.27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Wed, 15 Sep 2010 22:17:47 +0000 (15:17 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Wed, 15 Sep 2010 22:17:47 +0000 (15:17 -0700)
queue-2.6.27/irda-off-by-one.patch [new file with mode: 0644]
queue-2.6.27/series
queue-2.6.27/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch [new file with mode: 0644]

diff --git a/queue-2.6.27/irda-off-by-one.patch b/queue-2.6.27/irda-off-by-one.patch
new file mode 100644 (file)
index 0000000..1e00e32
--- /dev/null
@@ -0,0 +1,33 @@
+From cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <error27@gmail.com>
+Date: Sat, 4 Sep 2010 03:14:35 +0000
+Subject: irda: off by one
+
+From: Dan Carpenter <error27@gmail.com>
+
+commit cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad upstream.
+
+This is an off by one.  We would go past the end when we NUL terminate
+the "value" string at end of the function.  The "value" buffer is
+allocated in irlan_client_parse_response() or
+irlan_provider_parse_command().
+
+CC: stable@kernel.org
+Signed-off-by: Dan Carpenter <error27@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+
+---
+ net/irda/irlan/irlan_common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/irda/irlan/irlan_common.c
++++ b/net/irda/irlan/irlan_common.c
+@@ -1100,7 +1100,7 @@ int irlan_extract_param(__u8 *buf, char
+       memcpy(&val_len, buf+n, 2); /* To avoid alignment problems */
+       le16_to_cpus(&val_len); n+=2;
+-      if (val_len > 1016) {
++      if (val_len >= 1016) {
+               IRDA_DEBUG(2, "%s(), parameter length to long\n", __func__ );
+               return -RSP_INVALID_COMMAND_FORMAT;
+       }
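Review bot: The limit in `if (val_len >= 1016)` is a bare literal that is only correct while it matches the size of the `value` buffer, which the commit message says is allocated in two other functions not shown in this hunk. Because `val_len` is read out of `buf` and later used as the index of the NUL terminator, a named constant shared by both allocations and this check would keep them from drifting apart again, for example `if (val_len >= IRLAN_MAX_VALUE_LEN)` (a suggested name, not an existing one). A comment such as `/* value[val_len] is written below, so val_len must stay below the buffer size */` would record why the comparison is `>=`. The rest of irlan_extract_param lies outside the hunk, so whether `n + val_len` is also checked against the length of the received frame cannot be confirmed from here.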
index 64985bed135554e665cfafd52342efda35db0868..8eb37cb5334b45d93e43cff4600e4e9880b833b9 100644 (file)
@@ -1,2 +1,4 @@
 alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch
 ath9k_hw-fix-parsing-of-ht40-5-ghz-ctls.patch
+tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
+irda-off-by-one.patch
diff --git a/queue-2.6.27/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/queue-2.6.27/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch
new file mode 100644 (file)
index 0000000..b5b9d16
--- /dev/null
@@ -0,0 +1,54 @@
+From 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt <srostedt@redhat.com>
+Date: Wed, 8 Sep 2010 11:20:37 -0400
+Subject: tracing: Do not allow llseek to set_ftrace_filter
+
+From: Steven Rostedt <srostedt@redhat.com>
+
+commit 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 upstream.
+
+Reading the file set_ftrace_filter does three things.
+
+1) shows whether or not filters are set for the function tracer
+2) shows what functions are set for the function tracer
+3) shows what triggers are set on any functions
+
+3 is independent from 1 and 2.
+
+The way this file currently works is that it is a state machine,
+and as you read it, it may change state. But this assumption breaks
+when you use lseek() on the file. The state machine gets out of sync
+and the t_show() may use the wrong pointer and cause a kernel oops.
+
+Luckily, this will only kill the app that does the lseek, but the app
+dies while holding a mutex. This prevents anyone else from using the
+set_ftrace_filter file (or any other function tracing file for that matter).
+
+A real fix for this is to rewrite the code, but that is too much for
+a -rc release or stable. This patch simply disables llseek on the
+set_ftrace_filter() file for now, and we can do the proper fix for the
+next major release.
+
+Reported-by: Robert Swiecki <swiecki@google.com>
+Cc: Chris Wright <chrisw@sous-sol.org>
+Cc: Tavis Ormandy <taviso@google.com>
+Cc: Eugene Teo <eugene@redhat.com>
+Cc: vendor-sec@lst.de
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/trace/ftrace.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -1456,7 +1456,7 @@ static struct file_operations ftrace_fil
+       .open = ftrace_filter_open,
+       .read = ftrace_regex_read,
+       .write = ftrace_filter_write,
+-      .llseek = ftrace_regex_lseek,
++      .llseek = no_llseek,
+       .release = ftrace_filter_release,
+ };
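Review bot: Setting `.llseek = no_llseek` closes only the lseek entry point. Positional reads and writes are gated by the file's mode flags rather than by this member, so it is worth confirming that ftrace_filter_open also marks the file non-seekable (for instance through `nonseekable_open()`), which is not visible in this hunk. Since the commit message describes this as a stopgap, a comment on the line would keep a later cleanup from restoring the seek handler: `/* seeking desyncs the t_show() state machine; keep disabled until the iterator is rewritten */`. Any other file_operations in ftrace.c that still point at ftrace_regex_lseek and share t_show() are outside the hunk and deserve the same check.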