Commit cedf52ad authored by Ben Hutchings

Merge tag 'debian/4.14.13-1' into stretch-backports

Release linux (4.14.13-1).
parents 3e081d88 2ae3c9e4
......@@ -19,6 +19,7 @@ default_url_base = "http://deb.debian.org/debian/"
default_url_base_incoming = "http://incoming.debian.org/debian-buildd/"
default_url_base_ports = "http://ftp.ports.debian.org/debian-ports/"
default_url_base_ports_incoming = "http://incoming.ports.debian.org/"
default_url_base_security = "http://security.debian.org/"
class url_debian_flat(object):
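Review bot: `default_url_base_security` is a plain `http://` URL, like the other defaults in this block, so anything the script fetches from it is unauthenticated unless it is checked against signed archive metadata somewhere outside these lines. If there is no such check, consider defaulting to an HTTPS mirror or verifying checksums of the downloaded files before they are used to update the ABI reference.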
......@@ -44,6 +45,11 @@ class url_debian_ports_pool(url_debian_pool):
return self.base + "pool-" + arch + "/main/" + source[0] + "/" + source + "/" + filename
class url_debian_security_pool(url_debian_pool):
def __call__(self, source, filename, arch):
return self.base + "pool/updates/main/" + source[0] + "/" + source + "/" + filename
class Main(object):
dir = None
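Review bot: `url_debian_security_pool.__call__` appends `"pool/updates/main/"` directly to `self.base`, so a `--url-base-security` value supplied without a trailing slash produces a URL with the host and path run together. Normalising the base once (for example, appending `/` when it is missing) would make the override robust. The `arch` parameter is unused here; a short comment saying it is kept for signature compatibility with the other URL classes would help.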
......@@ -182,10 +188,12 @@ if __name__ == '__main__':
options.add_option("-i", "--incoming", action="store_true", dest="incoming")
options.add_option("--incoming-config", action="store_true", dest="incoming_config")
options.add_option("--ports", action="store_true", dest="ports")
options.add_option("--security", action="store_true", dest="security")
options.add_option("-u", "--url-base", dest="url_base", default=default_url_base)
options.add_option("--url-base-incoming", dest="url_base_incoming", default=default_url_base_incoming)
options.add_option("--url-base-ports", dest="url_base_ports", default=default_url_base_ports)
options.add_option("--url-base-ports-incoming", dest="url_base_ports_incoming", default=default_url_base_ports_incoming)
options.add_option("--url-base-security", dest="url_base_security", default=default_url_base_security)
opts, args = options.parse_args()
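Review bot: the `--security` and `--url-base-security` options are added without `help=` text, so `--help` gives no indication of what they select or how they interact with `--ports` and `--incoming`. A one-line help string on each would document that `--security` switches the download source to the security archive pool.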
......@@ -201,11 +209,14 @@ if __name__ == '__main__':
url_base_incoming = url_debian_pool(opts.url_base_incoming)
url_base_ports = url_debian_ports_pool(opts.url_base_ports)
url_base_ports_incoming = url_debian_flat(opts.url_base_ports_incoming)
url_base_security = url_debian_security_pool(opts.url_base_security)
if opts.incoming_config:
url = url_config = url_base_incoming
else:
url_config = url_base
if opts.ports:
if opts.security:
url = url_base_security
elif opts.ports:
url = url_base_ports_incoming if opts.incoming else url_base_ports
else:
url = url_base_incoming if opts.incoming else url_base
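Review bot: in the `if opts.security:` / `elif opts.ports:` chain, `--security` silently wins over `--ports` and `--incoming`, so a command line that combines them fetches from a different archive than the user asked for without any error. Rejecting the conflicting combinations after `parse_args()` (for example with `options.error(...)`) would be safer. Also worth confirming that leaving `url_config = url_base` (the main archive) is intended when `--security` is given, since only `url` is redirected.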
......
linux (4.14.13-1~bpo9+1) stretch-backports; urgency=medium
* Rebuild for stretch-backports:
- Change ABI number to 0.bpo.3
- Revert changes to use gcc-7 compiler, not found in stretch
-- Ben Hutchings <ben@decadent.org.uk> Sun, 14 Jan 2018 23:48:54 +0000
linux (4.14.13-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.13
- [x86] mm: Set MODULES_END to 0xffffffffff000000
- [x86] mm: Map cpu_entry_area at the same place on 4/5 level
- [x86] kaslr: Fix the vaddr_end mess
- [x86] events/intel/ds: Use the proper cache flush method for mapping ds
buffers
- [x86] alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
- [x86] pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
- kernel/acct.c: fix the acct->needcheck check in check_free_space()
- mm/mprotect: add a cond_resched() inside change_pmd_range()
- mm/sparse.c: wrong allocation for mem_section
- userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails
- btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes
- efi/capsule-loader: Reinstate virtual capsule mapping
- [sparc*] crypto: n2 - cure use after free
- crypto: chacha20poly1305 - validate the digest size
- crypto: pcrypt - fix freeing pcrypt instances
- crypto: chelsio - select CRYPTO_GF128MUL
- [x86] drm/i915: Disable DC states around GMBUS on GLK
- [x86] drm/i915: Apply Display WA #1183 on skl, kbl, and cfl
- fscache: Fix the default for fscache_maybe_release_page()
- [x86] CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu()
- [x86] CPU: Always show current CPU frequency in /proc/cpuinfo
- kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL
- kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from
!sig_kernel_only() signals
- kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in
complete_signal()
- [arm64] iommu/arm-smmu-v3: Don't free page table ops twice
- [arm64] iommu/arm-smmu-v3: Cope with duplicated Stream IDs
- [powerpc* ]mm: Fix SEGV on mapped region to return SEGV_ACCERR
- Input: elantech - add new icbody type 15
- [x86] microcode/AMD: Add support for fam17h microcode loading
- apparmor: fix regression in mount mediation when feature set is pinned
- [hppa/parisc] Fix alignment of pa_tlb_lock in assembly on 32-bit SMP
kernel
- [hppa/parisc] qemu idle sleep support
- mtd: nand: pxa3xx: Fix READOOB implementation
- [s390x] KVM: fix cmma migration for multiple memory slots
- [s390x] KVM: prevent buffer overrun on memory hotplug during migration
[ Salvatore Bonaccorso ]
* libsas: Disable asynchronous aborts for SATA devices
* drm/nouveau/disp/gf119: add missing drive vfunc ptr (Closes: #880660)
[ Riku Voipio ]
* [arm64] disable CONFIG_HW_RANDOM_OMAP until the IRQ storm bug is fixed
[ Ben Hutchings ]
* abiupdate.py: Add support for security mirrors
* Fix dependencies related to objtool (Closes: #886474):
- linux-headers: Add versioned dependency on linux-kbuild
- Revert "objtool: Fix CONFIG_STACK_VALIDATION=y warning for out-of-tree
modules"
-- Ben Hutchings <ben@decadent.org.uk> Sun, 14 Jan 2018 19:45:05 +0000
linux (4.14.12-2) unstable; urgency=medium
[ Ben Hutchings ]
* linux-kbuild: Add objtool
* linux-headers: Add symlink to linux-kbuild tools directory for objtool
[ Salvatore Bonaccorso ]
* linux-headers: Add symlink to linux-kbuild tools directory for objtool in
architecture-specific headers package.
Thanks to Luca Boccassi (Closes: #886366)
-- Salvatore Bonaccorso <carnil@debian.org> Sat, 06 Jan 2018 09:08:42 +0100
linux (4.14.12-1) unstable; urgency=medium
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.8
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.9
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.10
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.11
- x86/cpufeatures: Add X86_BUG_CPU_INSECURE
- x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
- x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3
switching
- x86/mm/pti: Add infrastructure for page table isolation
- x86/pti: Add the pti= cmdline option and documentation
- x86/mm/pti: Add mapping helper functions
- x86/mm/pti: Allow NX poison to be set in p4d/pgd
- x86/mm/pti: Allocate a separate user PGD
- x86/mm/pti: Populate user PGD
- x86/mm/pti: Add functions to clone kernel PMDs
- x86/mm/pti: Force entry through trampoline when PTI active
- x86/mm/pti: Share cpu_entry_area with user space page tables
- x86/entry: Align entry text section to PMD boundary
- x86/mm/pti: Share entry text PMD
- x86/mm/pti: Map ESPFIX into user space
- x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
- x86/events/intel/ds: Map debug buffers in cpu_entry_area
- x86/mm/64: Make a full PGD-entry size hole in the memory map
- x86/pti: Put the LDT in its own PGD if PTI is on
- x86/pti: Map the vsyscall page if needed
- x86/mm: Allow flushing for future ASID switches
- x86/mm: Abstract switching CR3
- x86/mm: Use/Fix PCID to optimize user/kernel switches
- x86/mm: Optimize RESTORE_CR3
- x86/mm: Use INVPCID for __native_flush_tlb_single()
- x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
- x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
- x86/mm/pti: Add Kconfig
- net: Fix double free and memory corruption in get_net_ns_by_id()
(CVE-2017-15129)
* [amd64] Implement Kernel Page Table Isolation (KPTI, aka KAISER)
(CVE-2017-5754)
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.12
- exec: Weaken dumpability for secureexec
- capabilities: fix buffer overread on very short xattr
- x86/cpu, x86/pti: Do not enable PTI on AMD processors
- x86/pti: Make sure the user/kernel PTEs match
- x86/dumpstack: Fix partial register dumps
- x86/dumpstack: Print registers for first stack frame
- x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
- x86/process: Define cpu_tss_rw in same section as declaration
[ Ben Hutchings ]
* e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
(Closes: #885348)
[ Vagrant Cascadian ]
* [arm64] Backport patch from linux-next to support SMP on tegra210
systems.
[ Salvatore Bonaccorso ]
* [rt] Update to 4.14.8-rt9
* Bump ABI to 3
* Revert "scsi: libsas: allow async aborts"
Fixes "Oops: NULL pointer dereference - RIP:
isci_task_abort_task+0x30/0x3e0 [isci]" (Closes: #882414)
* x86/tlb: Drop the _GPL from the cpu_tlbstate export
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 05 Jan 2018 21:20:26 +0100
linux (4.14.7-1~bpo9+1) stretch-backports; urgency=medium
* Rebuild for stretch-backports:
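Review bot: in the 4.14.13-1 entry, the line `- [powerpc* ]mm: Fix SEGV on mapped region to return SEGV_ACCERR` has the space inside the architecture tag instead of after it. For consistency with the other entries it should read `[powerpc*] mm: ...`, which also keeps tools that grep for the bracketed architecture prefix working.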
......@@ -104,7 +104,7 @@ CONFIG_TEGRA_ACONNECT=y
## file: drivers/char/hw_random/Kconfig
##
CONFIG_HW_RANDOM_BCM2835=m
CONFIG_HW_RANDOM_OMAP=m
# CONFIG_HW_RANDOM_OMAP is not set
CONFIG_HW_RANDOM_HISI=m
CONFIG_HW_RANDOM_MSM=m
CONFIG_HW_RANDOM_XGENE=m
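Review bot: `# CONFIG_HW_RANDOM_OMAP is not set` carries no explanation in the config file itself; the reason ("until the IRQ storm bug is fixed") lives only in the changelog entry. A short `##` comment next to the option, ideally with a bug reference, would make it clear this is a temporary workaround and remind whoever touches the file later to re-enable the hardware RNG driver.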
......
[abi]
abiname: 0.bpo.2
abiname: 0.bpo.3
ignore-changes:
__cpuhp_*
__xive_vm_h_*
......
From: Jann Horn <jannh@google.com>
Date: Mon, 18 Dec 2017 20:11:59 -0800
Subject: [7/9] bpf: don't prune branches when a scalar is replaced with a
pointer
Origin: https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
This could be made safe by passing through a reference to env and checking
for env->allow_ptr_leaks, but it would only work one way and is probably
not worth the hassle - not doing it will not directly lead to program
rejection.
Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
kernel/bpf/verifier.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3366,15 +3366,14 @@ static bool regsafe(struct bpf_reg_state
return range_within(rold, rcur) &&
tnum_in(rold->var_off, rcur->var_off);
} else {
- /* if we knew anything about the old value, we're not
- * equal, because we can't know anything about the
- * scalar value of the pointer in the new value.
+ /* We're trying to use a pointer in place of a scalar.
+ * Even if the scalar was unbounded, this could lead to
+ * pointer leaks because scalars are allowed to leak
+ * while pointers are not. We could make this safe in
+ * special cases if root is calling us, but it's
+ * probably not worth the hassle.
*/
- return rold->umin_value == 0 &&
- rold->umax_value == U64_MAX &&
- rold->smin_value == S64_MIN &&
- rold->smax_value == S64_MAX &&
- tnum_is_unknown(rold->var_off);
+ return false;
}
case PTR_TO_MAP_VALUE:
/* If the new min/max/var_off satisfy the old ones and
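Review bot: in the scalar-versus-pointer `else` branch of `regsafe()`, the new comment explains the pointer-leak risk but not the consequence of the unconditional `return false`, namely that these state pairs are now always explored rather than pruned. The commit message notes this "will not directly lead to program rejection"; stating in the code comment that the only intended effect is reduced pruning would save the next reader from having to look up the commit.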
From: Jann Horn <jannh@google.com>
Date: Mon, 18 Dec 2017 20:11:56 -0800
Subject: [4/9] bpf: fix 32-bit ALU op verification
Origin: https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
32-bit ALU ops operate on 32-bit values and have 32-bit outputs.
Adjust the verifier accordingly.
Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
kernel/bpf/verifier.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2010,6 +2010,10 @@ static int adjust_ptr_min_max_vals(struc
return 0;
}
+/* WARNING: This function does calculations on 64-bit values, but the actual
+ * execution may occur on 32-bit values. Therefore, things like bitshifts
+ * need extra checks in the 32-bit case.
+ */
static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
struct bpf_insn *insn,
struct bpf_reg_state *dst_reg,
@@ -2020,12 +2024,8 @@ static int adjust_scalar_min_max_vals(st
bool src_known, dst_known;
s64 smin_val, smax_val;
u64 umin_val, umax_val;
+ u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
- if (BPF_CLASS(insn->code) != BPF_ALU64) {
- /* 32-bit ALU ops are (32,32)->64 */
- coerce_reg_to_size(dst_reg, 4);
- coerce_reg_to_size(&src_reg, 4);
- }
smin_val = src_reg.smin_value;
smax_val = src_reg.smax_value;
umin_val = src_reg.umin_value;
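Review bot: with the `coerce_reg_to_size()` calls removed from the top of `adjust_scalar_min_max_vals()`, `smin_val`, `smax_val`, `umin_val` and `umax_val` are now read from a `src_reg` that still carries 64-bit bounds even when the instruction is a 32-bit op. This patch adds a width check only for `BPF_LSH` and `BPF_RSH`; each remaining opcode case should be confirmed to produce bounds that remain sound after the final truncation, and that reasoning recorded alongside the WARNING comment.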
@@ -2161,9 +2161,9 @@ static int adjust_scalar_min_max_vals(st
__update_reg_bounds(dst_reg);
break;
case BPF_LSH:
- if (umax_val > 63) {
- /* Shifts greater than 63 are undefined. This includes
- * shifts by a negative number.
+ if (umax_val >= insn_bitness) {
+ /* Shifts greater than 31 or 63 are undefined.
+ * This includes shifts by a negative number.
*/
mark_reg_unknown(env, regs, insn->dst_reg);
break;
@@ -2189,9 +2189,9 @@ static int adjust_scalar_min_max_vals(st
__update_reg_bounds(dst_reg);
break;
case BPF_RSH:
- if (umax_val > 63) {
- /* Shifts greater than 63 are undefined. This includes
- * shifts by a negative number.
+ if (umax_val >= insn_bitness) {
+ /* Shifts greater than 31 or 63 are undefined.
+ * This includes shifts by a negative number.
*/
mark_reg_unknown(env, regs, insn->dst_reg);
break;
@@ -2227,6 +2227,12 @@ static int adjust_scalar_min_max_vals(st
break;
}
+ if (BPF_CLASS(insn->code) != BPF_ALU64) {
+ /* 32-bit ALU ops are (32,32)->32 */
+ coerce_reg_to_size(dst_reg, 4);
+ coerce_reg_to_size(&src_reg, 4);
+ }
+
__reg_deduce_bounds(dst_reg);
__reg_bound_offset(dst_reg);
return 0;
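Review bot: in the relocated block before `__reg_deduce_bounds(dst_reg)`, `coerce_reg_to_size(&src_reg, 4)` appears to have no effect: `src_reg` is accessed by value earlier in the function (`src_reg.smin_value`), and nothing in the visible lines reads it between this call and `return 0`. Either drop the `src_reg` coercion or add a comment saying why it is kept, so readers do not assume the source bounds were truncated before the arithmetic.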
From: Alexei Starovoitov <ast@fb.com>
Date: Wed, 22 Nov 2017 16:42:05 -0800
Subject: bpf: fix branch pruning logic
Origin: https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
when the verifier detects that register contains a runtime constant
and it's compared with another constant it will prune exploration
of the branch that is guaranteed not to be taken at runtime.
This is all correct, but malicious program may be constructed
in such a way that it always has a constant comparison and
the other branch is never taken under any conditions.
In this case such path through the program will not be explored
by the verifier. It won't be taken at run-time either, but since
all instructions are JITed the malicious program may cause JITs
to complain about using reserved fields, etc.
To fix the issue we have to track the instructions explored by
the verifier and sanitize instructions that are dead at run time
with NOPs. We cannot reject such dead code, since llvm generates
it for valid C code, since it doesn't do as much data flow
analysis as the verifier does.
Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
include/linux/bpf_verifier.h | 2 +-
kernel/bpf/verifier.c | 27 +++++++++++++++++++++++++++
2 files changed, 28 insertions(+), 1 deletion(-)
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -110,7 +110,7 @@ struct bpf_insn_aux_data {
struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */
};
int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
- int converted_op_size; /* the valid value width after perceived conversion */
+ bool seen; /* this insn was processed by the verifier */
};
#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
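Review bot: the `struct bpf_insn_aux_data` hunk removes `converted_op_size` in the same change that adds `seen`, but the commit message only discusses dead-code tracking. For this backport it is worth confirming that nothing else in the tree still references `converted_op_size`, and ideally mentioning the removal in the patch description.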
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3695,6 +3695,7 @@ static int do_check(struct bpf_verifier_
if (err)
return err;
+ env->insn_aux_data[insn_idx].seen = true;
if (class == BPF_ALU || class == BPF_ALU64) {
err = check_alu_op(env, insn);
if (err)
@@ -3885,6 +3886,7 @@ process_bpf_exit:
return err;
insn_idx++;
+ env->insn_aux_data[insn_idx].seen = true;
} else {
verbose(env, "invalid BPF_LD mode\n");
return -EINVAL;
@@ -4067,6 +4069,7 @@ static int adjust_insn_aux_data(struct b
u32 off, u32 cnt)
{
struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
+ int i;
if (cnt == 1)
return 0;
@@ -4076,6 +4079,8 @@ static int adjust_insn_aux_data(struct b
memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
memcpy(new_data + off + cnt - 1, old_data + off,
sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+ for (i = off; i < off + cnt - 1; i++)
+ new_data[i].seen = true;
env->insn_aux_data = new_data;
vfree(old_data);
return 0;
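Review bot: the new loop in `adjust_insn_aux_data()` compares `int i` against `off + cnt - 1`, where `off` and `cnt` are `u32`, so the comparison mixes signed and unsigned types. Declaring `i` as `u32` would match the parameters and avoid a sign-compare warning.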
@@ -4094,6 +4099,25 @@ static struct bpf_prog *bpf_patch_insn_d
return new_prog;
}
+/* The verifier does more data flow analysis than llvm and will not explore
+ * branches that are dead at run time. Malicious programs can have dead code
+ * too. Therefore replace all dead at-run-time code with nops.
+ */
+static void sanitize_dead_code(struct bpf_verifier_env *env)
+{
+ struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
+ struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
+ struct bpf_insn *insn = env->prog->insnsi;
+ const int insn_cnt = env->prog->len;
+ int i;
+
+ for (i = 0; i < insn_cnt; i++) {
+ if (aux_data[i].seen)
+ continue;
+ memcpy(insn + i, &nop, sizeof(nop));
+ }
+}
+
/* convert load instructions that access fields of 'struct __sk_buff'
* into sequence of instructions that access fields of 'struct sk_buff'
*/
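Review bot: `sanitize_dead_code()` overwrites unseen instructions with `BPF_MOV64_REG(BPF_REG_0, BPF_REG_0)`, which fails open: if the `seen` tracking ever misses an instruction that is in fact reachable, execution slides through the nops into whatever follows instead of stopping. Consider whether a replacement that cannot fall through would be a safer filler. The comment should also state that correctness depends on every processed instruction, including both slots of a two-slot load, having `seen` set.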
@@ -4410,6 +4434,9 @@ skip_full_check:
free_states(env);
if (ret == 0)
+ sanitize_dead_code(env);
+
+ if (ret == 0)
/* program is valid, convert *(u32*)(ctx + off) accesses */
ret = convert_ctx_accesses(env);
From: Jann Horn <jannh@google.com>
Date: Mon, 18 Dec 2017 20:11:54 -0800
Subject: [2/9] bpf: fix incorrect sign extension in check_alu_op()
Origin: https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.
Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.
Debian assigned CVE-2017-16995 for this issue.
v3:
- add CVE number (Ben Hutchings)
Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
---
kernel/bpf/verifier.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2401,7 +2401,13 @@ static int check_alu_op(struct bpf_verif
* remember the value we stored into this reg
*/
regs[insn->dst_reg].type = SCALAR_VALUE;
- __mark_reg_known(regs + insn->dst_reg, insn->imm);
+ if (BPF_CLASS(insn->code) == BPF_ALU64) {
+ __mark_reg_known(regs + insn->dst_reg,
+ insn->imm);
+ } else {
+ __mark_reg_known(regs + insn->dst_reg,
+ (u32)insn->imm);
+ }
}
} else if (opcode > BPF_END) {
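Review bot: the `(u32)insn->imm` cast in the `else` arm of `check_alu_op()` is the whole fix, yet nothing in the code says why the two arms differ. A one-line comment on each arm (64-bit MOV sign-extends the immediate, 32-bit MOV zero-extends it), as the commit message describes, would stop someone later "simplifying" the branches back into a single call.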
From: Jann Horn <jannh@google.com>
Date: Mon, 18 Dec 2017 20:11:55 -0800
Subject: [3/9] bpf: fix incorrect tracking of register size truncation
Origin: https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958
Properly handle register truncation to a smaller size.
The old code first mirrors the clearing of the high 32 bits in the bitwise
tristate representation, which is correct. But then, it computes the new
arithmetic bounds as the intersection between the old arithmetic bounds and
the bounds resulting from the bitwise tristate representation. Therefore,
when coerce_reg_to_32() is called on a number with bounds
[0xffff'fff8, 0x1'0000'0007], the verifier computes
[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.
This is incorrect: The truncated number could also be in the range [0, 7],
and no meaningful arithmetic bounds can be computed in that case apart from
the obvious [0, 0xffff'ffff].