[kernel] r19919 - in dists/trunk/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at alioth.debian.org
Tue Mar 19 04:52:27 UTC 2013
Author: benh
Date: Tue Mar 19 04:52:25 2013
New Revision: 19919
Log:
Add various security fixes from 3.8.4-rc1
Added:
dists/trunk/linux/debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
dists/trunk/linux/debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch
dists/trunk/linux/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
dists/trunk/linux/debian/patches/bugfix/all/ext3-fix-format-string-issues.patch
dists/trunk/linux/debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
dists/trunk/linux/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
dists/trunk/linux/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
dists/trunk/linux/debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
dists/trunk/linux/debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
Modified:
dists/trunk/linux/debian/changelog
dists/trunk/linux/debian/patches/series
Modified: dists/trunk/linux/debian/changelog
==============================================================================
--- dists/trunk/linux/debian/changelog Tue Mar 19 03:54:56 2013 (r19918)
+++ dists/trunk/linux/debian/changelog Tue Mar 19 04:52:25 2013 (r19919)
@@ -5,6 +5,14 @@
[ Ben Hutchings ]
* aufs: Update to aufs3.8-20130311
+ * USB: cdc-wdm: fix buffer overflow (CVE-2013-1860)
+ * signal: always clear sa_restorer on execve (CVE-2013-0914)
+ * ext3: Fix format string issues (CVE-2013-1848)
+ * net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS (CVE-2013-1828)
+ * bridge: fix mdb info leaks
+ * rtnl: fix info leak on RTM_GETLINK request for VF devices
+ * dcbnl: fix various netlink info leaks
+ * ALSA: seq: Fix missing error handling in snd_seq_timer_open()
[ Ian Campbell ]
* arm: correct path to DTB files. Patch from Nobuhiro Iwamatsu.
Added: dists/trunk/linux/debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,74 @@
+From 66efdc71d95887b652a742a5dae51fa834d71465 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai at suse.de>
+Date: Fri, 8 Mar 2013 18:11:17 +0100
+Subject: ALSA: seq: Fix missing error handling in snd_seq_timer_open()
+
+From: Takashi Iwai <tiwai at suse.de>
+
+commit 66efdc71d95887b652a742a5dae51fa834d71465 upstream.
+
+snd_seq_timer_open() didn't catch the whole error path but let through
+if the timer id is a slave. This may lead to Oops by accessing the
+uninitialized pointer.
+
+ BUG: unable to handle kernel NULL pointer dereference at 00000000000002ae
+ IP: [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
+ PGD 785cd067 PUD 76964067 PMD 0
+ Oops: 0002 [#4] SMP
+ CPU 0
+ Pid: 4288, comm: trinity-child7 Tainted: G D W 3.9.0-rc1+ #100 Bochs Bochs
+ RIP: 0010:[<ffffffff819b3477>] [<ffffffff819b3477>] snd_seq_timer_open+0xe7/0x130
+ RSP: 0018:ffff88006ece7d38 EFLAGS: 00010246
+ RAX: 0000000000000286 RBX: ffff88007851b400 RCX: 0000000000000000
+ RDX: 000000000000ffff RSI: ffff88006ece7d58 RDI: ffff88006ece7d38
+ RBP: ffff88006ece7d98 R08: 000000000000000a R09: 000000000000fffe
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff8800792c5400 R14: 0000000000e8f000 R15: 0000000000000007
+ FS: 00007f7aaa650700(0000) GS:ffff88007f800000(0000) GS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00000000000002ae CR3: 000000006efec000 CR4: 00000000000006f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Process trinity-child7 (pid: 4288, threadinfo ffff88006ece6000, task ffff880076a8a290)
+ Stack:
+ 0000000000000286 ffffffff828f2be0 ffff88006ece7d58 ffffffff810f354d
+ 65636e6575716573 2065756575712072 ffff8800792c0030 0000000000000000
+ ffff88006ece7d98 ffff8800792c5400 ffff88007851b400 ffff8800792c5520
+ Call Trace:
+ [<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff819b17e9>] snd_seq_queue_timer_open+0x29/0x70
+ [<ffffffff819ae01a>] snd_seq_ioctl_set_queue_timer+0xda/0x120
+ [<ffffffff819acb9b>] snd_seq_do_ioctl+0x9b/0xd0
+ [<ffffffff819acbe0>] snd_seq_ioctl+0x10/0x20
+ [<ffffffff811b9542>] do_vfs_ioctl+0x522/0x570
+ [<ffffffff8130a4b3>] ? file_has_perm+0x83/0xa0
+ [<ffffffff810f354d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff811b95ed>] sys_ioctl+0x5d/0xa0
+ [<ffffffff813663fe>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff81faed69>] system_call_fastpath+0x16/0x1b
+
+Reported-and-tested-by: Tommi Rantala <tt.rantala at gmail.com>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+---
+ sound/core/seq/seq_timer.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_timer.c
++++ b/sound/core/seq/seq_timer.c
+@@ -290,10 +290,10 @@ int snd_seq_timer_open(struct snd_seq_qu
+ tid.device = SNDRV_TIMER_GLOBAL_SYSTEM;
+ err = snd_timer_open(&t, str, &tid, q->queue);
+ }
+- if (err < 0) {
+- snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
+- return err;
+- }
++ }
++ if (err < 0) {
++ snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);
++ return err;
+ }
+ t->callback = snd_seq_timer_interrupt;
+ t->callback_data = q;
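Review bot: The relocated `snd_printk(KERN_ERR "seq fatal error: cannot create timer (%i)\n", err);` now fires on every failed open, including the slave-timer case that previously fell through, and the call trace in the message shows this path is reached from userspace via the `SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER` ioctl on the sequencer device, so a client handing in a bogus timer id can flood the kernel log at will. Consider a rate-limited variant, e.g. `pr_err_ratelimited("seq fatal error: cannot create timer (%i)\n", err);`, or whatever ratelimited wrapper the ALSA core offers in this tree. The fix itself looks right: the single `if (err < 0)` after the closing brace now covers both the slave and non-slave branches, so `t` is no longer dereferenced when `snd_timer_open()` failed. `snd_seq_timer_open` starts and ends outside the hunk.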
Added: dists/trunk/linux/debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/bridge-fix-mdb-info-leaks.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,59 @@
+From 9e989b12e61b81f93750f9eb5fb5aa147afb7cd9 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:19 +0000
+Subject: bridge: fix mdb info leaks
+
+
+From: Mathias Krause <minipli at googlemail.com>
+
+[ Upstream commit c085c49920b2f900ba716b4ca1c1a55ece9872cc ]
+
+The bridging code discloses heap and stack bytes via the RTM_GETMDB
+netlink interface and via the notify messages send to group RTNLGRP_MDB
+afer a successful add/del.
+
+Fix both cases by initializing all unset members/padding bytes with
+memset(0).
+
+Cc: Stephen Hemminger <stephen at networkplumber.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/bridge/br_mdb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/bridge/br_mdb.c
++++ b/net/bridge/br_mdb.c
+@@ -82,6 +82,7 @@ static int br_mdb_fill_info(struct sk_bu
+ port = p->port;
+ if (port) {
+ struct br_mdb_entry e;
++ memset(&e, 0, sizeof(e));
+ e.ifindex = port->dev->ifindex;
+ e.state = p->state;
+ if (p->addr.proto == htons(ETH_P_IP))
+@@ -138,6 +139,7 @@ static int br_mdb_dump(struct sk_buff *s
+ break;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->ifindex = dev->ifindex;
+ if (br_mdb_fill_info(skb, cb, dev) < 0)
+ goto out;
+@@ -173,6 +175,7 @@ static int nlmsg_populate_mdb_fill(struc
+ return -EMSGSIZE;
+
+ bpm = nlmsg_data(nlh);
++ memset(bpm, 0, sizeof(*bpm));
+ bpm->family = AF_BRIDGE;
+ bpm->ifindex = dev->ifindex;
+ nest = nla_nest_start(skb, MDBA_MDB);
+@@ -230,6 +233,7 @@ void br_mdb_notify(struct net_device *de
+ {
+ struct br_mdb_entry entry;
+
++ memset(&entry, 0, sizeof(entry));
+ entry.ifindex = port->dev->ifindex;
+ entry.addr.proto = group->proto;
+ entry.addr.u.ip4 = group->u.ip4;
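Review bot: The four `memset()` calls are the right tool here, and that deserves a comment, because each struct (`struct br_mdb_entry`, the `bpm` message header) is copied verbatim into the netlink skb, so padding bytes and not just unset members reach userspace; a "cleanup" to a designated initializer such as `struct br_mdb_entry e = { .ifindex = port->dev->ifindex, ... }` would give no guarantee about padding and could silently bring the leak back. I would add at each site something like `/* zero padding too: the whole struct is copied to userspace */`. In `br_mdb_notify` only `ifindex`, `addr.proto` and `addr.u.ip4` are assigned in the visible lines; the rest of that function, including what happens to the larger union member for non-IPv4 groups, is outside the hunk.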
Added: dists/trunk/linux/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,95 @@
+From d6f60f50fead5fb769f447c20aa5b80a1fd627f3 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:21 +0000
+Subject: dcbnl: fix various netlink info leaks
+
+
+From: Mathias Krause <minipli at googlemail.com>
+
+[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
+
+The dcb netlink interface leaks stack memory in various places:
+* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+ copied completely,
+* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+ so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+ for ieee_pfc structs, etc.,
+* the same is true for CEE -- no in-kernel driver fills the whole
+ struct,
+
+Prevent all of the above stack info leaks by properly initializing the
+buffers/structures involved.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/dcb/dcbnl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -284,6 +284,7 @@ static int dcbnl_getperm_hwaddr(struct n
+ if (!netdev->dcbnl_ops->getpermhwaddr)
+ return -EOPNOTSUPP;
+
++ memset(perm_addr, 0, sizeof(perm_addr));
+ netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+
+ return nla_put(skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr), perm_addr);
+@@ -1042,6 +1043,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets))
+@@ -1050,6 +1052,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_getmaxrate) {
+ struct ieee_maxrate maxrate;
++ memset(&maxrate, 0, sizeof(maxrate));
+ err = ops->ieee_getmaxrate(netdev, &maxrate);
+ if (!err) {
+ err = nla_put(skb, DCB_ATTR_IEEE_MAXRATE,
+@@ -1061,6 +1064,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc))
+@@ -1094,6 +1098,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+ /* get peer info if available */
+ if (ops->ieee_peer_getets) {
+ struct ieee_ets ets;
++ memset(&ets, 0, sizeof(ets));
+ err = ops->ieee_peer_getets(netdev, &ets);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets))
+@@ -1102,6 +1107,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+
+ if (ops->ieee_peer_getpfc) {
+ struct ieee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->ieee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc))
+@@ -1280,6 +1286,7 @@ static int dcbnl_cee_fill(struct sk_buff
+ /* peer info if available */
+ if (ops->cee_peer_getpg) {
+ struct cee_pg pg;
++ memset(&pg, 0, sizeof(pg));
+ err = ops->cee_peer_getpg(netdev, &pg);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg))
+@@ -1288,6 +1295,7 @@ static int dcbnl_cee_fill(struct sk_buff
+
+ if (ops->cee_peer_getpfc) {
+ struct cee_pfc pfc;
++ memset(&pfc, 0, sizeof(pfc));
+ err = ops->cee_peer_getpfc(netdev, &pfc);
+ if (!err &&
+ nla_put(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc))
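Review bot: Each new `memset()` sits directly before the `ops->...` callback that fills the struct, which is correct, but the fix is only as complete as the list of call sites it touches; `dcbnl_ieee_fill` and `dcbnl_cee_fill` both start and end outside this hunk, and any other callback-filled stack local that is sent with the same `nla_put(skb, ..., sizeof(x), &x)` pattern (app-table or non-peer CEE getters, if this tree has them) would leak in exactly the same way, so I'd grep both functions for further `nla_put(..., sizeof(...), &...)` of a local before taking this as the whole fix. A comment at the first site would also tell the next person adding an attribute why the zeroing is mandatory, e.g. `/* drivers fill only part of these structs; zero them before nla_put() copies the whole thing out */`.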
Added: dists/trunk/linux/debian/patches/bugfix/all/ext3-fix-format-string-issues.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/ext3-fix-format-string-issues.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,48 @@
+From 8d0c2d10dd72c5292eda7a06231056a4c972e4cc Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars at metafoo.de>
+Date: Sat, 9 Mar 2013 15:28:44 +0100
+Subject: ext3: Fix format string issues
+
+From: Lars-Peter Clausen <lars at metafoo.de>
+
+commit 8d0c2d10dd72c5292eda7a06231056a4c972e4cc upstream.
+
+ext3_msg() takes the printk prefix as the second parameter and the
+format string as the third parameter. Two callers of ext3_msg omit the
+prefix and pass the format string as the second parameter and the first
+parameter to the format string as the third parameter. In both cases
+this string comes from an arbitrary source. Which means the string may
+contain format string characters, which will
+lead to undefined and potentially harmful behavior.
+
+The issue was introduced in commit 4cf46b67eb("ext3: Unify log messages
+in ext3") and is fixed by this patch.
+
+Signed-off-by: Lars-Peter Clausen <lars at metafoo.de>
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+---
+ fs/ext3/super.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/ext3/super.c
++++ b/fs/ext3/super.c
+@@ -353,7 +353,7 @@ static struct block_device *ext3_blkdev_
+ return bdev;
+
+ fail:
+- ext3_msg(sb, "error: failed to open journal device %s: %ld",
++ ext3_msg(sb, KERN_ERR, "error: failed to open journal device %s: %ld",
+ __bdevname(dev, b), PTR_ERR(bdev));
+
+ return NULL;
+@@ -887,7 +887,7 @@ static ext3_fsblk_t get_sb_block(void **
+ /*todo: use simple_strtoll with >32bit ext3 */
+ sb_block = simple_strtoul(options, &options, 0);
+ if (*options && *options != ',') {
+- ext3_msg(sb, "error: invalid sb specification: %s",
++ ext3_msg(sb, KERN_ERR, "error: invalid sb specification: %s",
+ (char *) *data);
+ return 1;
+ }
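Review bot: Neither call site would have slipped through if `ext3_msg()` carried a `__printf(3, 4)` attribute; passing the message text in the prefix slot and a data pointer in the format slot would then be a `-Wformat` warning at build time rather than a latent format-string bug. If the declaration of `ext3_msg` is not already annotated (it is outside this patch), adding `__printf(3, 4)` there turns this whole class of mistake into a compile-time diagnostic. Of the two sites the `get_sb_block` one matters more: `(char *) *data` is the mount-option string, so the format string there was caller-controlled. `get_sb_block` continues past the end of the hunk.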
Added: dists/trunk/linux/debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,52 @@
+From e5f9811e44fcf067a0dbb8abf55bbad454a1688a Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux at roeck-us.net>
+Date: Wed, 27 Feb 2013 10:57:31 +0000
+Subject: net/sctp: Validate parameter size for SCTP_GET_ASSOC_STATS
+
+
+From: Guenter Roeck <linux at roeck-us.net>
+
+commit 726bc6b092da4c093eb74d13c07184b18c1af0f1 upstream.
+
+Building sctp may fail with:
+
+In function ‘copy_from_user’,
+ inlined from ‘sctp_getsockopt_assoc_stats’ at
+ net/sctp/socket.c:5656:20:
+arch/x86/include/asm/uaccess_32.h:211:26: error: call to
+ ‘copy_from_user_overflow’ declared with attribute error: copy_from_user()
+ buffer size is not provably correct
+
+if built with W=1 due to a missing parameter size validation
+before the call to copy_from_user.
+
+Signed-off-by: Guenter Roeck <linux at roeck-us.net>
+Acked-by: Vlad Yasevich <vyasevich at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/sctp/socket.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -5653,6 +5653,9 @@ static int sctp_getsockopt_assoc_stats(s
+ if (len < sizeof(sctp_assoc_t))
+ return -EINVAL;
+
++ /* Allow the struct to grow and fill in as much as possible */
++ len = min_t(size_t, len, sizeof(sas));
++
+ if (copy_from_user(&sas, optval, len))
+ return -EFAULT;
+
+@@ -5686,9 +5689,6 @@ static int sctp_getsockopt_assoc_stats(s
+ /* Mark beginning of a new observation period */
+ asoc->stats.max_obs_rto = asoc->rto_min;
+
+- /* Allow the struct to grow and fill in as much as possible */
+- len = min_t(size_t, len, sizeof(sas));
+-
+ if (put_user(len, optlen))
+ return -EFAULT;
+
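Review bot: The relocated `len = min_t(size_t, len, sizeof(sas));` is now the bound that keeps the following `copy_from_user(&sas, optval, len)` inside the stack variable `sas`, but the comment it carries, `/* Allow the struct to grow and fill in as much as possible */`, only describes the ABI-compatibility intent, so a later reader could legitimately move it back down as the original author had it. Suggest rewording it to state the security role, e.g. `/* Clamp to sizeof(sas): bounds the copy_from_user() below, and still serves a smaller or larger userspace struct */`. The `put_user(len, optlen)` at the end correctly reports the clamped length. `sctp_getsockopt_assoc_stats` starts and ends outside the hunk.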
Added: dists/trunk/linux/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,71 @@
+From 55c315e31dac6ebe4b66c630d2127cab52b02cc3 Mon Sep 17 00:00:00 2001
+From: Cong Wang <amwang at redhat.com>
+Date: Sun, 3 Mar 2013 16:18:11 +0000
+Subject: rds: limit the size allocated by rds_message_alloc()
+
+
+From: Cong Wang <amwang at redhat.com>
+
+[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
+
+Dave Jones reported the following bug:
+
+"When fed mangled socket data, rds will trust what userspace gives it,
+and tries to allocate enormous amounts of memory larger than what
+kmalloc can satisfy."
+
+WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+Hardware name: GA-MA78GM-S2H
+Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+---[ end trace eed6ae990d018c8b ]---
+
+Reported-by: Dave Jones <davej at redhat.com>
+Cc: Dave Jones <davej at redhat.com>
+Cc: David S. Miller <davem at davemloft.net>
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra at oracle.com>
+Signed-off-by: Cong Wang <amwang at redhat.com>
+Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ struct rds_message *rm;
+
++ if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++ return NULL;
++
+ rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ if (!rm)
+ goto out;
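Review bot: Rejecting `extra_len` above `KMALLOC_MAX_SIZE - sizeof(struct rds_message)` stops the page-allocator warning, but it does so by returning NULL, which the caller shown in the trace (`rds_sendmsg`) will presumably report as -ENOMEM although the real condition is an oversized user-supplied message; an -EMSGSIZE check at the sendmsg boundary would be more honest and, if `extra_len` is derived from the user payload, would also stop a single socket from pinning up to `KMALLOC_MAX_SIZE` per in-flight message, which this check still allows. If the RDS transport defines a maximum payload, validating against it in `rds_sendmsg` before calling `rds_message_alloc()` is the stronger fix, with this check kept as a backstop. `rds_message_alloc` continues past the hunk, so I can't see the `out:` label the existing failure path uses; returning NULL directly instead of `goto out` may or may not match it.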
Added: dists/trunk/linux/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,33 @@
+From 322aa953dd5565d1029a18d5bda0bd25a0dbb4bb Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF devices
+
+
+From: Mathias Krause <minipli at googlemail.com>
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -976,6 +976,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ * report anything.
+ */
+ ivi.spoofchk = -1;
++ memset(ivi.mac, 0, sizeof(ivi.mac));
+ if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ break;
+ vf_mac.vf =
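Review bot: The new `memset(ivi.mac, 0, sizeof(ivi.mac));` clears only the MAC buffer, while `ivi` is a stack struct whose other members (`vlan`, `qos`, `tx_rate` and any padding, judging by the `vf_vlan`/`vf_tx_rate` attributes built from it) are presumably left to the driver's `ndo_get_vf_config` just as `mac` was; the visible `ivi.spoofchk = -1;` sentinel shows the code already expects drivers not to fill everything. Clearing the whole struct costs nothing extra and closes the remaining exposure: replace the added line with `memset(&ivi, 0, sizeof(ivi));` placed before `ivi.spoofchk = -1;` so the sentinel survives. Which members end up in the netlink attributes is decided further down in `rtnl_fill_ifinfo`, outside this hunk.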
Added: dists/trunk/linux/debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/signal-always-clear-sa_restorer-on-execve.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,69 @@
+From 2ca39528c01a933f6689cd6505ce65bd6d68a530 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 13 Mar 2013 14:59:33 -0700
+Subject: signal: always clear sa_restorer on execve
+
+From: Kees Cook <keescook at chromium.org>
+
+commit 2ca39528c01a933f6689cd6505ce65bd6d68a530 upstream.
+
+When the new signal handlers are set up, the location of sa_restorer is
+not cleared, leaking a parent process's address space location to
+children. This allows for a potential bypass of the parent's ASLR by
+examining the sa_restorer value returned when calling sigaction().
+
+Based on what should be considered "secret" about addresses, it only
+matters across the exec not the fork (since the VMAs haven't changed
+until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
+this is where it should be fixed.
+
+Given the few uses of sa_restorer, a "set" function was not written
+since this would be the only use. Instead, we use
+__ARCH_HAS_SA_RESTORER, as already done in other places.
+
+Example of the leak before applying this patch:
+
+ $ cat /proc/$$/maps
+ ...
+ 7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
+ ...
+ $ ./leak
+ ...
+ 7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
+ ...
+ 1 0 (nil) 0x7fb9f30b94a0
+ 2 4000000 (nil) 0x7f278bcaa4a0
+ 3 4000000 (nil) 0x7f278bcaa4a0
+ 4 0 (nil) 0x7fb9f30b94a0
+ ...
+
+[akpm at linux-foundation.org: use SA_RESTORER for backportability]
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Emese Revfy <re.emese at gmail.com>
+Cc: Emese Revfy <re.emese at gmail.com>
+Cc: PaX Team <pageexec at freemail.hu>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: "Eric W. Biederman" <ebiederm at xmission.com>
+Cc: Serge Hallyn <serge.hallyn at canonical.com>
+Cc: Julien Tinnes <jln at google.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+---
+ kernel/signal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct
+ if (force_default || ka->sa.sa_handler != SIG_IGN)
+ ka->sa.sa_handler = SIG_DFL;
+ ka->sa.sa_flags = 0;
++#ifdef SA_RESTORER
++ ka->sa.sa_restorer = NULL;
++#endif
+ sigemptyset(&ka->sa.sa_mask);
+ ka++;
+ }
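Review bot: The guard `#ifdef SA_RESTORER` tests a UAPI flag value, not whether the kernel's sigaction has an `sa_restorer` member, and the commit message itself says the intent was `__ARCH_HAS_SA_RESTORER` ("as already done in other places"); the `[akpm: use SA_RESTORER for backportability]` trailer explains the swap but leaves code and message out of sync. An architecture that defines `SA_RESTORER` without the field would fail to build on this line, and one with the field but without the flag would keep leaking the parent's address across exec, so before taking the backport as-is I'd check which architectures in this tree fall into either group. At minimum the guard should say which symbol is authoritative, e.g. `#ifdef SA_RESTORER	/* only arches with sa_restorer in struct sigaction; see __ARCH_HAS_SA_RESTORER */`. `flush_signal_handlers` begins before the hunk.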
Added: dists/trunk/linux/debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/trunk/linux/debian/patches/bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch Tue Mar 19 04:52:25 2013 (r19919)
@@ -0,0 +1,87 @@
+From c0f5ecee4e741667b2493c742b60b6218d40b3aa Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum at suse.de>
+Date: Tue, 12 Mar 2013 14:52:42 +0100
+Subject: USB: cdc-wdm: fix buffer overflow
+
+From: Oliver Neukum <oneukum at suse.de>
+
+commit c0f5ecee4e741667b2493c742b60b6218d40b3aa upstream.
+
+The buffer for responses must not overflow.
+If this would happen, set a flag, drop the data and return
+an error after user space has read all remaining data.
+
+Signed-off-by: Oliver Neukum <oliver at neukum.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-wdm.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -56,6 +56,7 @@ MODULE_DEVICE_TABLE (usb, wdm_ids);
+ #define WDM_RESPONDING 7
+ #define WDM_SUSPENDING 8
+ #define WDM_RESETTING 9
++#define WDM_OVERFLOW 10
+
+ #define WDM_MAX 16
+
+@@ -155,6 +156,7 @@ static void wdm_in_callback(struct urb *
+ {
+ struct wdm_device *desc = urb->context;
+ int status = urb->status;
++ int length = urb->actual_length;
+
+ spin_lock(&desc->iuspin);
+ clear_bit(WDM_RESPONDING, &desc->flags);
+@@ -185,9 +187,17 @@ static void wdm_in_callback(struct urb *
+ }
+
+ desc->rerr = status;
+- desc->reslength = urb->actual_length;
+- memmove(desc->ubuf + desc->length, desc->inbuf, desc->reslength);
+- desc->length += desc->reslength;
++ if (length + desc->length > desc->wMaxCommand) {
++ /* The buffer would overflow */
++ set_bit(WDM_OVERFLOW, &desc->flags);
++ } else {
++ /* we may already be in overflow */
++ if (!test_bit(WDM_OVERFLOW, &desc->flags)) {
++ memmove(desc->ubuf + desc->length, desc->inbuf, length);
++ desc->length += length;
++ desc->reslength = length;
++ }
++ }
+ skip_error:
+ wake_up(&desc->wait);
+
+@@ -435,6 +445,11 @@ retry:
+ rv = -ENODEV;
+ goto err;
+ }
++ if (test_bit(WDM_OVERFLOW, &desc->flags)) {
++ clear_bit(WDM_OVERFLOW, &desc->flags);
++ rv = -ENOBUFS;
++ goto err;
++ }
+ i++;
+ if (file->f_flags & O_NONBLOCK) {
+ if (!test_bit(WDM_READ, &desc->flags)) {
+@@ -478,6 +493,7 @@ retry:
+ spin_unlock_irq(&desc->iuspin);
+ goto retry;
+ }
++
+ if (!desc->reslength) { /* zero length read */
+ dev_dbg(&desc->intf->dev, "%s: zero length - clearing WDM_READ\n", __func__);
+ clear_bit(WDM_READ, &desc->flags);
+@@ -1004,6 +1020,7 @@ static int wdm_post_reset(struct usb_int
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
+ mutex_unlock(&desc->wlock);
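Review bot: `WDM_OVERFLOW` is set in the URB callback and cleared only when `wdm_read()` reaches `retry:` or in `wdm_post_reset()`, so if the reader closes the device while the flag is set, the next opener's first `read()` apparently gets -ENOBUFS for an overflow it never saw, unless `wdm_open()` or the release path (both outside this hunk) clears it, which I'd verify; a `clear_bit(WDM_OVERFLOW, &desc->flags);` next to the existing flag resets in `wdm_open()` would make the error strictly per-session. In the callback, `length` is declared `int` while `urb->actual_length` is unsigned and `desc->length`'s type is not visible, so it is worth confirming that `length + desc->length > desc->wMaxCommand` is evaluated as an unsigned comparison rather than a signed one a large `actual_length` could wrap past. Placing the check in the `retry:` path does mean the error surfaces only once buffered data has been drained, which matches the commit message; `wdm_read` starts before the hunk.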
Modified: dists/trunk/linux/debian/patches/series
==============================================================================
--- dists/trunk/linux/debian/patches/series Tue Mar 19 03:54:56 2013 (r19918)
+++ dists/trunk/linux/debian/patches/series Tue Mar 19 04:52:25 2013 (r19919)
@@ -77,3 +77,12 @@
bugfix/all/mm-Try-harder-to-allocate-vmemmap-blocks.patch
features/all/alx/alx-update-for-3.8.patch
bugfix/mips/mips-add-dependencies-for-have_arch_transparent_hugepage.patch
+bugfix/all/usb-cdc-wdm-fix-buffer-overflow.patch
+bugfix/all/signal-always-clear-sa_restorer-on-execve.patch
+bugfix/all/ext3-fix-format-string-issues.patch
+bugfix/all/net-sctp-validate-parameter-size-for-sctp_get_assoc_stats.patch
+bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
+bugfix/all/bridge-fix-mdb-info-leaks.patch
+bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
+bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
+bugfix/all/alsa-seq-fix-missing-error-handling-in-snd_seq_timer_open.patch