[pve-devel] [PATCH kernel 1/2] Update to 4.4.0-22.39
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon May 9 08:49:47 CEST 2016
drop CVE fixes applied upstream
---
...ption-triggered-by-invalid-USB-descriptor.patch | 138 ---------------------
...55-usbip-fix-potential-out-of-bound-write.patch | 45 -------
Makefile | 8 +-
3 files changed, 3 insertions(+), 188 deletions(-)
delete mode 100644 CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
delete mode 100644 CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
diff --git a/CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch b/CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
deleted file mode 100644
index ae96f4d..0000000
--- a/CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 889c172b1e097eceefc5d9d3639c3862c98c6753 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn at mork.no>
-Date: Wed, 20 Apr 2016 11:15:11 +0100
-Subject: [PATCH 1/2] cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-usbnet_link_change will call schedule_work and should be
-avoided if bind is failing. Otherwise we will end up with
-scheduled work referring to a netdev which has gone away.
-
-Instead of making the call conditional, we can just defer
-it to usbnet_probe, using the driver_info flag made for
-this purpose.
-
-Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
-Reported-by: Andrey Konovalov <andreyknvl at gmail.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Bjørn Mork <bjorn at mork.no>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-(cherry picked from commit 4d06dd537f95683aba3651098ae288b7cbff8274)
-CVE-2016-3951
-BugLink: https://bugs.launchpad.net/bugs/1567191
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
-Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
-Signed-off-by: Kamal Mostafa <kamal at canonical.com>
----
- drivers/net/usb/cdc_ncm.c | 20 +++++---------------
- 1 file changed, 5 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
-index e8a1144..93c88a2 100644
---- a/drivers/net/usb/cdc_ncm.c
-+++ b/drivers/net/usb/cdc_ncm.c
-@@ -941,8 +941,6 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting);
-
- static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- {
-- int ret;
--
- /* MBIM backwards compatible function? */
- if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM)
- return -ENODEV;
-@@ -951,16 +949,7 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- * Additionally, generic NCM devices are assumed to accept arbitrarily
- * placed NDP.
- */
-- ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
--
-- /*
-- * We should get an event when network connection is "connected" or
-- * "disconnected". Set network connection in "disconnected" state
-- * (carrier is OFF) during attach, so the IP network stack does not
-- * start IPv6 negotiation and more.
-- */
-- usbnet_link_change(dev, 0, 0);
-- return ret;
-+ return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
- }
-
- static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
-@@ -1543,7 +1532,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
-
- static const struct driver_info cdc_ncm_info = {
- .description = "CDC NCM",
-- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
-+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-+ | FLAG_LINK_INTR,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
-@@ -1556,7 +1546,7 @@ static const struct driver_info cdc_ncm_info = {
- static const struct driver_info wwan_info = {
- .description = "Mobile Broadband Network Device",
- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-- | FLAG_WWAN,
-+ | FLAG_LINK_INTR | FLAG_WWAN,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
-@@ -1569,7 +1559,7 @@ static const struct driver_info wwan_info = {
- static const struct driver_info wwan_noarp_info = {
- .description = "Mobile Broadband Network Device (NO ARP)",
- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-- | FLAG_WWAN | FLAG_NOARP,
-+ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
- .bind = cdc_ncm_bind,
- .unbind = cdc_ncm_unbind,
- .manage_power = usbnet_manage_power,
---
-2.1.4
-
-From ac6b36fbfad65378b81338637254f0d23b35e2a1 Mon Sep 17 00:00:00 2001
-From: Oliver Neukum <oneukum at suse.com>
-Date: Wed, 20 Apr 2016 11:15:12 +0100
-Subject: [PATCH 2/2] usbnet: cleanup after bind() in probe()
-
-In case bind() works, but a later error forces bailing
-in probe() in error cases work and a timer may be scheduled.
-They must be killed. This fixes an error case related to
-the double free reported in
-http://www.spinics.net/lists/netdev/msg367669.html
-and needs to go on top of Linus' fix to cdc-ncm.
-
-Signed-off-by: Oliver Neukum <ONeukum at suse.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
-CVE-2016-3951
-BugLink: https://bugs.launchpad.net/bugs/1567191
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
-Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
-Signed-off-by: Kamal Mostafa <kamal at canonical.com>
----
- drivers/net/usb/usbnet.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 0744bf2..c2ea4e5 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -1766,6 +1766,13 @@ out3:
- if (info->unbind)
- info->unbind (dev, udev);
- out1:
-+ /* subdrivers must undo all they did in bind() if they
-+ * fail it, but we may fail later and a deferred kevent
-+ * may trigger an error resubmitting itself and, worse,
-+ * schedule a timer. So we kill it all just in case.
-+ */
-+ cancel_work_sync(&dev->kevent);
-+ del_timer_sync(&dev->delay);
- free_netdev(net);
- out:
- return status;
---
-2.1.4
-
diff --git a/CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch b/CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
deleted file mode 100644
index d3f9fd0..0000000
--- a/CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
-From: Ignat Korchagin <ignat.korchagin at gmail.com>
-Date: Thu, 17 Mar 2016 18:00:29 +0000
-Subject: USB: usbip: fix potential out-of-bounds write
-
-Fix potential out-of-bounds write to urb->transfer_buffer
-usbip handles network communication directly in the kernel. When receiving a
-packet from its peer, usbip code parses headers according to protocol. As
-part of this parsing urb->actual_length is filled. Since the input for
-urb->actual_length comes from the network, it should be treated as untrusted.
-Any entity controlling the network may put any value in the input and the
-preallocated urb->transfer_buffer may not be large enough to hold the data.
-Thus, the malicious entity is able to write arbitrary data to kernel memory.
-
-Signed-off-by: Ignat Korchagin <ignat.korchagin at gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/usb/usbip/usbip_common.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
-index facaaf0..e40da77 100644
---- a/drivers/usb/usbip/usbip_common.c
-+++ b/drivers/usb/usbip/usbip_common.c
-@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
- if (!(size > 0))
- return 0;
-
-+ if (size > urb->transfer_buffer_length) {
-+ /* should not happen, probably malicious packet */
-+ if (ud->side == USBIP_STUB) {
-+ usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
-+ return 0;
-+ } else {
-+ usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
-+ return -EPIPE;
-+ }
-+ }
-+
- ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
- if (ret != size) {
- dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
---
-cgit v0.12
-
diff --git a/Makefile b/Makefile
index 88cf495..74205c0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
RELEASE=4.2
# also update proxmox-ve/changelog if you change KERNEL_VER or KREL
-KERNEL_VER=4.4.6
-PKGREL=48
+KERNEL_VER=4.4.8
+PKGREL=49
# also include firmware of previous version into
# the fw package: fwlist-2.6.32-PREV-pve
KREL=1
@@ -107,7 +107,7 @@ ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst
download:
rm -rf ${KERNEL_SRC} ${KERNELSRCTAR}
#git clone git://kernel.ubuntu.com/ubuntu/ubuntu-vivid.git
- git clone git://kernel.ubuntu.com/ubuntu/ubuntu-xenial.git ${KERNEL_SRC}
+ git clone --single-branch -b Ubuntu-4.4.0-22.39 git://kernel.ubuntu.com/ubuntu/ubuntu-xenial.git ${KERNEL_SRC}
tar czf ${KERNELSRCTAR} --exclude .git ${KERNEL_SRC}
check_gcc:
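Review bot: The `git clone` in the `download` target now pins a tag name, but it still fetches over `git://`, which gives no authentication or integrity protection, and nothing checks what was checked out before it is tarred with `--exclude .git`. A tag name is also a movable reference, so the same Makefile could yield a different source tree later. This matters more here because the commit drops the local CVE-2016-3951 and CVE-2016-3955 patches on the assumption that the tagged tree already contains them. I would add a check right after the clone, for example `cd ${KERNEL_SRC}; git verify-tag Ubuntu-4.4.0-22.39` (this assumes the tag is signed and the signing key is in the build host's keyring), or compare `git rev-parse HEAD` with a commit id recorded in the Makefile (`<expected-commit-id>`). Fetching over an authenticated transport, if the host offers one, would help as well.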
@@ -236,8 +236,6 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
#cd ${KERNEL_SRC}; patch -p1 <../add-empty-ndo_poll_controller-to-veth.patch
cd ${KERNEL_SRC}; patch -p1 <../override_for_missing_acs_capabilities.patch
#cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
- cd ${KERNEL_SRC}; patch -p1 <../CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
- cd ${KERNEL_SRC}; patch -p1 <../CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
cd ${KERNEL_SRC}; patch -p1 <../bug-950-tcp-fix-tcp_mark_head_lost-to-check-skb-len-before-f.patch
sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
touch $@
--
2.1.4