~canonical-kernel-team/ubuntu/+source/linux/+git/mantic:master-prep

Last commit made on 2023-10-30
Get this branch:
git clone -b master-prep https://git.launchpad.net/~canonical-kernel-team/ubuntu/+source/linux/+git/mantic
Recent commits

0eec6d2... by Roxana Nicolescu

UBUNTU: Ubuntu-6.5.0-12.12

Signed-off-by: Roxana Nicolescu <email address hidden>

faf6d27... by Roxana Nicolescu

UBUNTU: [Config] Move some annotations config options

CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING has moved from
'Annotations without notes' because it has a tracker in the note and
CONFIG_WWAN has moved further up due to lexical sort.

Ignore: yes
Signed-off-by: Roxana Nicolescu <email address hidden>

1fdfd2f... by Roxana Nicolescu

UBUNTU: debian/dkms-versions -- update from kernel-versions (main/2023.10.30)

BugLink: https://bugs.launchpad.net/bugs/1786013
Signed-off-by: Roxana Nicolescu <email address hidden>

1451ab0... by Roxana Nicolescu

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/2041536
Properties: no-test-build
Signed-off-by: Roxana Nicolescu <email address hidden>

eb8a3dd... by Zackr

drm/vmwgfx: Keep a gem reference to user bos in surfaces

Surfaces can be backed (i.e. stored in) memory objects (mob's) which
are created and managed by the userspace as GEM buffers. Surfaces
grab only a ttm reference which means that the gem object can
be deleted underneath us, especially in cases where prime buffer
export is used.

Make sure that all userspace surfaces which are backed by gem objects
hold a gem reference to make sure they're not deleted before vmw
surfaces are done with them, which fixes:
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 2 PID: 2632 at lib/refcount.c:28 refcount_warn_saturate+0xfb/0x150
Modules linked in: overlay vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vsock snd_ens1371 snd_ac97_codec ac97_bus snd_pcm gameport>
CPU: 2 PID: 2632 Comm: vmw_ref_count Not tainted 6.5.0-rc2-vmwgfx #1
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
RIP: 0010:refcount_warn_saturate+0xfb/0x150
Code: eb 9e 0f b6 1d 8b 5b a6 01 80 fb 01 0f 87 ba e4 80 00 83 e3 01 75 89 48 c7 c7 c0 3c f9 a3 c6 05 6f 5b a6 01 01 e8 15 81 98 ff <0f> 0b e9 6f ff ff ff 0f b>
RSP: 0018:ffffbdc34344bba0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
RDX: ffff960475ea1548 RSI: 0000000000000001 RDI: ffff960475ea1540
RBP: ffffbdc34344bba8 R08: 0000000000000003 R09: 65646e75203a745f
R10: ffffffffa5b32b20 R11: 72657466612d6573 R12: ffff96037d6a6400
R13: ffff9603484805b0 R14: 000000000000000b R15: ffff9603bed06060
FS: 00007f5fd8520c40(0000) GS:ffff960475e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f5fda755000 CR3: 000000010d012005 CR4: 00000000003706e0
Call Trace:
 <TASK>
 ? show_regs+0x6e/0x80
 ? refcount_warn_saturate+0xfb/0x150
 ? __warn+0x91/0x150
 ? refcount_warn_saturate+0xfb/0x150
 ? report_bug+0x19d/0x1b0
 ? handle_bug+0x46/0x80
 ? exc_invalid_op+0x1d/0x80
 ? asm_exc_invalid_op+0x1f/0x30
 ? refcount_warn_saturate+0xfb/0x150
 drm_gem_object_handle_put_unlocked+0xba/0x110 [drm]
 drm_gem_object_release_handle+0x6e/0x80 [drm]
 drm_gem_handle_delete+0x6a/0xc0 [drm]
 ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
 vmw_bo_unref_ioctl+0x33/0x40 [vmwgfx]
 drm_ioctl_kernel+0xbc/0x160 [drm]
 drm_ioctl+0x2d2/0x580 [drm]
 ? __pfx_vmw_bo_unref_ioctl+0x10/0x10 [vmwgfx]
 ? do_vmi_munmap+0xee/0x180
 vmw_generic_ioctl+0xbd/0x180 [vmwgfx]
 vmw_unlocked_ioctl+0x19/0x20 [vmwgfx]
 __x64_sys_ioctl+0x99/0xd0
 do_syscall_64+0x5d/0x90
 ? syscall_exit_to_user_mode+0x2a/0x50
 ? do_syscall_64+0x6d/0x90
 ? handle_mm_fault+0x16e/0x2f0
 ? exit_to_user_mode_prepare+0x34/0x170
 ? irqentry_exit_to_user_mode+0xd/0x20
 ? irqentry_exit+0x3f/0x50
 ? exc_page_fault+0x8e/0x190
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7f5fda51aaff
Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 7>
RSP: 002b:00007ffd536a4d30 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd536a4de0 RCX: 00007f5fda51aaff
RDX: 00007ffd536a4de0 RSI: 0000000040086442 RDI: 0000000000000003
RBP: 0000000040086442 R08: 000055fa603ada50 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 00007ffd536a51b8
R13: 0000000000000003 R14: 000055fa5ebb4c80 R15: 00007f5fda90f040
 </TASK>
---[ end trace 0000000000000000 ]---

A lot of the analysis on the bug was done by Murray McAllister and
Ian Forbes.

Reported-by: Murray McAllister <email address hidden>
Cc: Ian Forbes <email address hidden>
Signed-off-by: Zack Rusin <email address hidden>
Fixes: a950b989ea29 ("drm/vmwgfx: Do not drop the reference to the handle too soon")
Cc: <email address hidden> # v6.2+
Reviewed-by: Martin Krastev <email address hidden>
Link: https://patchwork<email address hidden>

CVE-2023-5633
(cherry picked from commit 91398b413d03660fd5828f7b4abc64e884b98069)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

58c16a1... by Quang Le <email address hidden>

fs/smb/client: Reset password pointer to NULL

Forgetting to reset ctx->password to NULL will lead to bugs like a double free.

Cc: <email address hidden>
Cc: Willy Tarreau <w@1wt.eu>
Reviewed-by: Namjae Jeon <email address hidden>
Signed-off-by: Quang Le <email address hidden>
Signed-off-by: Steve French <email address hidden>
(cherry picked from commit e6e43b8aa7cd3c3af686caf0c2e11819a886d705)
CVE-2023-5345
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

56bb6c7... by Wander Lairson Costa <email address hidden>

netfilter: nfnetlink_osf: avoid OOB read

The opt_num field is controlled by user mode and is not currently
validated inside the kernel. An attacker can take advantage of this to
trigger an OOB read and potentially leak information.

BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
Read of size 2 at addr ffff88804bc64272 by task poc/6431

CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
Call Trace:
 nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
 nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
 nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
 expr_call_ops_eval net/netfilter/nf_tables_core.c:214
 nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
 nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
 [..]

Also add validation to genre, subtype and version fields.

Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Lucas Leong <email address hidden>
Signed-off-by: Wander Lairson Costa <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>

CVE-2023-39189
(cherry picked from commit f4f8a7803119005e87b716874bec07c751efafec)
Signed-off-by: Magali Lemes <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

437bbb6... by Pablo Neira Ayuso <email address hidden>

netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction

New elements in this transaction might expire before the transaction
ends. Skip sync GC for such elements, otherwise the commit path might walk
over an already released object. Once the transaction is finished, async GC
will collect such expired elements.

Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Pablo Neira Ayuso <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>

CVE-2023-4244
(cherry picked from commit 2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Roxana Nicolescu <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>

9ff61a5... by John Johansen

UBUNTU: SAUCE: apparmor: open userns related sysctl so lxc can check if restrictions are in place

BugLink: http://bugs.launchpad.net/bugs/2040194

https://github.com/canonical/lxd/issues/11920#issuecomment-1756110109

lxc and lxd currently need to determine if the apparmor restrictions
on unprivileged user namespaces are being enforced, so that apparmor
restrictions won't break lxc/d, and they won't clutter the logs
by doing something like

  unshare true

to test if the restrictions are being enforced.

Ideally access to this information would be restricted so that any
unknown access would be logged, but lxc/d currently aren't ready for
this so in order to _not_ force lxc/d to probe whether enforcement is
enabled, open up read access to the sysctls for unprivileged user
namespace mediation.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>

5750e3e... by John Johansen

UBUNTU: SAUCE: apparmor: fix request field from a prompt reply that denies all access

BugLink: http://bugs.launchpad.net/bugs/2040192

A reply to a prompt request that denies all permissions requested will
throw the following warning, because the auditing code does not expect
the request field to be empty when generating the audit message.

Sep 27 22:48:14 ubuntu-mantic snapd[596]: listener.go:189: Sending access response back to kernel: {MsgNotification:{MsgHeader:{Length:0 Version:0} NotificationType:APPARMOR_NOTIF_RESP Signalled:0 NoCache:1 ID:2 Error:0} Error:-13 Allow:0 Deny:4}
Sep 27 22:48:14 ubuntu-mantic kernel: ------------[ cut here ]------------
Sep 27 22:48:14 ubuntu-mantic kernel: AppArmor WARN aa_audit_file: ((!ad.request)):
Sep 27 22:48:14 ubuntu-mantic kernel: WARNING: CPU: 3 PID: 2082 at security/apparmor/file.c:268 aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Modules linked in: snd_seq_dummy snd_hrtimer snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore binfmt_misc nls_iso8859_1 kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul polyval_clmulni polyval_generic ghash_clmulni_intel sha512_ssse3 aesni_intel virtio_gpu crypto_simd cryptd virtio_dma_buf drm_shmem_helper 9pnet_virtio drm_kms_helper 9pnet vmw_vsock_virtio_transport virtio_input vmw_vsock_virtio_transport_common input_leds joydev serio_raw vsock msr parport_pc ppdev lp parport drm virtiofs efi_pstore ip_tables x_tables autofs4 virtio_net xhci_pci ahci psmouse net_failover libahci xhci_pci_renesas failover virtio_rng
Sep 27 22:48:14 ubuntu-mantic kernel: CPU: 3 PID: 2082 Comm: bash Not tainted 6.5.0-5-generic #5+aa4.0.0+debug5-Ubuntu
Sep 27 22:48:14 ubuntu-mantic kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/LXD, BIOS unknown 2/2/2022
Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0010:aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: Code: 3c ff ff ff e8 80 6f a8 ff 44 8b 95 3c ff ff ff 5a 59 e9 e3 fe ff ff 48 c7 c6 98 5c 08 84 48 c7 c7 90 1a 60 84 e8 9f da 9d ff <0f> 0b 8b 85 78 ff ff ff e9 05 ff ff ff 48 89 de 4c 89 f7 e8 b7 f5
Sep 27 22:48:14 ubuntu-mantic kernel: RSP: 0018:ffffb66a82b57968 EFLAGS: 00010246
Sep 27 22:48:14 ubuntu-mantic kernel: RAX: 0000000000000000 RBX: ffffb66a82b57b24 RCX: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: RBP: ffffb66a82b57a30 R08: 0000000000000000 R09: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: R13: ffff8b160239d800 R14: ffffb66a82b57970 R15: 0000000000000001
Sep 27 22:48:14 ubuntu-mantic kernel: FS: 00007f1f7d3b3380(0000) GS:ffff8b17778c0000(0000) knlGS:0000000000000000
Sep 27 22:48:14 ubuntu-mantic kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 27 22:48:14 ubuntu-mantic kernel: CR2: 000055d4482063f0 CR3: 0000000137e64000 CR4: 0000000000750ee0
Sep 27 22:48:14 ubuntu-mantic kernel: PKRU: 55555554
Sep 27 22:48:14 ubuntu-mantic kernel: Call Trace:
Sep 27 22:48:14 ubuntu-mantic kernel: <TASK>
Sep 27 22:48:14 ubuntu-mantic kernel: ? show_regs+0x6d/0x80
Sep 27 22:48:14 ubuntu-mantic kernel: ? __warn+0x89/0x160
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: ? report_bug+0x17e/0x1b0
Sep 27 22:48:14 ubuntu-mantic kernel: ? handle_bug+0x51/0xa0
Sep 27 22:48:14 ubuntu-mantic kernel: ? exc_invalid_op+0x18/0x80
Sep 27 22:48:14 ubuntu-mantic kernel: ? asm_exc_invalid_op+0x1b/0x20
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: ? aa_audit_file+0x2b1/0x310
Sep 27 22:48:14 ubuntu-mantic kernel: __aa_path_perm+0xaf/0x130
Sep 27 22:48:14 ubuntu-mantic kernel: aa_path_perm+0xf1/0x1c0
Sep 27 22:48:14 ubuntu-mantic kernel: apparmor_file_open+0x1bb/0x2e0
Sep 27 22:48:14 ubuntu-mantic kernel: security_file_open+0x2e/0x60
Sep 27 22:48:14 ubuntu-mantic kernel: do_dentry_open+0x10d/0x530
Sep 27 22:48:14 ubuntu-mantic kernel: vfs_open+0x33/0x50
Sep 27 22:48:14 ubuntu-mantic kernel: do_open+0x2ed/0x470
Sep 27 22:48:14 ubuntu-mantic kernel: ? path_init+0x59/0x3d0
Sep 27 22:48:14 ubuntu-mantic kernel: path_openat+0x135/0x2d0
Sep 27 22:48:14 ubuntu-mantic kernel: ? _raw_spin_unlock+0xe/0x40
Sep 27 22:48:14 ubuntu-mantic kernel: do_filp_open+0xaf/0x170
Sep 27 22:48:14 ubuntu-mantic kernel: do_sys_openat2+0xb3/0xe0
Sep 27 22:48:14 ubuntu-mantic kernel: __x64_sys_openat+0x55/0xa0
Sep 27 22:48:14 ubuntu-mantic kernel: do_syscall_64+0x59/0x90
Sep 27 22:48:14 ubuntu-mantic kernel: ? handle_mm_fault+0xad/0x360
Sep 27 22:48:14 ubuntu-mantic kernel: ? do_user_addr_fault+0x238/0x6b0
Sep 27 22:48:14 ubuntu-mantic kernel: ? exit_to_user_mode_prepare+0x30/0xb0
Sep 27 22:48:14 ubuntu-mantic kernel: ? irqentry_exit_to_user_mode+0x17/0x20
Sep 27 22:48:14 ubuntu-mantic kernel: ? irqentry_exit+0x43/0x50
Sep 27 22:48:14 ubuntu-mantic kernel: ? exc_page_fault+0x94/0x1b0
Sep 27 22:48:14 ubuntu-mantic kernel: entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Sep 27 22:48:14 ubuntu-mantic kernel: RIP: 0033:0x7f1f7d4cdbcc
Sep 27 22:48:14 ubuntu-mantic kernel: Code: 24 18 31 c0 41 83 e2 40 75 44 89 f0 25 00 00 41 00 3d 00 00 41 00 74 36 44 89 c2 4c 89 ce bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 44 48 8b 54 24 18 64 48 2b 14 25 28 00 00 00
Sep 27 22:48:14 ubuntu-mantic kernel: RSP: 002b:00007fff2a1d1280 EFLAGS: 00000287 ORIG_RAX: 0000000000000101
Sep 27 22:48:14 ubuntu-mantic kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1f7d4cdbcc
Sep 27 22:48:14 ubuntu-mantic kernel: RDX: 0000000000090800 RSI: 000055b5d4043c40 RDI: 00000000ffffff9c
Sep 27 22:48:14 ubuntu-mantic kernel: RBP: 000055b5d4043c40 R08: 0000000000090800 R09: 000055b5d4043c40
Sep 27 22:48:14 ubuntu-mantic kernel: R10: 0000000000000000 R11: 0000000000000287 R12: 000055b5d4043c20
Sep 27 22:48:14 ubuntu-mantic kernel: R13: 000055b5d34637f8 R14: 000055b5d4043c00 R15: 000055b5d40436a0
Sep 27 22:48:14 ubuntu-mantic kernel: </TASK>
Sep 27 22:48:14 ubuntu-mantic kernel: ---[ end trace 0000000000000000 ]---

Note: this does not change the mediation, it just ensures the assert in
the audit path does not trigger, polluting dmesg and the kernel audit log.

Signed-off-by: John Johansen <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Signed-off-by: Roxana Nicolescu <email address hidden>