Package: linux / 4.19.37-3

Metadata

Package: linux
Version: 4.19.37-3
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
features/all/lockdown/0011 PCI Lock down BAR access when the kernel is locked d.patch

drivers/pci/pci-sysfs.c | 9 9 + 0 - 0 !
drivers/pci/proc.c | 9 8 + 1 - 0 !
drivers/pci/syscall.c | 3 2 + 1 - 0 !
3 files changed, 19 insertions(+), 2 deletions(-)

 [11/29] pci: lock down bar access when the kernel is locked down
features/all/lockdown/0012 x86 Lock down IO port access when the kernel is lock.patch

arch/x86/kernel/ioport.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 [12/29] x86: lock down io port access when the kernel is locked down
features/all/lockdown/0013 x86 msr Restrict MSR access when the kernel is locke.patch

arch/x86/kernel/msr.c | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 [13/29] x86/msr: restrict msr access when the kernel is locked down
features/all/lockdown/0014 asus wmi Restrict debugfs interface when the kernel .patch

drivers/platform/x86/asus-wmi.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 [14/29] asus-wmi: restrict debugfs interface when the kernel is locked down
features/all/lockdown/0015 ACPI Limit access to custom_method when the kernel i.patch

drivers/acpi/custom_method.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [15/29] acpi: limit access to custom_method when the kernel is locked down
features/all/lockdown/0016 acpi Ignore acpi_rsdp kernel param when the kernel h.patch

drivers/acpi/osl.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [16/29] acpi: ignore acpi_rsdp kernel param when the kernel has been locked down
features/all/lockdown/0017 acpi Disable ACPI table override if the kernel is lo.patch

drivers/acpi/tables.c | 5 5 + 0 - 0 !
1 file changed, 5 insertions(+)

 [17/29] acpi: disable acpi table override if the kernel is locked down
features/all/lockdown/0018 acpi Disable APEI error injection if the kernel is l.patch

drivers/acpi/apei/einj.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [18/29] acpi: disable apei error injection if the kernel is locked down
features/all/lockdown/0020 Prohibit PCMCIA CIS storage when the kernel is locke.patch

drivers/pcmcia/cistpl.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [20/29] prohibit pcmcia cis storage when the kernel is locked down
features/all/lockdown/0021 Lock down TIOCSSERIAL.patch

drivers/tty/serial/serial_core.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [21/29] lock down tiocsserial
features/all/lockdown/0022 Lock down module params that specify hardware parame.patch

kernel/params.c | 26 21 + 5 - 0 !
1 file changed, 21 insertions(+), 5 deletions(-)

 [22/29] lock down module params that specify hardware parameters (eg. ioport)
features/all/lockdown/0023 x86 mmiotrace Lock down the testmmiotrace module.patch

arch/x86/mm/testmmiotrace.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [23/29] x86/mmiotrace: lock down the testmmiotrace module
features/all/lockdown/0024 debugfs Disallow use of debugfs files when the kerne.patch

fs/debugfs/file.c | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 [24/29] debugfs: disallow use of debugfs files when the kernel is locked down
features/all/lockdown/0025 Lock down proc kcore.patch

fs/proc/kcore.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [25/29] lock down /proc/kcore
features/all/lockdown/0026 Lock down kprobes.patch

kernel/kprobes.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [26/29] lock down kprobes
features/all/lockdown/0027 bpf Restrict kernel image access functions when the .patch

kernel/bpf/syscall.c | 3 3 + 0 - 0 !
1 file changed, 3 insertions(+)

 [27/29] bpf: restrict kernel image access functions when the kernel is locked down
features/all/lockdown/0028 efi Add an EFI_SECURE_BOOT flag to indicate secure b.patch

arch/x86/kernel/setup.c | 14 1 + 13 - 0 !
drivers/firmware/efi/Makefile | 1 1 + 0 - 0 !
drivers/firmware/efi/secureboot.c | 38 38 + 0 - 0 !
include/linux/efi.h | 16 10 + 6 - 0 !
4 files changed, 50 insertions(+), 19 deletions(-)

 [28/29] efi: add an efi_secure_boot flag to indicate secure boot mode
features/all/lockdown/0029 efi Lock down the kernel if booted in secure boot mo.patch

arch/x86/kernel/setup.c | 6 4 + 2 - 0 !
security/Kconfig | 14 14 + 0 - 0 !
security/lock_down.c | 1 1 + 0 - 0 !
3 files changed, 19 insertions(+), 2 deletions(-)

 [29/29] efi: lock down the kernel if booted in secure boot mode
features/all/lockdown/enable cold boot attack mitigation.patch

arch/x86/boot/compressed/eboot.c | 22 22 + 0 - 0 !
1 file changed, 22 insertions(+)

 [18/18] enable cold boot attack mitigation
features/all/lockdown/mtd disable slram and phram when locked down.patch

drivers/mtd/devices/phram.c | 3 3 + 0 - 0 !
drivers/mtd/devices/slram.c | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 mtd: disable slram and phram when locked down
features/all/lockdown/arm64 add kernel config option to lock down when.patch

drivers/firmware/efi/arm-init.c | 4 4 + 0 - 0 !
drivers/firmware/efi/efi.c | 3 2 + 1 - 0 !
drivers/firmware/efi/libstub/fdt.c | 6 6 + 0 - 0 !
include/linux/efi.h | 1 1 + 0 - 0 !
4 files changed, 13 insertions(+), 1 deletion(-)

 arm64: add kernel config option to lock down when in secure boot mode
Bug-Debian: https://bugs.debian.org/831827
features/all/lockdown/lockdown refer to debian wiki until manual page exists.patch

security/lock_down.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 lockdown: refer to debian wiki until manual page exists
features/all/db mok keyring/0001 KEYS Allow unrestricted boot time addition of keys t.patch

certs/internal.h | 18 18 + 0 - 0 !
certs/system_keyring.c | 33 33 + 0 - 0 !
2 files changed, 51 insertions(+)

 [patch 1/7] keys: allow unrestricted boot-time addition of keys to secondary keyring
features/all/db mok keyring/0002 efi Add EFI signature data types.patch

include/linux/efi.h | 25 25 + 0 - 0 !
1 file changed, 25 insertions(+)

 [patch 2/7] efi: add efi signature data types
features/all/db mok keyring/0003 efi Add an EFI signature blob parser.patch

certs/Kconfig | 8 8 + 0 - 0 !
certs/Makefile | 1 1 + 0 - 0 !
certs/efi_parser.c | 112 112 + 0 - 0 !
include/linux/efi.h | 9 9 + 0 - 0 !
4 files changed, 130 insertions(+)

 [patch 3/7] efi: add an efi signature blob parser
features/all/db mok keyring/0004 MODSIGN Import certificates from UEFI Secure Boot.patch

certs/Kconfig | 16 16 + 0 - 0 !
certs/Makefile | 4 4 + 0 - 0 !
certs/load_uefi.c | 168 168 + 0 - 0 !
3 files changed, 188 insertions(+)

 [patch 4/7] modsign: import certificates from uefi secure boot
features/all/db mok keyring/0005 MODSIGN Allow the db UEFI variable to be suppressed.patch

certs/load_uefi.c | 44 34 + 10 - 0 !
1 file changed, 34 insertions(+), 10 deletions(-)

 [patch 5/7] modsign: allow the "db" uefi variable to be suppressed
features/all/db mok keyring/0006 Make get_cert_list not complain about cert lists tha.patch

certs/load_uefi.c | 37 22 + 15 - 0 !
1 file changed, 22 insertions(+), 15 deletions(-)

 [patch 6/7] make get_cert_list() not complain about cert lists that aren't present.
features/all/db mok keyring/0007 modsign Use secondary trust keyring for module signi.patch

kernel/module_signing.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 modsign: use all trusted keys to verify module signature
features/all/db mok keyring/0001 MODSIGN do not load mok when secure boot disabled.patch

certs/load_uefi.c | 26 15 + 11 - 0 !
1 file changed, 15 insertions(+), 11 deletions(-)

 [patch 1/5] modsign: do not load mok when secure boot disabled
features/all/db mok keyring/0002 MODSIGN load blacklist from MOKx.patch

certs/load_uefi.c | 18 15 + 3 - 0 !
1 file changed, 15 insertions(+), 3 deletions(-)

 [patch 2/4] modsign: load blacklist from mokx
features/all/db mok keyring/0003 MODSIGN checking the blacklisted hash before loading a kernel module.patch

kernel/module_signing.c | 62 60 + 2 - 0 !
1 file changed, 60 insertions(+), 2 deletions(-)

 [patch 3/4] modsign: checking the blacklisted hash before loading a kernel module
features/all/db mok keyring/0004 MODSIGN check the attributes of db and mok.patch

certs/load_uefi.c | 25 19 + 6 - 0 !
1 file changed, 19 insertions(+), 6 deletions(-)

 [patch 4/4] modsign: check the attributes of db and mok
features/all/db mok keyring/modsign make shash allocation failure fatal.patch

kernel/module_signing.c | 6 4 + 2 - 0 !
1 file changed, 4 insertions(+), 2 deletions(-)

 modsign: make shash allocation failure fatal

mod_is_hash_blacklisted() currently returns 0 (success) if
crypto_alloc_shash() fails.  This should instead be a fatal error,
so unwrap and pass up the error code.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
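
The defect in that commit message is a fail-open check: the blacklist test needs a hash transform before it can compare anything, and when that allocation fails the function reports "not blacklisted" (0), so a module whose hash is in MOKx loads exactly when the kernel is under memory pressure. The model below is an added example, not the kernel's code: the "shash" is a FNV-1a stand-in for crypto_alloc_shash(), the blacklist is a constructed table in place of the one loaded from MOKx, and the allocation-failure switch is a test hook; all three are this example's assumptions. It puts the pre-patch behaviour beside the patched one so the difference is visible on the same input.

```c
/*
 * Added example, not kernel code: a userspace model of the
 * fail-open allocation check fixed by the patch above.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef EKEYREJECTED
#define EKEYREJECTED 129   /* Linux value; what the kernel returns for a blacklisted hash */
#endif

struct shash { uint64_t state; };

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Test hook standing in for crypto_alloc_shash() failing under memory pressure. */
static int alloc_should_fail;
void set_alloc_failure(int fail) { alloc_should_fail = fail; }

static struct shash *alloc_shash(void)
{
    if (alloc_should_fail)
        return NULL;                   /* kernel: IS_ERR(tfm), PTR_ERR(tfm) == -ENOMEM */
    struct shash *s = malloc(sizeof *s);
    if (s)
        s->state = FNV_OFFSET;
    return s;
}

static void shash_update(struct shash *s, const void *p, size_t n)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) {
        s->state ^= b[i];
        s->state *= FNV_PRIME;
    }
}

static uint64_t shash_final(struct shash *s)
{
    uint64_t h = s->state;
    free(s);
    return h;
}

/* Constructed blacklist, analogous to the hashes loaded from MOKx. */
static uint64_t blacklist[16];
static size_t blacklist_len;

int blacklist_add(const void *mod, size_t len)
{
    if (blacklist_len == sizeof blacklist / sizeof blacklist[0])
        return -ENOSPC;
    struct shash s = { FNV_OFFSET };   /* stack context: no allocation to fail here */
    shash_update(&s, mod, len);
    blacklist[blacklist_len++] = s.state;
    return 0;
}

/* 0 = not blacklisted, -EKEYREJECTED = blacklisted, otherwise an error.
 * fail_open selects the pre-patch handling of the allocation failure. */
static int check(const void *mod, size_t len, int fail_open)
{
    struct shash *tfm = alloc_shash();
    if (!tfm)
        return fail_open ? 0 : -ENOMEM;   /* 0 here tells the caller "load it" */
    shash_update(tfm, mod, len);
    uint64_t h = shash_final(tfm);
    for (size_t i = 0; i < blacklist_len; i++)
        if (blacklist[i] == h)
            return -EKEYREJECTED;
    return 0;
}

/* Before the patch: a failed allocation is reported as "not blacklisted". */
int mod_is_hash_blacklisted_buggy(const void *mod, size_t len) { return check(mod, len, 1); }
/* After the patch: the allocation error is passed up and the load fails. */
int mod_is_hash_blacklisted_fixed(const void *mod, size_t len) { return check(mod, len, 0); }

int main(void)
{
    static const char evil[] = "constructed-evil-module";   /* constructed sample */
    blacklist_add(evil, sizeof evil);
    set_alloc_failure(1);
    printf("buggy: %d (0 means the blacklisted module loads)\n",
           mod_is_hash_blacklisted_buggy(evil, sizeof evil));
    printf("fixed: %d (-ENOMEM, the load is refused)\n",
           mod_is_hash_blacklisted_fixed(evil, sizeof evil));
    return 0;
}
```

The general rule the patch applies: a security check that cannot run must report the failure, not the permissive answer, so that the caller (here the module loader) refuses the operation.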

debian/i386 686 pae pci set pci nobios by default.patch

arch/x86/pci/common.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 [i386/686-pae] pci: set pci=nobios by default
bugfix/all/xen pciback Don t disable PCI_COMMAND on PCI device .patch

drivers/xen/xen-pciback/pciback_ops.c | 2 0 + 2 - 0 !
1 file changed, 2 deletions(-)

 xen/pciback: don't disable pci_command on pci device reset.
debian/ntfs mark it as broken.patch

fs/ntfs/Kconfig | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 ntfs: mark it as broken

NTFS has unfixed issues CVE-2018-12929, CVE-2018-12930, and
CVE-2018-12931.  ntfs-3g is a better supported alternative.

Make sure it can't be enabled even in custom kernels.


bugfix/all/vfio type1 Limit DMA mappings per container.patch

drivers/vfio/vfio_iommu_type1.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 vfio/type1: limit dma mappings per container
bugfix/all/0001 aio clear IOCB_HIPRI.patch

fs/aio.c | 11 8 + 3 - 0 !
1 file changed, 8 insertions(+), 3 deletions(-)

 [01/14] aio: clear iocb_hipri
bugfix/all/0002 aio use assigned completion handler.patch

fs/aio.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [02/14] aio: use assigned completion handler
bugfix/all/0003 aio separate out ring reservation from req allocatio.patch

fs/aio.c | 30 17 + 13 - 0 !
1 file changed, 17 insertions(+), 13 deletions(-)

 [03/14] aio: separate out ring reservation from req allocation
bugfix/all/0004 aio don t zero entire aio_kiocb aio_get_req.patch

fs/aio.c | 9 7 + 2 - 0 !
1 file changed, 7 insertions(+), 2 deletions(-)

 [04/14] aio: don't zero entire aio_kiocb aio_get_req()
bugfix/all/0005 aio use iocb_put instead of open coding it.patch

fs/aio.c | 3 1 + 2 - 0 !
1 file changed, 1 insertion(+), 2 deletions(-)

 [05/14] aio: use iocb_put() instead of open coding it
bugfix/all/0006 aio split out iocb copy from io_submit_one.patch

fs/aio.c | 68 38 + 30 - 0 !
1 file changed, 38 insertions(+), 30 deletions(-)

 [06/14] aio: split out iocb copy from io_submit_one()
bugfix/all/0007 aio abstract out io_event filler helper.patch

fs/aio.c | 14 10 + 4 - 0 !
1 file changed, 10 insertions(+), 4 deletions(-)

 [07/14] aio: abstract out io_event filler helper
bugfix/all/0008 aio initialize kiocb private in case any filesystems.patch

fs/aio.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [08/14] aio: initialize kiocb private in case any filesystems expect it.
bugfix/all/0009 aio simplify and fix fget fput for io_submit.patch

fs/aio.c | 72 29 + 43 - 0 !
include/linux/fs.h | 8 7 + 1 - 0 !
2 files changed, 36 insertions(+), 44 deletions(-)

 [09/14] aio: simplify - and fix - fget/fput for io_submit()
bugfix/all/0010 pin iocb through aio.patch

fs/aio.c | 37 21 + 16 - 0 !
1 file changed, 21 insertions(+), 16 deletions(-)

 [10/14] pin iocb through aio.
bugfix/all/0011 aio fold lookup_kiocb into its sole caller.patch

fs/aio.c | 29 7 + 22 - 0 !
1 file changed, 7 insertions(+), 22 deletions(-)

 [11/14] aio: fold lookup_kiocb() into its sole caller
bugfix/all/0012 aio keep io_event in aio_kiocb.patch

fs/aio.c | 31 13 + 18 - 0 !
1 file changed, 13 insertions(+), 18 deletions(-)

 [12/14] aio: keep io_event in aio_kiocb
bugfix/all/0013 aio store event at final iocb_put.patch

fs/aio.c | 33 17 + 16 - 0 !
1 file changed, 17 insertions(+), 16 deletions(-)

 [13/14] aio: store event at final iocb_put()
bugfix/all/0014 Fix aio_poll races.patch

fs/aio.c | 90 40 + 50 - 0 !
1 file changed, 40 insertions(+), 50 deletions(-)

 [14/14] fix aio_poll() races
bugfix/all/tracing fix buffer_ref pipe ops.patch

fs/splice.c | 4 2 + 2 - 0 !
include/linux/pipe_fs_i.h | 1 1 + 0 - 0 !
kernel/trace/trace.c | 28 14 + 14 - 0 !
3 files changed, 17 insertions(+), 16 deletions(-)

 tracing: fix buffer_ref pipe ops
bugfix/all/0001 mm make page ref count overflow check tighter and mo.patch

include/linux/mm.h | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 mm: make page ref count overflow check tighter and more explicit