~ubuntu-kernel/ubuntu/+source/linux/+git/precise:master

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

a7f4ed7... by Stefan Bader on 2017-03-31

UBUNTU: Ubuntu-3.2.0-126.169

Signed-off-by: Stefan Bader <email address hidden>

d141a3e... by Andrey Konovalov <email address hidden> on 2017-03-29

net/packet: fix overflow in check for tp_reserve

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <email address hidden>
Acked-by: Eric Dumazet <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

BugLink: https://bugs.launchpad.net/bugs/1678009
CVE-2017-7308
(cherry picked from commit bcc5364bdcfe131e6379363f089e7b4108d35b70 linux-net)
Signed-off-by: Andy Whitcroft <email address hidden>

f6c1609... by Andrey Konovalov <email address hidden> on 2017-03-29

net/packet: fix overflow in check for tp_frame_nr

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <email address hidden>
Acked-by: Eric Dumazet <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

BugLink: https://bugs.launchpad.net/bugs/1678009
CVE-2017-7308
(cherry picked from commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b linux-net)
Signed-off-by: Andy Whitcroft <email address hidden>

5fefcc0... by Andrey Konovalov <email address hidden> on 2017-03-29

net/packet: fix overflow in check for priv area size

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <email address hidden>
Acked-by: Eric Dumazet <email address hidden>
Signed-off-by: David S. Miller <email address hidden>

BugLink: https://bugs.launchpad.net/bugs/1678009
CVE-2017-7308
(cherry picked from commit 2b6867c2ce76c596676bec7d2d525af525fdc6e2 linux-net)
Signed-off-by: Andy Whitcroft <email address hidden>

2af7bde... by Eric Dumazet <email address hidden> on 2014-08-15

packet: handle too big packets for PACKET_V3

BugLink: http://bugs.launchpad.net/bugs/1393477

[ Upstream commit dc808110bb62b64a448696ecac3938902c92e1ab ]

af_packet can currently overwrite kernel memory by out of bound
accesses, because it assumed a [new] block can always hold one frame.

This is not generally the case, even if most existing tools do it right.

This patch clamps too long frames as API permits, and issue a one time
error on syslog.

[ 394.357639] tpacket_rcv: packet too big, clamped from 5042 to 3966. macoff=82

In this example, packet header tp_snaplen was set to 3966,
and tp_len was set to 5042 (skb->len)

Signed-off-by: Eric Dumazet <email address hidden>
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Acked-by: Daniel Borkmann <email address hidden>
Acked-by: Neil Horman <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Signed-off-by: Kamal Mostafa <email address hidden>
Signed-off-by: Luis Henriques <email address hidden>

(backported from dc808110bb62b64a448696ecac3938902c92e1ab upstream)
BugLink: https://bugs.launchpad.net/bugs/1678009
CVE-2017-7308
Signed-off-by: Stefan Bader <email address hidden>

1078203... by Stefan Bader on 2017-03-31

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Stefan Bader <email address hidden>

c4c94b5... by Stefan Bader on 2017-03-24

UBUNTU: Ubuntu-3.2.0-125.168

Signed-off-by: Stefan Bader <email address hidden>

b384174... by Andy Whitcroft on 2017-03-23

xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues. To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <email address hidden>

57d2aed... by Andy Whitcroft on 2017-03-22

xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate
the user supplied replay_esn to ensure that the size is valid and to ensure
that the replay_window size is within the allocated buffer. However later
it is possible to update this replay_esn via a XFRM_MSG_NEWAE call.
There we again validate the size of the supplied buffer matches the
existing state and if so inject the contents. We do not at this point
check that the replay_window is within the allocated memory. This leads
to out-of-bounds reads and writes triggered by netlink packets. This leads
to memory corruption and the potential for priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the
user is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <email address hidden>

640fed4... by Thadeu Lima de Souza Cascardo on 2017-03-23

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>