Add various security fixes from 3.8.4-rc1
svn path=/dists/trunk/linux/; revision=19919
|
@ -5,6 +5,14 @@ linux (3.8.3-1~experimental.1) UNRELEASED; urgency=low
|
|||
|
||||
[ Ben Hutchings ]
|
||||
* aufs: Update to aufs3.8-20130311
|
||||
* USB: cdc-wdm: fix buffer overflow (CVE-2013-1860)
|
||||
* signal: always clear sa_restorer on execve (CVE-2013-0914)
|
||||
* ext3: Fix format string issues (CVE-2013-1848)
|
||||
* net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS (CVE-2013-1828)
|
||||
* bridge: fix mdb info leaks
|
||||
* rtnl: fix info leak on RTM_GETLINK request for VF devices
|
||||
* dcbnl: fix various netlink info leaks
|
||||
* ALSA: seq: Fix missing error handling in snd_seq_timer_open()
|
||||
|
||||
[ Ian Campbell ]
|
||||
* arm: correct path to DTB files. Patch from Nobuhiro Iwamatsu.
|
||||
|
|
74
debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
|
@ -0,0 +1,74 @@
|
|||
From 66efdc71d95887b652a742a5dae51fa834d71465 Mon Sep 17 00:00:00 2001
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
Date: Fri, 8 Mar 2013 18:11:17 +0100
|
||||
Subject: ALSA: seq: Fix missing error handling in snd_seq_timer_open()
|
||||
|
||||
From: Takashi Iwai <tiwai@suse.de>
|
||||
|
||||
commit 66efdc71d95887b652a742a5dae51fa834d71465 upstream.
|
||||
|
||||
snd_seq_timer_open() didn't catch the whole error path but let through
|
||||
if the timer id is a slave. This may lead to Oops by accessing the
|
||||
uninitialized pointer.
|
||||
|
||||
BUG: unable to handle kernel NULL pointer dereference at 00000000000002ae
|
||||
IP: [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
|
||||
PGD 785cd067 PUD 76964067 PMD 0
|
||||
Oops: 0002 [#4] SMP
|
||||
CPU 0
|
||||
Pid: 4288, comm: trinity-child7 Tainted: G D W 3.9.0-rc1+ #100 Bochs Bochs
|
||||
RIP: 0010:[<ffffffff819b3477>] [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
|
||||
RSP: 0018:ffff88006ece7d38 EFLAGS: 00010246
|
||||
RAX: 0000000000000286 RBX: ffff88007851b400 RCX: 0000000000000000
|
||||
RDX: 000000000000ffff RSI: ffff88006ece7d58 RDI: ffff88006ece7d38
|
||||
RBP: ffff88006ece7d98 R08: 000000000000000a R09: 000000000000fffe
|
||||
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
|
||||
R13: ffff8800792c5400 R14: 0000000000e8f000 R15: 0000000000000007
|
||||
FS: 00007f7aaa650700(0000) GS:ffff88007f800000(0000) GS:0000000000000000
|
||||
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
|
||||
CR2: 00000000000002ae CR3: 000000006efec000 CR4: 00000000000006f0
|
||||
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
|
||||
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
|
||||
Process trinity-child7 (pid: 4288, threadinfo ffff88006ece6000, task ffff880076a8a290)
|
||||
Stack:
|
||||
0000000000000286 ffffffff828f2be0 ffff88006ece7d58 ffffffff810f354d
|
||||
65636e6575716573 2065756575712072 ffff8800792c0030 0000000000000000
|
||||
ffff88006ece7d98 ffff8800792c5400 ffff88007851b400 ffff8800792c5520
|
||||
Call Trace:
|
||||
[<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
|
||||
[<ffffffff819b17e9>] snd_seq_queue_timer_open+0x29/0x70
|
||||
[<ffffffff819ae01a>] snd_seq_ioctl_set_queue_timer+0xda/0x120
|
||||
[<ffffffff819acb9b>] snd_seq_do_ioctl+0x9b/0xd0
|
||||
[<ffffffff819acbe0>] snd_seq_ioctl+0x10/0x20
|
||||
[<ffffffff811b9542>] do_vfs_ioctl+0x522/0x570
|
||||
[<ffffffff8130a4b3>] ? file_has_perm+0x83/0xa0
|
||||
[<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
|
||||
[<ffffffff811b95ed>] sys_ioctl+0x5d/0xa0
|
||||
[<ffffffff813663fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
|
||||
[<ffffffff81faed69>] system_call_fastpath+0x16/0x1b
|
||||
|
||||
Reported-and-tested-by: Tommi Rantala <tt.rantala@gmail.com>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
sound/core/seq/seq_timer.c | 8 ++++----
|
||||
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/sound/core/seq/seq_timer.c
|
||||
+++ b/sound/core/seq/seq_timer.c
|
||||
@@ -290,10 +290,10 @@ int snd_seq_timer_open(struct snd_seq_qu
|
||||
tid.device = SNDRV_TIMER_GLOBAL_SYSTEM;
|
||||
err = snd_timer_open(&t, str, &tid, q->queue);
|
||||
}
|
||||
- if (err < 0) {
|
||||
- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
|
||||
- return err;
|
||||
- }
|
||||
+ }
|
||||
+ if (err < 0) {
|
||||
+ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
|
||||
+ return err;
|
||||
}
|
||||
t->callback = snd_seq_timer_interrupt;
|
||||
t->callback_data = q;
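Review bot: The relocated `if (err < 0)` check is the entire fix, yet nothing in the code records why it must sit at this nesting level; the next brace tidy-up can re-nest it into the fallback branch and reintroduce the dereference of an uninitialised `t` that the oops in the description shows. A one-line comment above the check, `/* must cover every path above, including the slave-timer case: t is not valid when snd_timer_open() fails */`, would pin that down. The enclosing snd_seq_timer_open() begins before this hunk, so I could not confirm how `t` is declared; if it is not initialised to NULL there, the comment matters even more.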
|
|
@ -0,0 +1,59 @@
|
|||
From 9e989b12e61b81f93750f9eb5fb5aa147afb7cd9 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sat, 9 Mar 2013 05:52:19 +0000
|
||||
Subject: bridge: fix mdb info leaks
|
||||
|
||||
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
|
||||
[ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ]
|
||||
|
||||
The bridging code discloses heap and stack bytes via the RTM_GETMDB
|
||||
netlink interface and via the notify messages send to group RTNLGRP_MDB
|
||||
afer a successful add/del.
|
||||
|
||||
Fix both cases by initializing all unset members/padding bytes with
|
||||
memset(0).
|
||||
|
||||
Cc: Stephen Hemminger <stephen@networkplumber.org>
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/bridge/br_mdb.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/net/bridge/br_mdb.c
|
||||
+++ b/net/bridge/br_mdb.c
|
||||
@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_bu
|
||||
port = p->port;
|
||||
if (port) {
|
||||
struct br_mdb_entry e;
|
||||
+ memset(&e, 0, sizeof(e));
|
||||
e.ifindex = port->dev->ifindex;
|
||||
e.state = p->state;
|
||||
if (p->addr.proto == htons(ETH_P_IP))
|
||||
@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *s
|
||||
break;
|
||||
|
||||
bpm = nlmsg_data(nlh);
|
||||
+ memset(bpm, 0, sizeof(*bpm));
|
||||
bpm->ifindex = dev->ifindex;
|
||||
if (br_mdb_fill_info(skb, cb, dev) < 0)
|
||||
goto out;
|
||||
@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struc
|
||||
return -EMSGSIZE;
|
||||
|
||||
bpm = nlmsg_data(nlh);
|
||||
+ memset(bpm, 0, sizeof(*bpm));
|
||||
bpm->family = AF_BRIDGE;
|
||||
bpm->ifindex = dev->ifindex;
|
||||
nest = nla_nest_start(skb, MDBA_MDB);
|
||||
@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *de
|
||||
{
|
||||
struct br_mdb_entry entry;
|
||||
|
||||
+ memset(&entry, 0, sizeof(entry));
|
||||
entry.ifindex = port->dev->ifindex;
|
||||
entry.addr.proto = group->proto;
|
||||
entry.addr.u.ip4 = group->u.ip4;
|
|
@ -0,0 +1,95 @@
|
|||
From d6f60f50fead5fb769f447c20aa5b80a1fd627f3 Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sat, 9 Mar 2013 05:52:21 +0000
|
||||
Subject: dcbnl: fix various netlink info leaks
|
||||
|
||||
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
|
||||
[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
|
||||
|
||||
The dcb netlink interface leaks stack memory in various places:
|
||||
* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
|
||||
copied completely,
|
||||
* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
|
||||
so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
|
||||
for ieee_pfc structs, etc.,
|
||||
* the same is true for CEE -- no in-kernel driver fills the whole
|
||||
struct,
|
||||
|
||||
Prevent all of the above stack info leaks by properly initializing the
|
||||
buffers/structures involved.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/dcb/dcbnl.c | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
--- a/net/dcb/dcbnl.c
|
||||
+++ b/net/dcb/dcbnl.c
|
||||
@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct n
|
||||
if (!netdev->dcbnl_ops->getpermhwaddr)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
+ memset(perm_addr, 0, sizeof(perm_addr));
|
||||
netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
|
||||
|
||||
return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
|
||||
@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buf
|
||||
|
||||
if (ops->ieee_getets) {
|
||||
struct ieee_ets ets;
|
||||
+ memset(&ets, 0, sizeof(ets));
|
||||
err = ops->ieee_getets(netdev, &ets);
|
||||
if (!err &&
|
||||
nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
|
||||
@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buf
|
||||
|
||||
if (ops->ieee_getmaxrate) {
|
||||
struct ieee_maxrate maxrate;
|
||||
+ memset(&maxrate, 0, sizeof(maxrate));
|
||||
err = ops->ieee_getmaxrate(netdev, &maxrate);
|
||||
if (!err) {
|
||||
err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
|
||||
@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buf
|
||||
|
||||
if (ops->ieee_getpfc) {
|
||||
struct ieee_pfc pfc;
|
||||
+ memset(&pfc, 0, sizeof(pfc));
|
||||
err = ops->ieee_getpfc(netdev, &pfc);
|
||||
if (!err &&
|
||||
nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
|
||||
@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buf
|
||||
/* get peer info if available */
|
||||
if (ops->ieee_peer_getets) {
|
||||
struct ieee_ets ets;
|
||||
+ memset(&ets, 0, sizeof(ets));
|
||||
err = ops->ieee_peer_getets(netdev, &ets);
|
||||
if (!err &&
|
||||
nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
|
||||
@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buf
|
||||
|
||||
if (ops->ieee_peer_getpfc) {
|
||||
struct ieee_pfc pfc;
|
||||
+ memset(&pfc, 0, sizeof(pfc));
|
||||
err = ops->ieee_peer_getpfc(netdev, &pfc);
|
||||
if (!err &&
|
||||
nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
|
||||
@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff
|
||||
/* peer info if available */
|
||||
if (ops->cee_peer_getpg) {
|
||||
struct cee_pg pg;
|
||||
+ memset(&pg, 0, sizeof(pg));
|
||||
err = ops->cee_peer_getpg(netdev, &pg);
|
||||
if (!err &&
|
||||
nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
|
||||
@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff
|
||||
|
||||
if (ops->cee_peer_getpfc) {
|
||||
struct cee_pfc pfc;
|
||||
+ memset(&pfc, 0, sizeof(pfc));
|
||||
err = ops->cee_peer_getpfc(netdev, &pfc);
|
||||
if (!err &&
|
||||
nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
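Review bot: In dcbnl_getperm_hwaddr() the new `memset(perm_addr, 0, sizeof(perm_addr))` fixes what is read back, but the `getpermhwaddr(netdev, perm_addr)` callback it precedes takes no length, so the write side remains an unchecked contract between this code and every driver; the description itself notes drivers fill only 12 of the 32 bytes. A comment at that line, `/* callback has no size argument: it must write at most sizeof(perm_addr); the rest is zeroed here and sent to userspace */`, records the assumption. The struct memsets in dcbnl_ieee_fill()/dcbnl_cee_fill() are correct as written; the enclosing functions start outside the hunks.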
|
|
@ -0,0 +1,48 @@
|
|||
From 8d0c2d10dd72c5292eda7a06231056a4c972e4cc Mon Sep 17 00:00:00 2001
|
||||
From: Lars-Peter Clausen <lars@metafoo.de>
|
||||
Date: Sat, 9 Mar 2013 15:28:44 +0100
|
||||
Subject: ext3: Fix format string issues
|
||||
|
||||
From: Lars-Peter Clausen <lars@metafoo.de>
|
||||
|
||||
commit 8d0c2d10dd72c5292eda7a06231056a4c972e4cc upstream.
|
||||
|
||||
ext3_msg() takes the printk prefix as the second parameter and the
|
||||
format string as the third parameter. Two callers of ext3_msg omit the
|
||||
prefix and pass the format string as the second parameter and the first
|
||||
parameter to the format string as the third parameter. In both cases
|
||||
this string comes from an arbitrary source. Which means the string may
|
||||
contain format string characters, which will
|
||||
lead to undefined and potentially harmful behavior.
|
||||
|
||||
The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages
|
||||
in ext3") and is fixed by this patch.
|
||||
|
||||
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
fs/ext3/super.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/fs/ext3/super.c
|
||||
+++ b/fs/ext3/super.c
|
||||
@@ -353,7 +353,7 @@ static struct block_device *ext3_blkdev_
|
||||
return bdev;
|
||||
|
||||
fail:
|
||||
- ext3_msg(sb, "error: failed to open journal device %s: %ld",
|
||||
+ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld",
|
||||
__bdevname(dev, b), PTR_ERR(bdev));
|
||||
|
||||
return NULL;
|
||||
@@ -887,7 +887,7 @@ static ext3_fsblk_t get_sb_block(void **
|
||||
/*todo: use simple_strtoll with >32bit ext3 */
|
||||
sb_block = simple_strtoul(options, &options, 0);
|
||||
if (*options && *options != ',') {
|
||||
- ext3_msg(sb, "error: invalid sb specification: %s",
|
||||
+ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s",
|
||||
(char *) *data);
|
||||
return 1;
|
||||
}
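Review bot: Both call sites are fixed correctly, but this class of bug, a printk-style wrapper whose prefix argument is positional, was only caught by inspection. If `ext3_msg()` does not already carry `__attribute__((format(printf, 3, 4)))` (its declaration is outside this patch), adding it would make `-Wformat` reject a call that puts the format string in the prefix slot and flag any future caller that passes a non-literal as the format. That is a one-line change to the prototype and would have turned both of these into build warnings.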
|
52
debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
|
@ -0,0 +1,52 @@
|
|||
From e5f9811e44fcf067a0dbb8abf55bbad454a1688a Mon Sep 17 00:00:00 2001
|
||||
From: Guenter Roeck <linux@roeck-us.net>
|
||||
Date: Wed, 27 Feb 2013 10:57:31 +0000
|
||||
Subject: net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
|
||||
|
||||
|
||||
From: Guenter Roeck <linux@roeck-us.net>
|
||||
|
||||
commit 726bc6b092da4c093eb74d13c07184b18c1af0f1 upstream.
|
||||
|
||||
Building sctp may fail with:
|
||||
|
||||
In function ‘copy_from_user’,
|
||||
inlined from ‘sctp_getsockopt_assoc_stats’ at
|
||||
net/sctp/socket.c:5656:20:
|
||||
arch/x86/include/asm/uaccess_32.h:211:26: error: call to
|
||||
‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
|
||||
buffer size is not provably correct
|
||||
|
||||
if built with W=1 due to a missing parameter size validation
|
||||
before the call to copy_from_user.
|
||||
|
||||
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
|
||||
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/sctp/socket.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/net/sctp/socket.c
|
||||
+++ b/net/sctp/socket.c
|
||||
@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(s
|
||||
if (len < sizeof(sctp_assoc_t))
|
||||
return -EINVAL;
|
||||
|
||||
+ /* Allow the struct to grow and fill in as much as possible */
|
||||
+ len = min_t(size_t, len, sizeof(sas));
|
||||
+
|
||||
if (copy_from_user(&sas, optval, len))
|
||||
return -EFAULT;
|
||||
|
||||
@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(s
|
||||
/* Mark beginning of a new observation period */
|
||||
asoc->stats.max_obs_rto = asoc->rto_min;
|
||||
|
||||
- /* Allow the struct to grow and fill in as much as possible */
|
||||
- len = min_t(size_t, len, sizeof(sas));
|
||||
-
|
||||
if (put_user(len, optlen))
|
||||
return -EFAULT;
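Review bot: Moving the clamp above copy_from_user() is what closes the overrun, but the reason is not recorded, and the `if (len < sizeof(sctp_assoc_t))` test just above it is a signed/unsigned comparison: if `len` is the `int` that sctp_getsockopt() passes down (the signature is cut at the hunk header), a negative value is promoted to size_t, passes that test, and the min_t() becomes the only thing bounding the copy. Make the intent explicit with a comment on the clamp, `/* len is user-controlled: bound it before copy_from_user(), not only before reporting it back */`, and consider an explicit `if (len < 0) return -EINVAL;` next to the existing size test so the bound does not hinge on min_t()'s type argument.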
|
||||
|
71
debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
|
@ -0,0 +1,71 @@
|
|||
From 55c315e31dac6ebe4b66c630d2127cab52b02cc3 Mon Sep 17 00:00:00 2001
|
||||
From: Cong Wang <amwang@redhat.com>
|
||||
Date: Sun, 3 Mar 2013 16:18:11 +0000
|
||||
Subject: rds: limit the size allocated by rds_message_alloc()
|
||||
|
||||
|
||||
From: Cong Wang <amwang@redhat.com>
|
||||
|
||||
[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
|
||||
|
||||
Dave Jones reported the following bug:
|
||||
|
||||
"When fed mangled socket data, rds will trust what userspace gives it,
|
||||
and tries to allocate enormous amounts of memory larger than what
|
||||
kmalloc can satisfy."
|
||||
|
||||
WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
|
||||
Hardware name: GA-MA78GM-S2H
|
||||
Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
|
||||
Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
|
||||
Call Trace:
|
||||
[<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
|
||||
[<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
|
||||
[<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
|
||||
[<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
|
||||
[<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
|
||||
[<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
|
||||
[<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
|
||||
[<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
|
||||
[<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
|
||||
[<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
|
||||
[<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
|
||||
[<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
|
||||
[<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
|
||||
[<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
|
||||
[<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
|
||||
[<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
|
||||
[<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
|
||||
[<ffffffff81567f30>] sys_sendto+0x130/0x180
|
||||
[<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
|
||||
[<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
|
||||
[<ffffffff816cd767>] ? sysret_check+0x1b/0x56
|
||||
[<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
|
||||
[<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
|
||||
[<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
|
||||
---[ end trace eed6ae990d018c8b ]---
|
||||
|
||||
Reported-by: Dave Jones <davej@redhat.com>
|
||||
Cc: Dave Jones <davej@redhat.com>
|
||||
Cc: David S. Miller <davem@davemloft.net>
|
||||
Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||
Signed-off-by: Cong Wang <amwang@redhat.com>
|
||||
Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/rds/message.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/net/rds/message.c
|
||||
+++ b/net/rds/message.c
|
||||
@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
|
||||
{
|
||||
struct rds_message *rm;
|
||||
|
||||
+ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
|
||||
+ return NULL;
|
||||
+
|
||||
rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
|
||||
if (!rm)
|
||||
goto out;
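Review bot: The new bound stops the page-allocator WARN, but it is a ceiling on what kmalloc() can serve rather than on what RDS should accept: a sendmsg() caller can still drive `extra_len` (an `unsigned int` per the cut signature) to just under KMALLOC_MAX_SIZE and have the kernel attempt a multi-megabyte contiguous allocation per message. If rds_sendmsg() does not already cap the payload against the socket's send buffer (its code is not in this patch), that is where a -EMSGSIZE rejection belongs; here, a comment such as `/* reject sizes kmalloc() cannot satisfy; protocol limits are the caller's job */` would make the division of responsibility clear. rds_message_alloc()'s body continues past the hunk.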
|
33
debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
|
@ -0,0 +1,33 @@
|
|||
From 322aa953dd5565d1029a18d5bda0bd25a0dbb4bb Mon Sep 17 00:00:00 2001
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
Date: Sat, 9 Mar 2013 05:52:20 +0000
|
||||
Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
|
||||
|
||||
|
||||
From: Mathias Krause <minipli@googlemail.com>
|
||||
|
||||
[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
|
||||
|
||||
Initialize the mac address buffer with 0 as the driver specific function
|
||||
will probably not fill the whole buffer. In fact, all in-kernel drivers
|
||||
fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
|
||||
bytes. Therefore we currently leak 26 bytes of stack memory to userland
|
||||
via the netlink interface.
|
||||
|
||||
Signed-off-by: Mathias Krause <minipli@googlemail.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/core/rtnetlink.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
--- a/net/core/rtnetlink.c
|
||||
+++ b/net/core/rtnetlink.c
|
||||
@@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
|
||||
* report anything.
|
||||
*/
|
||||
ivi.spoofchk = -1;
|
||||
+ memset(ivi.mac, 0, sizeof(ivi.mac));
|
||||
if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
|
||||
break;
|
||||
vf_mac.vf =
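Review bot: Only `ivi.mac` is zeroed, so the fix assumes every `ndo_get_vf_config` implementation writes all the remaining `ivi` fields before they are copied out; the `ivi.spoofchk = -1` on the line above shows that assumption has already needed one exception. Clearing the whole struct first, `memset(&ivi, 0, sizeof(ivi));` placed before the `ivi.spoofchk = -1;` assignment so the sentinel is not wiped, removes the per-field dependence on driver behaviour at no cost. The enclosing rtnl_fill_ifinfo() and the later copy of `ivi` into netlink attributes are outside the hunk.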
|
|
@ -0,0 +1,69 @@
|
|||
From 2ca39528c01a933f6689cd6505ce65bd6d68a530 Mon Sep 17 00:00:00 2001
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Wed, 13 Mar 2013 14:59:33 -0700
|
||||
Subject: signal: always clear sa_restorer on execve
|
||||
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
|
||||
commit 2ca39528c01a933f6689cd6505ce65bd6d68a530 upstream.
|
||||
|
||||
When the new signal handlers are set up, the location of sa_restorer is
|
||||
not cleared, leaking a parent process's address space location to
|
||||
children. This allows for a potential bypass of the parent's ASLR by
|
||||
examining the sa_restorer value returned when calling sigaction().
|
||||
|
||||
Based on what should be considered "secret" about addresses, it only
|
||||
matters across the exec not the fork (since the VMAs haven't changed
|
||||
until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
|
||||
this is where it should be fixed.
|
||||
|
||||
Given the few uses of sa_restorer, a "set" function was not written
|
||||
since this would be the only use. Instead, we use
|
||||
__ARCH_HAS_SA_RESTORER, as already done in other places.
|
||||
|
||||
Example of the leak before applying this patch:
|
||||
|
||||
$ cat /proc/$$/maps
|
||||
...
|
||||
7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
|
||||
...
|
||||
$ ./leak
|
||||
...
|
||||
7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
|
||||
...
|
||||
1 0 (nil) 0x7fb9f30b94a0
|
||||
2 4000000 (nil) 0x7f278bcaa4a0
|
||||
3 4000000 (nil) 0x7f278bcaa4a0
|
||||
4 0 (nil) 0x7fb9f30b94a0
|
||||
...
|
||||
|
||||
[akpm@linux-foundation.org: use SA_RESTORER for backportability]
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Emese Revfy <re.emese@gmail.com>
|
||||
Cc: Emese Revfy <re.emese@gmail.com>
|
||||
Cc: PaX Team <pageexec@freemail.hu>
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>
|
||||
Cc: Oleg Nesterov <oleg@redhat.com>
|
||||
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
|
||||
Cc: Serge Hallyn <serge.hallyn@canonical.com>
|
||||
Cc: Julien Tinnes <jln@google.com>
|
||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
||||
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
kernel/signal.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/kernel/signal.c
|
||||
+++ b/kernel/signal.c
|
||||
@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct
|
||||
if (force_default || ka->sa.sa_handler != SIG_IGN)
|
||||
ka->sa.sa_handler = SIG_DFL;
|
||||
ka->sa.sa_flags = 0;
|
||||
+#ifdef SA_RESTORER
|
||||
+ ka->sa.sa_restorer = NULL;
|
||||
+#endif
|
||||
sigemptyset(&ka->sa.sa_mask);
|
||||
ka++;
|
||||
}
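Review bot: The `#ifdef SA_RESTORER` guard (chosen for backportability per the akpm note in the description) clears the field only on architectures that define the SA_RESTORER flag, not on every architecture whose `struct sigaction` has an `sa_restorer` member; on any Debian architecture in the latter category the address leak this patch describes would persist. That is worth confirming against the release architectures, and the choice deserves a comment so it is not mistaken for a complete test: `/* SA_RESTORER stands in for "struct sigaction has sa_restorer"; arches with the member but without the flag need their own handling */`. The enclosing flush_signal_handlers() loop starts outside the hunk.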
|
|
@ -0,0 +1,87 @@
|
|||
From c0f5ecee4e741667b2493c742b60b6218d40b3aa Mon Sep 17 00:00:00 2001
|
||||
From: Oliver Neukum <oneukum@suse.de>
|
||||
Date: Tue, 12 Mar 2013 14:52:42 +0100
|
||||
Subject: USB: cdc-wdm: fix buffer overflow
|
||||
|
||||
From: Oliver Neukum <oneukum@suse.de>
|
||||
|
||||
commit c0f5ecee4e741667b2493c742b60b6218d40b3aa upstream.
|
||||
|
||||
The buffer for responses must not overflow.
|
||||
If this would happen, set a flag, drop the data and return
|
||||
an error after user space has read all remaining data.
|
||||
|
||||
Signed-off-by: Oliver Neukum <oliver@neukum.org>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
|
||||
---
|
||||
drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
|
||||
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/drivers/usb/class/cdc-wdm.c
|
||||
+++ b/drivers/usb/class/cdc-wdm.c
|
||||
@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
|
||||
#define WDM_RESPONDING 7
|
||||
#define WDM_SUSPENDING 8
|
||||
#define WDM_RESETTING 9
|
||||
+#define WDM_OVERFLOW 10
|
||||
|
||||
#define WDM_MAX 16
|
||||
|
||||
@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *
|
||||
{
|
||||
struct wdm_device *desc = urb->context;
|
||||
int status = urb->status;
|
||||
+ int length = urb->actual_length;
|
||||
|
||||
spin_lock(&desc->iuspin);
|
||||
clear_bit(WDM_RESPONDING, &desc->flags);
|
||||
@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *
|
||||
}
|
||||
|
||||
desc->rerr = status;
|
||||
- desc->reslength = urb->actual_length;
|
||||
- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
|
||||
- desc->length += desc->reslength;
|
||||
+ if (length + desc->length > desc->wMaxCommand) {
|
||||
+ /* The buffer would overflow */
|
||||
+ set_bit(WDM_OVERFLOW, &desc->flags);
|
||||
+ } else {
|
||||
+ /* we may already be in overflow */
|
||||
+ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
|
||||
+ memmove(desc->ubuf + desc->length, desc->inbuf, length);
|
||||
+ desc->length += length;
|
||||
+ desc->reslength = length;
|
||||
+ }
|
||||
+ }
|
||||
skip_error:
|
||||
wake_up(&desc->wait);
|
||||
|
||||
@@ -435,6 +445,11 @@ retry:
|
||||
rv = -ENODEV;
|
||||
goto err;
|
||||
}
|
||||
+ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
|
||||
+ clear_bit(WDM_OVERFLOW, &desc->flags);
|
||||
+ rv = -ENOBUFS;
|
||||
+ goto err;
|
||||
+ }
|
||||
i++;
|
||||
if (file->f_flags & O_NONBLOCK) {
|
||||
if (!test_bit(WDM_READ, &desc->flags)) {
|
||||
@@ -478,6 +493,7 @@ retry:
|
||||
spin_unlock_irq(&desc->iuspin);
|
||||
goto retry;
|
||||
}
|
||||
+
|
||||
if (!desc->reslength) { /* zero length read */
|
||||
dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
|
||||
clear_bit(WDM_READ, &desc->flags);
|
||||
@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_int
|
||||
struct wdm_device *desc = wdm_find_device(intf);
|
||||
int rv;
|
||||
|
||||
+ clear_bit(WDM_OVERFLOW, &desc->flags);
|
||||
clear_bit(WDM_RESETTING, &desc->flags);
|
||||
rv = recover_from_urb_loss(desc);
|
||||
mutex_unlock(&desc->wlock);
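Review bot: In wdm_in_callback() the else branch silently discards a well-sized response whenever WDM_OVERFLOW is already set, and the only explanation is the terse `/* we may already be in overflow */`; since `desc->rerr = status` and the `wake_up()` still run, a reader is woken with neither new data nor an error until the `-ENOBUFS` path in wdm_read() fires. Expand the comment to state the contract, e.g. `/* Once overflowed, drop every later response until read() has returned -ENOBUFS and cleared the flag; otherwise ubuf would hold a partial, stale reply. */`. Note also that `desc->reslength` is only updated on the accepted path, so after a dropped response it still describes the previous one; the `if (!desc->reslength)` check later in wdm_read() appears after the overflow test, but the surrounding control flow is outside the hunks, so that ordering is worth confirming.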
|
|
@ -77,3 +77,12 @@ bugfix/x86/drm-i915-add-quirk-to-invert-brightness-on-packard-bell-ncl20.patch
|
|||
bugfix/all/mm-Try-harder-to-allocate-vmemmap-blocks.patch
|
||||
features/all/alx/alx-update-for-3.8.patch
|
||||
bugfix/mips/mips-add-dependencies-for-have_arch_transparent_hugepage.patch
|
||||
bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
|
||||
bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
|
||||
bugfix/all/ext3-fix-format-string-issues.patch
|
||||
bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
|
||||
bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
|
||||
bugfix/all/bridge-fix-mdb-info-leaks.patch
|
||||
bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
|
||||
bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
|
||||
bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
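Review bot: The series now carries bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch, but the changelog hunk at the top of this commit lists every other new patch and has no rds line, so a reader of the changelog will not learn that fix is shipped. Add an entry alongside the others, e.g. `* rds: limit the size allocated by rds_message_alloc()`. If an identifier has been assigned for it, quote it the way the cdc-wdm, signal, ext3 and sctp entries do; none appears in the patch itself, so I have not asserted one.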
|
||||
|
|