Commit 24b28123 authored by Salvatore Bonaccorso

Update to 4.16.7

Refresh bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch

Drop patches applied upstream related to CVE-2018-1093

Cleanup debian/changelog entries
parent 3f624e1b
linux (4.16.6-1) UNRELEASED; urgency=medium
linux (4.16.7-1) UNRELEASED; urgency=medium
TODO: deal with ABI changes or bump ABI
......@@ -88,6 +88,107 @@ linux (4.16.6-1) UNRELEASED; urgency=medium
- [s390x] cpum_cf: rename IBM z13/z14 counter names
- kprobes: Fix random address output of blacklist file
- ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.16.7
- ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS
- ext4: set h_journal if there is a failure starting a reserved handle
- ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs
- random: set up the NUMA crng instances after the CRNG is fully
initialized
- random: fix possible sleeping allocation from irq context
- random: rate limit unseeded randomness warnings
- usbip: usbip_event: fix to not print kernel pointer address
- usbip: usbip_host: fix to hold parent lock for device_attach() calls
- usbip: vhci_hcd: Fix usb device and sockfd leaks
- usbip: vhci_hcd: check rhport before using in vhci_hub_control()
- Revert "xhci: plat: Register shutdown for xhci_plat"
- xhci: Fix USB ports for Dell Inspiron 5775
- USB: serial: simple: add libtransistor console
- USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster
- USB: serial: cp210x: add ID for NI USB serial console
- [arm64] serial: mvebu-uart: Fix local flags handling on termios update
- usb: typec: ucsi: Increase command completion timeout value
- usb: core: Add quirk for HP v222w 16GB Mini
- USB: Increment wakeup count on remote wakeup.
- ALSA: usb-audio: Skip broken EU on Dell dock USB-audio
- virtio: add ability to iterate over vqs
- virtio_console: don't tie bufs to a vq
- virtio_console: free buffers after reset
- virtio_console: drop custom control queue cleanup
- virtio_console: move removal code
- virtio_console: reset on out of memory
- drm/virtio: fix vq wait_event condition
- tty: Don't call panic() at tty_ldisc_init()
- tty: n_gsm: Fix long delays with control frame timeouts in ADM mode
- tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set
- tty: Avoid possible error pointer dereference at tty_ldisc_restore().
- tty: Use __GFP_NOFAIL for tty_ldisc_get()
- ALSA: dice: fix OUI for TC group
- ALSA: dice: fix error path to destroy initialized stream data
- ALSA: hda - Skip jack and others for non-existing PCM streams
- ALSA: opl3: Hardening for potential Spectre v1
- ALSA: asihpi: Hardening for potential Spectre v1
- ALSA: hdspm: Hardening for potential Spectre v1
- ALSA: rme9652: Hardening for potential Spectre v1
- ALSA: control: Hardening for potential Spectre v1
- ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY.
- ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr
- ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device
- ALSA: seq: oss: Hardening for potential Spectre v1
- ALSA: hda: Hardening for potential Spectre v1
- ALSA: hda/realtek - Add some fixes for ALC233
- ALSA: hda/realtek - Update ALC255 depop optimize
- ALSA: hda/realtek - change the location for one of two front mics
- mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic
- mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block.
- mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug.
- mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block.
- mtd: rawnand: tango: Fix struct clk memory leak
- mtd: rawnand: marvell: fix the chip-select DT parsing logic
- kobject: don't use WARN for registration failures
- scsi: sd_zbc: Avoid that resetting a zone fails sporadically
- scsi: sd: Defer spinning up drive while SANITIZE is in progress
- blk-mq: start request gstate with gen 1
- bfq-iosched: ensure to clear bic/bfqq pointers when preparing request
- block: do not use interruptible wait anywhere
- [s390x] vfio: ccw: process ssch with interrupts disabled
- [arm64] PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf()
- [arm64] PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf()
- [arm64] PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq
mode
- [arm64] PCI: aardvark: Fix PCIe Max Read Request Size setting
- [armhf,arm64] KVM: Close VMID generation race
- [powerpc*] mm: Flush cache on memory hot(un)plug
- [powerpc*] mce: Fix a bug where mce loops on memory UE.
- [powerpc*] powernv/npu: Do a PID GPU TLB flush when invalidating a large
address range
- crypto: drbg - set freed buffers to NULL
- libceph: un-backoff on tick when we have a authenticated session
- libceph: reschedule a tick in finish_hunting()
- libceph: validate con->state at the top of try_write()
- PCI / PM: Do not clear state_saved in pci_pm_freeze() when smart suspend
is set
- module: Fix display of wrong module .text address
- earlycon: Use a pointer table to fix __earlycon_table stride
- [powerpc*] cpufreq: powernv: Fix hardlockup due to synchronous smp_call
in timer interrupt
- [powerpc*] rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
- drm/edid: Reset more of the display info
- drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders
- [x86] drm/i915/fbdev: Enable late fbdev initial configuration
- [x86] drm/i915/audio: set minimum CD clock to twice the BCLK
- [x86] drm/i915: Enable display WA#1183 from its correct spot
- drm/amd/display: Fix deadlock when flushing irq
- drm/amd/display: Don't read EDID in atomic_check
- drm/amd/display: Disallow enabling CRTC without primary plane with FB
- objtool, perf: Fix GCC 8 -Wrestrict error
- [x86] ipc: Fix x32 version of shmid64_ds and msqid64_ds
- [x86] smpboot: Don't use mwait_play_dead() on AMD systems
- [x86] microcode/intel: Save microcode patch unconditionally
- [x86] microcode: Do not exit early from __reload_late()
- tick/sched: Do not mess with an enqueued hrtimer
- [x86] crypto: ccp - add check to get PSP master only when PSP is
detected
- [armhf,arm64] KVM: Add PSCI version selection API
[ Romain Perier ]
* [armhf] DRM: Enable DW_HDMI_AHB_AUDIO and DW_HDMI_CEC (Closes: #897204)
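
Review bot: the 4.16.7 entry list shown here goes from "ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs" straight to the random: entries, with no line for "ext4: add validity checks for bitmap block numbers" or "ext4: fix bitmap position validation" and no (CVE-2018-1093) annotation on any entry. Since this commit drops both Debian patches as applied upstream, the changelog should name the upstream entries that replace them and tag the fix with the CVE id, so the fixed version can be traced from the changelog alone. The entry header also still carries "TODO: deal with ABI changes or bump ABI", which needs resolving before this UNRELEASED entry is uploaded.
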
From: Theodore Ts'o <tytso@mit.edu>
Date: Mon, 26 Mar 2018 23:54:10 -0400
Subject: ext4: add validity checks for bitmap block numbers
Origin: https://git.kernel.org/linus/7dac4a1726a9c64a517d595c40e95e2d0d135f6f
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-1093
An privileged attacker can cause a crash by mounting a crafted ext4
image which triggers a out-of-bounds read in the function
ext4_valid_block_bitmap() in fs/ext4/balloc.c.
This issue has been assigned CVE-2018-1093.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=199181
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1560782
Reported-by: Wen Xu <wen.xu@gatech.edu>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
---
fs/ext4/balloc.c | 16 ++++++++++++++--
fs/ext4/ialloc.c | 7 +++++++
2 files changed, 21 insertions(+), 2 deletions(-)
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -338,20 +338,25 @@ static ext4_fsblk_t ext4_valid_block_bit
/* check whether block bitmap block number is set */
blk = ext4_block_bitmap(sb, desc);
offset = blk - group_first_block;
- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
/* bad block bitmap */
return blk;
/* check whether the inode bitmap block number is set */
blk = ext4_inode_bitmap(sb, desc);
offset = blk - group_first_block;
- if (!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ !ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
/* bad block bitmap */
return blk;
/* check whether the inode table block number is set */
blk = ext4_inode_table(sb, desc);
offset = blk - group_first_block;
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
+ return blk;
next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
EXT4_B2C(sbi, offset + sbi->s_itb_per_group),
EXT4_B2C(sbi, offset));
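
Review bot: the upper bound in all three new checks compares a cluster index with a byte count: `EXT4_B2C(sbi, offset) >= sb->s_blocksize` tests a position within the group against the block size, although the bitmaps and the inode table may sit anywhere in the block group. A valid layout that places them more than s_blocksize clusters into the group is then reported as a bad bitmap. Bound the index by the number of clusters in the group, EXT4_CLUSTERS_PER_GROUP(sb), instead.
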
@@ -417,6 +422,7 @@ struct buffer_head *
ext4_read_block_bitmap_nowait(struct super_block *sb, ext4_group_t block_group)
{
struct ext4_group_desc *desc;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
struct buffer_head *bh;
ext4_fsblk_t bitmap_blk;
int err;
@@ -425,6 +431,12 @@ ext4_read_block_bitmap_nowait(struct sup
if (!desc)
return ERR_PTR(-EFSCORRUPTED);
bitmap_blk = ext4_block_bitmap(sb, desc);
+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+ ext4_error(sb, "Invalid block bitmap block %llu in "
+ "block_group %u", bitmap_blk, block_group);
+ return ERR_PTR(-EFSCORRUPTED);
+ }
bh = sb_getblk(sb, bitmap_blk);
if (unlikely(!bh)) {
ext4_error(sb, "Cannot get buffer for block bitmap - "
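
Review bot: the range test added on bitmap_blk is repeated line for line in ext4_read_inode_bitmap() in fs/ext4/ialloc.c, with a differently worded message ("Invalid block bitmap block" here, "Invalid inode bitmap blk" there). A small shared helper that takes the block number would keep the two checks and their messages in step. The format string is also split across two source lines ("... %llu in " "block_group %u"), which makes the logged message hard to grep for in the source; keeping it on one line is preferable even if the line runs long.
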
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -122,6 +122,7 @@ static struct buffer_head *
ext4_read_inode_bitmap(struct super_block *sb, ext4_group_t block_group)
{
struct ext4_group_desc *desc;
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
struct buffer_head *bh = NULL;
ext4_fsblk_t bitmap_blk;
int err;
@@ -131,6 +132,12 @@ ext4_read_inode_bitmap(struct super_bloc
return ERR_PTR(-EFSCORRUPTED);
bitmap_blk = ext4_inode_bitmap(sb, desc);
+ if ((bitmap_blk <= le32_to_cpu(sbi->s_es->s_first_data_block)) ||
+ (bitmap_blk >= ext4_blocks_count(sbi->s_es))) {
+ ext4_error(sb, "Invalid inode bitmap blk %llu in "
+ "block_group %u", bitmap_blk, block_group);
+ return ERR_PTR(-EFSCORRUPTED);
+ }
bh = sb_getblk(sb, bitmap_blk);
if (unlikely(!bh)) {
ext4_error(sb, "Cannot read inode bitmap - "
From: Lukas Czerner <lczerner@redhat.com>
Date: Tue, 24 Apr 2018 11:31:44 -0400
Subject: ext4: fix bitmap position validation
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git/commit?id=22be37acce25d66ecf6403fc8f44df9c5ded2372
Currently in ext4_valid_block_bitmap() we expect the bitmap to be
positioned anywhere between 0 and s_blocksize clusters, but that's
wrong because the bitmap can be placed anywhere in the block group. This
causes false positives when validating bitmaps on perfectly valid file
system layouts. Fix it by checking whether the bitmap is within the group
boundary.
The problem can be reproduced using the following
mkfs -t ext3 -E stride=256 /dev/vdb1
mount /dev/vdb1 /mnt/test
cd /mnt/test
wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.16.3.tar.xz
tar xf linux-4.16.3.tar.xz
This will result in the warnings in the logs
EXT4-fs error (device vdb1): ext4_validate_block_bitmap:399: comm tar: bg 84: block 2774529: invalid block bitmap
[ Changed slightly for clarity and to not drop a overflow test -- TYT ]
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reported-by: Ilya Dryomov <idryomov@gmail.com>
Fixes: 7dac4a1726a9 ("ext4: add validity checks for bitmap block numbers")
Cc: stable@vger.kernel.org
---
fs/ext4/balloc.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index a33d8fb1bf2a..508b905d744d 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -321,6 +321,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
struct ext4_sb_info *sbi = EXT4_SB(sb);
ext4_grpblk_t offset;
ext4_grpblk_t next_zero_bit;
+ ext4_grpblk_t max_bit = EXT4_CLUSTERS_PER_GROUP(sb);
ext4_fsblk_t blk;
ext4_fsblk_t group_first_block;
@@ -338,7 +339,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
/* check whether block bitmap block number is set */
blk = ext4_block_bitmap(sb, desc);
offset = blk - group_first_block;
- if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
/* bad block bitmap */
return blk;
@@ -346,7 +347,7 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
/* check whether the inode bitmap block number is set */
blk = ext4_inode_bitmap(sb, desc);
offset = blk - group_first_block;
- if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
!ext4_test_bit(EXT4_B2C(sbi, offset), bh->b_data))
/* bad block bitmap */
return blk;
@@ -354,8 +355,8 @@ static ext4_fsblk_t ext4_valid_block_bitmap(struct super_block *sb,
/* check whether the inode table block number is set */
blk = ext4_inode_table(sb, desc);
offset = blk - group_first_block;
- if (offset < 0 || EXT4_B2C(sbi, offset) >= sb->s_blocksize ||
- EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= sb->s_blocksize)
+ if (offset < 0 || EXT4_B2C(sbi, offset) >= max_bit ||
+ EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit)
return blk;
next_zero_bit = ext4_find_next_zero_bit(bh->b_data,
EXT4_B2C(sbi, offset + sbi->s_itb_per_group),
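
Review bot: in the inode table check, `offset + sbi->s_itb_per_group` is the first block after the table (it is passed as the end of the search range to ext4_find_next_zero_bit() just below), so `EXT4_B2C(sbi, offset + sbi->s_itb_per_group) >= max_bit` also rejects a table that ends exactly on the last block of the group. If that layout is legal, compare the last table block, offset + s_itb_per_group - 1, against max_bit, or use > for the end bound. The commit message says the change was adjusted "to not drop a overflow test"; a short code comment naming the overflow the second comparison guards against would help the next reader.
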
......@@ -12,21 +12,21 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -2473,3 +2473,4 @@ late_initcall(init_btrfs_fs);
@@ -2500,3 +2500,4 @@ late_initcall(init_btrfs_fs);
module_exit(exit_btrfs_fs)
MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: crypto-crc32c");
--- a/fs/crypto/crypto.c
+++ b/fs/crypto/crypto.c
@@ -614,3 +614,4 @@ static void __exit fscrypt_exit(void)
@@ -468,3 +468,4 @@ static void __exit fscrypt_exit(void)
module_exit(fscrypt_exit);
MODULE_LICENSE("GPL");
+MODULE_SOFTDEP("pre: crypto-aes crypto-ecb");
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5692,5 +5692,13 @@ static void __exit ext4_exit_fs(void)
@@ -5868,6 +5868,14 @@ static void __exit ext4_exit_fs(void)
MODULE_AUTHOR("Remy Card, Stephen Tweedie, Andrew Morton, Andreas Dilger, Theodore Ts'o and others");
MODULE_DESCRIPTION("Fourth Extended Filesystem");
MODULE_LICENSE("GPL");
......@@ -38,11 +38,12 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+#endif
+MODULE_SOFTDEP("pre: crypto-crc32c" EXT4_ENC_EXTRA_SOFTDEPS);
+
MODULE_SOFTDEP("pre: crc32c");
module_init(ext4_init_fs)
module_exit(ext4_exit_fs)
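
Review bot: after the refresh the ext4 part leaves two soft dependency declarations next to each other, the Debian `MODULE_SOFTDEP("pre: crypto-crc32c" EXT4_ENC_EXTRA_SOFTDEPS);` and `MODULE_SOFTDEP("pre: crc32c");`, which now appears as context (the 4.16.7 changelog lists "ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs"). The patch description should state whether the Debian crc32c declaration is still needed for ext4 now that upstream declares one itself, or the ext4 part should be reduced to what upstream does not cover, such as EXT4_ENC_EXTRA_SOFTDEPS.
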
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2244,4 +2244,5 @@ module_exit(exit_f2fs_fs)
@@ -2990,4 +2990,5 @@ module_exit(exit_f2fs_fs)
MODULE_AUTHOR("Samsung Electronics's Praesto Team");
MODULE_DESCRIPTION("Flash Friendly File System");
MODULE_LICENSE("GPL");
......@@ -50,7 +51,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -2674,6 +2674,7 @@ static void __exit journal_exit(void)
@@ -2726,6 +2726,7 @@ static void __exit journal_exit(void)
}
MODULE_LICENSE("GPL");
......@@ -60,7 +61,7 @@ Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1308,5 +1308,8 @@ static void __exit exit_nfsd(void)
@@ -1334,5 +1334,8 @@ static void __exit exit_nfsd(void)
MODULE_AUTHOR("Olaf Kirch <okir@monad.swb.de>");
MODULE_LICENSE("GPL");
......
......@@ -142,8 +142,6 @@ features/all/lockdown/arm64-add-kernel-config-option-to-lock-down-when.patch
debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
bugfix/all/xfs-enhance-dinode-verifier.patch
bugfix/all/xfs-set-format-back-to-extents-if-xfs_bmap_extents_t.patch
bugfix/all/ext4-add-validity-checks-for-bitmap-block-numbers.patch
bugfix/all/ext4-fix-bitmap-position-validation.patch
# Fix exported symbol versions
bugfix/all/module-disable-matching-missing-version-crc.patch
......