[pve-devel] [PATCH kernel 1/2] Update to 4.4.0-22.39

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon May 9 08:49:47 CEST 2016


drop CVE fixes applied upstream
---
 ...ption-triggered-by-invalid-USB-descriptor.patch | 138 ---------------------
 ...55-usbip-fix-potential-out-of-bound-write.patch |  45 -------
 Makefile                                           |   8 +-
 3 files changed, 3 insertions(+), 188 deletions(-)
 delete mode 100644 CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
 delete mode 100644 CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch

diff --git a/CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch b/CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
deleted file mode 100644
index ae96f4d..0000000
--- a/CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
+++ /dev/null
@@ -1,138 +0,0 @@
-From 889c172b1e097eceefc5d9d3639c3862c98c6753 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn at mork.no>
-Date: Wed, 20 Apr 2016 11:15:11 +0100
-Subject: [PATCH 1/2] cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-usbnet_link_change will call schedule_work and should be
-avoided if bind is failing. Otherwise we will end up with
-scheduled work referring to a netdev which has gone away.
-
-Instead of making the call conditional, we can just defer
-it to usbnet_probe, using the driver_info flag made for
-this purpose.
-
-Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
-Reported-by: Andrey Konovalov <andreyknvl at gmail.com>
-Suggested-by: Linus Torvalds <torvalds at linux-foundation.org>
-Signed-off-by: Bjørn Mork <bjorn at mork.no>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-(cherry picked from commit 4d06dd537f95683aba3651098ae288b7cbff8274)
-CVE-2016-3951
-BugLink: https://bugs.launchpad.net/bugs/1567191
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
-Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
-Signed-off-by: Kamal Mostafa <kamal at canonical.com>
----
- drivers/net/usb/cdc_ncm.c | 20 +++++---------------
- 1 file changed, 5 insertions(+), 15 deletions(-)
-
-diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
-index e8a1144..93c88a2 100644
---- a/drivers/net/usb/cdc_ncm.c
-+++ b/drivers/net/usb/cdc_ncm.c
-@@ -941,8 +941,6 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsetting);
- 
- static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- {
--	int ret;
--
- 	/* MBIM backwards compatible function? */
- 	if (cdc_ncm_select_altsetting(intf) != CDC_NCM_COMM_ALTSETTING_NCM)
- 		return -ENODEV;
-@@ -951,16 +949,7 @@ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
- 	 * Additionally, generic NCM devices are assumed to accept arbitrarily
- 	 * placed NDP.
- 	 */
--	ret = cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
--
--	/*
--	 * We should get an event when network connection is "connected" or
--	 * "disconnected". Set network connection in "disconnected" state
--	 * (carrier is OFF) during attach, so the IP network stack does not
--	 * start IPv6 negotiation and more.
--	 */
--	usbnet_link_change(dev, 0, 0);
--	return ret;
-+	return cdc_ncm_bind_common(dev, intf, CDC_NCM_DATA_ALTSETTING_NCM, 0);
- }
- 
- static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
-@@ -1543,7 +1532,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
- 
- static const struct driver_info cdc_ncm_info = {
- 	.description = "CDC NCM",
--	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
-+	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
-+			| FLAG_LINK_INTR,
- 	.bind = cdc_ncm_bind,
- 	.unbind = cdc_ncm_unbind,
- 	.manage_power = usbnet_manage_power,
-@@ -1556,7 +1546,7 @@ static const struct driver_info cdc_ncm_info = {
- static const struct driver_info wwan_info = {
- 	.description = "Mobile Broadband Network Device",
- 	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
--			| FLAG_WWAN,
-+			| FLAG_LINK_INTR | FLAG_WWAN,
- 	.bind = cdc_ncm_bind,
- 	.unbind = cdc_ncm_unbind,
- 	.manage_power = usbnet_manage_power,
-@@ -1569,7 +1559,7 @@ static const struct driver_info wwan_info = {
- static const struct driver_info wwan_noarp_info = {
- 	.description = "Mobile Broadband Network Device (NO ARP)",
- 	.flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
--			| FLAG_WWAN | FLAG_NOARP,
-+			| FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
- 	.bind = cdc_ncm_bind,
- 	.unbind = cdc_ncm_unbind,
- 	.manage_power = usbnet_manage_power,
--- 
-2.1.4
-
-From ac6b36fbfad65378b81338637254f0d23b35e2a1 Mon Sep 17 00:00:00 2001
-From: Oliver Neukum <oneukum at suse.com>
-Date: Wed, 20 Apr 2016 11:15:12 +0100
-Subject: [PATCH 2/2] usbnet: cleanup after bind() in probe()
-
-In case bind() works, but a later error forces bailing
-in probe() in error cases work and a timer may be scheduled.
-They must be killed. This fixes an error case related to
-the double free reported in
-http://www.spinics.net/lists/netdev/msg367669.html
-and needs to go on top of Linus' fix to cdc-ncm.
-
-Signed-off-by: Oliver Neukum <ONeukum at suse.com>
-Signed-off-by: David S. Miller <davem at davemloft.net>
-(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
-CVE-2016-3951
-BugLink: https://bugs.launchpad.net/bugs/1567191
-Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
-Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
-Signed-off-by: Kamal Mostafa <kamal at canonical.com>
----
- drivers/net/usb/usbnet.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
-index 0744bf2..c2ea4e5 100644
---- a/drivers/net/usb/usbnet.c
-+++ b/drivers/net/usb/usbnet.c
-@@ -1766,6 +1766,13 @@ out3:
- 	if (info->unbind)
- 		info->unbind (dev, udev);
- out1:
-+	/* subdrivers must undo all they did in bind() if they
-+	 * fail it, but we may fail later and a deferred kevent
-+	 * may trigger an error resubmitting itself and, worse,
-+	 * schedule a timer. So we kill it all just in case.
-+	 */
-+	cancel_work_sync(&dev->kevent);
-+	del_timer_sync(&dev->delay);
- 	free_netdev(net);
- out:
- 	return status;
--- 
-2.1.4
-
diff --git a/CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch b/CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
deleted file mode 100644
index d3f9fd0..0000000
--- a/CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb Mon Sep 17 00:00:00 2001
-From: Ignat Korchagin <ignat.korchagin at gmail.com>
-Date: Thu, 17 Mar 2016 18:00:29 +0000
-Subject: USB: usbip: fix potential out-of-bounds write
-
-Fix potential out-of-bounds write to urb->transfer_buffer
-usbip handles network communication directly in the kernel. When receiving a
-packet from its peer, usbip code parses headers according to protocol. As
-part of this parsing urb->actual_length is filled. Since the input for
-urb->actual_length comes from the network, it should be treated as untrusted.
-Any entity controlling the network may put any value in the input and the
-preallocated urb->transfer_buffer may not be large enough to hold the data.
-Thus, the malicious entity is able to write arbitrary data to kernel memory.
-
-Signed-off-by: Ignat Korchagin <ignat.korchagin at gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
----
- drivers/usb/usbip/usbip_common.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/drivers/usb/usbip/usbip_common.c b/drivers/usb/usbip/usbip_common.c
-index facaaf0..e40da77 100644
---- a/drivers/usb/usbip/usbip_common.c
-+++ b/drivers/usb/usbip/usbip_common.c
-@@ -741,6 +741,17 @@ int usbip_recv_xbuff(struct usbip_device *ud, struct urb *urb)
- 	if (!(size > 0))
- 		return 0;
- 
-+	if (size > urb->transfer_buffer_length) {
-+		/* should not happen, probably malicious packet */
-+		if (ud->side == USBIP_STUB) {
-+			usbip_event_add(ud, SDEV_EVENT_ERROR_TCP);
-+			return 0;
-+		} else {
-+			usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
-+			return -EPIPE;
-+		}
-+	}
-+
- 	ret = usbip_recv(ud->tcp_socket, urb->transfer_buffer, size);
- 	if (ret != size) {
- 		dev_err(&urb->dev->dev, "recv xbuf, %d\n", ret);
--- 
-cgit v0.12
-
diff --git a/Makefile b/Makefile
index 88cf495..74205c0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,8 @@
 RELEASE=4.2
 
 # also update proxmox-ve/changelog if you change KERNEL_VER or KREL
-KERNEL_VER=4.4.6
-PKGREL=48
+KERNEL_VER=4.4.8
+PKGREL=49
 # also include firmware of previous version into
 # the fw package:  fwlist-2.6.32-PREV-pve
 KREL=1
@@ -107,7 +107,7 @@ ${PVE_DEB} pve: proxmox-ve/control proxmox-ve/postinst
 download:
 	rm -rf ${KERNEL_SRC} ${KERNELSRCTAR}
 	#git clone git://kernel.ubuntu.com/ubuntu/ubuntu-vivid.git
-	git clone git://kernel.ubuntu.com/ubuntu/ubuntu-xenial.git ${KERNEL_SRC}
+	git clone --single-branch -b Ubuntu-4.4.0-22.39 git://kernel.ubuntu.com/ubuntu/ubuntu-xenial.git ${KERNEL_SRC}
 	tar czf ${KERNELSRCTAR} --exclude .git ${KERNEL_SRC} 
 
 check_gcc: 
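Review bot: The new `git clone --single-branch -b Ubuntu-4.4.0-22.39 git://…` line still fetches over the unauthenticated `git://` transport, and nothing verifies the tree before it is packed into `${KERNELSRCTAR}`. Pinning to a tag narrows what is built, but a tag name is a mutable ref, and anyone on the network path can serve different objects under it. This matters more in this commit, because the two local CVE patches are dropped on the assumption that the fetched tag already contains those fixes. I would add a check right after the clone, for example `cd ${KERNEL_SRC}; git verify-tag Ubuntu-4.4.0-22.39` if the upstream tags are signed (not visible from here), or a comparison of `git rev-parse HEAD` against a commit id recorded in the Makefile. It would also help to switch to an authenticated transport if the host offers one.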
@@ -236,8 +236,6 @@ ${KERNEL_SRC}/README ${KERNEL_CFG_ORG}: ${KERNELSRCTAR}
 	#cd ${KERNEL_SRC}; patch -p1 <../add-empty-ndo_poll_controller-to-veth.patch
 	cd ${KERNEL_SRC}; patch -p1 <../override_for_missing_acs_capabilities.patch
 	#cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
-	cd ${KERNEL_SRC}; patch -p1 <../CVE-2016-3955-usbip-fix-potential-out-of-bound-write.patch
-	cd ${KERNEL_SRC}; patch -p1 <../CVE-2016-3951-usbnet-memory-corruption-triggered-by-invalid-USB-descriptor.patch
 	cd ${KERNEL_SRC}; patch -p1 <../bug-950-tcp-fix-tcp_mark_head_lost-to-check-skb-len-before-f.patch
 	sed -i ${KERNEL_SRC}/Makefile -e 's/^EXTRAVERSION.*$$/EXTRAVERSION=${EXTRAVERSION}/'
 	touch $@
-- 
2.1.4




