++ if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
+ rcu_read_unlock();
+ err = -EPERM;
+ goto out;
diff --git a/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
new file mode 100644
index 0000000..6c4f009
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
@@ -0,0 +1,55 @@
+From: Xin Long <lucien.xin at gmail.com>
+Date: Sun, 27 Aug 2017 20:25:26 +0800
+Subject: scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
+Origin: https://patchwork.kernel.org/patch/9923803/
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14489
+
+ChunYu found a kernel crash by syzkaller:
+
+[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
+[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
+[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
+[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
+[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
+[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
+[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
+[...]
+[ 651.627260] Call Trace:
+[ 651.629156] skb_release_all+0x4f/0x60
+[ 651.629450] consume_skb+0x1a5/0x600
+[ 651.630705] netlink_unicast+0x505/0x720
+[ 651.632345] netlink_sendmsg+0xab2/0xe70
+[ 651.633704] sock_sendmsg+0xcf/0x110
+[ 651.633942] ___sys_sendmsg+0x833/0x980
+[ 651.637117] __sys_sendmsg+0xf3/0x240
+[ 651.638820] SyS_sendmsg+0x32/0x50
+[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
+
+It's caused by skb_shared_info at the end of sk_buff was overwritten by
+ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
+
+During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
+ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
+new value to skb_shinfo(SKB)->nr_frags by ev->type.
+
+This patch is to fix it by checking nlh->nlmsg_len properly there to
+avoid over accessing sk_buff.
+
+Reported-by: ChunYu Wang <chunwang at redhat.com>
+Signed-off-by: Xin Long <lucien.xin at gmail.com>
+Acked-by: Chris Leech <cleech at redhat.com>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -3696,7 +3696,7 @@ iscsi_if_rx(struct sk_buff *skb)
+ uint32_t group;
+
+ nlh = nlmsg_hdr(skb);
+- if (nlh->nlmsg_len < sizeof(*nlh) ||
++ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
+ skb->len < nlh->nlmsg_len) {
+ break;
+ }
diff --git a/debian/patches/bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch b/debian/patches/bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
new file mode 100644
index 0000000..f2c986c
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
@@ -0,0 +1,58 @@
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Date: Wed, 30 Aug 2017 16:30:35 +0300
+Subject: scsi: qla2xxx: Fix an integer overflow in sysfs code
+Origin: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14051
+
+The value of "size" comes from the user. When we add "start + size" it
+could lead to an integer overflow bug.
+
+It means we vmalloc() a lot more memory than we had intended. I believe
+that on 64 bit systems vmalloc() can succeed even if we ask it to
+allocate huge 4GB buffers. So we would get memory corruption and likely
+a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
+
+Only root can trigger this bug.
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
+
+Cc: <stable at vger.kernel.org>
+Fixes: b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
+Reported-by: shqking <shqking at gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen at oracle.com>
+---
+ drivers/scsi/qla2xxx/qla_attr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_attr.c
++++ b/drivers/scsi/qla2xxx/qla_attr.c
+@@ -310,6 +310,8 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ return -EINVAL;
+ if (start > ha->optrom_size)
+ return -EINVAL;
++ if (size > ha->optrom_size - start)
++ size = ha->optrom_size - start;
+
+ mutex_lock(&ha->optrom_mutex);
+ switch (val) {
+@@ -335,8 +337,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size > ha->optrom_size ?
+- ha->optrom_size - start : size;
++ ha->optrom_region_size = start + size;
+
+ ha->optrom_state = QLA_SREADING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
+@@ -409,8 +410,7 @@ qla2x00_sysfs_write_optrom_ctl(struct fi
+ }
+
+ ha->optrom_region_start = start;
+- ha->optrom_region_size = start + size > ha->optrom_size ?
+- ha->optrom_size - start : size;
++ ha->optrom_region_size = start + size;
+
+ ha->optrom_state = QLA_SWRITING;
+ ha->optrom_buffer = vmalloc(ha->optrom_region_size);
diff --git a/debian/patches/bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch b/debian/patches/bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
new file mode 100644
index 0000000..3d37ffa
--- /dev/null
+++ b/debian/patches/bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
@@ -0,0 +1,184 @@
+From: Stefano Brivio <sbrivio at redhat.com>
+Date: Wed, 23 Aug 2017 13:27:13 +0200
+Subject: sctp: Avoid out-of-bounds reads from address storage
+Origin: https://git.kernel.org/linus/ee6c88bb754e3d363e568da78086adfedb692447
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-7558
+
+inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info() copy
+sizeof(sockaddr_storage) bytes to fill in sockaddr structs used
+to export diagnostic information to userspace.
+
+However, the memory allocated to store sockaddr information is
+smaller than that and depends on the address family, so we leak
+up to 100 uninitialized bytes to userspace. Just use the size of
+the source structs instead, in all the three cases this is what
+userspace expects. Zero out the remaining memory.
+
+Unused bytes (i.e. when IPv4 addresses are used) in source
+structs sctp_sockaddr_entry and sctp_transport are already
+cleared by sctp_add_bind_addr() and sctp_transport_new(),
+respectively.
+
+Noticed while testing KASAN-enabled kernel with 'ss':
+
+[ 2326.885243] BUG: KASAN: slab-out-of-bounds in inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag] at addr ffff881be8779800
+[ 2326.896800] Read of size 128 by task ss/9527
+[ 2326.901564] CPU: 0 PID: 9527 Comm: ss Not tainted 4.11.0-22.el7a.x86_64 #1
+[ 2326.909236] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017
+[ 2326.917585] Call Trace:
+[ 2326.920312] dump_stack+0x63/0x8d
+[ 2326.924014] kasan_object_err+0x21/0x70
+[ 2326.928295] kasan_report+0x288/0x540
+[ 2326.932380] ? inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
+[ 2326.938500] ? skb_put+0x8b/0xd0
+[ 2326.942098] ? memset+0x31/0x40
+[ 2326.945599] check_memory_region+0x13c/0x1a0
+[ 2326.950362] memcpy+0x23/0x50
+[ 2326.953669] inet_sctp_diag_fill+0x42c/0x6c0 [sctp_diag]
+[ 2326.959596] ? inet_diag_msg_sctpasoc_fill+0x460/0x460 [sctp_diag]
+[ 2326.966495] ? __lock_sock+0x102/0x150
+[ 2326.970671] ? sock_def_wakeup+0x60/0x60
+[ 2326.975048] ? remove_wait_queue+0xc0/0xc0
+[ 2326.979619] sctp_diag_dump+0x44a/0x760 [sctp_diag]
+[ 2326.985063] ? sctp_ep_dump+0x280/0x280 [sctp_diag]
+[ 2326.990504] ? memset+0x31/0x40
+[ 2326.994007] ? mutex_lock+0x12/0x40
+[ 2326.997900] __inet_diag_dump+0x57/0xb0 [inet_diag]
+[ 2327.003340] ? __sys_sendmsg+0x150/0x150
+[ 2327.007715] inet_diag_dump+0x4d/0x80 [inet_diag]
+[ 2327.012979] netlink_dump+0x1e6/0x490
+[ 2327.017064] __netlink_dump_start+0x28e/0x2c0
+[ 2327.021924] inet_diag_handler_cmd+0x189/0x1a0 [inet_diag]
+[ 2327.028045] ? inet_diag_rcv_msg_compat+0x1b0/0x1b0 [inet_diag]
+[ 2327.034651] ? inet_diag_dump_compat+0x190/0x190 [inet_diag]
+[ 2327.040965] ? __netlink_lookup+0x1b9/0x260
+[ 2327.045631] sock_diag_rcv_msg+0x18b/0x1e0
+[ 2327.050199] netlink_rcv_skb+0x14b/0x180
+[ 2327.054574] ? sock_diag_bind+0x60/0x60
+[ 2327.058850] sock_diag_rcv+0x28/0x40
+[ 2327.062837] netlink_unicast+0x2e7/0x3b0
+[ 2327.067212] ? netlink_attachskb+0x330/0x330
+[ 2327.071975] ? kasan_check_write+0x14/0x20
+[ 2327.076544] netlink_sendmsg+0x5be/0x730
+[ 2327.080918] ? netlink_unicast+0x3b0/0x3b0
+[ 2327.085486] ? kasan_check_write+0x14/0x20
+[ 2327.090057] ? selinux_socket_sendmsg+0x24/0x30
+[ 2327.095109] ? netlink_unicast+0x3b0/0x3b0
+[ 2327.099678] sock_sendmsg+0x74/0x80
+[ 2327.103567] ___sys_sendmsg+0x520/0x530
+[ 2327.107844] ? __get_locked_pte+0x178/0x200
+[ 2327.112510] ? copy_msghdr_from_user+0x270/0x270
+[ 2327.117660] ? vm_insert_page+0x360/0x360
+[ 2327.122133] ? vm_insert_pfn_prot+0xb4/0x150
+[ 2327.126895] ? vm_insert_pfn+0x32/0x40
+[ 2327.131077] ? vvar_fault+0x71/0xd0
+[ 2327.134968] ? special_mapping_fault+0x69/0x110
+[ 2327.140022] ? __do_fault+0x42/0x120
+[ 2327.144008] ? __handle_mm_fault+0x1062/0x17a0
+[ 2327.148965] ? __fget_light+0xa7/0xc0
+[ 2327.153049] __sys_sendmsg+0xcb/0x150
+[ 2327.157133] ? __sys_sendmsg+0xcb/0x150
+[ 2327.161409] ? SyS_shutdown+0x140/0x140
+[ 2327.165688] ? exit_to_usermode_loop+0xd0/0xd0
+[ 2327.170646] ? __do_page_fault+0x55d/0x620
+[ 2327.175216] ? __sys_sendmsg+0x150/0x150
+[ 2327.179591] SyS_sendmsg+0x12/0x20
+[ 2327.183384] do_syscall_64+0xe3/0x230
+[ 2327.187471] entry_SYSCALL64_slow_path+0x25/0x25
+[ 2327.192622] RIP: 0033:0x7f41d18fa3b0
+[ 2327.196608] RSP: 002b:00007ffc3b731218 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 2327.205055] RAX: ffffffffffffffda RBX: 00007ffc3b731380 RCX: 00007f41d18fa3b0
+[ 2327.213017] RDX: 0000000000000000 RSI: 00007ffc3b731340 RDI: 0000000000000003
+[ 2327.220978] RBP: 0000000000000002 R08: 0000000000000004 R09: 0000000000000040
+[ 2327.228939] R10: 00007ffc3b730f30 R11: 0000000000000246 R12: 0000000000000003
+[ 2327.236901] R13: 00007ffc3b731340 R14: 00007ffc3b7313d0 R15: 0000000000000084
+[ 2327.244865] Object at ffff881be87797e0, in cache kmalloc-64 size: 64
+[ 2327.251953] Allocated:
+[ 2327.254581] PID = 9484
+[ 2327.257215] save_stack_trace+0x1b/0x20
+[ 2327.261485] save_stack+0x46/0xd0
+[ 2327.265179] kasan_kmalloc+0xad/0xe0
+[ 2327.269165] kmem_cache_alloc_trace+0xe6/0x1d0
+[ 2327.274138] sctp_add_bind_addr+0x58/0x180 [sctp]
+[ 2327.279400] sctp_do_bind+0x208/0x310 [sctp]
+[ 2327.284176] sctp_bind+0x61/0xa0 [sctp]
+[ 2327.288455] inet_bind+0x5f/0x3a0
+[ 2327.292151] SYSC_bind+0x1a4/0x1e0
+[ 2327.295944] SyS_bind+0xe/0x10
+[ 2327.299349] do_syscall_64+0xe3/0x230
+[ 2327.303433] return_from_SYSCALL_64+0x0/0x6a
+[ 2327.308194] Freed:
+[ 2327.310434] PID = 4131
+[ 2327.313065] save_stack_trace+0x1b/0x20
+[ 2327.317344] save_stack+0x46/0xd0
+[ 2327.321040] kasan_slab_free+0x73/0xc0
+[ 2327.325220] kfree+0x96/0x1a0
+[ 2327.328530] dynamic_kobj_release+0x15/0x40
+[ 2327.333195] kobject_release+0x99/0x1e0
+[ 2327.337472] kobject_put+0x38/0x70
+[ 2327.341266] free_notes_attrs+0x66/0x80
+[ 2327.345545] mod_sysfs_teardown+0x1a5/0x270
+[ 2327.350211] free_module+0x20/0x2a0
+[ 2327.354099] SyS_delete_module+0x2cb/0x2f0
+[ 2327.358667] do_syscall_64+0xe3/0x230
+[ 2327.362750] return_from_SYSCALL_64+0x0/0x6a
+[ 2327.367510] Memory state around the buggy address:
+[ 2327.372855] ffff881be8779700: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
+[ 2327.380914] ffff881be8779780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00
+[ 2327.388972] >ffff881be8779800: 00 00 00 00 fc fc fc fc fb fb fb fb fb fb fb fb
+[ 2327.397031] ^
+[ 2327.401792] ffff881be8779880: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
+[ 2327.409850] ffff881be8779900: 00 00 00 00 00 04 fc fc fc fc fc fc 00 00 00 00
+[ 2327.417907] ==================================================================
+
+This fixes CVE-2017-7558.
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1480266
+Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
+Cc: Xin Long <lucien.xin at gmail.com>
+Cc: Vlad Yasevich <vyasevich at gmail.com>
+Cc: Neil Horman <nhorman at tuxdriver.com>
+Signed-off-by: Stefano Brivio <sbrivio at redhat.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
+Reviewed-by: Xin Long <lucien.xin at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/sctp/sctp_diag.c | 7 +++++--
+ net/sctp/socket.c | 3 +--
+ 2 files changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/sctp/sctp_diag.c
++++ b/net/sctp/sctp_diag.c
+@@ -70,7 +70,8 @@ static int inet_diag_msg_sctpladdrs_fill
+
+ info = nla_data(attr);
+ list_for_each_entry_rcu(laddr, address_list, list) {
+- memcpy(info, &laddr->a, addrlen);
++ memcpy(info, &laddr->a, sizeof(laddr->a));
++ memset(info + sizeof(laddr->a), 0, addrlen - sizeof(laddr->a));
+ info += addrlen;
+ }
+
+@@ -93,7 +94,9 @@ static int inet_diag_msg_sctpaddrs_fill(
+ info = nla_data(attr);
+ list_for_each_entry(from, &asoc->peer.transport_addr_list,
+ transports) {
+- memcpy(info, &from->ipaddr, addrlen);
++ memcpy(info, &from->ipaddr, sizeof(from->ipaddr));
++ memset(info + sizeof(from->ipaddr), 0,
++ addrlen - sizeof(from->ipaddr));
+ info += addrlen;
+ }
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4369,8 +4369,7 @@ int sctp_get_sctp_info(struct sock *sk,
+ info->sctpi_ictrlchunks = asoc->stats.ictrlchunks;
+
+ prim = asoc->peer.primary_path;
+- memcpy(&info->sctpi_p_address, &prim->ipaddr,
+- sizeof(struct sockaddr_storage));
++ memcpy(&info->sctpi_p_address, &prim->ipaddr, sizeof(prim->ipaddr));
+ info->sctpi_p_state = prim->state;
+ info->sctpi_p_cwnd = prim->cwnd;
+ info->sctpi_p_srtt = prim->srtt;
diff --git a/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch b/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
new file mode 100644
index 0000000..9711744
--- /dev/null
+++ b/debian/patches/bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
@@ -0,0 +1,35 @@
+From: Wei Wang <weiwan at google.com>
+Date: Thu, 18 May 2017 11:22:33 -0700
+Subject: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
+Origin: https://git.kernel.org/linus/499350a5a6e7512d9ed369ed63a4244b6536f4f8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14106
+
+When tcp_disconnect() is called, inet_csk_delack_init() sets
+icsk->icsk_ack.rcv_mss to 0.
+This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
+__tcp_select_window() call path to have division by 0 issue.
+So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Wei Wang <weiwan at google.com>
+Signed-off-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: Neal Cardwell <ncardwell at google.com>
+Signed-off-by: Yuchung Cheng <ycheng at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/ipv4/tcp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2294,6 +2294,10 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tcp_clear_retrans(tp);
+ inet_csk_delack_init(sk);
++ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
++ * issue in __tcp_select_window()
++ */
++ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
+ tcp_init_send_head(sk);
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ __sk_dst_reset(sk);
diff --git a/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
new file mode 100644
index 0000000..2d056c3
--- /dev/null
+++ b/debian/patches/bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
@@ -0,0 +1,30 @@
+From: Vladis Dronov <vdronov at redhat.com>
+Date: Mon, 4 Sep 2017 16:00:50 +0200
+Subject: video: fbdev: aty: do not leak uninitialized padding in clk to
+ userspace
+Origin: https://git.kernel.org/linus/8e75f7a7a00461ef6d91797a60b606367f6e344d
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14156
+
+'clk' is copied to a userland with padding byte(s) after 'vclk_post_div'
+field unitialized, leaking data from the stack. Fix this ensuring all of
+'clk' is initialized to zero.
+
+References: https://github.com/torvalds/linux/pull/441
+Reported-by: sohu0106 <sohu0106 at 126.com>
+Signed-off-by: Vladis Dronov <vdronov at redhat.com>
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie at samsung.com>
+---
+ drivers/video/fbdev/aty/atyfb_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -1861,7 +1861,7 @@ static int atyfb_ioctl(struct fb_info *i
+ #if defined(DEBUG) && defined(CONFIG_FB_ATY_CT)
+ case ATYIO_CLKR:
+ if (M64_HAS(INTEGRATED)) {
+- struct atyclk clk;
++ struct atyclk clk = { 0 };
+ union aty_pll *pll = &par->pll;
+ u32 dsp_config = pll->ct.dsp_config;
+ u32 dsp_on_off = pll->ct.dsp_on_off;
diff --git a/debian/patches/bugfix/all/xen-fix-bio-vec-merging.patch b/debian/patches/bugfix/all/xen-fix-bio-vec-merging.patch
new file mode 100644
index 0000000..06d3fe4
--- /dev/null
+++ b/debian/patches/bugfix/all/xen-fix-bio-vec-merging.patch
@@ -0,0 +1,59 @@
+From: Roger Pau Monne <roger.pau at citrix.com>
+Date: Tue, 18 Jul 2017 15:01:00 +0100
+Subject: xen: fix bio vec merging
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12134
+
+The current test for bio vec merging is not fully accurate and can be
+tricked into merging bios when certain grant combinations are used.
+The result of these malicious bio merges is a bio that extends past
+the memory page used by any of the originating bios.
+
+Take into account the following scenario, where a guest creates two
+grant references that point to the same mfn, ie: grant 1 -> mfn A,
+grant 2 -> mfn A.
+
+These references are then used in a PV block request, and mapped by
+the backend domain, thus obtaining two different pfns that point to
+the same mfn, pfn B -> mfn A, pfn C -> mfn A.
+
+If those grants happen to be used in two consecutive sectors of a disk
+IO operation becoming two different bios in the backend domain, the
+checks in xen_biovec_phys_mergeable will succeed, because bfn1 == bfn2
+(they both point to the same mfn). However due to the bio merging,
+the backend domain will end up with a bio that expands past mfn A into
+mfn A + 1.
+
+Fix this by making sure the check in xen_biovec_phys_mergeable takes
+into account the offset and the length of the bio, this basically
+replicates whats done in __BIOVEC_PHYS_MERGEABLE using mfns (bus
+addresses). While there also remove the usage of
+__BIOVEC_PHYS_MERGEABLE, since that's already checked by the callers
+of xen_biovec_phys_mergeable.
+
+CC: stable at vger.kernel.org
+Reported-by: "Jan H. Schönherr" <jschoenh at amazon.de>
+Signed-off-by: Roger Pau Monné <roger.pau at citrix.com>
+Reviewed-by: Juergen Gross <jgross at suse.com>
+Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk at oracle.com>
+---
+ drivers/xen/biomerge.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/xen/biomerge.c b/drivers/xen/biomerge.c
+index 4da69dbf7dca..1bdd02a6d6ac 100644
+--- a/drivers/xen/biomerge.c
++++ b/drivers/xen/biomerge.c
+@@ -10,8 +10,7 @@ bool xen_biovec_phys_mergeable(const struct bio_vec *vec1,
+ unsigned long bfn1 = pfn_to_bfn(page_to_pfn(vec1->bv_page));
+ unsigned long bfn2 = pfn_to_bfn(page_to_pfn(vec2->bv_page));
+
+- return __BIOVEC_PHYS_MERGEABLE(vec1, vec2) &&
+- ((bfn1 == bfn2) || ((bfn1+1) == bfn2));
++ return bfn1 + PFN_DOWN(vec1->bv_offset + vec1->bv_len) == bfn2;
+ #else
+ /*
+ * XXX: Add support for merging bio_vec when using different page
diff --git a/debian/patches/bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch b/debian/patches/bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch
new file mode 100644
index 0000000..c1ea614
--- /dev/null
+++ b/debian/patches/bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch
@@ -0,0 +1,67 @@
+From: Richard Wareing <rwareing at fb.com>
+Date: Wed, 13 Sep 2017 09:09:35 +1000
+Subject: xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
+Origin: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-14340
+
+If using a kernel with CONFIG_XFS_RT=y and we set the RHINHERIT flag on
+a directory in a filesystem that does not have a realtime device and
+create a new file in that directory, it gets marked as a real time file.
+When data is written and a fsync is issued, the filesystem attempts to
+flush a non-existent rt device during the fsync process.
+
+This results in a crash dereferencing a null buftarg pointer in
+xfs_blkdev_issue_flush():
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ IP: xfs_blkdev_issue_flush+0xd/0x20
+ .....
+ Call Trace:
+ xfs_file_fsync+0x188/0x1c0
+ vfs_fsync_range+0x3b/0xa0
+ do_fsync+0x3d/0x70
+ SyS_fsync+0x10/0x20
+ do_syscall_64+0x4d/0xb0
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Setting RT inode flags does not require special privileges so any
+unprivileged user can cause this oops to occur. To reproduce, confirm
+kernel is compiled with CONFIG_XFS_RT=y and run:
+
+ # mkfs.xfs -f /dev/pmem0
+ # mount /dev/pmem0 /mnt/test
+ # mkdir /mnt/test/foo
+ # xfs_io -c 'chattr +t' /mnt/test/foo
+ # xfs_io -f -c 'pwrite 0 5m' -c fsync /mnt/test/foo/bar
+
+Or just run xfstests with MKFS_OPTIONS="-d rtinherit=1" and wait.
+
+Kernels built with CONFIG_XFS_RT=n are not exposed to this bug.
+
+Fixes: f538d4da8d52 ("[XFS] write barrier support")
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Richard Wareing <rwareing at fb.com>
+Signed-off-by: Dave Chinner <david at fromorbit.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/xfs/xfs_linux.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_linux.h
++++ b/fs/xfs/xfs_linux.h
+@@ -363,7 +363,14 @@ static inline __uint64_t howmany_64(__ui
+ #endif /* DEBUG */
+
+ #ifdef CONFIG_XFS_RT
+-#define XFS_IS_REALTIME_INODE(ip) ((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME)
++
++/*
++ * make sure we ignore the inode flag if the filesystem doesn't have a
++ * configured realtime device.
++ */
++#define XFS_IS_REALTIME_INODE(ip) \
++ (((ip)->i_d.di_flags & XFS_DIFLAG_REALTIME) && \
++ (ip)->i_mount->m_rtdev_targp)
+ #else
+ #define XFS_IS_REALTIME_INODE(ip) (0)
+ #endif
diff --git a/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
new file mode 100644
index 0000000..9e6984e
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
@@ -0,0 +1,34 @@
+From: Jim Mattson <jmattson at google.com>
+Date: Tue, 12 Sep 2017 13:02:54 -0700
+Subject: kvm: nVMX: Don't allow L2 to access the hardware CR8
+Origin: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-12154
+
+If L1 does not specify the "use TPR shadow" VM-execution control in
+vmcs12, then L0 must specify the "CR8-load exiting" and "CR8-store
+exiting" VM-execution controls in vmcs02. Failure to do so will give
+the L2 VM unrestricted read/write access to the hardware CR8.
+
+This fixes CVE-2017-12154.
+
+Signed-off-by: Jim Mattson <jmattson at google.com>
+Reviewed-by: David Hildenbrand <david at redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/vmx.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9992,6 +9992,11 @@ static void prepare_vmcs02(struct kvm_vc
+ vmcs_write64(VIRTUAL_APIC_PAGE_ADDR,
+ page_to_phys(vmx->nested.virtual_apic_page));
+ vmcs_write32(TPR_THRESHOLD, vmcs12->tpr_threshold);
++ } else {
++#ifdef CONFIG_X86_64
++ exec_control |= CPU_BASED_CR8_LOAD_EXITING |
++ CPU_BASED_CR8_STORE_EXITING;
++#endif
+ }
+
+ if (cpu_has_vmx_msr_bitmap() &&
diff --git a/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
new file mode 100644
index 0000000..6dea72e
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
@@ -0,0 +1,52 @@
+From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= <jschoenh at amazon.de>
+Date: Thu, 7 Sep 2017 19:02:30 +0100
+Subject: KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000252
+
+The value of the guest_irq argument to vmx_update_pi_irte() is
+ultimately coming from a KVM_IRQFD API call. Do not BUG() in
+vmx_update_pi_irte() if the value is out-of bounds. (Especially,
+since KVM as a whole seems to hang after that.)
+
+Instead, print a message only once if we find that we don't have a
+route for a certain IRQ (which can be out-of-bounds or within the
+array).
+
+This fixes CVE-2017-1000252.
+
+Fixes: efc644048ecde54 ("KVM: x86: Update IRTE for posted-interrupts")
+Signed-off-by: Jan H. Schönherr <jschoenh at amazon.de>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+---
+ arch/x86/kvm/vmx.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -11159,7 +11159,7 @@ static int vmx_update_pi_irte(struct kvm
+ struct kvm_lapic_irq irq;
+ struct kvm_vcpu *vcpu;
+ struct vcpu_data vcpu_info;
+- int idx, ret = -EINVAL;
++ int idx, ret = 0;
+
+ if (!kvm_arch_has_assigned_device(kvm) ||
+ !irq_remapping_cap(IRQ_POSTING_CAP) ||
+@@ -11168,7 +11168,12 @@ static int vmx_update_pi_irte(struct kvm
+
+ idx = srcu_read_lock(&kvm->irq_srcu);
+ irq_rt = srcu_dereference(kvm->irq_routing, &kvm->irq_srcu);
+- BUG_ON(guest_irq >= irq_rt->nr_rt_entries);
++ if (guest_irq >= irq_rt->nr_rt_entries ||
++ hlist_empty(&irq_rt->map[guest_irq])) {
++ pr_warn_once("no route for guest_irq %u/%u (broken user space?)\n",
++ guest_irq, irq_rt->nr_rt_entries);
++ goto out;
++ }
+
+ hlist_for_each_entry(e, &irq_rt->map[guest_irq], link) {
+ if (e->type != KVM_IRQ_ROUTING_MSI)
diff --git a/debian/patches/series b/debian/patches/series
index 542c385..2f6589f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -140,6 +140,20 @@ bugfix/all/xfrm-policy-check-policy-direction-value.patch
bugfix/all/packet-fix-tp_reserve-race-in-packet_set_ring.patch
bugfix/all/ipv6-should-use-consistent-conditional-judgement-for.patch
bugfix/all/udp-consistently-apply-ufo-or-fragmentation.patch
+bugfix/all/sctp-Avoid-out-of-bounds-reads-from-address-storage.patch
+bugfix/all/xen-fix-bio-vec-merging.patch
+bugfix/all/driver-core-platform-fix-race-condition-with-driver_.patch
+bugfix/all/nl80211-check-for-the-required-netlink-attributes-presence.patch
+bugfix/x86/kvm-nvmx-don-t-allow-l2-to-access-the-hardware-cr8.patch
+bugfix/all/scsi-qla2xxx-fix-an-integer-overflow-in-sysfs-code.patch
+bugfix/all/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
+bugfix/all/sanitize-move_pages-permission-checks.patch
+bugfix/all/video-fbdev-aty-do-not-leak-uninitialized-padding-in.patch
+bugfix/all/xfs-XFS_IS_REALTIME_INODE-should-be-false-if-no-rt-d.patch
+bugfix/all/scsi-fix-the-issue-that-iscsi_if_rx-doesn-t-parse-nlmsg-properly.patch
+bugfix/all/packet-don-t-write-vnet-header-beyond-end-of-buffer.patch
+bugfix/all/bluetooth-properly-check-l2cap-config-option-output-.patch
+bugfix/x86/kvm-vmx-do-not-bug-on-out-of-bounds-guest-irq.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list