This bug was fixed in the package linux - 4.4.0-193.224

---------------
linux (4.4.0-193.224) xenial; urgency=medium

  * CVE-2020-16119
    - SAUCE: dccp: avoid double free of ccid on child socket

linux (4.4.0-192.222) xenial; urgency=medium

  * xenial/linux: 4.4.0-192.222 -proposed tracker (LP: #1897734)

  * mwifiex stops working after kernel upgrade (LP: #1897299)
    - mwifiex: Increase AES key storage size to 256 bits

  * xenial 4.4.0-191-generic in -proposed has a regression (LP: #1896725)
    - Revert "XEN uses irqdesc::irq_data_common::handler_data to store a per
      interrupt XEN data pointer which contains XEN specific information."

linux (4.4.0-191.221) xenial; urgency=medium

  * xenial/linux: 4.4.0-191.221 -proposed tracker (LP: #1896067)

  * Novalink (mkvterm command failure) (LP: #1892546)
    - tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup()

  * Xenial update: v4.4.236 upstream stable release (LP: #1895891)
    - HID: core: Correctly handle ReportSize being zero
    - HID: core: Sanitize event code and type when mapping input
    - perf record/stat: Explicitly call out event modifiers in the documentation
    - mm, page_alloc: remove unnecessary variable from free_pcppages_bulk
    - hwmon: (applesmc) check status earlier.
    - ceph: don't allow setlease on cephfs
    - s390: don't trace preemption in percpu macros
    - xen/xenbus: Fix granting of vmalloc'd memory
    - dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
    - batman-adv: Avoid uninitialized chaddr when handling DHCP
    - batman-adv: bla: use netif_rx_ni when not in interrupt context
    - dmaengine: at_hdmac: check return value of of_find_device_by_node() in
      at_dma_xlate()
    - netfilter: nf_tables: incorrect enum nft_list_attributes definition
    - netfilter: nf_tables: fix destination register zeroing
    - dmaengine: pl330: Fix burst length if burst size is smaller than bus width
    - bnxt_en: Check for zero dir entries in NVRAM.
    - fix regression in "epoll: Keep a reference on files added to the check
      list"
    - tg3: Fix soft lockup when tg3_reset_task() fails.
    - iommu/vt-d: Serialize IOMMU GCMD register modifications
    - thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
    - include/linux/log2.h: add missing () around n in roundup_pow_of_two()
    - btrfs: drop path before adding new uuid tree entry
    - btrfs: Remove redundant extent_buffer_get in get_old_root
    - btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind
    - btrfs: set the lockdep class for log tree extent buffers
    - uaccess: Add non-pagefault user-space read functions
    - uaccess: Add non-pagefault user-space write function
    - btrfs: fix potential deadlock in the search ioctl
    - net: qmi_wwan: MDM9x30 specific power management
    - net: qmi_wwan: support "raw IP" mode
    - net: qmi_wwan: should hold RTNL while changing netdev type
    - net: qmi_wwan: ignore bogus CDC Union descriptors
    - Add Dell Wireless 5809e Gobi 4G HSPA+ Mobile Broadband Card (rev3) to
      qmi_wwan
    - qmi_wwan: Added support for Gemalto's Cinterion PHxx WWAN interface
    - qmi_wwan: add support for Quectel EC21 and EC25
    - NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
    - drivers: net: usb: qmi_wwan: add QMI_QUIRK_SET_DTR for Telit PID 0x1201
    - usb: qmi_wwan: add D-Link DWM-222 A2 device ID
    - net: usb: qmi_wwan: add Telit ME910 support
    - net: usb: qmi_wwan: add Telit 0x1050 composition
    - ALSA: ca0106: fix error code handling
    - ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
    - dm cache metadata: Avoid returning cmd->bm wild pointer on error
    - dm thin metadata: Avoid returning cmd->bm wild pointer on error
    - net: refactor bind_bucket fastreuse into helper
    - net: initialize fastreuse on inet_inherit_port
    - checkpatch: fix the usage of capture group ( ... )
    - mm/hugetlb: fix a race between hugetlb sysctl handlers
    - cfg80211: regulatory: reject invalid hints
    - net: usb: Fix uninit-was-stored issue in asix_read_phy_addr()
    - ALSA: firewire-digi00x: add support for console models of Digi00x series
    - ALSA: firewire-digi00x: exclude Avid Adrenaline from detection
    - ALSA; firewire-tascam: exclude Tascam FE-8 from detection
    - fs/affs: use octal for permissions
    - affs: fix basic permission bits to actually work
    - ravb: Fixed to be able to unload modules
    - net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init()
    - bnxt_en: Failure to update PHY is not fatal condition.
    - bnxt: don't enable NAPI until rings are ready
    - net: usb: dm9601: Add USB ID of Keenetic Plus DSL
    - sctp: not disable bh in the whole sctp_get_port_local()
    - net: disable netpoll on fresh napis
    - Linux 4.4.236

  * clock: overriding the clocksource should select the requested clocksource
    (LP: #1894591)
    - clocksource: Defer override invalidation unless clock is unstable

  * alsa/hdmi: the hdmi audio stops working from Ubuntu-4.4.0-155.182
    (LP: #1895603)
    - ALSA: hda/hdmi - Read the pin sense from register when repolling
    - SAUCE: ALSA: hda/hdmi - Check pin_eld->monitor_present

  * Xenial update: v4.4.235 upstream stable release (LP: #1895031)
    - net: Fix potential wrong skb->protocol in skb_vlan_untag()
    - tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
    - ipvlan: fix device features
    - bonding: show saner speed for broadcast mode
    - bonding: fix a potential double-unregister
    - powerpc/pseries: Do not initiate shutdown when system is running on UPS
    - ALSA: pci: delete repeated words in comments
    - ASoC: tegra: Fix reference count leaks.
    - media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA
      value in debiirq()
    - scsi: target: tcmu: Fix crash on ARM during cmd completion
    - drm/amdkfd: Fix reference count leaks.
    - drm/radeon: fix multiple reference count leak
    - drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms
    - drm/amd/display: fix ref count leak in amdgpu_drm_ioctl
    - drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config
    - drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails
    - scsi: lpfc: Fix shost refcount mismatch when deleting vport
    - selftests/powerpc: Purge extra count_pmc() calls of ebb selftests
    - PCI: Fix pci_create_slot() reference count leak
    - rtlwifi: rtl8192cu: Prevent leaking urb
    - mips/vdso: Fix resource leaks in genvdso.c
    - drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open
    - drm/nouveau: Fix reference count leak in nouveau_connector_detect
    - locking/lockdep: Fix overflow in presentation of average lock-time
    - scsi: iscsi: Do not put host in iscsi_set_flashnode_param()
    - ceph: fix potential mdsc use-after-free crash
    - scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del()
    - EDAC/ie31200: Fallback if host bridge device is already initialized
    - media: davinci: vpif_capture: fix potential double free
    - powerpc/spufs: add CONFIG_COREDUMP dependency
    - USB: sisusbvga: Fix a potential UB casued by left shifting a negative
      value
    - Revert "ath10k: fix DMA related firmware crashes on multiple devices"
    - i2c: rcar: in slave mode, clear NACK earlier
    - jbd2: make sure jh have b_transaction set in refile/unfile_buffer
    - jbd2: abort journal if free a async write error metadata buffer
    - s390/cio: add cond_resched() in the slow_eval_known_fn() loop
    - scsi: ufs: Fix possible infinite loop in ufshcd_hold
    - net: gianfar: Add of_node_put() before goto statement
    - fbcon: prevent user font height or width change from causing potential
      out-of-bounds access
    - USB: lvtest: return proper error code in probe
    - vt: defer kfree() of vc_screenbuf in vc_do_resize()
    - vt_ioctl: change VT_RESIZEX ioctl to check for error return from
      vc_resize()
    - serial: samsung: Removes the IRQ not found warning
    - serial: pl011: Don't leak amba_ports entry on driver register error
    - serial: 8250: change lock order in serial8250_do_startup()
    - writeback: Protect inode->i_io_list with inode->i_lock
    - writeback: Avoid skipping inode writeback
    - writeback: Fix sync livelock due to b_dirty_time processing
    - XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt
      XEN data pointer which contains XEN specific information.
    - xhci: Do warm-reset when both CAS and XDEV_RESUME are set
    - PM: sleep: core: Fix the handling of pending runtime resume requests
    - device property: Fix the secondary firmware node handling in
      set_primary_fwnode()
    - USB: yurex: Fix bad gfp argument
    - usb: uas: Add quirk for PNY Pro Elite
    - USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
    - usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe()
    - usb: storage: Add unusual_uas entry for Sony PSZ drives
    - btrfs: check the right error variable in btrfs_del_dir_entries_in_log
    - HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage()
    - ALSA: usb-audio: Update documentation comment for MS2109 quirk
    - Linux 4.4.235

  * DELL LATITUDE 5491 touchscreen doesn't work (LP: #1889446) // Xenial update:
    v4.4.235 upstream stable release (LP: #1895031)
    - USB: quirks: Add no-lpm quirk for another Raydium touchscreen

  * Xenial update: v4.4.234 upstream stable release (LP: #1893248)
    - cxl: Fix kobject memleak
    - drm/imx: imx-ldb: Disable both channels for split mode in enc->disable()
    - perf probe: Fix memory leakage when the probe point is not found
    - net/compat: Add missing sock updates for SCM_RIGHTS
    - watchdog: f71808e_wdt: indicate WDIOF_CARDRESET support in
      watchdog_info.options
    - watchdog: f71808e_wdt: remove use of wrong watchdog_info option
    - coredump: fix race condition between collapse_huge_page() and core dumping
    - khugepaged: khugepaged_test_exit() check mmget_still_valid()
    - khugepaged: adjust VM_BUG_ON_MM() in __khugepaged_enter()
    - btrfs: export helpers for subvolume name/id resolution
    - btrfs: don't show full path of bind mounts in subvol=
    - romfs: fix uninitialized memory leak in romfs_dev_read()
    - mm: include CMA pages in lowmem_reserve at boot
    - mm, page_alloc: fix core hung in free_pcppages_bulk()
    - ext4: clean up ext4_match() and callers
    - ext4: fix checking of directory entry validity for inline directories
    - media: budget-core: Improve exception handling in budget_register()
    - media: vpss: clean up resources in init
    - Input: psmouse - add a newline when printing 'proto' by sysfs
    - m68knommu: fix overwriting of bits in ColdFire V3 cache control
    - xfs: fix inode quota reservation checks
    - jffs2: fix UAF problem
    - scsi: libfc: Free skb in fc_disc_gpn_id_resp() for valid cases
    - virtio_ring: Avoid loop when vq is broken in virtqueue_poll
    - xfs: Fix UBSAN null-ptr-deref in xfs_sysfs_init
    - alpha: fix annotation of io{read,write}{16,32}be()
    - ext4: fix potential negative array index in do_split()
    - ASoC: intel: Fix memleak in sst_media_open
    - powerpc: Allow 4224 bytes of stack expansion for the signal frame
    - epoll: Keep a reference on files added to the check list
    - do_epoll_ctl(): clean the failure exits up a bit
    - mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible
    - xen: don't reschedule in preemption off sections
    - omapfb: dss: Fix max fclk divider for omap36xx
    - KVM: arm/arm64: Don't reschedule in unmap_stage2_range()
    - Linux 4.4.234

  * CVE-2018-10322
    - libxfs: synchronize dinode_verify with userspace
    - xfs: sanity check directory inode di_size
    - xfs: move inode fork verifiers to xfs_dinode_verify
    - xfs: enhance dinode verifier

 -- Thadeu Lima de Souza Cascardo <casca...@canonical.com>  Tue, 06 Oct 2020 12:24:31 -0300

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10322

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16119

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1897299

Title:
  mwifiex stops working after kernel upgrade

Status in HWE Next:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Fix Released

Bug description:
  == Impact ==
  Marvell WiFi cards supported by the mwifiex driver may fail to connect to
  some access points after kernel upgrade.
  This is caused by the commit

  commit e18696786548244914f36ec3c46ac99c53df99c3
  Author: Dan Carpenter <dan.carpen...@oracle.com>
  Date:   Wed Jul 8 14:58:57 2020 +0300

      mwifiex: Prevent memory corruption handling keys
      
      The length of the key comes from the network and it's a 16 bit number.  It
      needs to be capped to prevent a buffer overflow.
      
      Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver")
      Signed-off-by: Dan Carpenter <dan.carpen...@oracle.com>
      Acked-by: Ganapathi Bhat <ganapathi.b...@nxp.com>
      Signed-off-by: Kalle Valo <kv...@codeaurora.org>
      Link: https://lore.kernel.org/r/20200708115857.GA13729@mwanda

  The commit added a check to mwifiex_ret_802_11_key_material_v2() to
  make sure the key length isn't larger than the key buffer size
  before copying it. The allocated key buffer is 16 bytes long. In some
  cases the key would be 32 bytes long and hence the check fails. One
  thing to note is that this commit is not the cause of the problem;
  instead, it just makes the issue visible.

  The commit is included in Ubuntu-4.4.0-190.220, Ubuntu-4.15.0-119.120,
  Ubuntu-5.4.0-48.52, and Ubuntu-5.8.0-18.19.

  == Fix ==
  There's already a fix in the mainline which increases the key buffer size to
  32 bytes:

  commit 4afc850e2e9e781976fb2c7852ce7bac374af938
  Author: Maximilian Luz <luzmaximil...@gmail.com>
  Date:   Tue Aug 25 17:38:29 2020 +0200

      mwifiex: Increase AES key storage size to 256 bits
      
      Following commit e18696786548 ("mwifiex: Prevent memory corruption
      handling keys") the mwifiex driver fails to authenticate with certain
      networks, specifically networks with 256 bit keys, and repeatedly asks
      for the password. The kernel log repeats the following lines (id and
      bssid redacted):
      
          mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
          mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
          mwifiex_pcie 0000:01:00.0: crypto keys added
          mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
      
      Tracking down this problem led to the overflow check introduced by the
      aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
      check fails on networks with 256 bit keys due to the current storage
      size for AES keys in struct mwifiex_aes_param being only 128 bit.
      
      To fix this issue, increase the storage size for AES keys to 256 bit.
      
      Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
      Signed-off-by: Maximilian Luz <luzmaximil...@gmail.com>
      Reported-by: Kaloyan Nikolov <koni...@gmail.com>
      Tested-by: Kaloyan Nikolov <koni...@gmail.com>
      Reviewed-by: Dan Carpenter <dan.carpen...@oracle.com>
      Reviewed-by: Brian Norris <briannor...@chromium.org>
      Tested-by: Brian Norris <briannor...@chromium.org>
      Signed-off-by: Kalle Valo <kv...@codeaurora.org>
      Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximil...@gmail.com

  == Regression Potential ==
  Low. While the fix increases the buffer size, it still checks and makes sure
  the data to be copied can fit into the buffer. Also the commit does fix the
  issue we saw in the Cert lab.
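
The check-then-copy behaviour described in the bug description above, as an added C sketch that is not the mwifiex driver's code: the same length check rejects a 32-byte key when the storage is 16 bytes and accepts it when the storage is 32 bytes, while still refusing oversized lengths. The function names, macros and the length-prefixed message layout are assumptions made for the example, and the check against the number of bytes received goes beyond what the description states.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Storage sizes from the bug description: 16 bytes before the fix,
 * 32 bytes after it. The macro names are made up for this sketch. */
#define KEY_STORE_BEFORE 16
#define KEY_STORE_AFTER  32

/* Constructed wire layout (an assumption, not the firmware format):
 * 2-byte little-endian key length, followed by the key bytes. */
static int copy_key(uint8_t *store, size_t store_size,
                    const uint8_t *msg, size_t msg_len)
{
    uint16_t key_len;

    if (msg_len < 2)
        return -EINVAL;
    key_len = (uint16_t)(msg[0] | (msg[1] << 8));

    /* The cap: a 16-bit length from the network can claim up to 65535
     * bytes, so it must not exceed the destination buffer. */
    if (key_len > store_size)
        return -EINVAL;
    /* Added in this sketch: the claimed length must also fit in the
     * bytes that were actually received. */
    if (key_len > msg_len - 2)
        return -EINVAL;

    memcpy(store, msg + 2, key_len);
    return key_len;
}

/* Build a constructed message that claims claimed_len key bytes but
 * carries sent_len, then try to store it in store_size bytes. */
static int try_store(size_t store_size, uint16_t claimed_len, size_t sent_len)
{
    uint8_t store[KEY_STORE_AFTER] = {0};
    uint8_t msg[2 + 64] = {0};

    if (store_size > sizeof(store) || sent_len > 64)
        return -EINVAL;
    msg[0] = (uint8_t)(claimed_len & 0xff);
    msg[1] = (uint8_t)(claimed_len >> 8);
    memset(msg + 2, 0xA5, sent_len);
    return copy_key(store, store_size, msg, 2 + sent_len);
}

int main(void) { return try_store(KEY_STORE_AFTER, 32, 32) == 32 ? 0 : 1; }
```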
