[PATCH 2/3] af_802154: Disable auto-loading as mitigation against local exploits
Forwarded: not-needed
Recent review has revealed several bugs in obscure protocol
implementations that can be exploited by local users for denial of
service or privilege escalation. We can mitigate the effect of any
remaining vulnerabilities in such protocols by preventing unprivileged
users from loading the modules, so that they are only exploitable on
systems where the administrator has chosen to load the protocol.
The 'af_802154' (IEEE 802.15.4) protocol is not widely used, was
not present in the 'lenny' kernel, and seems to receive only sporadic
maintenance. Therefore disable auto-loading.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Gbp-Pq: Topic debian
Gbp-Pq: Name af_802154-Disable-auto-loading-as-mitigation-against.patch
Tweak gitignore for Debian pkg-kernel using git svn.
Forwarded: not-needed
[bwh: Tweak further for pure git]
Gbp-Pq: Topic debian
Gbp-Pq: Name gitignore.patch
linux (5.10.162-1) bullseye-security; urgency=high
* New upstream stable update:
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.159
- [armhf] dts: rockchip: fix node name for hym8563 rtc
- [armhf] dts: rockchip: fix ir-receiver node names
- [arm64] dts: rockchip: fix ir-receiver node names
- [armel,armhf] 9266/1: mm: fix no-MMU ZERO_PAGE() implementation
- 9p/fd: Use P9_HDRSZ for header size
- ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event
- btrfs: send: avoid unaligned encoded writes when attempting to clone range
- ASoC: soc-pcm: Add NULL check in BE reparenting
- [armhf] regulator: twl6030: fix get status of twl6032 regulators
- fbcon: Use kzalloc() in fbcon_prepare_logo()
- [arm64,armhf] usb: dwc3: gadget: Disable GUSB2PHYCFG.SUSPHY for End
Transfer
- 9p/xen: check logical size for buffer size
- net: usb: qmi_wwan: add u-blox 0x1342 composition
- mm/khugepaged: take the right locks for page table retraction
- mm/khugepaged: fix GUP-fast interaction by sending IPI
- mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
- rtc: mc146818: Prevent reading garbage
- rtc: mc146818: Detect and handle broken RTCs
- rtc: mc146818: Dont test for bit 0-5 in Register D
- rtc: cmos: remove stale REVISIT comments
- rtc: mc146818-lib: change return values of mc146818_get_time()
- rtc: Check return value from mc146818_get_time()
- rtc: mc146818-lib: fix RTC presence check
- rtc: mc146818-lib: extract mc146818_avoid_UIP
- rtc: cmos: avoid UIP when writing alarm time
- rtc: cmos: avoid UIP when reading alarm time
- rtc: cmos: Replace spin_lock_irqsave with spin_lock in hard IRQ
- rtc: mc146818: Reduce spinlock section in mc146818_set_time()
- media: videobuf2-core: take mmap_lock in vb2_get_unmapped_area()
- media: v4l2-dv-timings.c: fix too strict blanking sanity checks
- memcg: fix possible use-after-free in memcg_write_event_control()
- mm/gup: fix gup_pud_range() for dax
- Bluetooth: btusb: Add debug message for CSR controllers
- Bluetooth: Fix crash when replugging CSR fake controllers
- [s390x] KVM: s390: vsie: Fix the initialization of the epoch extension
(epdx) field
- [x86] drm/vmwgfx: Don't use screen objects when SEV is active
- drm/shmem-helper: Remove errant put in error path
- drm/shmem-helper: Avoid vm_open error paths
- HID: usbhid: Add ALWAYS_POLL quirk for some mice
- HID: hid-lg4ff: Add check for empty lbuf
- HID: core: fix shift-out-of-bounds in hid_report_raw_event
- can: af_can: fix NULL pointer dereference in can_rcv_filter
- mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page
(CVE-2022-3623)
- rtc: cmos: Disable irq around direct invocation of cmos_interrupt()
- rtc: mc146818-lib: fix locking in mc146818_set_time
- rtc: mc146818-lib: fix signedness bug in mc146818_get_time()
- netfilter: nft_set_pipapo: Actually validate intervals in fields after the
first one
- ieee802154: cc2520: Fix error return code in cc2520_hw_init()
- netfilter: ctnetlink: fix compilation warning after data race fixes in ct
mark
- e1000e: Fix TX dispatch condition
- igb: Allocate MSI-X vector when testing
- [arm64,armhf] drm: bridge: dw_hdmi: fix preference of RGB modes over
YUV420
- af_unix: Get user_ns from in_skb in unix_diag_get_exact().
- [x86] vmxnet3: correctly report encapsulated LRO packet
- Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn()
- Bluetooth: Fix not cleanup led when bt_init fails
- mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
- xen-netfront: Fix NULL sring after live migration
- [arm64,armhf] net: mvneta: Prevent out of bounds read in
mvneta_config_rss()
- i40e: Fix not setting default xps_cpus after reset
- i40e: Fix for VF MAC address 0
- i40e: Disallow ip4 and ip6 l4_4_bytes
- nvme initialize core quirks before calling nvme_init_subsystem
- net: stmmac: fix "snps,axi-config" node property parsing
- ip_gre: do not report erspan version on GRE interface
- [arm64] net: thunderx: Fix missing destroy_workqueue of nicvf_rx_mode_wq
- [arm64] net: hisilicon: Fix potential use-after-free in hisi_femac_rx()
- [arm64] net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
- tipc: Fix potential OOB in tipc_link_proto_rcv()
- ipv4: Fix incorrect route flushing when source address is deleted
- ipv4: Fix incorrect route flushing when table ID 0 is used
- tipc: call tipc_lxc_xmit without holding node_read_lock
- [x86] net: plip: don't call kfree_skb/dev_kfree_skb() under
spin_lock_irq()
- ipv6: avoid use-after-free in ip6_fragment()
- [arm64,armhf] net: mvneta: Fix an out of bounds check
- macsec: add missing attribute validation for offload
- can: esd_usb: Allow REC and TEC to return to zero
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.160
- [x86] smpboot: Move rcu_cpu_starting() earlier
- vfs: fix copy_file_range() regression in cross-fs copies
- vfs: fix copy_file_range() averts filesystem freeze protection
- nfp: fix use-after-free in area_cache_get() (CVE-2022-3545)
- fuse: always revalidate if exclusive create
- io_uring: add missing item types for splice request (CVE-2022-4696)
- ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
- can: mcba_usb: Fix termination command argument
- [armel,armhf] ASoC: cs42l51: Correct PGA Volume minimum value
- nvme-pci: clear the prp2 field when not used
- ASoC: ops: Correct bounds check for second channel on SX controls
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.161
- udf: Discard preallocation before extending file with a hole
- udf: Fix preallocation discarding at indirect extent boundary
- udf: Do not bother looking for prealloc extents if i_lenExtents matches
i_size
- udf: Fix extending file within last block
- usb: gadget: uvc: Prevent buffer overflow in setup handler
- USB: serial: option: add Quectel EM05-G modem
- USB: serial: cp210x: add Kamstrup RF sniffer PIDs
- USB: serial: f81232: fix division by zero on line-speed change
- USB: serial: f81534: fix division by zero on line-speed change
- xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N
- igb: Initialize mailbox message for VF reset
- HID: ite: Add support for Acer S1002 keyboard-dock
- HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch 10E
- HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10
- HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk
- Bluetooth: L2CAP: Fix u8 overflow (CVE-2022-45934)
- net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
https://www.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10.162
- kernel: provide create_io_thread() helper
- iov_iter: add helper to save iov_iter state
- saner calling conventions for unlazy_child()
- fs: add support for LOOKUP_CACHED
- fix handling of nd->depth on LOOKUP_CACHED failures in try_to_unlazy*
- Make sure nd->path.mnt and nd->path.dentry are always valid pointers
- fs: expose LOOKUP_CACHED through openat2() RESOLVE_CACHED
- tools headers UAPI: Sync openat2.h with the kernel sources
- net: provide __sys_shutdown_sock() that takes a socket
- net: add accept helper not installing fd
- signal: Add task_sigpending() helper
- fs: make do_renameat2() take struct filename
- file: Rename __close_fd_get_file close_fd_get_file
- fs: provide locked helper variant of close_fd_get_file()
- entry: Add support for TIF_NOTIFY_SIGNAL
- task_work: Use TIF_NOTIFY_SIGNAL if available
- [x86] Wire up TIF_NOTIFY_SIGNAL
- [arm64] add support for TIF_NOTIFY_SIGNAL
- [powerpc*] add support for TIF_NOTIFY_SIGNAL
- [mips*] add support for TIF_NOTIFY_SIGNAL
- [s390x] add support for TIF_NOTIFY_SIGNAL
- [armel,armhf] add support for TIF_NOTIFY_SIGNAL
- task_work: remove legacy TWA_SIGNAL path
- kernel: remove checking for TIF_NOTIFY_SIGNAL
- coredump: Limit what can interrupt coredumps
- kernel: allow fork with TIF_NOTIFY_SIGNAL pending
- entry/kvm: Exit to user mode when TIF_NOTIFY_SIGNAL is set
- arch: setup PF_IO_WORKER threads like PF_KTHREAD
- arch: ensure parisc/powerpc handle PF_IO_WORKER in copy_thread()
- [x86] process: setup io_threads more like normal user space threads
- kernel: stop masking signals in create_io_thread()
- kernel: don't call do_exit() for PF_IO_WORKER threads
- task_work: add helper for more targeted task_work canceling
- io_uring: import 5.15-stable io_uring
- signal: kill JOBCTL_TASK_WORK
- task_work: unconditionally run task_work from get_signal()
- net: remove cmsg restriction from io_uring based send/recvmsg calls
- Revert "proc: don't allow async path resolution of /proc/thread-self
components"
- Revert "proc: don't allow async path resolution of /proc/self components"
- eventpoll: add EPOLL_URING_WAKE poll wakeup flag
- eventfd: provide a eventfd_signal_mask() helper
- io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups
[ Salvatore Bonaccorso ]
* linux-kbuild: Include scripts/pahole-flags.sh (Closes: #
1008501)
* Bump ABI to 21
* Refresh "Export symbols needed by Android drivers"
* ASoC: Intel/SOF: use set_stream() instead of set_tdm_slots() for HDAudio
(Closes: #
1027430, #
1027483)
* ASoC/SoundWire: dai: expand 'stream' concept beyond SoundWire
(Closes: #
1027430, #
1027483)
* [rt] Update to 5.10.162-rt78
* i2c: ismt: Fix an out-of-bounds bug in ismt_access() (CVE-2022-2873)
* [x86] drm/vmwgfx: Validate the box size for the snooped cursor
(CVE-2022-36280)
* media: dvb-core: Fix UAF due to refcount races at releasing (CVE-2022-41218)
* net: sched: disallow noqueue for qdisc classes (CVE-2022-47929)
* ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
(CVE-2023-0266)
* net: sched: cbq: dont intepret cls results when asked to drop
(CVE-2023-23454)
* net: sched: atm: dont intepret cls results when asked to drop
(CVE-2023-23455)
* netfilter: nft_payload: incorrect arithmetics when fetching VLAN header bits
(CVE-2023-0179)
* ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
(CVE-2023-0394)
* [rt] arm64: make _TIF_WORK_MASK bits contiguous
[ Ben Hutchings ]
* Disable SECURITY_LOCKDOWN_LSM and MODULE_SIG where we don't sign code
(Closes: #825141)
[dgit import unpatched linux 5.10.162-1]
projects / linux.git / log