[linux] 01/03: Add various security fixes
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Fri Jan 5 16:48:00 UTC 2018
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch jessie-security
in repository linux.
commit 7d55fcdc0e6af74bd48b6444e79d2f40a6568605
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Fri Jan 5 16:37:52 2018 +0000
Add various security fixes
---
debian/changelog | 31 ++++
...nep-bnep_add_connection-should-verify-tha.patch | 28 ++++
...mtp-cmtp_add_connection-should-verify-tha.patch | 28 ++++
...vent-stack-info-leak-from-the-efs-element.patch | 48 +++++++
...-require-that-the-underlying-hash-algorit.patch | 148 +++++++++++++++++++
...ypto-salsa20-fix-blkcipher_walk-API-usage.patch | 88 ++++++++++++
...cve-2017-8824-use-after-free-in-dccp-code.patch | 38 +++++
.../ipsec-fix-aborted-xfrm-policy-dump-crash.patch | 41 ++++++
...ssing-permission-check-for-request_key-de.patch | 158 +++++++++++++++++++++
...ix-stack-out-of-bounds-read-in-write_mmio.patch | 150 +++++++++++++++++++
...sb-v2-lmedm04-Improve-logic-checking-of-w.patch | 83 +++++++++++
...sb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch | 67 +++++++++
...fnetlink_cthelper-add-missing-permission-.patch | 76 ++++++++++
...lter-xt_osf-add-missing-permission-checks.patch | 58 ++++++++
.../all/netlink-add-netns-check-on-taps.patch | 41 ++++++
...prevent-malicious-bnuminterfaces-overflow.patch | 46 ++++++
...emove-i-o-port-0x80-bypass-on-intel-hosts.patch | 46 ++++++
.../crypto-fix-abi-change-in-3.16.7-ckt25.patch | 23 +--
debian/patches/series | 16 +++
19 files changed, 1195 insertions(+), 19 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b0670ab..8c4bf54 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,34 @@
+linux (3.16.51-3+deb8u1) UNRELEASED; urgency=high
+
+ * dccp: CVE-2017-8824: use-after-free in DCCP code
+ * Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with
+ l2cap socket
+ * Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with
+ l2cap socket (CVE-2017-15868)
+ * media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
+ (CVE-2017-16538)
+ * media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
+ (CVE-2017-16538)
+ * ipsec: Fix aborted xfrm policy dump crash (CVE-2017-16939)
+ * netfilter: nfnetlink_cthelper: Add missing permission checks
+ (CVE-2017-17448)
+ * netlink: Add netns check on taps (CVE-2017-17449)
+ * netfilter: xt_osf: Add missing permission checks (CVE-2017-17450)
+ * USB: core: prevent malicious bNumInterfaces overflow (CVE-2017-17558)
+ * [armhf,arm64,x86] KVM: Fix stack-out-of-bounds read in write_mmio
+ (CVE-2017-17741)
+ * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
+ * crypto: hmac - require that the underlying hash algorithm is unkeyed
+ (CVE-2017-17806)
+ * KEYS: add missing permission check for request_key() destination
+ (CVE-2017-17807)
+ * [x86] KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+ (CVE-2017-1000407)
+ * bluetooth: Prevent stack info leak from the EFS element.
+ (CVE-2017-1000410)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Fri, 05 Jan 2018 16:12:55 +0000
+
linux (3.16.51-3) jessie; urgency=medium
* sched/topology: Add missing pieces of the fixes included in 3.16.49
diff --git a/debian/patches/bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch b/debian/patches/bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch
new file mode 100644
index 0000000..2969b5a
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch
@@ -0,0 +1,28 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 19 Dec 2014 06:20:59 +0000
+Subject: Bluetooth: bnep: bnep_add_connection() should verify that it's
+ dealing with l2cap socket
+Origin: https://git.kernel.org/linus/71bb99a02b32b4cc4265118e85f6035ca72923f0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-15868
+
+same story as cmtp
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+[bwh: Backported to 3.2: adjust context]
+---
+ net/bluetooth/bnep/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/bnep/core.c
++++ b/net/bluetooth/bnep/core.c
+@@ -533,6 +533,9 @@ int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
+
+ BT_DBG("");
+
++ if (!l2cap_is_socket(sock))
++ return -EBADFD;
++
+ baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst);
+ baswap((void *) src, &l2cap_pi(sock->sk)->chan->src);
+
diff --git a/debian/patches/bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch b/debian/patches/bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch
new file mode 100644
index 0000000..d93e170
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch
@@ -0,0 +1,28 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Fri, 19 Dec 2014 06:20:58 +0000
+Subject: Bluetooth: cmtp: cmtp_add_connection() should verify that it's
+ dealing with l2cap socket
+Origin: https://git.kernel.org/linus/96c26653ce65bf84f3212f8b00d4316c1efcbf4c
+
+... rather than relying on ciptool(8) never passing it anything else. Give
+it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
+trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+ net/bluetooth/cmtp/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/cmtp/core.c
++++ b/net/bluetooth/cmtp/core.c
+@@ -334,6 +334,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
+
+ BT_DBG("");
+
++ if (!l2cap_is_socket(sock))
++ return -EBADFD;
++
+ session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
+ if (!session)
+ return -ENOMEM;
diff --git a/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
new file mode 100644
index 0000000..5220481
--- /dev/null
+++ b/debian/patches/bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
@@ -0,0 +1,48 @@
+From: Ben Seri <ben at armis.com>
+Date: Mon, 04 Dec 2017 14:13:25 +0000
+Subject: bluetooth: Prevent stack info leak from the EFS element.
+Origin: http://www.openwall.com/lists/oss-security/2017/12/06/3
+Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-1000410
+
+Signed-off-by: Ben Seri <ben at armis.com>
+---
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -3349,9 +3349,10 @@ static int l2cap_parse_conf_req(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- remote_efs = 1;
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
++ remote_efs = 1;
+ memcpy(&efs, (void *) val, olen);
++ }
+ break;
+
+ case L2CAP_CONF_EWS:
+@@ -3570,16 +3571,17 @@ static int l2cap_parse_conf_rsp(struct l
+ break;
+
+ case L2CAP_CONF_EFS:
+- if (olen == sizeof(efs))
++ if (olen == sizeof(efs)) {
+ memcpy(&efs, (void *)val, olen);
+
+- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != L2CAP_SERV_NOTRAFIC &&
+- efs.stype != chan->local_stype)
+- return -ECONNREFUSED;
++ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != L2CAP_SERV_NOTRAFIC &&
++ efs.stype != chan->local_stype)
++ return -ECONNREFUSED;
+
+- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+- (unsigned long) &efs, endptr - ptr);
++ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
++ (unsigned long) &efs, endptr - ptr);
++ }
+ break;
+
+ case L2CAP_CONF_FCS:
diff --git a/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch b/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
new file mode 100644
index 0000000..0a916d6
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
@@ -0,0 +1,148 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Tue, 28 Nov 2017 18:01:38 -0800
+Subject: crypto: hmac - require that the underlying hash algorithm is unkeyed
+Origin: https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17806
+
+Because the HMAC template didn't check that its underlying hash
+algorithm is unkeyed, trying to use "hmac(hmac(sha3-512-generic))"
+through AF_ALG or through KEYCTL_DH_COMPUTE resulted in the inner HMAC
+being used without having been keyed, resulting in sha3_update() being
+called without sha3_init(), causing a stack buffer overflow.
+
+This is a very old bug, but it seems to have only started causing real
+problems when SHA-3 support was added (requires CONFIG_CRYPTO_SHA3)
+because the innermost hash's state is ->import()ed from a zeroed buffer,
+and it just so happens that other hash algorithms are fine with that,
+but SHA-3 is not. However, there could be arch or hardware-dependent
+hash algorithms also affected; I couldn't test everything.
+
+Fix the bug by introducing a function crypto_shash_alg_has_setkey()
+which tests whether a shash algorithm is keyed. Then update the HMAC
+template to require that its underlying hash algorithm is unkeyed.
+
+Here is a reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+
+ int main()
+ {
+ int algfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "hash",
+ .salg_name = "hmac(hmac(sha3-512-generic))",
+ };
+ char key[4096] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (const struct sockaddr *)&addr, sizeof(addr));
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ }
+
+Here was the KASAN report from syzbot:
+
+ BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:341 [inline]
+ BUG: KASAN: stack-out-of-bounds in sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
+ Write of size 4096 at addr ffff8801cca07c40 by task syzkaller076574/3044
+
+ CPU: 1 PID: 3044 Comm: syzkaller076574 Not tainted 4.14.0-mm1+ #25
+ Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x194/0x257 lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:252
+ kasan_report_error mm/kasan/report.c:351 [inline]
+ kasan_report+0x25b/0x340 mm/kasan/report.c:409
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ memcpy+0x37/0x50 mm/kasan/kasan.c:303
+ memcpy include/linux/string.h:341 [inline]
+ sha3_update+0xdf/0x2e0 crypto/sha3_generic.c:161
+ crypto_shash_update+0xcb/0x220 crypto/shash.c:109
+ shash_finup_unaligned+0x2a/0x60 crypto/shash.c:151
+ crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
+ hmac_finup+0x182/0x330 crypto/hmac.c:152
+ crypto_shash_finup+0xc4/0x120 crypto/shash.c:165
+ shash_digest_unaligned+0x9e/0xd0 crypto/shash.c:172
+ crypto_shash_digest+0xc4/0x120 crypto/shash.c:186
+ hmac_setkey+0x36a/0x690 crypto/hmac.c:66
+ crypto_shash_setkey+0xad/0x190 crypto/shash.c:64
+ shash_async_setkey+0x47/0x60 crypto/shash.c:207
+ crypto_ahash_setkey+0xaf/0x180 crypto/ahash.c:200
+ hash_setkey+0x40/0x90 crypto/algif_hash.c:446
+ alg_setkey crypto/af_alg.c:221 [inline]
+ alg_setsockopt+0x2a1/0x350 crypto/af_alg.c:254
+ SYSC_setsockopt net/socket.c:1851 [inline]
+ SyS_setsockopt+0x189/0x360 net/socket.c:1830
+ entry_SYSCALL_64_fastpath+0x1f/0x96
+
+Reported-by: syzbot <syzkaller at googlegroups.com>
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ crypto/hmac.c | 6 +++++-
+ crypto/shash.c | 5 +++--
+ include/crypto/internal/hash.h | 8 ++++++++
+ 3 files changed, 16 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/hmac.c b/crypto/hmac.c
+index ade790b454e9..758688b4bc6b 100644
+--- a/crypto/hmac.c
++++ b/crypto/hmac.c
+@@ -197,11 +197,15 @@ static int hmac_create(struct crypto_template *tmpl, struct rtattr **tb)
+ salg = shash_attr_alg(tb[1], 0, 0);
+ if (IS_ERR(salg))
+ return PTR_ERR(salg);
++ alg = &salg->base;
+
++ /* The underlying hash algorithm must be unkeyed */
+ err = -EINVAL;
++ if (crypto_shash_alg_has_setkey(salg))
++ goto out_put_alg;
++
+ ds = salg->digestsize;
+ ss = salg->statesize;
+- alg = &salg->base;
+ if (ds > alg->cra_blocksize ||
+ ss < alg->cra_blocksize)
+ goto out_put_alg;
+diff --git a/crypto/shash.c b/crypto/shash.c
+index 17510eaf0a36..73c065321867 100644
+--- a/crypto/shash.c
++++ b/crypto/shash.c
+@@ -24,11 +24,12 @@
+
+ static const struct crypto_type crypto_shash_type;
+
+-static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+- unsigned int keylen)
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen)
+ {
+ return -ENOSYS;
+ }
++EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+ static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
+ unsigned int keylen)
+diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
+index 66fc42c57aff..27f5fa488ad0 100644
+--- a/include/crypto/internal/hash.h
++++ b/include/crypto/internal/hash.h
+@@ -83,6 +83,14 @@ int ahash_register_instance(struct crypto_template *tmpl,
+ struct ahash_instance *inst);
+ void ahash_free_instance(struct crypto_instance *inst);
+
++int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
++ unsigned int keylen);
++
++static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
++{
++ return alg->setkey != shash_no_setkey;
++}
++
+ int crypto_init_ahash_spawn(struct crypto_ahash_spawn *spawn,
+ struct hash_alg_common *alg,
+ struct crypto_instance *inst);
diff --git a/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
new file mode 100644
index 0000000..019634f
--- /dev/null
+++ b/debian/patches/bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
@@ -0,0 +1,88 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Tue, 28 Nov 2017 20:56:59 -0800
+Subject: crypto: salsa20 - fix blkcipher_walk API usage
+Origin: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17805
+
+When asked to encrypt or decrypt 0 bytes, both the generic and x86
+implementations of Salsa20 crash in blkcipher_walk_done(), either when
+doing 'kfree(walk->buffer)' or 'free_page((unsigned long)walk->page)',
+because walk->buffer and walk->page have not been initialized.
+
+The bug is that Salsa20 is calling blkcipher_walk_done() even when
+nothing is in 'walk.nbytes'. But blkcipher_walk_done() is only meant to
+be called when a nonzero number of bytes have been provided.
+
+The broken code is part of an optimization that tries to make only one
+call to salsa20_encrypt_bytes() to process inputs that are not evenly
+divisible by 64 bytes. To fix the bug, just remove this "optimization"
+and use the blkcipher_walk API the same way all the other users do.
+
+Reproducer:
+
+ #include <linux/if_alg.h>
+ #include <sys/socket.h>
+ #include <unistd.h>
+
+ int main()
+ {
+ int algfd, reqfd;
+ struct sockaddr_alg addr = {
+ .salg_type = "skcipher",
+ .salg_name = "salsa20",
+ };
+ char key[16] = { 0 };
+
+ algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
+ bind(algfd, (void *)&addr, sizeof(addr));
+ reqfd = accept(algfd, 0, 0);
+ setsockopt(algfd, SOL_ALG, ALG_SET_KEY, key, sizeof(key));
+ read(reqfd, key, sizeof(key));
+ }
+
+Reported-by: syzbot <syzkaller at googlegroups.com>
+Fixes: eb6f13eb9f81 ("[CRYPTO] salsa20_generic: Fix multi-page processing")
+Cc: <stable at vger.kernel.org> # v2.6.25+
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+---
+ arch/x86/crypto/salsa20_glue.c | 7 -------
+ crypto/salsa20_generic.c | 7 -------
+ 2 files changed, 14 deletions(-)
+
+diff --git a/arch/x86/crypto/salsa20_glue.c b/arch/x86/crypto/salsa20_glue.c
+index 399a29d067d6..cb91a64a99e7 100644
+--- a/arch/x86/crypto/salsa20_glue.c
++++ b/arch/x86/crypto/salsa20_glue.c
+@@ -59,13 +59,6 @@ static int encrypt(struct blkcipher_desc *desc,
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+- walk.dst.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.src.virt.addr,
+ walk.dst.virt.addr,
+diff --git a/crypto/salsa20_generic.c b/crypto/salsa20_generic.c
+index f550b5d94630..d7da0eea5622 100644
+--- a/crypto/salsa20_generic.c
++++ b/crypto/salsa20_generic.c
+@@ -188,13 +188,6 @@ static int encrypt(struct blkcipher_desc *desc,
+
+ salsa20_ivsetup(ctx, walk.iv);
+
+- if (likely(walk.nbytes == nbytes))
+- {
+- salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+- walk.src.virt.addr, nbytes);
+- return blkcipher_walk_done(desc, &walk, 0);
+- }
+-
+ while (walk.nbytes >= 64) {
+ salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
+ walk.src.virt.addr,
diff --git a/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
new file mode 100644
index 0000000..88b0ba6
--- /dev/null
+++ b/debian/patches/bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
@@ -0,0 +1,38 @@
+From: Mohamed Ghannam <simo.ghannam at gmail.com>
+Date: Tue, 5 Dec 2017 20:58:35 +0000
+Subject: dccp: CVE-2017-8824: use-after-free in DCCP code
+Origin: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-8824
+
+Whenever the sock object is in DCCP_CLOSED state,
+dccp_disconnect() must free dccps_hc_tx_ccid and
+dccps_hc_rx_ccid and set to NULL.
+
+Signed-off-by: Mohamed Ghannam <simo.ghannam at gmail.com>
+Reviewed-by: Eric Dumazet <edumazet at google.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/dccp/proto.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/dccp/proto.c
++++ b/net/dccp/proto.c
+@@ -252,6 +252,7 @@ int dccp_disconnect(struct sock *sk, int
+ {
+ struct inet_connection_sock *icsk = inet_csk(sk);
+ struct inet_sock *inet = inet_sk(sk);
++ struct dccp_sock *dp = dccp_sk(sk);
+ int err = 0;
+ const int old_state = sk->sk_state;
+
+@@ -271,6 +272,10 @@ int dccp_disconnect(struct sock *sk, int
+ sk->sk_err = ECONNRESET;
+
+ dccp_clear_xmit_timers(sk);
++ ccid_hc_rx_delete(dp->dccps_hc_rx_ccid, sk);
++ ccid_hc_tx_delete(dp->dccps_hc_tx_ccid, sk);
++ dp->dccps_hc_rx_ccid = NULL;
++ dp->dccps_hc_tx_ccid = NULL;
+
+ __skb_queue_purge(&sk->sk_receive_queue);
+ __skb_queue_purge(&sk->sk_write_queue);
diff --git a/debian/patches/bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch b/debian/patches/bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
new file mode 100644
index 0000000..015a7f2
--- /dev/null
+++ b/debian/patches/bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 09 Dec 2017 19:24:58 +0000
+Subject: ipsec: Fix aborted xfrm policy dump crash
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16939
+
+This is a fix for CVE-2017-16939 suitable for older stable branches.
+The upstream fix is commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2,
+from which the following explanation is taken:
+
+ An independent security researcher, Mohamed Ghannam, has reported
+ this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
+ program.
+
+ The xfrm_dump_policy_done function expects xfrm_dump_policy to
+ have been called at least once or it will crash. This can be
+ triggered if a dump fails because the target socket's receive
+ buffer is full.
+
+It was not possible to define a 'start' callback for netlink dumps
+until Linux 4.5, so instead add a check for the initialisation flag in
+the 'done' callback.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/xfrm/xfrm_user.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
+index c28716452211..316c27f70560 100644
+--- a/net/xfrm/xfrm_user.c
++++ b/net/xfrm/xfrm_user.c
+@@ -1570,7 +1570,8 @@ static int xfrm_dump_policy_done(struct netlink_callback *cb)
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct net *net = sock_net(cb->skb->sk);
+
+- xfrm_policy_walk_done(walk, net);
++ if (cb->args[0])
++ xfrm_policy_walk_done(walk, net);
+ return 0;
+ }
+
diff --git a/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch b/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
new file mode 100644
index 0000000..d918dca
--- /dev/null
+++ b/debian/patches/bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
@@ -0,0 +1,158 @@
+From: Eric Biggers <ebiggers at google.com>
+Date: Fri, 8 Dec 2017 15:13:27 +0000
+Subject: KEYS: add missing permission check for request_key() destination
+Origin: https://git.kernel.org/linus/4dca6ea1d9432052afb06baf2e3ae78188a4410b
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17807
+
+When the request_key() syscall is not passed a destination keyring, it
+links the requested key (if constructed) into the "default" request-key
+keyring. This should require Write permission to the keyring. However,
+there is actually no permission check.
+
+This can be abused to add keys to any keyring to which only Search
+permission is granted. This is because Search permission allows joining
+the keyring. keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_SESSION_KEYRING)
+then will set the default request-key keyring to the session keyring.
+Then, request_key() can be used to add keys to the keyring.
+
+Both negatively and positively instantiated keys can be added using this
+method. Adding negative keys is trivial. Adding a positive key is a
+bit trickier. It requires that either /sbin/request-key positively
+instantiates the key, or that another thread adds the key to the process
+keyring at just the right time, such that request_key() misses it
+initially but then finds it in construct_alloc_key().
+
+Fix this bug by checking for Write permission to the keyring in
+construct_get_dest_keyring() when the default keyring is being used.
+
+We don't do the permission check for non-default keyrings because that
+was already done by the earlier call to lookup_user_key(). Also,
+request_key_and_link() is currently passed a 'struct key *' rather than
+a key_ref_t, so the "possessed" bit is unavailable.
+
+We also don't do the permission check for the "requestor keyring", to
+continue to support the use case described by commit 8bbf4976b59f
+("KEYS: Alter use of key instantiation link-to-keyring argument") where
+/sbin/request-key recursively calls request_key() to add keys to the
+original requestor's destination keyring. (I don't know of any users
+who actually do that, though...)
+
+Fixes: 3e30148c3d52 ("[PATCH] Keys: Make request-key create an authorisation key")
+Signed-off-by: Eric Biggers <ebiggers at google.com>
+Signed-off-by: David Howells <dhowells at redhat.com>
+[bwh: Backported to 3.16: adjust context]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ security/keys/request_key.c | 46 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 37 insertions(+), 9 deletions(-)
+
+diff --git a/security/keys/request_key.c b/security/keys/request_key.c
+index 9ea60a7bac78..c120a393ff2d 100644
+--- a/security/keys/request_key.c
++++ b/security/keys/request_key.c
+@@ -268,11 +268,12 @@ static int construct_key(struct key *key, const void *callout_info,
+ * The keyring selected is returned with an extra reference upon it which the
+ * caller must release.
+ */
+-static void construct_get_dest_keyring(struct key **_dest_keyring)
++static int construct_get_dest_keyring(struct key **_dest_keyring)
+ {
+ struct request_key_auth *rka;
+ const struct cred *cred = current_cred();
+ struct key *dest_keyring = *_dest_keyring, *authkey;
++ int ret;
+
+ kenter("%p", dest_keyring);
+
+@@ -281,6 +282,8 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
+ /* the caller supplied one */
+ key_get(dest_keyring);
+ } else {
++ bool do_perm_check = true;
++
+ /* use a default keyring; falling through the cases until we
+ * find one that we actually have */
+ switch (cred->jit_keyring) {
+@@ -295,8 +298,10 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
+ dest_keyring =
+ key_get(rka->dest_keyring);
+ up_read(&authkey->sem);
+- if (dest_keyring)
++ if (dest_keyring) {
++ do_perm_check = false;
+ break;
++ }
+ }
+
+ case KEY_REQKEY_DEFL_THREAD_KEYRING:
+@@ -331,11 +336,29 @@ static void construct_get_dest_keyring(struct key **_dest_keyring)
+ default:
+ BUG();
+ }
++
++ /*
++ * Require Write permission on the keyring. This is essential
++ * because the default keyring may be the session keyring, and
++ * joining a keyring only requires Search permission.
++ *
++ * However, this check is skipped for the "requestor keyring" so
++ * that /sbin/request-key can itself use request_key() to add
++ * keys to the original requestor's destination keyring.
++ */
++ if (dest_keyring && do_perm_check) {
++ ret = key_permission(make_key_ref(dest_keyring, 1),
++ KEY_NEED_WRITE);
++ if (ret) {
++ key_put(dest_keyring);
++ return ret;
++ }
++ }
+ }
+
+ *_dest_keyring = dest_keyring;
+ kleave(" [dk %d]", key_serial(dest_keyring));
+- return;
++ return 0;
+ }
+
+ /*
+@@ -460,11 +483,15 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+ if (ctx->index_key.type == &key_type_keyring)
+ return ERR_PTR(-EPERM);
+
+- user = key_user_lookup(current_fsuid());
+- if (!user)
+- return ERR_PTR(-ENOMEM);
++ ret = construct_get_dest_keyring(&dest_keyring);
++ if (ret)
++ goto error;
+
+- construct_get_dest_keyring(&dest_keyring);
++ user = key_user_lookup(current_fsuid());
++ if (!user) {
++ ret = -ENOMEM;
++ goto error_put_dest_keyring;
++ }
+
+ ret = construct_alloc_key(ctx, dest_keyring, flags, user, &key);
+ key_user_put(user);
+@@ -479,7 +506,7 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+ } else if (ret == -EINPROGRESS) {
+ ret = 0;
+ } else {
+- goto couldnt_alloc_key;
++ goto error_put_dest_keyring;
+ }
+
+ key_put(dest_keyring);
+@@ -489,8 +516,9 @@ static struct key *construct_key_and_link(struct keyring_search_context *ctx,
+ construction_failed:
+ key_negate_and_link(key, key_negative_timeout, NULL, NULL);
+ key_put(key);
+-couldnt_alloc_key:
++error_put_dest_keyring:
+ key_put(dest_keyring);
++error:
+ kleave(" = %d", ret);
+ return ERR_PTR(ret);
+ }
diff --git a/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
new file mode 100644
index 0000000..e9a0be6
--- /dev/null
+++ b/debian/patches/bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
@@ -0,0 +1,150 @@
+From: Wanpeng Li <wanpeng.li at hotmail.com>
+Date: Thu, 14 Dec 2017 17:40:50 -0800
+Subject: KVM: Fix stack-out-of-bounds read in write_mmio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit?id=e39d200fa5bf5b94a0948db0dae44c1b73b84a56
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17741
+
+Reported by syzkaller:
+
+ BUG: KASAN: stack-out-of-bounds in write_mmio+0x11e/0x270 [kvm]
+ Read of size 8 at addr ffff8803259df7f8 by task syz-executor/32298
+
+ CPU: 6 PID: 32298 Comm: syz-executor Tainted: G OE 4.15.0-rc2+ #18
+ Hardware name: LENOVO ThinkCentre M8500t-N000/SHARKBAY, BIOS FBKTC1AUS 02/16/2016
+ Call Trace:
+ dump_stack+0xab/0xe1
+ print_address_description+0x6b/0x290
+ kasan_report+0x28a/0x370
+ write_mmio+0x11e/0x270 [kvm]
+ emulator_read_write_onepage+0x311/0x600 [kvm]
+ emulator_read_write+0xef/0x240 [kvm]
+ emulator_fix_hypercall+0x105/0x150 [kvm]
+ em_hypercall+0x2b/0x80 [kvm]
+ x86_emulate_insn+0x2b1/0x1640 [kvm]
+ x86_emulate_instruction+0x39a/0xb90 [kvm]
+ handle_exception+0x1b4/0x4d0 [kvm_intel]
+ vcpu_enter_guest+0x15a0/0x2640 [kvm]
+ kvm_arch_vcpu_ioctl_run+0x549/0x7d0 [kvm]
+ kvm_vcpu_ioctl+0x479/0x880 [kvm]
+ do_vfs_ioctl+0x142/0x9a0
+ SyS_ioctl+0x74/0x80
+ entry_SYSCALL_64_fastpath+0x23/0x9a
+
+The path of patched vmmcall will patch 3 bytes opcode 0F 01 C1(vmcall)
+to the guest memory, however, write_mmio tracepoint always prints 8 bytes
+through *(u64 *)val since kvm splits the mmio access into 8 bytes. This
+leaks 5 bytes from the kernel stack (CVE-2017-17741). This patch fixes
+it by just accessing the bytes which we operate on.
+
+Before patch:
+
+syz-executor-5567 [007] .... 51370.561696: kvm_mmio: mmio write len 3 gpa 0x10 val 0x1ffff10077c1010f
+
+After patch:
+
+syz-executor-13416 [002] .... 51302.299573: kvm_mmio: mmio write len 3 gpa 0x10 val 0xc1010f
+
+Reported-by: Dmitry Vyukov <dvyukov at google.com>
+Reviewed-by: Darren Kenny <darren.kenny at oracle.com>
+Reviewed-by: Marc Zyngier <marc.zyngier at arm.com>
+Tested-by: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Paolo Bonzini <pbonzini at redhat.com>
+Cc: Radim Krčmář <rkrcmar at redhat.com>
+Cc: Marc Zyngier <marc.zyngier at arm.com>
+Cc: Christoffer Dall <christoffer.dall at linaro.org>
+Signed-off-by: Wanpeng Li <wanpeng.li at hotmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
+[bwh: Backported to 3.16:
+ - ARM implementation combines the KVM_TRACE_MMIO_WRITE and
+ KVM_TRACE_MMIO_READ_UNSATISFIED cases
+ - Adjust filename]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/arm/kvm/mmio.c | 4 ++--
+ arch/x86/kvm/x86.c | 8 ++++----
+ include/trace/events/kvm.h | 7 +++++--
+ 3 files changed, 11 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/kvm/mmio.c
++++ b/arch/arm/kvm/mmio.c
+@@ -113,7 +113,7 @@ int kvm_handle_mmio_return(struct kvm_vc
+ }
+
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, len, run->mmio.phys_addr,
+- data);
++ &data);
+ data = vcpu_data_host_to_guest(vcpu, data, len);
+ *vcpu_reg(vcpu, vcpu->arch.mmio_decode.rt) = data;
+ }
+@@ -192,7 +192,7 @@ int io_mem_abort(struct kvm_vcpu *vcpu,
+ trace_kvm_mmio((mmio.is_write) ? KVM_TRACE_MMIO_WRITE :
+ KVM_TRACE_MMIO_READ_UNSATISFIED,
+ mmio.len, fault_ipa,
+- (mmio.is_write) ? data : 0);
++ (mmio.is_write) ? &data : NULL);
+
+ if (mmio.is_write)
+ mmio_write_buf(mmio.data, mmio.len, data);
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -4066,7 +4066,7 @@ static int vcpu_mmio_read(struct kvm_vcp
+ !kvm_iodevice_read(&vcpu->arch.apic->dev, addr, n, v))
+ && kvm_io_bus_read(vcpu->kvm, KVM_MMIO_BUS, addr, n, v))
+ break;
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, *(u64 *)v);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ, n, addr, v);
+ handled += n;
+ addr += n;
+ len -= n;
+@@ -4290,7 +4290,7 @@ static int read_prepare(struct kvm_vcpu
+ {
+ if (vcpu->mmio_read_completed) {
+ trace_kvm_mmio(KVM_TRACE_MMIO_READ, bytes,
+- vcpu->mmio_fragments[0].gpa, *(u64 *)val);
++ vcpu->mmio_fragments[0].gpa, val);
+ vcpu->mmio_read_completed = 0;
+ return 1;
+ }
+@@ -4312,14 +4312,14 @@ static int write_emulate(struct kvm_vcpu
+
+ static int write_mmio(struct kvm_vcpu *vcpu, gpa_t gpa, int bytes, void *val)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, *(u64 *)val);
++ trace_kvm_mmio(KVM_TRACE_MMIO_WRITE, bytes, gpa, val);
+ return vcpu_mmio_write(vcpu, gpa, bytes, val);
+ }
+
+ static int read_exit_mmio(struct kvm_vcpu *vcpu, gpa_t gpa,
+ void *val, int bytes)
+ {
+- trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, 0);
++ trace_kvm_mmio(KVM_TRACE_MMIO_READ_UNSATISFIED, bytes, gpa, NULL);
+ return X86EMUL_IO_NEEDED;
+ }
+
+--- a/include/trace/events/kvm.h
++++ b/include/trace/events/kvm.h
+@@ -163,7 +163,7 @@ TRACE_EVENT(kvm_ack_irq,
+ { KVM_TRACE_MMIO_WRITE, "write" }
+
+ TRACE_EVENT(kvm_mmio,
+- TP_PROTO(int type, int len, u64 gpa, u64 val),
++ TP_PROTO(int type, int len, u64 gpa, void *val),
+ TP_ARGS(type, len, gpa, val),
+
+ TP_STRUCT__entry(
+@@ -177,7 +177,10 @@ TRACE_EVENT(kvm_mmio,
+ __entry->type = type;
+ __entry->len = len;
+ __entry->gpa = gpa;
+- __entry->val = val;
++ __entry->val = 0;
++ if (val)
++ memcpy(&__entry->val, val,
++ min_t(u32, sizeof(__entry->val), len));
+ ),
+
+ TP_printk("mmio %s len %u gpa 0x%llx val 0x%llx",
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
new file mode 100644
index 0000000..b95b663
--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
@@ -0,0 +1,83 @@
+From: Malcolm Priestley <tvboxspy at gmail.com>
+Date: Tue, 26 Sep 2017 17:10:20 -0400
+Subject: [1/2] media: dvb-usb-v2: lmedm04: Improve logic checking of warm
+ start
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=3d932ee27e852e4904647f15b64dedca51187ad7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+Warm start has no check as whether a genuine device has
+connected and proceeds to next execution path.
+
+Check device should read 0x47 at offset of 2 on USB descriptor read
+and it is the amount requested of 6 bytes.
+
+Fix for
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access as
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy at gmail.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -434,18 +434,23 @@ static int lme2510_pid_filter(struct dvb
+
+ static int lme2510_return_status(struct dvb_usb_device *d)
+ {
+- int ret = 0;
++ int ret;
+ u8 *data;
+
+- data = kzalloc(10, GFP_KERNEL);
++ data = kzalloc(6, GFP_KERNEL);
+ if (!data)
+ return -ENOMEM;
+
+- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
+- info("Firmware Status: %x (%x)", ret , data[2]);
++ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
++ 0x06, 0x80, 0x0302, 0x00,
++ data, 0x6, 200);
++ if (ret != 6)
++ ret = -EINVAL;
++ else
++ ret = data[2];
++
++ info("Firmware Status: %6ph", data);
+
+- ret = (ret < 0) ? -ENODEV : data[2];
+ kfree(data);
+ return ret;
+ }
+@@ -1228,6 +1233,7 @@ static int lme2510_get_adapter_count(str
+ static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
+ {
+ struct lme2510_state *st = d->priv;
++ int status;
+
+ usb_reset_configuration(d->udev);
+
+@@ -1236,12 +1242,16 @@ static int lme2510_identify_state(struct
+
+ st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
+
+- if (lme2510_return_status(d) == 0x44) {
++ status = lme2510_return_status(d);
++ if (status == 0x44) {
+ *name = lme_firmware_switch(d, 0);
+ return COLD;
+ }
+
+- return 0;
++ if (status != 0x47)
++ return -EINVAL;
++
++ return WARM;
+ }
+
+ static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
diff --git a/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
new file mode 100644
index 0000000..aa04eea
--- /dev/null
+++ b/debian/patches/bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
@@ -0,0 +1,67 @@
+From: Malcolm Priestley <tvboxspy at gmail.com>
+Date: Tue, 26 Sep 2017 17:10:21 -0400
+Subject: [2/2] media: dvb-usb-v2: lmedm04: move ts2020 attach to
+ dm04_lme2510_tuner
+Origin: https://git.linuxtv.org/media_tree.git/commit?id=7bf7a7116ed313c601307f7e585419369926ab05
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16538
+
+When the tuner was split from m88rs2000 the attach function is in wrong
+place.
+
+Move to dm04_lme2510_tuner to trap errors on failure and removing
+a call to lme_coldreset.
+
+Prevents driver starting up without any tuner connected.
+
+Fixes to trap for ts2020 fail.
+LME2510(C): FE Found M88RS2000
+ts2020: probe of 0-0060 failed with error -11
+...
+LME2510(C): TUN Found RS2000 tuner
+kasan: CONFIG_KASAN_INLINE enabled
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Malcolm Priestley <tvboxspy at gmail.com>
+Tested-by: Andrey Konovalov <andreyknvl at google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab at s-opensource.com>
+---
+ drivers/media/usb/dvb-usb-v2/lmedm04.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
++++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
+@@ -1115,8 +1115,6 @@ static int dm04_lme2510_frontend_attach(
+
+ if (adap->fe[0]) {
+ info("FE Found M88RS2000");
+- dvb_attach(ts2020_attach, adap->fe[0], &ts2020_config,
+- &d->i2c_adap);
+ st->i2c_tuner_gate_w = 5;
+ st->i2c_tuner_gate_r = 5;
+ st->i2c_tuner_addr = 0x60;
+@@ -1179,17 +1177,18 @@ static int dm04_lme2510_tuner(struct dvb
+ ret = st->tuner_config;
+ break;
+ case TUNER_RS2000:
+- ret = st->tuner_config;
++ if (dvb_attach(ts2020_attach, adap->fe[0],
++ &ts2020_config, &d->i2c_adap))
++ ret = st->tuner_config;
+ break;
+ default:
+ break;
+ }
+
+- if (ret)
++ if (ret) {
+ info("TUN Found %s tuner", tun_msg[ret]);
+- else {
+- info("TUN No tuner found --- resetting device");
+- lme_coldreset(d);
++ } else {
++ info("TUN No tuner found");
+ return -ENODEV;
+ }
+
diff --git a/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
new file mode 100644
index 0000000..f42919e
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
@@ -0,0 +1,76 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Sun, 3 Dec 2017 12:12:45 -0800
+Subject: netfilter: nfnetlink_cthelper: Add missing permission checks
+Origin: https://git.kernel.org/linus/4b380c42f7d00a395feede754f0bc2292eebe6e5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17448
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, nfnl_cthelper_list is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ $ nfct helper list
+ nfct v1.4.4: netlink error: Operation not permitted
+ $ vpnns -- nfct helper list
+ {
+ .name = ftp,
+ .queuenum = 0,
+ .l3protonum = 2,
+ .l4protonum = 6,
+ .priv_data_len = 24,
+ .status = enabled,
+ };
+
+Add capable() checks in nfnetlink_cthelper, as this is cleaner than
+trying to generalize the solution.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nfnetlink_cthelper.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
+index 54330fb5efaf..17d9c9df3129 100644
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -17,6 +17,7 @@
+ #include <linux/types.h>
+ #include <linux/list.h>
+ #include <linux/errno.h>
++#include <linux/capability.h>
+ #include <net/netlink.h>
+ #include <net/sock.h>
+
+@@ -295,6 +296,9 @@ nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
+ struct nf_conntrack_tuple tuple;
+ int ret = 0, i;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
+ return -EINVAL;
+
+@@ -509,6 +513,9 @@ nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
+ struct nf_conntrack_tuple tuple;
+ bool tuple_set = false;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (nlh->nlmsg_flags & NLM_F_DUMP) {
+ struct netlink_dump_control c = {
+ .dump = nfnl_cthelper_dump_table,
+@@ -581,6 +588,9 @@ nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb,
+ bool tuple_set = false, found = false;
+ int i, j = 0, ret;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (tb[NFCTH_NAME])
+ helper_name = nla_data(tb[NFCTH_NAME]);
+
diff --git a/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
new file mode 100644
index 0000000..aa27f7c
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
@@ -0,0 +1,58 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Tue, 5 Dec 2017 15:42:41 -0800
+Subject: netfilter: xt_osf: Add missing permission checks
+Origin: https://git.kernel.org/linus/916a27901de01446bcf57ecca4783f6cff493309
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17450
+
+The capability check in nfnetlink_rcv() verifies that the caller
+has CAP_NET_ADMIN in the namespace that "owns" the netlink socket.
+However, xt_osf_fingers is shared by all net namespaces on the
+system. An unprivileged user can create user and net namespaces
+in which he holds CAP_NET_ADMIN to bypass the netlink_net_capable()
+check:
+
+ vpnns -- nfnl_osf -f /tmp/pf.os
+
+ vpnns -- nfnl_osf -f /tmp/pf.os -d
+
+These non-root operations successfully modify the systemwide OS
+fingerprint list. Add new capable() checks so that they can't.
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/xt_osf.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/netfilter/xt_osf.c b/net/netfilter/xt_osf.c
+index c529161cdbf8..99f3146b7337 100644
+--- a/net/netfilter/xt_osf.c
++++ b/net/netfilter/xt_osf.c
+@@ -19,6 +19,7 @@
+ #include <linux/module.h>
+ #include <linux/kernel.h>
+
++#include <linux/capability.h>
+ #include <linux/if.h>
+ #include <linux/inetdevice.h>
+ #include <linux/ip.h>
+@@ -69,6 +70,9 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
+ struct xt_osf_finger *kf = NULL, *sf;
+ int err = 0;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
+@@ -112,6 +116,9 @@ static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
+ struct xt_osf_finger *sf;
+ int err = -ENOENT;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (!osf_attrs[OSF_ATTR_FINGER])
+ return -EINVAL;
+
diff --git a/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
new file mode 100644
index 0000000..254de1a
--- /dev/null
+++ b/debian/patches/bugfix/all/netlink-add-netns-check-on-taps.patch
@@ -0,0 +1,41 @@
+From: Kevin Cernekee <cernekee at chromium.org>
+Date: Wed, 6 Dec 2017 12:12:27 -0800
+Subject: netlink: Add netns check on taps
+Origin: https://git.kernel.org/linus/93c647643b48f0131f02e45da3bd367d80443291
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17449
+
+Currently, a nlmon link inside a child namespace can observe systemwide
+netlink activity. Filter the traffic so that nlmon can only sniff
+netlink messages from its own netns.
+
+Test case:
+
+ vpnns -- bash -c "ip link add nlmon0 type nlmon; \
+ ip link set nlmon0 up; \
+ tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
+ sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
+ spi 0x1 mode transport \
+ auth sha1 0x6162633132330000000000000000000000000000 \
+ enc aes 0x00000000000000000000000000000000
+ grep --binary abc123 /tmp/nlmon.pcap
+
+Signed-off-by: Kevin Cernekee <cernekee at chromium.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
+index 3bf0c16023ec..2eafcffb5f8e 100644
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -216,6 +216,9 @@ static int __netlink_deliver_tap_skb(struct sk_buff *skb,
+ struct sock *sk = skb->sk;
+ int ret = -ENOMEM;
+
++ if (!net_eq(dev_net(dev), sock_net(sk)))
++ return 0;
++
+ dev_hold(dev);
+
+ if (is_vmalloc_addr(skb->head))
diff --git a/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
new file mode 100644
index 0000000..cb09a4a
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
@@ -0,0 +1,46 @@
+From: Alan Stern <stern at rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: USB: core: prevent malicious bNumInterfaces overflow
+Origin: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17558
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor. Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially. The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern <stern at rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl at google.com>
+CC: <stable at vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/usb/core/config.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
+index 03285ae14036..13d31422d6b7 100644
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -519,6 +519,9 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ unsigned iad_num = 0;
+
+ memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++ nintf = nintf_orig = config->desc.bNumInterfaces;
++ config->desc.bNumInterfaces = 0; // Adjusted later
++
+ if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+ config->desc.bLength < USB_DT_CONFIG_SIZE ||
+ config->desc.bLength > size) {
+@@ -532,7 +535,6 @@ static int usb_parse_configuration(struct usb_device *dev, int cfgidx,
+ buffer += config->desc.bLength;
+ size -= config->desc.bLength;
+
+- nintf = nintf_orig = config->desc.bNumInterfaces;
+ if (nintf > USB_MAXINTERFACES) {
+ dev_warn(ddev, "config %d has too many interfaces: %d, "
+ "using maximum allowed: %d\n",
diff --git a/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
new file mode 100644
index 0000000..3ae50e8
--- /dev/null
+++ b/debian/patches/bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
@@ -0,0 +1,46 @@
+From: Andrew Honig <ahonig at google.com>
+Date: Fri, 1 Dec 2017 10:21:09 -0800
+Subject: KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Origin: https://git.kernel.org/linus/d59d51f088014f25c2562de59b9abff4f42a7468
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-1000407
+
+This fixes CVE-2017-1000407.
+
+KVM allows guests to directly access I/O port 0x80 on Intel hosts. If
+the guest floods this port with writes it generates exceptions and
+instability in the host kernel, leading to a crash. With this change
+guest writes to port 0x80 on Intel will behave the same as they
+currently behave on AMD systems.
+
+Prevent the flooding by removing the code that sets port 0x80 as a
+passthrough port. This is essentially the same as upstream patch
+99f85a28a78e96d28907fe036e1671a218fee597, except that patch was
+for AMD chipsets and this patch is for Intel.
+
+Signed-off-by: Andrew Honig <ahonig at google.com>
+Signed-off-by: Jim Mattson <jmattson at google.com>
+Fixes: fdef3ad1b386 ("KVM: VMX: Enable io bitmaps to avoid IO port 0x80 VMEXITs")
+Cc: <stable at vger.kernel.org>
+Signed-off-by: Radim Krčmář <rkrcmar at redhat.com>
+---
+ arch/x86/kvm/vmx.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -9024,12 +9024,7 @@ static int __init vmx_init(void)
+ memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
+ memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
+
+- /*
+- * Allow direct access to the PC debug port (it is often used for I/O
+- * delays, but the vmexits simply slow things down).
+- */
+ memset(vmx_io_bitmap_a, 0xff, PAGE_SIZE);
+- clear_bit(0x80, vmx_io_bitmap_a);
+
+ memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
+
diff --git a/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch b/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
index 9dd57f4..1ffb0c1 100644
--- a/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
+++ b/debian/patches/debian/crypto-fix-abi-change-in-3.16.7-ckt25.patch
@@ -32,7 +32,7 @@ crypto_{ahash,ablkcipher}_has_setkey() functions.
}
--- a/crypto/ahash.c
+++ b/crypto/ahash.c
-@@ -444,7 +444,6 @@ static int crypto_ahash_init_tfm(struct
+@@ -466,7 +466,6 @@ static int crypto_ahash_init_tfm(struct
struct ahash_alg *alg = crypto_ahash_alg(hash);
hash->setkey = ahash_nosetkey;
@@ -40,7 +40,7 @@ crypto_{ahash,ablkcipher}_has_setkey() functions.
hash->export = ahash_no_export;
hash->import = ahash_no_import;
-@@ -457,10 +456,8 @@ static int crypto_ahash_init_tfm(struct
+@@ -479,10 +478,8 @@ static int crypto_ahash_init_tfm(struct
hash->finup = alg->finup ?: ahash_def_finup;
hash->digest = alg->digest;
@@ -54,7 +54,7 @@ crypto_{ahash,ablkcipher}_has_setkey() functions.
if (alg->import)
--- a/crypto/blkcipher.c
+++ b/crypto/blkcipher.c
-@@ -471,7 +471,6 @@ static int crypto_init_blkcipher_ops_asy
+@@ -472,7 +472,6 @@ static int crypto_init_blkcipher_ops_asy
}
crt->base = __crypto_ablkcipher_cast(tfm);
crt->ivsize = alg->ivsize;
@@ -64,22 +64,7 @@ crypto_{ahash,ablkcipher}_has_setkey() functions.
}
--- a/crypto/shash.c
+++ b/crypto/shash.c
-@@ -24,11 +24,12 @@
-
- static const struct crypto_type crypto_shash_type;
-
--static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-- unsigned int keylen)
-+int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-+ unsigned int keylen)
- {
- return -ENOSYS;
- }
-+EXPORT_SYMBOL_GPL(shash_no_setkey);
-
- static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
- unsigned int keylen)
-@@ -356,8 +357,6 @@ int crypto_init_shash_ops_async(struct c
+@@ -357,8 +357,6 @@ int crypto_init_shash_ops_async(struct c
crt->digest = shash_async_digest;
crt->setkey = shash_async_setkey;
diff --git a/debian/patches/series b/debian/patches/series
index 0655b59..b3ab83d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -687,6 +687,22 @@ bugfix/all/pie-aslr/mm-revert-x86_64-and-arm64-elf_et_dyn_base-base-chan.patch
bugfix/all/timer-restrict-timer_stats-to-initial-pid-namespace.patch
bugfix/all/mbcache-reschedule-before-restarting-iteration-in-mb_cache_entry_alloc.patch
bugfix/all/mm-thp-Do-not-make-page-table-dirty-unconditionally-.patch
+bugfix/all/dccp-cve-2017-8824-use-after-free-in-dccp-code.patch
+bugfix/all/bluetooth-cmtp-cmtp_add_connection-should-verify-tha.patch
+bugfix/all/bluetooth-bnep-bnep_add_connection-should-verify-tha.patch
+bugfix/all/media-dvb-usb-v2-lmedm04-Improve-logic-checking-of-w.patch
+bugfix/all/media-dvb-usb-v2-lmedm04-move-ts2020-attach-to-dm04_.patch
+bugfix/all/ipsec-fix-aborted-xfrm-policy-dump-crash.patch
+bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
+bugfix/all/netlink-add-netns-check-on-taps.patch
+bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
+bugfix/all/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
+bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
+bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
+bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
+bugfix/all/keys-add-missing-permission-check-for-request_key-de.patch
+bugfix/x86/kvm-vmx-remove-i-o-port-0x80-bypass-on-intel-hosts.patch
+bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
# Fix ABI changes
debian/of-fix-abi-changes.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list