[kernel] r19930 - in dists/sid/linux/debian/patches: . bugfix/all bugfix/powerpc bugfix/s390

Ben Hutchings benh at alioth.debian.org
Thu Mar 21 05:44:02 UTC 2013


Author: benh
Date: Thu Mar 21 05:44:01 2013
New Revision: 19930

Log:
Apply security fixes and other important fixes from 3.2.y-queue

Added:
   dists/sid/linux/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
   dists/sid/linux/debian/patches/bugfix/all/isofs-avoid-info-leak-on-export.patch
   dists/sid/linux/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
   dists/sid/linux/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
   dists/sid/linux/debian/patches/bugfix/all/udf-avoid-info-leak-on-export.patch
   dists/sid/linux/debian/patches/bugfix/all/vhost-net-fix-heads-usage-of-ubuf_info.patch
   dists/sid/linux/debian/patches/bugfix/powerpc/powerpc-fix-cputable-entry-for-970mp-rev-1.0.patch
   dists/sid/linux/debian/patches/bugfix/s390/s390-mm-fix-flush_tlb_kernel_range.patch
Modified:
   dists/sid/linux/debian/patches/series

Added: dists/sid/linux/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,83 @@
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:21 +0000
+Subject: dcbnl: fix various netlink info leaks
+
+[ Upstream commit 29cd8ae0e1a39e239a3a7b67da1986add1199fc0 ]
+
+The dcb netlink interface leaks stack memory in various places:
+* perm_addr[] buffer is only filled at max with 12 of the 32 bytes but
+  copied completely,
+* no in-kernel driver fills all fields of an IEEE 802.1Qaz subcommand,
+  so we're leaking up to 58 bytes for ieee_ets structs, up to 136 bytes
+  for ieee_pfc structs, etc.,
+* the same is true for CEE -- no in-kernel driver fills the whole
+  struct,
+
+Prevent all of the above stack info leaks by properly initializing the
+buffers/structures involved.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/dcb/dcbnl.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/dcb/dcbnl.c
++++ b/net/dcb/dcbnl.c
+@@ -336,6 +336,7 @@ static int dcbnl_getperm_hwaddr(struct n
+ 	dcb->dcb_family = AF_UNSPEC;
+ 	dcb->cmd = DCB_CMD_GPERM_HWADDR;
+ 
++	memset(perm_addr, 0, sizeof(perm_addr));
+ 	netdev->dcbnl_ops->getpermhwaddr(netdev, perm_addr);
+ 
+ 	ret = nla_put(dcbnl_skb, DCB_ATTR_PERM_HWADDR, sizeof(perm_addr),
+@@ -1238,6 +1239,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+ 
+ 	if (ops->ieee_getets) {
+ 		struct ieee_ets ets;
++		memset(&ets, 0, sizeof(ets));
+ 		err = ops->ieee_getets(netdev, &ets);
+ 		if (!err)
+ 			NLA_PUT(skb, DCB_ATTR_IEEE_ETS, sizeof(ets), &ets);
+@@ -1245,6 +1247,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+ 
+ 	if (ops->ieee_getpfc) {
+ 		struct ieee_pfc pfc;
++		memset(&pfc, 0, sizeof(pfc));
+ 		err = ops->ieee_getpfc(netdev, &pfc);
+ 		if (!err)
+ 			NLA_PUT(skb, DCB_ATTR_IEEE_PFC, sizeof(pfc), &pfc);
+@@ -1277,6 +1280,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+ 	/* get peer info if available */
+ 	if (ops->ieee_peer_getets) {
+ 		struct ieee_ets ets;
++		memset(&ets, 0, sizeof(ets));
+ 		err = ops->ieee_peer_getets(netdev, &ets);
+ 		if (!err)
+ 			NLA_PUT(skb, DCB_ATTR_IEEE_PEER_ETS, sizeof(ets), &ets);
+@@ -1284,6 +1288,7 @@ static int dcbnl_ieee_fill(struct sk_buf
+ 
+ 	if (ops->ieee_peer_getpfc) {
+ 		struct ieee_pfc pfc;
++		memset(&pfc, 0, sizeof(pfc));
+ 		err = ops->ieee_peer_getpfc(netdev, &pfc);
+ 		if (!err)
+ 			NLA_PUT(skb, DCB_ATTR_IEEE_PEER_PFC, sizeof(pfc), &pfc);
+@@ -1463,6 +1468,7 @@ static int dcbnl_cee_fill(struct sk_buff
+ 	/* peer info if available */
+ 	if (ops->cee_peer_getpg) {
+ 		struct cee_pg pg;
++		memset(&pg, 0, sizeof(pg));
+ 		err = ops->cee_peer_getpg(netdev, &pg);
+ 		if (!err)
+ 			NLA_PUT(skb, DCB_ATTR_CEE_PEER_PG, sizeof(pg), &pg);
+@@ -1470,6 +1476,7 @@ static int dcbnl_cee_fill(struct sk_buff
+ 
+ 	if (ops->cee_peer_getpfc) {
+ 		struct cee_pfc pfc;
++		memset(&pfc, 0, sizeof(pfc));
+ 		err = ops->cee_peer_getpfc(netdev, &pfc);
+ 		if (!err)
+ 			NLA_PUT(skb, DCB_ATTR_CEE_PEER_PFC, sizeof(pfc), &pfc);
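Review bot: None of the new memset() calls carries a comment, and because each zeroed struct is immediately passed to a driver callback that nominally fills it, a later cleanup could plausibly drop them as redundant; a one-line why-comment at the first ieee_ets site would anchor the intent, e.g. `/* zero first: drivers fill only a subset, and the whole struct is copied to userspace */`, with the perm_addr memset in dcbnl_getperm_hwaddr and the ivi.mac memset in the rtnetlink patch below sharing the same rationale. The inner hunks shown cover only the peer branches of dcbnl_cee_fill; whether its non-peer paths use the same on-stack struct pattern cannot be determined from here and is worth a look. All three enclosing functions (dcbnl_getperm_hwaddr, dcbnl_ieee_fill, dcbnl_cee_fill) start and end outside the hunk.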

Added: dists/sid/linux/debian/patches/bugfix/all/isofs-avoid-info-leak-on-export.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/isofs-avoid-info-leak-on-export.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,26 @@
+From: Mathias Krause <minipli at googlemail.com>
+Date: Thu, 12 Jul 2012 08:46:54 +0200
+Subject: isofs: avoid info leak on export
+
+commit fe685aabf7c8c9f138e5ea900954d295bf229175 upstream.
+
+For type 1 the parent_offset member in struct isofs_fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/isofs/export.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -135,6 +135,7 @@ isofs_export_encode_fh(struct dentry *de
+ 	len = 3;
+ 	fh32[0] = ei->i_iget5_block;
+  	fh16[2] = (__u16)ei->i_iget5_offset;  /* fh16 [sic] */
++	fh16[3] = 0;  /* avoid leaking uninitialized data */
+ 	fh32[2] = inode->i_generation;
+ 	if (connectable && !S_ISDIR(inode->i_mode)) {
+ 		struct inode *parent;
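Review bot: `fh16[3] = 0;` plugs exactly the parent_offset half-word, which ties the fix to the present member layout of the fid; zeroing the words the function emits before any field is written, e.g. `memset(fh32, 0, len * sizeof(*fh32));` right after `len = 3;`, would also cover any member added later, assuming the connectable branch below fully writes the words it appends. The udf patch further down applies the same member-by-member approach (`fid->udf.parent_partref = 0;`) and the same remark applies there. The pre-existing context line `fh16[2] = ...` is indented with a space before its tab, a cosmetic inconsistency this patch does not introduce. isofs_export_encode_fh starts and ends outside the hunk.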

Added: dists/sid/linux/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,67 @@
+From: Cong Wang <amwang at redhat.com>
+Date: Sun, 3 Mar 2013 16:18:11 +0000
+Subject: rds: limit the size allocated by rds_message_alloc()
+
+[ Upstream commit ece6b0a2b25652d684a7ced4ae680a863af041e0 ]
+
+Dave Jones reported the following bug:
+
+"When fed mangled socket data, rds will trust what userspace gives it,
+and tries to allocate enormous amounts of memory larger than what
+kmalloc can satisfy."
+
+WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0()
+Hardware name: GA-MA78GM-S2H
+Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s
+Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65
+Call Trace:
+ [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0
+ [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0
+ [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90
+ [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180
+ [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80
+ [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0
+ [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0
+ [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0
+ [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds]
+ [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds]
+ [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10
+ [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0
+ [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70
+ [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40
+ [<ffffffff81567f30>] sys_sendto+0x130/0x180
+ [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60
+ [<ffffffff816cd767>] ? sysret_check+0x1b/0x56
+ [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0
+ [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
+ [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b
+---[ end trace eed6ae990d018c8b ]---
+
+Reported-by: Dave Jones <davej at redhat.com>
+Cc: Dave Jones <davej at redhat.com>
+Cc: David S. Miller <davem at davemloft.net>
+Cc: Venkat Venkatsubra <venkat.x.venkatsubra at oracle.com>
+Signed-off-by: Cong Wang <amwang at redhat.com>
+Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra at oracle.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/rds/message.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/rds/message.c
++++ b/net/rds/message.c
+@@ -197,6 +197,9 @@ struct rds_message *rds_message_alloc(un
+ {
+ 	struct rds_message *rm;
+ 
++	if (extra_len > KMALLOC_MAX_SIZE - sizeof(struct rds_message))
++		return NULL;
++
+ 	rm = kzalloc(sizeof(struct rds_message) + extra_len, gfp);
+ 	if (!rm)
+ 		goto out;
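Review bot: The added guard uses `return NULL;` while the allocation failure two lines below uses `goto out;`, so the function now has two exit styles; unless `out:` does nothing but return rm, which cannot be confirmed from the hunk, the early return also skips whatever that label does. Declaring `struct rds_message *rm = NULL;` and making the guard `goto out;` would keep the single-exit convention either way. A short comment such as `/* extra_len comes from the caller's sendmsg(); cap it so kmalloc is never asked for more than it can serve */` would record why the check exists. rds_message_alloc's signature is cut at the hunk header and its body continues past the hunk.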

Added: dists/sid/linux/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,29 @@
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sat, 9 Mar 2013 05:52:20 +0000
+Subject: rtnl: fix info leak on RTM_GETLINK request for VF  devices
+
+[ Upstream commit 84d73cd3fb142bf1298a8c13fd4ca50fd2432372 ]
+
+Initialize the mac address buffer with 0 as the driver specific function
+will probably not fill the whole buffer. In fact, all in-kernel drivers
+fill only ETH_ALEN of the MAX_ADDR_LEN bytes, i.e. 6 of the 32 possible
+bytes. Therefore we currently leak 26 bytes of stack memory to userland
+via the netlink interface.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/core/rtnetlink.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -973,6 +973,7 @@ static int rtnl_fill_ifinfo(struct sk_bu
+ 			 * report anything.
+ 			 */
+ 			ivi.spoofchk = -1;
++			memset(ivi.mac, 0, sizeof(ivi.mac));
+ 			if (dev->netdev_ops->ndo_get_vf_config(dev, i, &ivi))
+ 				break;
+ 			vf_mac.vf =
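Review bot: Only ivi.mac is zeroed here, next to the existing explicit `ivi.spoofchk = -1;`; any other member of ivi that a driver's ndo_get_vf_config() leaves untouched is still copied out unchanged, so a single `memset(&ivi, 0, sizeof(ivi));` placed before the spoofchk assignment would be the robust form while keeping the -1 sentinel afterwards. Whether drivers actually leave other members unset cannot be determined from this hunk. The surrounding loop and rtnl_fill_ifinfo itself start and end outside the hunk.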

Added: dists/sid/linux/debian/patches/bugfix/all/udf-avoid-info-leak-on-export.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/udf-avoid-info-leak-on-export.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,26 @@
+From: Mathias Krause <minipli at googlemail.com>
+Date: Thu, 12 Jul 2012 08:46:55 +0200
+Subject: udf: avoid info leak on export
+
+commit 0143fc5e9f6f5aad4764801015bc8d4b4a278200 upstream.
+
+For type 0x51 the udf.parent_partref member in struct fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/namei.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1293,6 +1293,7 @@ static int udf_encode_fh(struct dentry *
+ 	*lenp = 3;
+ 	fid->udf.block = location.logicalBlockNum;
+ 	fid->udf.partref = location.partitionReferenceNum;
++	fid->udf.parent_partref = 0;
+ 	fid->udf.generation = inode->i_generation;
+ 
+ 	if (connectable && !S_ISDIR(inode->i_mode)) {

Added: dists/sid/linux/debian/patches/bugfix/all/vhost-net-fix-heads-usage-of-ubuf_info.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/vhost-net-fix-heads-usage-of-ubuf_info.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,31 @@
+From: "Michael S. Tsirkin" <mst at redhat.com>
+Date: Sun, 17 Mar 2013 02:46:09 +0000
+Subject: vhost/net: fix heads usage of ubuf_info
+
+commit 46aa92d1ba162b4b3d6b7102440e459d4e4ee255 upstream.
+
+ubuf info allocator uses guest controlled head as an index,
+so a malicious guest could put the same head entry in the ring twice,
+and we will get two callbacks on the same value.
+To fix use upend_idx which is guaranteed to be unique.
+
+Reported-by: Rusty Russell <rusty at rustcorp.com.au>
+Signed-off-by: Michael S. Tsirkin <mst at redhat.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/vhost/net.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/vhost/net.c
++++ b/drivers/vhost/net.c
+@@ -234,7 +234,8 @@ static void handle_tx(struct vhost_net *
+ 				msg.msg_controllen = 0;
+ 				ubufs = NULL;
+ 			} else {
+-				struct ubuf_info *ubuf = &vq->ubuf_info[head];
++				struct ubuf_info *ubuf;
++				ubuf = vq->ubuf_info + vq->upend_idx;
+ 
+ 				vq->heads[vq->upend_idx].len = len;
+ 				ubuf->callback = vhost_zerocopy_callback;
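Review bot: Splitting the declaration from the assignment (`struct ubuf_info *ubuf;` then `ubuf = vq->ubuf_info + vq->upend_idx;`) abandons the single-line initializer form of the removed line for no benefit; `struct ubuf_info *ubuf = &vq->ubuf_info[vq->upend_idx];` keeps the original shape. More importantly the reason for the change, that head is guest-supplied and can repeat whereas upend_idx is maintained by the host, exists only in the commit message, so a comment such as `/* index by upend_idx, never the guest-chosen head: a guest may queue the same head twice */` guards against a well-meaning revert to head. handle_tx starts and ends outside the hunk.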

Added: dists/sid/linux/debian/patches/bugfix/powerpc/powerpc-fix-cputable-entry-for-970mp-rev-1.0.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/powerpc/powerpc-fix-cputable-entry-for-970mp-rev-1.0.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,29 @@
+From: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Date: Wed, 13 Mar 2013 09:55:02 +1100
+Subject: powerpc: Fix cputable entry for 970MP rev 1.0
+
+commit d63ac5f6cf31c8a83170a9509b350c1489a7262b upstream.
+
+Commit 44ae3ab3358e962039c36ad4ae461ae9fb29596c forgot to update
+the entry for the 970MP rev 1.0 processor when moving some CPU
+features bits to the MMU feature bit mask. This breaks booting
+on some rare G5 models using that chip revision.
+
+Reported-by: Phileas Fogg <phileas-fogg at mail.ru>
+Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/powerpc/kernel/cputable.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/cputable.c
++++ b/arch/powerpc/kernel/cputable.c
+@@ -268,7 +268,7 @@ static struct cpu_spec __initdata cpu_sp
+ 		.cpu_features		= CPU_FTRS_PPC970,
+ 		.cpu_user_features	= COMMON_USER_POWER4 |
+ 			PPC_FEATURE_HAS_ALTIVEC_COMP,
+-		.mmu_features		= MMU_FTR_HPTE_TABLE,
++		.mmu_features		= MMU_FTRS_PPC970,
+ 		.icache_bsize		= 128,
+ 		.dcache_bsize		= 128,
+ 		.num_pmcs		= 8,

Added: dists/sid/linux/debian/patches/bugfix/s390/s390-mm-fix-flush_tlb_kernel_range.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/s390/s390-mm-fix-flush_tlb_kernel_range.patch	Thu Mar 21 05:44:01 2013	(r19930)
@@ -0,0 +1,40 @@
+From: Heiko Carstens <heiko.carstens at de.ibm.com>
+Date: Mon, 4 Mar 2013 14:14:11 +0100
+Subject: s390/mm: fix flush_tlb_kernel_range()
+
+commit f6a70a07079518280022286a1dceb797d12e1edf upstream.
+
+Our flush_tlb_kernel_range() implementation calls __tlb_flush_mm() with
+&init_mm as argument. __tlb_flush_mm() however will only flush tlbs
+for the passed in mm if its mm_cpumask is not empty.
+
+For the init_mm however its mm_cpumask has never any bits set. Which in
+turn means that our flush_tlb_kernel_range() implementation doesn't
+work at all.
+
+This can be easily verified with a vmalloc/vfree loop which allocates
+a page, writes to it and then frees the page again. A crash will follow
+almost instantly.
+
+To fix this remove the cpumask_empty() check in __tlb_flush_mm() since
+there shouldn't be too many mms with a zero mm_cpumask, besides the
+init_mm of course.
+
+Signed-off-by: Heiko Carstens <heiko.carstens at de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/s390/include/asm/tlbflush.h |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/s390/include/asm/tlbflush.h
++++ b/arch/s390/include/asm/tlbflush.h
+@@ -74,8 +74,6 @@ static inline void __tlb_flush_idte(unsi
+ 
+ static inline void __tlb_flush_mm(struct mm_struct * mm)
+ {
+-	if (unlikely(cpumask_empty(mm_cpumask(mm))))
+-		return;
+ 	/*
+ 	 * If the machine has IDTE we prefer to do a per mm flush
+ 	 * on all cpus instead of doing a local flush if the mm
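Review bot: With the cpumask_empty() shortcut removed, __tlb_flush_mm() no longer shows why a flush must proceed for an mm whose mm_cpumask is empty, and the remaining comment block only discusses IDTE versus local flushing; a line at the top of the body such as `/* No cpumask_empty() early-out: init_mm never sets mm_cpumask, yet flush_tlb_kernel_range() relies on this flushing. */` records the invariant the fix depends on. The trade-off, that every mm with an empty cpumask now takes the full flush path, is accepted in the commit message as rare but is worth stating in code as well. The rest of __tlb_flush_mm lies outside the hunk.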

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Thu Mar 21 05:25:15 2013	(r19929)
+++ dists/sid/linux/debian/patches/series	Thu Mar 21 05:44:01 2013	(r19930)
@@ -619,3 +619,11 @@
 bugfix/all/i915-initialize-CADL-in-opregion.patch
 bugfix/all/signal-fix-use-of-missing-sa_restorer-field.patch
 bugfix/all/kernel-signal.c-use-__ARCH_HAS_SA_RESTORER-instead-o.patch
+bugfix/all/rds-limit-the-size-allocated-by-rds_message_alloc.patch
+bugfix/all/rtnl-fix-info-leak-on-rtm_getlink-request-for-vf-devices.patch
+bugfix/all/dcbnl-fix-various-netlink-info-leaks.patch
+bugfix/s390/s390-mm-fix-flush_tlb_kernel_range.patch
+bugfix/powerpc/powerpc-fix-cputable-entry-for-970mp-rev-1.0.patch
+bugfix/all/vhost-net-fix-heads-usage-of-ubuf_info.patch
+bugfix/all/udf-avoid-info-leak-on-export.patch
+bugfix/all/isofs-avoid-info-leak-on-export.patch


