From 87274a8083fb0dd9bb4471f37c350611af7ec851 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sun, 23 Jun 2013 16:32:43 +0000 Subject: [PATCH] Apply various security fixes svn path=/dists/sid/linux/; revision=20285 --- debian/changelog | 3 + ...ot-pass-disk-names-as-format-strings.patch | 62 +++++++++++++++++++ ...rom.c-use-kzalloc-for-failing-hardwa.patch | 45 ++++++++++++++ ...tify-info-leak-in-copy_event_to_user.patch | 27 ++++++++ debian/patches/series | 3 + 5 files changed, 140 insertions(+) create mode 100644 debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch create mode 100644 debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch create mode 100644 debian/patches/bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch diff --git a/debian/changelog b/debian/changelog index b68d6bdb1..dde3cba8a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -23,6 +23,9 @@ linux (3.9.7-1) UNRELEASED; urgency=low * yama: Disable ptrace restrictions by default, and change boot message to indicate this (Closes: #712740) * [x86] efi: Fix dummy variable buffer allocation + * fanotify: info leak in copy_event_to_user() (CVE-2013-2148) + * drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (CVE-2013-2164) + * block: do not pass disk names as format strings (CVE-2013-2851) -- Ben Hutchings Wed, 19 Jun 2013 04:30:59 +0100 diff --git a/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch b/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch new file mode 100644 index 000000000..aab1ed5f7 --- /dev/null +++ b/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch 
@@ -0,0 +1,62 @@
+From: Kees Cook
+Date: Wed, 19 Jun 2013 10:05:44 +1000
+Subject: block: do not pass disk names as format strings
+
+commit 00a10d269c161c4dc61e4d87d7941082c5b57488 upstream.
+
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index e9094b3..dadf42b 100644
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+ 
+ ddev->parent = disk->driverfs_dev;
+ 
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+ 
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ else
+ blk_queue_flush(nbd->disk->queue, 0);
+ 
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
diff --git a/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch b/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
new file mode 100644
index 000000000..56c6621ee
--- /dev/null
+++ b/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
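Review bot: The three call sites now get a literal `"%s"`, but nothing in the hunk stops the next caller from handing `disk->disk_name` to a printf-style interface as the format again, and the commit message itself says the name can be chosen by userspace through md. `dev_set_name()` and `kthread_create()` take a format string, so a non-literal format is only diagnosed at build time if `-Wformat-security`/`-Wformat-nonliteral` is enabled, which this packaging change does not show; I would record the hazard where the name is first consumed, e.g. in register_disk: `/* disk_name can be userspace-chosen (md): never pass it as a format string */`. register_disk, __nbd_ioctl and osd_probe each start and end outside the hunk, so any further use of disk_name in those functions is not visible here.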
@@ -0,0 +1,45 @@
+From: Jonathan Salwan
+Date: Wed, 19 Jun 2013 10:05:44 +1000
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+commit 410b0fa7c0ffe191a0596430e1b414192a111fe0 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+2886 if (cgc->buffer == NULL)
+2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function. If
+ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index d620b44..8a3aff7 100644
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
+ if (lba < 0)
+ return -EINVAL;
+ 
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ if (cgc->buffer == NULL)
+ return -ENOMEM;
+ 
diff --git a/debian/patches/bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch b/debian/patches/bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
new file mode 100644
index 000000000..c5109eb04
--- /dev/null
+++ b/debian/patches/bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
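Review bot: Switching the allocation to `kzalloc()` closes the leak but leaves the underlying mismatch in place: the `copy_to_user(arg, cgc->buffer, blocksize)` quoted in the description still sends all `blocksize` bytes regardless of how much the drive actually transferred. Zero-filling is the right defensive default when the transferred length is not reported back to this function (the hunk does not show whether `cgc->buflen` is updated by the lower layer); if it is, copying only that many bytes would be the tighter fix. The buffer is allocated per ioctl so the extra zeroing is cheap, but the reason should be recorded on the line so a later cleanup does not revert it to `kmalloc()`: `/* kzalloc: a malfunctioning drive may fill the buffer only partially, and the whole block is copied to userspace */`. mmc_ioctl_cdrom_read_data() starts before the hunk and continues past it.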
@@ -0,0 +1,27 @@
+From: Dan Carpenter
+Date: Wed, 19 Jun 2013 10:05:29 +1000
+Subject: fanotify: info leak in copy_event_to_user()
+
+commit d2e5df23489623877fa0a587570c44fe08be2f8f upstream.
+
+The ->reserverd field isn't cleared so we leak one byte of stack
+information to userspace.
+
+Signed-off-by: Dan Carpenter
+Cc: Eric Paris
+Cc: Al Viro
+Signed-off-by: Andrew Morton
+---
+ fs/notify/fanotify/fanotify_user.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/notify/fanotify/fanotify_user.c
++++ b/fs/notify/fanotify/fanotify_user.c
+@@ -121,6 +121,7 @@ static int fill_event_metadata(struct fs
+ metadata->event_len = FAN_EVENT_METADATA_LEN;
+ metadata->metadata_len = FAN_EVENT_METADATA_LEN;
+ metadata->vers = FANOTIFY_METADATA_VERSION;
++ metadata->reserved = 0;
+ metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
+ metadata->pid = pid_vnr(event->tgid);
+ if (unlikely(event->mask & FAN_Q_OVERFLOW))
diff --git a/debian/patches/series b/debian/patches/series
index 36b2e75ae..7625cb074 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -108,3 +108,6 @@ bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
 debian/powerpc-machdep-avoid-abi-change-in-3.9.6.patch
 debian/yama-disable-by-default.patch
 bugfix/x86/x86-efi-Fix-dummy-variable-buffer-allocation.patch
+bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
+bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
+bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
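Review bot: Clearing `metadata->reserved` as one more field assignment is fragile for a structure that is copied to userspace: any field or padding byte added later, or not listed in this function, would leak from the stack exactly as this one did. A more robust fix is to zero the whole object once at the top of fill_event_metadata(), `memset(metadata, 0, sizeof(*metadata));`, which makes the added line redundant and covers future layout changes. I cannot see the struct definition or the caller's stack variable from here, so whether `struct fanotify_event_metadata` currently has implicit padding is not verifiable in this hunk. fill_event_metadata() starts before the hunk and continues past it.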