+++ /dev/null
-From: Jann Horn <jann@thejh.net>
-Date: Sat, 26 Dec 2015 03:52:31 +0100
-Subject: [PATCH] ptrace: being capable wrt a process requires mapped uids/gids
-
-ptrace_has_cap() checks whether the current process should be
-treated as having a certain capability for ptrace checks
-against another process. Until now, this was equivalent to
-has_ns_capability(current, target_ns, CAP_SYS_PTRACE).
-
-However, if a root-owned process wants to enter a user
-namespace for some reason without knowing who owns it and
-therefore can't change to the namespace owner's uid and gid
-before entering, as soon as it has entered the namespace,
-the namespace owner can attach to it via ptrace and thereby
-gain access to its uid and gid.
-
-While it is possible for the entering process to switch to
-the uid of a claimed namespace owner before entering,
-causing the attempt to enter to fail if the claimed uid is
-wrong, this doesn't solve the problem of determining an
-appropriate gid.
-
-With this change, the entering process can first enter the
-namespace and then safely inspect the namespace's
-properties, e.g. through /proc/self/{uid_map,gid_map},
-assuming that the namespace owner doesn't have access to
-uid 0.
-
-Changed in v2: The caller needs to be capable in the
-namespace into which tcred's uids/gids can be mapped.
-
-Signed-off-by: Jann Horn <jann@thejh.net>
-Acked-by: Serge Hallyn <serge.hallyn@ubuntu.com>
-Acked-by: Andy Lutomirski <luto@kernel.org>
----
- kernel/ptrace.c | 33 ++++++++++++++++++++++++++++-----
- 1 file changed, 28 insertions(+), 5 deletions(-)
-
-diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index b760bae..260a08d 100644
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -20,6 +20,7 @@
- #include <linux/uio.h>
- #include <linux/audit.h>
- #include <linux/pid_namespace.h>
-+#include <linux/user_namespace.h>
- #include <linux/syscalls.h>
- #include <linux/uaccess.h>
- #include <linux/regset.h>
-@@ -207,12 +208,34 @@ static int ptrace_check_attach(struct task_struct *child, bool ignore_state)
- return ret;
- }
-
--static int ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
-+static bool ptrace_has_cap(const struct cred *tcred, unsigned int mode)
- {
-+ struct user_namespace *tns = tcred->user_ns;
-+
-+ /* When a root-owned process enters a user namespace created by a
-+ * malicious user, the user shouldn't be able to execute code under
-+ * uid 0 by attaching to the root-owned process via ptrace.
-+ * Therefore, similar to the capable_wrt_inode_uidgid() check,
-+ * verify that all the uids and gids of the target process are
-+ * mapped into a namespace below the current one in which the caller
-+ * is capable.
-+ * No fsuid/fsgid check because __ptrace_may_access doesn't do it
-+ * either.
-+ */
-+ while (
-+ !kuid_has_mapping(tns, tcred->euid) ||
-+ !kuid_has_mapping(tns, tcred->suid) ||
-+ !kuid_has_mapping(tns, tcred->uid) ||
-+ !kgid_has_mapping(tns, tcred->egid) ||
-+ !kgid_has_mapping(tns, tcred->sgid) ||
-+ !kgid_has_mapping(tns, tcred->gid)) {
-+ tns = tns->parent;
-+ }
-+
- if (mode & PTRACE_MODE_NOAUDIT)
-- return has_ns_capability_noaudit(current, ns, CAP_SYS_PTRACE);
-+ return has_ns_capability_noaudit(current, tns, CAP_SYS_PTRACE);
- else
-- return has_ns_capability(current, ns, CAP_SYS_PTRACE);
-+ return has_ns_capability(current, tns, CAP_SYS_PTRACE);
- }
-
- /* Returns 0 on success, -errno on denial. */
-@@ -241,7 +264,7 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
- gid_eq(cred->gid, tcred->sgid) &&
- gid_eq(cred->gid, tcred->gid))
- goto ok;
-- if (ptrace_has_cap(tcred->user_ns, mode))
-+ if (ptrace_has_cap(tcred, mode))
- goto ok;
- rcu_read_unlock();
- return -EPERM;
-@@ -252,7 +275,7 @@ ok:
- dumpable = get_dumpable(task->mm);
- rcu_read_lock();
- if (dumpable != SUID_DUMP_USER &&
-- !ptrace_has_cap(__task_cred(task)->user_ns, mode)) {
-+ !ptrace_has_cap(__task_cred(task), mode)) {
- rcu_read_unlock();
- return -EPERM;
- }
---
-2.1.4
+++ /dev/null
-From 34e2179e6322105e7de2e78bb14d34fb2b04942b Mon Sep 17 00:00:00 2001
-From: Paolo Bonzini <pbonzini@redhat.com>
-Date: Thu, 26 Nov 2015 12:09:59 +0000
-Subject: KVM: svm: unconditionally intercept #DB
-
-This is needed to avoid the possibility that the guest triggers
-an infinite stream of #DB exceptions (CVE-2015-8104).
-
-VMX is not affected: because it does not save DR6 in the VMCS,
-it already intercepts #DB unconditionally.
-
-Reported-by: Jan Beulich <jbeulich@suse.com>
-Cc: stable@vger.kernel.org
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-(cherry picked from commit cbdb967af3d54993f5814f1cee0ed311a055377d)
-CVE-2015-8104
-BugLink: https://bugs.launchpad.net/bugs/1520184
-Acked-by: Stefan Bader <stefan.bader@canonical.com>
-Acked-by: Tim Gardner <tim.gardner@canonical.com>
-Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
-
-diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
-index 78547f7..d8af78e 100644
---- a/arch/x86/kvm/svm.c
-+++ b/arch/x86/kvm/svm.c
-@@ -1107,6 +1107,7 @@ static void init_vmcb(struct vcpu_svm *svm, bool init_event)
- set_exception_intercept(svm, UD_VECTOR);
- set_exception_intercept(svm, MC_VECTOR);
- set_exception_intercept(svm, AC_VECTOR);
-+ set_exception_intercept(svm, DB_VECTOR);
-
- set_intercept(svm, INTERCEPT_INTR);
- set_intercept(svm, INTERCEPT_NMI);
-@@ -1642,20 +1643,13 @@ static void svm_set_segment(struct kvm_vcpu *vcpu,
- mark_dirty(svm->vmcb, VMCB_SEG);
- }
-
--static void update_db_bp_intercept(struct kvm_vcpu *vcpu)
-+static void update_bp_intercept(struct kvm_vcpu *vcpu)
- {
- struct vcpu_svm *svm = to_svm(vcpu);
-
-- clr_exception_intercept(svm, DB_VECTOR);
- clr_exception_intercept(svm, BP_VECTOR);
-
-- if (svm->nmi_singlestep)
-- set_exception_intercept(svm, DB_VECTOR);
--
- if (vcpu->guest_debug & KVM_GUESTDBG_ENABLE) {
-- if (vcpu->guest_debug &
-- (KVM_GUESTDBG_SINGLESTEP | KVM_GUESTDBG_USE_HW_BP))
-- set_exception_intercept(svm, DB_VECTOR);
- if (vcpu->guest_debug & KVM_GUESTDBG_USE_SW_BP)
- set_exception_intercept(svm, BP_VECTOR);
- } else
-@@ -1761,7 +1755,6 @@ static int db_interception(struct vcpu_svm *svm)
- if (!(svm->vcpu.guest_debug & KVM_GUESTDBG_SINGLESTEP))
- svm->vmcb->save.rflags &=
- ~(X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(&svm->vcpu);
- }
-
- if (svm->vcpu.guest_debug &
-@@ -3760,7 +3753,6 @@ static void enable_nmi_window(struct kvm_vcpu *vcpu)
- */
- svm->nmi_singlestep = true;
- svm->vmcb->save.rflags |= (X86_EFLAGS_TF | X86_EFLAGS_RF);
-- update_db_bp_intercept(vcpu);
- }
-
- static int svm_set_tss_addr(struct kvm *kvm, unsigned int addr)
-@@ -4382,7 +4374,7 @@ static struct kvm_x86_ops svm_x86_ops = {
- .vcpu_load = svm_vcpu_load,
- .vcpu_put = svm_vcpu_put,
-
-- .update_db_bp_intercept = update_db_bp_intercept,
-+ .update_db_bp_intercept = update_bp_intercept,
- .get_msr = svm_get_msr,
- .set_msr = svm_set_msr,
- .get_segment_base = svm_get_segment_base,
---
-cgit v0.10.2
-
# also update proxmox-ve/changelog if you change KERNEL_VER or KREL
KERNEL_VER=4.2.6
-PKGREL=33
+PKGREL=34
# also include firmware of previous version into
# the fw package: fwlist-2.6.32-PREV-pve
KREL=1
#cd ${KERNEL_SRC}; patch -p1 <../vhost-net-extend-device-allocation-to-vmalloc.patch
cd ${KERNEL_SRC}; patch -p1 <../kvmstealtime.patch
cd ${KERNEL_SRC}; patch -p1 <../kvm-x86-obey-KVM_X86_QUIRK_CD_NW_CLEARED-in-kvm_set_cr0.patch
- cd ${KERNEL_SRC}; patch -p1 <../KVM-svm-unconditionally-intercept-DB.patch
cd ${KERNEL_SRC}; patch -p1 <../apparmor-socket-mediation.patch
- cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-8709-ptrace-require-mapped-uids-gids.patch
cd ${KERNEL_SRC}; patch -p1 <../CVE-2015-7513-KVM-x86-Reload-pit-counters-for-all-channels.patch
# backport iSCSI fix from 4.4rc5
cd ${KERNEL_SRC}; patch -p1 <../iSCSI-block-sd-Fix-device-imposed-transfer-length-limits.patch
+pve-kernel (4.2.6-34) unstable; urgency=medium
+
+ * update kernel source to Ubuntu-4.2.0-25.30 (fix CVE-2016-0728)
+
+ * remove KVM-svm-unconditionally-intercept-DB.patch (upstream)
+
+ * remove CVE-2015-8709-ptrace-require-mapped-uids-gids.patch (upstream)
+
+ -- Proxmox Support Team <support@proxmox.com> Thu, 21 Jan 2016 08:55:17 +0100
+
pve-kernel (4.2.6-33) unstable; urgency=medium
* update spl/zfs to 0.6.5.4