~binli/ubuntu/+source/linux/+git/noble:master-prep
- Get this branch: git clone -b master-prep https://git.launchpad.net/~binli/ubuntu/+source/linux/+git/noble
Recent commits
- 0eec6d2... by Roxana Nicolescu
-
UBUNTU: Ubuntu-6.5.0-12.12
Signed-off-by: Roxana Nicolescu <email address hidden>
- faf6d27... by Roxana Nicolescu
-
UBUNTU: [Config] Move some annotations config options
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING has moved from
'Annotations without notes' because it has a tracker in the note and
CONFIG_WWAN has moved further up due to lexical sort.

Ignore: yes
Signed-off-by: Roxana Nicolescu <email address hidden>
- 1fdfd2f... by Roxana Nicolescu
-
UBUNTU: debian/dkms-versions -- update from kernel-versions (main/2023.10.30)
BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Roxana Nicolescu <email address hidden>
- 1451ab0... by Roxana Nicolescu
-
UBUNTU: link-to-tracker: update tracking bug
BugLink: https://bugs.launchpad.net/bugs/2041536
Properties: no-test-build
Signed-off-by: Roxana Nicolescu <email address hidden>
- eb8a3dd... by Zackr
-
drm/vmwgfx: Keep a gem reference to user bos in surfaces
Surfaces can be backed (i.e. stored in) memory objects (mob's) which
are created and managed by the userspace as GEM buffers. Surfaces
grab only a ttm reference which means that the gem object can
be deleted underneath us, especially in cases where prime buffer
export is used.

Make sure that all userspace surfaces which are backed by gem objects
hold a gem reference to make sure they're not deleted before vmw
surfaces are done with them, which fixes:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150
Modules linked in: overlay vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec ac97_bus snd_pcm gameport>
CPU: 2 PID: 2632 Comm: vmw_ref_count Not tainted 6.5.0-rc2-vmwgfx #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:refcount_warn_saturate+0xfb/0x150
Call Trace:
<TASK>
? show_regs+0x6e/0x80
? refcount_warn_saturate+0xfb/0x150
? __warn+0x91/0x150
? refcount_warn_saturate+0xfb/0x150
? report_bug+0x19d/0x1b0
? handle_bug+0x46/0x80
? exc_invalid_op+0x1d/0x80
? asm_exc_invalid_op+0x1f/0x30
? refcount_warn_saturate+0xfb/0x150
drm_gem_object_handle_put_unlocked+0xba/0x110 [drm]
drm_gem_object_release_handle+0x6e/0x80 [drm]
drm_gem_handle_delete+0x6a/0xc0 [drm]
? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
vmw_bo_unref_ioctl+0x33/0x40 [vmwgfx]
drm_ioctl_kernel+0xbc/0x160 [drm]
drm_ioctl+0x2d2/0x580 [drm]
? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
? do_vmi_munmap+0xee/0x180
vmw_generic_ioctl+0xbd/0x180 [vmwgfx]
vmw_unlocked_ioctl+0x19/0x20 [vmwgfx]
__x64_sys_ioctl+0x99/0xd0
do_syscall_64+0x5d/0x90
? syscall_exit_to_user_mode+0x2a/0x50
? do_syscall_64+0x6d/0x90
? handle_mm_fault+0x16e/0x2f0
? exit_to_user_mode_prepare+0x34/0x170
? irqentry_exit_to_user_mode+0xd/0x20
? irqentry_exit+0x3f/0x50
? exc_page_fault+0x8e/0x190
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
</TASK>
---[ end trace 0000000000000000 ]---

A lot of the analysis on the bug was done by Murray McAllister and
Ian Forbes.

Reported-by: Murray McAllister <email address hidden>
Cc: Ian Forbes <email address hidden>
Signed-off-by: Zack Rusin <email address hidden>
Fixes: a950b989ea29 ("drm/vmwgfx: Do not drop the reference to the handle too soon")
Cc: <email address hidden> # v6.2+
Reviewed-by: Martin Krastev <email address hidden>
Link: https://patchwork<email address hidden>
CVE-2023-5633
(cherry picked from commit 91398b413d03660fd5828f7b4abc64e884b98069)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
- 58c16a1... by Quang Le <email address hidden>
-
fs/smb/client: Reset password pointer to NULL
Forgetting to reset ctx->password to NULL will lead to bugs like double free
Cc: <email address hidden>
Cc: Willy Tarreau <w@1wt.eu>
Reviewed-by: Namjae Jeon <email address hidden>
Signed-off-by: Quang Le <email address hidden>
Signed-off-by: Steve French <email address hidden>
(cherry picked from commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705)
CVE-2023-5345
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
- 56bb6c7... by Wander Lairson Costa <email address hidden>
-
netfilter: nfnetlink_osf: avoid OOB read
The opt_num field is controlled by user mode and is not currently
validated inside the kernel. An attacker can take advantage of this to
trigger an OOB read and potentially leak information.

BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
Read of size 2 at addr ffff88804bc64272 by task poc/6431

CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
Call Trace:
nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
expr_call_ops_eval net/netfilter/nf_tables_core.c:214
nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
[..]

Also add validation to genre, subtype and version fields.
Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Lucas Leong <email address hidden>
Signed-off-by: Wander Lairson Costa <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>

CVE-2023-39189
(cherry picked from commit f4f8a7803119005e87b716874bec07c751efafec)
Signed-off-by: Magali Lemes <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
- 437bbb6... by Pablo Neira Ayuso <email address hidden>
-
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
New elements in this transaction might expire before such transaction
ends. Skip sync GC for such elements otherwise commit path might walk
over an already released object. Once transaction is finished, async GC
will collect such expired element.

Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Pablo Neira Ayuso <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>

CVE-2023-4244
(cherry picked from commit 2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
- 9ff61a5... by John Johansen
-
UBUNTU: SAUCE: apparmor: open userns related sysctl so lxc can check if restrictions are in place
BugLink: http://bugs.launchpad.net/bugs/2040194

https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restrictions
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like

unshare true

to test if the restrictions are being enforced.
Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>
- 5750e3e... by John Johansen
-
UBUNTU: SAUCE: apparmor: fix request field from a prompt reply that denies all access
BugLink: http://bugs.launchpad.net/bugs/2040192

A reply to a prompt request that denies all permissions requested will
throw the following warning, because the auditing code does not expect
the request field to be empty when generating the audit message.

Sep 27 22:48:14 ubuntu-mantic snapd[596]: listener.go:189: Sending access response back to kernel: {MsgNotification:{MsgHeader:{Length:0 Version:0} NotificationType:APPARMOR_NOTIF_RESP Signalled:0 NoCache:1 ID:2 Error:0} Error:-13 Allow:0 Deny:4}
Sep 27 22:48:14 ubuntu-mantic kernel: ------------[ cut here ]------------
Sep 27 22:48:14 ubuntu-mantic kernel: AppArmor WARN aa_audit_file: ((!ad.request)):
Sep 27 22:48:14 ubuntu-mantic kernel: WARNING: CPU: 3 PID: 2082 at security/apparmor/file.c:268 aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Modules linked in: snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore binfmt_misc nls_iso8859_1 kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 aesni_intel virtio_gpu crypto_simd cryptd virtio_dma_buf drm_shmem_helper 9pnet_virtio drm_kms_helper 9pnet vmw_vsock_virtio_transport virtio_input vmw_vsock_virtio_transport_common input_leds joydev serio_raw vsock msr parport_pc ppdev lp parport drm virtiofs efi_pstore ip_tables x_tables autofs4 virtio_net xhci_pci ahci psmouse net_failover libahci xhci_pci_renesas failover virtio_rng
Sep 27 22:48:14 ubuntu-mantic kernel: CPU: 3 PID: 2082 Comm: bash Not tainted 6.5.0-5-generic #5+aa4.0.0+debug5-Ubuntu
Sep 27 22:48:14 ubuntu-mantic kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0010:aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Call Trace:
Sep 27 22:48:14 ubuntu-mantic kernel: <TASK>
Sep 27 22:48:14 ubuntu-mantic kernel: ? show_regs+0x6d/0x80
Sep 27 22:48:14 ubuntu-mantic kernel: ? __warn+0x89/0x160
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: ? report_bug+0x17e/0x1b0
Sep 27 22:48:14 ubuntu-mantic kernel: ? handle_bug+0x51/0xa0
Sep 27 22:48:14 ubuntu-mantic kernel: ? exc_invalid_op+0x18/0x80
Sep 27 22:48:14 ubuntu-mantic kernel: ? asm_exc_invalid_op+0x1b/0x20
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: __aa_path_perm+0xaf/0x130
Sep 27 22:48:14 ubuntu-mantic kernel: aa_path_perm+0xf1/0x1c0
Sep 27 22:48:14 ubuntu-mantic kernel: apparmor_file_open+0x1bb/0x2e0
Sep 27 22:48:14 ubuntu-mantic kernel: security_file_open+0x2e/0x60
Sep 27 22:48:14 ubuntu-mantic kernel: do_dentry_open+0x10d/0x530
Sep 27 22:48:14 ubuntu-mantic kernel: vfs_open+0x33/0x50
Sep 27 22:48:14 ubuntu-mantic kernel: do_open+0x2ed/0x470
Sep 27 22:48:14 ubuntu-mantic kernel: ? path_init+0x59/0x3d0
Sep 27 22:48:14 ubuntu-mantic kernel: path_openat+0x135/0x2d0
Sep 27 22:48:14 ubuntu-mantic kernel: ? _raw_spin_unlock+0xe/0x40
Sep 27 22:48:14 ubuntu-mantic kernel: do_filp_open+0xaf/0x170
Sep 27 22:48:14 ubuntu-mantic kernel: do_sys_openat2+0xb3/0xe0
Sep 27 22:48:14 ubuntu-mantic kernel: __x64_sys_openat+0x55/0xa0
Sep 27 22:48:14 ubuntu-mantic kernel: do_syscall_64+0x59/0x90
Sep 27 22:48:14 ubuntu-mantic kernel: ? handle_mm_fault+0xad/0x360
Sep 27 22:48:14 ubuntu-mantic kernel: ? do_user_addr_fault+0x238/0x6b0
Sep 27 22:48:14 ubuntu-mantic kernel: ? exit_to_user_mode_prepare+0x30/0xb0
Sep 27 22:48:14 ubuntu-mantic kernel: ? irqentry_exit_to_user_mode+0x17/0x20
Sep 27 22:48:14 ubuntu-mantic kernel: ? irqentry_exit+0x43/0x50
Sep 27 22:48:14 ubuntu-mantic kernel: ? exc_page_fault+0x94/0x1b0
Sep 27 22:48:14 ubuntu-mantic kernel: entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Sep 27 22:48:14 ubuntu-mantic kernel: </TASK>
Sep 27 22:48:14 ubuntu-mantic kernel: ---[ end trace 0000000000000000 ]---

Note: this does not change the mediation, it just ensures the assert in
the audit path does not trigger, polluting dmesg and the kernel audit log.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>