Univention Bugzilla – Bug 52549
linux: Multiple issues (4.4)
Last modified: 2021-01-13 17:20:16 CET
New Debian linux 4.9.246-2 fixes:

This update addresses the following issues:
* In create_pinctrl of core.c, there is a possible out of bounds read due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android kernel. Android ID: A-140550171 (CVE-2020-0427)
* Insufficient access control vulnerability in PowerCap Framework (CVE-2020-8694)
* performance counters race condition use-after-free (CVE-2020-14351)
* Geneve/IPsec traffic may be unencrypted between two Geneve endpoints (CVE-2020-25645)
* use-after-free in read in vt_do_kdgkb_ioctl (CVE-2020-25656)
* race condition in fg_console can lead to use-after-free in con_font_op (CVE-2020-25668)
* use-after-free read in sunkbd_reinit in drivers/input/keyboard/sunkbd.c (CVE-2020-25669)
* perf_event_parse_addr_filter memory (CVE-2020-25704)
* ICMP rate limiting can be used for DNS poisoning attack (CVE-2020-25705)
* xen: guest OS users can cause a DoS via a high rate of events to dom0 (XSA-332) (CVE-2020-27673)
* xen: race condition in event-channel removal during the event-handling loop (XSA-331) (CVE-2020-27675)
* slab-out-of-bounds read in fbcon (CVE-2020-28974)
--- mirror/ftp/4.4/unmaintained/4.4-7/source/linux_4.9.240-2.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/linux_4.9.246-2.dsc 
@@ -1,3 +1,369 @@ +4.9.246-2 [Thu, 17 Dec 2020 13:51:31 +0100] Ben Hutchings <benh@debian.org>: + + * [arm64] Fix FTBFS after Xen netback fix: + - arm64: Remove redundant mov from LL/SC cmpxchg + - arm64: Avoid redundant type conversions in xchg() and cmpxchg() + - arm64: cmpxchg: Use "K" instead of "L" for ll/sc immediate constraint + - arm64: Use correct ll/sc atomic constraints + +4.9.246-1 [Wed, 16 Dec 2020 23:26:40 +0100] Ben Hutchings <benh@debian.org>: + + * New upstream stable update: + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.241 + - tipc: fix the skb_unshare() in tipc_buf_append() + - net/ipv4: always honour route mtu during forwarding + - r8169: fix data corruption issue on RTL8402 + - ALSA: bebob: potential info leak in hwdep_read() + - net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device + - net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling + ether_setup + - nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in + nfc_genl_fw_download() + - tcp: fix to update snd_wl1 in bulk receiver fast path + - icmp: randomize the global rate limiter (CVE-2020-25705) + - cifs: remove bogus debug code + - [x86] KVM: x86/mmu: Commit zap of remaining invalid pages when recovering + lpages + - ima: Don't ignore errors from crypto_shash_update() + - crypto: algif_aead - Do not set MAY_BACKLOG on the async path + - [x86] EDAC/i5100: Fix error handling order in i5100_init_one() + - [armhf] media: Revert "media: exynos4-is: Add missed check for + pinctrl_lookup_state()" + - [armhf] media: omap3isp: Fix memleak in isp_probe + - [armhf] crypto: omap-sham - fix digcnt register handling with export/ + import + - [armhf] media: ti-vpe: Fix a missing check and reference count leak + - regulator: resolve supply after creating regulator + - ath10k: provide survey info as accumulated data + - ath6kl: prevent potential array overflow in ath6kl_add_new_sta() + - ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() + - 
wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 + - [arm64] ASoC: qcom: lpass-platform: fix memory leak + - mwifiex: Do not use GFP_KERNEL in atomic context + - [x86] drm/gma500: fix error check + - scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' + - scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() + - [x86] VMCI: check return value of get_user_pages_fast() for errors + - tty: serial: earlycon dependency + - pty: do tty_flip_buffer_push without port->lock in pty_write + - [x86] video: fbdev: vga16fb: fix setting of pixclock because a pass-by- + value error + - video: fbdev: sis: fix null ptr dereference + - HID: roccat: add bounds checking in kone_sysfs_write_settings() + - ath6kl: wmi: prevent a shift wrapping bug in + ath6kl_wmi_delete_pstream_cmd() + - [amd64] misc: mic: scif: Fix error handling path + - ALSA: seq: oss: Avoid mutex lock for a long-time ioctl + - quota: clear padding in v2r1_mem2diskdqb() + - net: enic: Cure the enic api locking trainwreck + - iwlwifi: mvm: split a print to avoid a WARNING in ROC + - usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. 
+ - nl80211: fix non-split wiphy information + - scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() + - mwifiex: fix double free + - IB/mlx4: Fix starvation in paravirt mux/demux + - IB/mlx4: Adjust delayed work when a dup is observed + - mtd: lpddr: fix excessive stack usage with clang + - mtd: mtdoops: Don't write panic data twice + - [armel,armhf] 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using + DT values + - RDMA/qedr: Fix use of uninitialized field + - [x86] perf intel-pt: Fix "context_switch event has no tid" error + - [arm64] RDMA/hns: Set the unsupported wr opcode + - overflow: Include header file with SIZE_MAX declaration + - IB/rdmavt: Fix sizeof mismatch + - rapidio: fix error handling path + - rapidio: fix the missed put_device() for rio_mport_add_riodev + - [arm64,armhf] clk: bcm2835: add missing release if devm_clk_hw_register + fails + - vfio/pci: Clear token on bypass registration failure + - [armhf] Input: omap4-keypad - fix handling of platform_get_irq() error + - [armhf] Input: twl4030_keypad - fix handling of platform_get_irq() error + - [armhf] Input: sun4i-ps2 - fix handling of platform_get_irq() error + - [x86] KVM: x86: emulating RDPID failure shall return #UD rather than #GP + - [arm64] dts: qcom: msm8916: Fix MDP/DSI interrupts + - [arm64] dts: zynqmp: Remove additional compatible string for i2c IPs + - nvmet: fix uninitialized work for zero kato + - [x86] crypto: ccp - fix error handling + - media: firewire: fix memory leak + - media: ati_remote: sanity check for both endpoints + - [armhf] media: exynos4-is: Fix several reference count leaks due to + pm_runtime_get_sync + - [armhf] media: exynos4-is: Fix a reference count leak due to + pm_runtime_get_sync + - [armhf] media: exynos4-is: Fix a reference count leak + - media: media/pci: prevent memory leak in bttv_probe + - media: uvcvideo: Ensure all probed info is returned to v4l2 + - mmc: sdio: Check for CISTPL_VERS_1 buffer size + - media: saa7134: avoid a shift 
overflow + - fs: dlm: fix configfs memory leak + - ntfs: add check for mft record size in superblock + - PM: hibernate: remove the bogus call to get_gendisk() in + software_resume() + - scsi: mvumi: Fix error return in mvumi_io_attach() + - scsi: target: core: Add CONTROL field for trace events + - [amd64] mic: vop: copy data to kernel space then write to io memory + - [amd64] misc: vop: add round_up(x,4) for vring_size to avoid kernel panic + - usb: gadget: function: printer: fix use-after-free in __lock_acquire + - udf: Limit sparing table size + - udf: Avoid accessing uninitialized data on failed inode read + - USB: cdc-acm: handle broken union descriptors + - ath9k: hif_usb: fix race condition between usb_get_urb() and + usb_kill_anchored_urbs() + - misc: rtsx: Fix memory leak in rtsx_pci_probe + - reiserfs: only call unlock_new_inode() if I_NEW + - xfs: make sure the rt allocator doesn't run off the end + - usb: ohci: Default to per-port over-current protection + - Bluetooth: Only mark socket zapped after unlocking + - brcmsmac: fix memory leak in wlc_phy_attach_lcnphy + - rtl8xxxu: prevent potential memory leak + - Fix use after free in get_capset_info callback. + - tty: ipwireless: fix error handling + - ipvs: Fix uninit-value in do_ip_vs_set_ctl() + - reiserfs: Fix memory leak in reiserfs_parse_options() + - brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach + - usb: core: Solve race condition in anchor cleanup functions + - ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() + - usb: cdc-acm: add quirk to blacklist ETAS ES58X devices + - USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync(). + - eeprom: at25: set minimum read/write access stride to 1 + - usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets. + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.242 + - SUNRPC: ECONNREFUSED should cause a rebind. + - efivarfs: Replace invalid slashes with exclamation marks in dentries. 
+ - tipc: fix memory leak caused by tipc_buf_append() + - [x86] arch/x86/amd/ibs: Fix re-arming IBS Fetch + - fuse: fix page dereference after free + - p54: avoid accessing the data mapped to streaming DMA + - mtd: lpddr: Fix bad logic in print_drs_error + - fscrypt: return -EXDEV for incompatible rename or link into encrypted dir + - fscrypto: move ioctl processing more fully into common code + - fscrypt: use EEXIST when file already uses different policy + - f2fs: add trace exit in exception path + - f2fs: fix to check segment boundary during SIT page readahead + - um: change sigio_spinlock to a mutex + - [armel,armhf] 8997/2: hw_breakpoint: Handle inexact watchpoint addresses + - xfs: fix realtime bitmap/summary file truncation when growing rt volume + - ath10k: fix VHT NSS calculation when STBC is enabled + - media: tw5864: check status of tw5864_frameinterval_get + - mmc: via-sdmmc: Fix data race bug + - USB: adutux: fix debugging + - [arm64] mm: return cpu_all_mask when node is NUMA_NO_NODE + - drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values + - md/bitmap: md_bitmap_get_counter returns wrong blocks + - [armhf] clk: ti: clockdomain: fix static checker warning + - net: 9p: initialize sun_server.sun_path to have addr's value only when + addr is valid + - ext4: Detect already used quota file early + - gfs2: add validation checks for size of superblock + - [armhf] memory: emif: Remove bogus debugfs error handling + - md/raid5: fix oops during stripe resizing + - [x86] perf/x86/amd/ibs: Don't include randomized bits in + get_ibs_op_count() + - [x86] perf/x86/amd/ibs: Fix raw sample data accumulation + - fs: Don't invalidate page buffers in block_write_full_page() + - NFS: fix nfs_path in case of a rename retry + - ACPI / extlog: Check for RDMSR failure + - ACPI: video: use ACPI backlight for HP 635 Notebook + - ACPI: debug: don't allow debugging when ACPI is disabled + - acpi-cpufreq: Honor _PSD table setting on new AMD CPUs + - scsi: 
mptfusion: Fix null pointer dereferences in mptscsih_remove() + - btrfs: reschedule if necessary when logging directory items + - btrfs: cleanup cow block on error + - btrfs: fix use-after-free on readahead extent after failure to create it + - [arm64,armhf] usb: dwc3: core: add phy cleanup for probe error handling + - [arm64,armhf] usb: dwc3: core: don't trigger runtime pm when remove + driver + - vt: keyboard, simplify vt_kdgkbsent + - vt: keyboard, extend func_buf_lock to readers (CVE-2020-25656) + - ubifs: dent: Fix some potential memory leaks while iterating entries + - ubi: check kthread_should_stop() after the setting of task state + - ceph: promote to unsigned long long before shifting + - libceph: clear con->out_msg on Policy::stateful_server faults + - 9P: Cast to loff_t before multiplying + - ring-buffer: Return 0 on success from ring_buffer_resize() + - vringh: fix __vringh_iov() when riov and wiov are different + - tty: make FONTX ioctl use the tty pointer they were actually passed + (CVE-2020-25668) + - cachefiles: Handle readpage error correctly + - device property: Keep secondary firmware node secondary by type + - device property: Don't clear secondary pointer for shared primary + firmware node + - [arm64] KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR + - [x86] staging: comedi: cb_pcidas: Allow 2-channel commands for AO + subdevice + - tipc: fix use-after-free in tipc_bcast_get_mode + - ALSA: usb-audio: Add implicit feedback quirk for Qu-16 + - kthread_worker: prevent queuing delayed work from timer_fn when it is + being canceled + - ftrace: Fix recursion check for NMI test + - ftrace: Handle tracing when switching between context + - tracing: Fix out of bounds write in get_trace_buf + - [armhf] dts: sun4i-a10: fix cpu_alert temperature + - [x86] kexec: Use up-to-dated screen_info copy to fill boot params + - of: Fix reserved-memory overlap detection + - scsi: core: Don't start concurrent async scan on same host + - vsock: use 
ns_capable_noaudit() on socket create + - ACPI: NFIT: Fix comparison to '-ENXIO' + - vt: Disable KD_FONT_OP_COPY (CVE-2020-28974) + - fork: fix copy_process(CLONE_PARENT) race with the exiting ->real_parent + - USB: serial: cyberjack: fix write-URB completion race + - USB: serial: option: add LE910Cx compositions 0x1203, 0x1230, 0x1231 + - USB: serial: option: add Telit FN980 composition 0x1055 + - USB: Add NO_LPM quirk for Kingston flash drive + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.243 + - powercap: restrict energy meter to root access (CVE-2020-8694) + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.244 + - regulator: defer probe when trying to get voltage from unresolved supply + - ring-buffer: Fix recursion protection transitions between interrupt + context + - gfs2: Wake up when sd_glock_disposal becomes zero + - mm: mempolicy: fix potential pte_unmap_unlock pte error + - time: Prevent undefined behaviour in timespec64_to_ns() + - btrfs: reschedule when cloning lots of extents + - genirq: Let GENERIC_IRQ_IPI select IRQ_DOMAIN_HIERARCHY + - net: xfrm: fix a race condition during allocing spi + - perf tools: Add missing swap for ino_generation + - ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() + - can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ + context + - can: dev: __can_get_echo_skb(): fix real payload length return value for + RTR frames + - can: can_create_echo_skb(): fix echo skb generation: always use + skb_clone() + - can: peak_usb: add range checking in decode operations + - can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping + - xfs: flush new eof page on truncate to avoid post-eof corruption + - Btrfs: fix missing error return if writeback for extent buffer never + started + - pinctrl: devicetree: Avoid taking direct reference to device name string + (CVE-2020-0427) + - i40e: Fix a potential NULL pointer dereference + - i40e: add num_vectors checker in iwarp handler + 
- i40e: Wrong truncation from u16 to u8 + - i40e: Fix of memory leak and integer truncation in i40e_virtchnl.c + - i40e: Memory leak in i40e_config_iwarp_qvlist + - geneve: add transport ports in route lookup for geneve (CVE-2020-25645) + - ath9k_htc: Use appropriate rs_datalen type + - gfs2: Free rd_bits later in gfs2_clear_rgrpd to fix use-after-free + - gfs2: check for live vs. read-only file system in gfs2_fitrim + - scsi: hpsa: Fix memory leak in hpsa_init_one() + - drm/amdgpu: perform srbm soft reset always on SDMA resume + - mac80211: fix use of skb payload instead of header + - cfg80211: regulatory: Fix inconsistent format argument + - scsi: scsi_dh_alua: Avoid crash during alua_bus_detach() + - [amd64] iommu/amd: Increase interrupt remapping table limit to 512 entries + - xfs: fix flags argument to rmap lookup when converting shared file rmaps + - xfs: fix rmap key and record comparison functions + - xfs: fix a missing unlock on error in xfs_fs_map_blocks + - of/address: Fix of_node memory leak in of_dma_is_coherent + - [i386] cosa: Add missing kfree in error path of cosa_write + - perf: Fix get_recursion_context() + - ext4: correctly report "not supported" for {usr,grp}jquota when + !CONFIG_QUOTA + - ext4: unlock xattr_sem properly in ext4_inline_data_truncate() + - usb: cdc-acm: Add DISABLE_ECHO for Renesas USB Download mode + - [x86] mei: protect mei_cl_mtu from null dereference + - ocfs2: initialize ip_next_orphan + - don't dump the threads that had been already exiting when zapped. 
+ - [x86] drm/gma500: Fix out-of-bounds access to struct drm_device.vblank[] + - [x86] pinctrl: amd: use higher precision for 512 RtcClk + - [x86] pinctrl: amd: fix incorrect way to disable debounce filter + - swiotlb: fix "x86: Don't panic if can not alloc buffer for swiotlb" + - IPv6: Set SIT tunnel hard_header_len to zero + - net/x25: Fix null-ptr-deref in x25_connect + - net: Update window_clamp if SOCK_RCVBUF is set + - random32: make prandom_u32() output unpredictable + - [x86] speculation: Allow IBPB to be conditionally enabled on CPUs with + always-on STIBP + - perf/core: Fix bad use of igrab() + - perf/core: Fix crash when using HW tracing kernel filters + - perf/core: Fix a memory leak in perf_event_parse_addr_filter() + (CVE-2020-25704) + - xen/events: avoid removing an event channel while handling it + (CVE-2020-27675) + - xen/events: Fix potential DoS of dom0 by rogue guests (CVE-2020-27673): + + xen/events: add a proper barrier to 2-level uevent unmasking + + xen/events: fix race in evtchn_fifo_unmask() + + xen/events: add a new "late EOI" evtchn framework + + xen/blkback: use lateeoi irq binding + + xen/netback: use lateeoi irq binding + + xen/scsiback: use lateeoi irq binding + + xen/pciback: use lateeoi irq binding + + xen/events: switch user event channels to lateeoi model + + xen/events: use a common cpu hotplug hook for event channels + + xen/events: defer eoi in case of excessive number of events + + xen/events: block rogue events for some time + - perf/core: Fix race in the perf_mmap_close() function (CVE-2020-14351) + - Revert "kernel/reboot.c: convert simple_strtoul to kstrtoint" + - reboot: fix overflow parsing reboot cpu number + - ext4: fix leaking sysfs kobject after failed mount + - Convert trailing spaces and periods in path components + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.245 + - [armhf] i2c: imx: use clk notifier for rate changes + - [armhf] i2c: imx: Fix external abort on interrupt in exit paths + - [armhf] 
i2c: mux: pca954x: Add missing pca9546 definition to chip_desc + - [x86] Input: sunkbd - avoid use-after-free in teardown paths + (CVE-2020-25669) + - mac80211: always wind down STA state + - [x86] KVM: x86: clflushopt should be treated as a no-op by emulation + https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.246 + - ah6: fix error return code in ah6_input() + - atm: nicstar: Unmap DMA on send error + - bnxt_en: read EEPROM A2h address using page 0 + - devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() + - inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() + - net: b44: fix error return code in b44_init_one() + - net: bridge: add missing counters to ndo_get_stats64 callback + - net: Have netpoll bring-up DSA management interface + - netlabel: fix our progress tracking in netlbl_unlabel_staticlist() + - netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() + - net/mlx4_core: Fix init_hca fields offset + - net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request + - qlcnic: fix error return code in qlcnic_83xx_restart_hw() + - sctp: change to hold/put transport for proto_unreach_timer + - net: usb: qmi_wwan: Set DTR quirk for MR400 + - tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate + - [armhf] pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq + - [arm64] psci: Avoid printing in cpu_psci_cpu_die() + - vfs: remove lockdep bogosity in __sb_start_write + - [armhf] dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy + - [armhf] dts: imx50-evk: Fix the chip select 1 IOMUX + - perf lock: Don't free "lock_seq_stat" if read_count isn't zero + - can: dev: can_restart(): post buffer from the right context + - can: peak_usb: fix potential integer overflow on shift of a int + - [armhf] regulator: ti-abb: Fix array out of bound read access on the + first transition + - xfs: revert "xfs: fix rmap key and record comparison functions" + - libfs: fix error cast of 
negative value in simple_attr_write() + - ALSA: ctl: fix error path at adding user-defined element set + - ALSA: mixart: Fix mutex deadlock + - tty: serial: imx: keep console clocks always on + - ext4: fix bogus warning in ext4_update_dx_flag() + - [x86] iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type + enum + - regulator: fix memory leak with repeated set_machine_constraints() + - mac80211: minstrel: remove deferred sampling code + - mac80211: minstrel: fix tx status processing corner case + - mac80211: free sta in sta_info_insert_finish() on errors + - [x86] microcode/intel: Check patch signature before saving microcode for + early loading + + [ Ben Hutchings ] + * fscrypto: Ignore ABI changes + * xen/events: Ignore ABI changes + * efivarfs: revert "fix memory leak in efivarfs_create()" (regression in + 4.9.246) + * [x86] speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb + (regressions in 4.9.228, 4.9.244) + * regulator: avoid resolve_supply() infinite recursion (regression in + 4.9.241) + * regulator: workaround self-referent regulators (regression in 4.9.241) + * bonding: wait for sysfs kobject destruction before freeing struct slave + (regression in 4.9.226) + * [x86] iommu/amd: Set DTE[IntTabLen] to represent 512 IRTEs (regression in + 4.9.244) + 4.9.240-2 [Fri, 30 Oct 2020 18:26:41 +0000] Ben Hutchings <benh@debian.org>: * xen/events: don't use chip_data for legacy IRQs (Closes: #973417) <http://10.200.17.11/4.4-7/#1279507831696507503>
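Review bot: In the 4.9.242 and 4.9.243 sections of this changelog, two of the CVE fixes work by restricting or disabling functionality, and the erratum text lists only the CVE titles: "powercap: restrict energy meter to root access (CVE-2020-8694)" and "vt: Disable KD_FONT_OP_COPY (CVE-2020-28974)". Suggest adding a sentence to the erratum description stating that the powercap energy meter is restricted to root after this update and that the KD_FONT_OP_COPY console font operation is disabled, so administrators can check for unprivileged monitoring tools or console setups that depend on either before rolling the kernel out.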
univention-kernel-image-signed Version: 5.0.0-14A~4.4.0.202101061603 c4682480d7 yaml
Fixed signing with 266e7f77
univention-kernel-image-signed 5.0.0-15A~4.4.0.202101071237

OK: amd64 @ kvm + SeaBIOS
OK: amd64 @ kvm + OVMF + SB
OK: cat /sys/kernel/security/securelevel ; echo
OK: i386 @ kvm
OK: uname -a
OK: dmesg -H
OK ./linux-dmesg-norm -a
OK: YAML
Verified
<https://errata.software-univention.de/#/?erratum=4.4x866> <https://errata.software-univention.de/#/?erratum=4.4x867>