Free software activities in May, June and July 2019

-
Hi Planet, it is been a long time since my last post.
Here is an update covering what I have been doing in my free software activities during May, June and July 2019.

May

Only contributions related to Debian were done in May
  •  linux: Update to 5.1 (including porting of all debian patches to the new release)
  • linux: Update to 5.1.2
  • linux: Update to 5.1.3
  • linux: Update to 5.1.5
  • firmware-nonfree: misc-nonfree: Add GV100 signed firmwares (Closes: #928672)

June

Debian

  • linux: Update to 5.1.7
  • linux: Update to 5.1.8
  • linux: Update to 5.1.10
  • linux: Update to 5.1.11
  • linux: Update to 5.1.15
  • linux: [sparc64] Fix device naming inconsistency between sunhv_console and sunhv_reg (Closes: #926539)
  • raspi3-firmware:  New upstream version 1.20190517
  • raspi3-firmware: New upstream version 1.20190620+1

Kernel Self Protection Project

I have recently joined the kernel self protection protect, which basically intends to harden the mainline linux kernel the most as possible by adding subsystems that improve the security or make internal subsystems more robust to some common errors that might lead to security issues.

As a first contribution, Kees Cook asked me to check all the NLA_STRING for non-nul terminated strings. Internal functions of NLA attrs expect to have standard nul-terminated strings and use standard strings functions like strcmp() or equivalent. Few drivers were using non-nul terminated strings in some cases, which might lead to buffer overflow. I have checked all the NLA_STRING uses in all drivers and forwarded a status for all of these. Everything were already fixed in linux-next (hopefully).

July

Debian

  • linux: Update to 5.1.16
  • linux: Update to 5.2-rc7 (including porting of all debian patches to the new release)
  • linux: Update to 5.2
  • linux: Update to 5.2.1
  • linux: [rt] Update to 5.2-rt1
  • linux: Update to 5.2.4
  • ethtool: New upstream version 5.2
  • raspi3-firmware: Fixed lintians warnings about the binaries blobs for the raspberry PI 4
  • raspi3-firmware: New upstream version 1.20190709
  • raspi3-firmware: New upstream version 1.20190718
The following CVEs are for buster-security:
  • linux: [x86] x86/insn-eval: Fix use-after-free access to LDT entry (CVE-2019-13233)
  • linux: [powerpc*] mm/64s/hash: Reallocate context ids on fork (CVE-2019-12817)
  • linux: nfc: Ensure presence of required attributes in the deactivate_target handler (CVE-2019-12984)
  • linux: binder: fix race between munmap() and direct reclaim (CVE-2019-1999)
  • linux: scsi: libsas: fix a race condition when smp task timeout (CVE-2018-20836)
  • linux: Input: gtco - bounds check collection indent level (CVE-2019-13631)

Kernel Self Protection Project

I am currently improving the API of the internal kernel subsystem "tasklet". This is an old API and like "timer" it has several limitations regarding the way informations are passed to the callback handler. A future patch set will be sent to upstream, I will probably write a blog post about it.

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Add support for F2FS filesystem to GRUB and initramfs-tools

-
Hi there, For these like me who want to change their root filesystem to F2FS, I have enabled support for adding the F2FS module in the EFI signed image of grub in Debian (commit) . So the grub EFI image can load configuration, kernel images and initrd from a /boot that is formatted in F2FS (the upstream grub supports the filesystem since 2.04). Now that the kernel is loading it must be able to mount the rootfs. In Debian, a lot of features like some filesystems or some drivers are built as modules, this allow to be able to boot and work on a lot of different machines without have to build-in statically everything into the linux kernel image. This is why we use an initramfs , it offers a variety of cool features and detects magically some details for you like "load the brtfs module or your favorite emmc driver as module". If you want to use F2FS as your main filesystem on your rootfs, we need to add F2FS as base module into initramfs-tools (that handles all the scripts and...
Lire la suite

RaspberryPi 3 desktop image running Debian Buster 10.2

-
Image
Hi ! The Capitole Du Libre 2019 happened two weekend ago on 16th-17th November. I have helped the DebianFrance team on the Debian booth. It was a super event with a lot of cool and interesting people ! We promoted the Debian project and I have also presented a demo of a Raspberry PI 3 running a fresh debian 10.2 with a mainline linux kernel (for instance 4.19.x) with V3D or llvmpipe.  The different persons I met were very interested by the availability of the image, so I have decided to write a debos recipe from scratch for ARM64-based RaspberryPI. This is a desktop oriented image. It will start an lxde session automatically with the "pi" user. The root accound is locked but you can use sudo with the "pi" user. You can find the recipe here . You can build an image ready to flash with the following commands: $ git clone https://salsa.debian.org/raspi-team/image-specs.git $ cd image-specs/debos $ debos raspberrypi-desktop_arm64.yaml It should produ...
Lire la suite

My Raspberry PI 4 4GB

-
Image
Hi, I have received my Raspberry PI 4 4GB that has been funded by the Debian project. I would like to thank the DPL and Gunnar Wolf for this (who vouched for me). So today, I have unpacked the board and tested it with the default flashed noobs/raspbian, so I check that everything is working as expected (from the hw point of view, I already had bad suprises in the past with some evaluation boards). Interesting topics will come soon, mostly about booting a debian testing/sid on it , adding support to raspi-firmware and the linux kernel for enabling support for the pi 4 and some variants drivers for the bcm2711. See you !
Lire la suite