Update to 3.9.5
svn path=/dists/sid/linux/; revision=20218
This commit is contained in:
parent
c2c180e11b
commit
935de573c8
|
@ -1,5 +1,51 @@
|
|||
linux (3.9.4-2) UNRELEASED; urgency=low
|
||||
linux (3.9.5-1) UNRELEASED; urgency=low
|
||||
|
||||
* New upstream stable update:
|
||||
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.9.5
|
||||
- [arm] 7723/1: crypto: sha1-armv4-large.S: fix SP handling
|
||||
- mac80211: use just spin_lock() in ieee80211_get_tkip_p2k()
|
||||
- USB: cxacru: potential underflow in cxacru_cm_get_array()
|
||||
- TTY: Fix tty miss restart after we turn off flow-control
|
||||
(Closes: #465823)
|
||||
- cifs: only set ops for inodes in I_NEW state
|
||||
- drivers/char/random.c: fix priming of last_data
|
||||
- random: fix accounting race condition with lockless irq entropy_count
|
||||
update
|
||||
- fat: fix possible overflow for fat_clusters
|
||||
- tg3: Fix data corruption on 5725 with TSO
|
||||
- ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in
|
||||
ocfs2_fiemap()
|
||||
- mm compaction: fix of improper cache flush in migration code
|
||||
- klist: del waiter from klist_remove_waiters before wakeup waitting process
|
||||
- wait: fix false timeouts when using wait_event_timeout()
|
||||
- nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary
|
||||
- mm: mmu_notifier: re-fix freed page still mapped in secondary MMU
|
||||
- mm: memcg: remove incorrect VM_BUG_ON for swap cache pages in uncharge
|
||||
- mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas
|
||||
- mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer
|
||||
- module: don't unlink the module until we've removed all exposure.
|
||||
- xfs: kill suid/sgid through the truncate path.
|
||||
- SUNRPC: Prevent an rpc_task wakeup race
|
||||
- cifs: fix potential buffer overrun when composing a new options string
|
||||
- cgroup: initialize xattr before calling d_instantiate()
|
||||
- [powerpc] 32bit:Store temporary result in r0 instead of r8
|
||||
- [powerpc] tm: Fix userspace stack corruption on signal delivery for active
|
||||
transactions
|
||||
- [powerpc] tm: Abort on emulation and alignment faults
|
||||
- iscsi-target: fix heap buffer overflow on error
|
||||
- KVM: fix sil/dil/bpl/spl in the mod/rm fields
|
||||
- reiserfs: fix deadlock with nfs racing on create/lookup
|
||||
- reiserfs: fix problems with chowning setuid file w/ xattrs
|
||||
- reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry
|
||||
- jfs: fix a couple races
|
||||
- IB/iser: Return error to upper layers on EAGAIN registration failures
|
||||
- fuse: fix readdirplus Oops in fuse_dentry_revalidate
|
||||
- target: Re-instate sess_wait_list for target_wait_for_sess_cmds
|
||||
- xen-netback: Fix regressions caused by fix for CVE-2013-0216
|
||||
+ coalesce slots in TX path and fix regressions
|
||||
+ don't disconnect frontend when seeing oversize packet
|
||||
|
||||
[ Ben Hutchings ]
|
||||
* [powerpcspe] Remove installer udebs (really fixes FTBFS)
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Sat, 08 Jun 2013 15:25:11 +0100
|
||||
|
|
|
@ -1,62 +0,0 @@
|
|||
From: Kees Cook <keescook@chromium.org>
|
||||
Date: Thu, 23 May 2013 17:32:17 +0000
|
||||
Subject: iscsi-target: fix heap buffer overflow on error
|
||||
|
||||
commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
|
||||
|
||||
If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
|
||||
error response packet, generated by iscsi_add_notunderstood_response(),
|
||||
would still attempt to copy the entire key into the packet, overflowing
|
||||
the structure on the heap.
|
||||
|
||||
Remote preauthentication kernel memory corruption was possible if a
|
||||
target was configured and listening on the network.
|
||||
|
||||
CVE-2013-2850
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
|
||||
---
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
index c2185fc..e382221 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
|
||||
@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response(
|
||||
}
|
||||
INIT_LIST_HEAD(&extra_response->er_list);
|
||||
|
||||
- strncpy(extra_response->key, key, strlen(key) + 1);
|
||||
- strncpy(extra_response->value, NOTUNDERSTOOD,
|
||||
- strlen(NOTUNDERSTOOD) + 1);
|
||||
+ strlcpy(extra_response->key, key, sizeof(extra_response->key));
|
||||
+ strlcpy(extra_response->value, NOTUNDERSTOOD,
|
||||
+ sizeof(extra_response->value));
|
||||
|
||||
list_add_tail(&extra_response->er_list,
|
||||
¶m_list->extra_response_list);
|
||||
@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input(
|
||||
|
||||
if (phase & PHASE_SECURITY) {
|
||||
if (iscsi_check_for_auth_key(key) > 0) {
|
||||
- char *tmpptr = key + strlen(key);
|
||||
- *tmpptr = '=';
|
||||
kfree(tmpbuf);
|
||||
return 1;
|
||||
}
|
||||
diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
index 915b067..a47046a 100644
|
||||
--- a/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
+++ b/drivers/target/iscsi/iscsi_target_parameters.h
|
||||
@@ -1,8 +1,10 @@
|
||||
#ifndef ISCSI_PARAMETERS_H
|
||||
#define ISCSI_PARAMETERS_H
|
||||
|
||||
+#include <scsi/iscsi_proto.h>
|
||||
+
|
||||
struct iscsi_extra_response {
|
||||
- char key[64];
|
||||
+ char key[KEY_MAXLEN];
|
||||
char value[32];
|
||||
struct list_head er_list;
|
||||
} ____cacheline_aligned;
|
|
@ -104,4 +104,3 @@ features/arm/imx53-qsb-usb-power.patch
|
|||
features/arm/0001-thermal-Add-driver-for-Armada-370-XP-SoC-thermal-man.patch
|
||||
features/arm/0001-ARM-mvebu-Add-thermal-support-to-Armada-XP-device-tr.patch
|
||||
|
||||
bugfix/all/iscsi-target-fix-heap-buffer-overflow-on-error.patch
|
||||
|
|
Loading…
Reference in New Issue