3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Jul 2013 18:22:42 +0000 (11:22 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 11 Jul 2013 18:22:42 +0000 (11:22 -0700)
added patches:
block-do-not-pass-disk-names-as-format-strings.patch
crypto-sanitize-argument-for-format-string.patch
drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
hpfs-better-test-for-errors.patch
libceph-fix-null-pointer-dereference-in-auth-client-code.patch
maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch

queue-3.0/block-do-not-pass-disk-names-as-format-strings.patch [new file with mode: 0644]
queue-3.0/crypto-sanitize-argument-for-format-string.patch [new file with mode: 0644]
queue-3.0/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch [new file with mode: 0644]
queue-3.0/hpfs-better-test-for-errors.patch [new file with mode: 0644]
queue-3.0/libceph-fix-null-pointer-dereference-in-auth-client-code.patch [new file with mode: 0644]
queue-3.0/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch [new file with mode: 0644]
queue-3.0/series [new file with mode: 0644]

diff --git a/queue-3.0/block-do-not-pass-disk-names-as-format-strings.patch b/queue-3.0/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644 (file)
index 0000000..eddf509
--- /dev/null
@@ -0,0 +1,62 @@
+From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 3 Jul 2013 15:01:14 -0700
+Subject: block: do not pass disk names as format strings
+
+From: Kees Cook <keescook@chromium.org>
+
+commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
+
+Disk names may contain arbitrary strings, so they must not be
+interpreted as format strings.  It seems that only md allows arbitrary
+strings to be used for disk names, but this could allow for a local
+memory corruption from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/genhd.c              |    2 +-
+ drivers/block/nbd.c        |    3 ++-
+ drivers/scsi/osd/osd_uld.c |    2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -518,7 +518,7 @@ void register_disk(struct gendisk *disk)
+       ddev->parent = disk->driverfs_dev;
+-      dev_set_name(ddev, disk->disk_name);
++      dev_set_name(ddev, "%s", disk->disk_name);
+       /* delay uevents, until we scanned partition table */
+       dev_set_uevent_suppress(ddev, 1);
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -658,7 +658,8 @@ static int __nbd_ioctl(struct block_devi
+               mutex_unlock(&lo->tx_lock);
+-              thread = kthread_create(nbd_thread, lo, lo->disk->disk_name);
++              thread = kthread_create(nbd_thread, lo, "%s",
++                                      lo->disk->disk_name);
+               if (IS_ERR(thread)) {
+                       mutex_lock(&lo->tx_lock);
+                       return PTR_ERR(thread);
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -465,7 +465,7 @@ static int osd_probe(struct device *dev)
+       oud->class_dev.class = &osd_uld_class;
+       oud->class_dev.parent = dev;
+       oud->class_dev.release = __remove;
+-      error = dev_set_name(&oud->class_dev, disk->disk_name);
++      error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+       if (error) {
+               OSD_ERR("dev_set_name failed => %d\n", error);
+               goto err_put_cdev;
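Review bot: None of the three corrected call sites (the genhd.c hunk, and likewise the nbd.c and osd_uld.c hunks) records why the literal `"%s"` is there, so a later tidy-up could fold it back into the single-argument form that this patch removes. A one-line comment at each, e.g. `/* disk_name may be user-chosen (md): never pass it as a format string */`, would keep the intent visible. Whether the callees carry `__printf` annotations that would let -Wformat-security catch a reintroduction is not visible in these hunks, so the comment is the only guard I can confirm here. All three enclosing functions start and end outside the hunks.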
diff --git a/queue-3.0/crypto-sanitize-argument-for-format-string.patch b/queue-3.0/crypto-sanitize-argument-for-format-string.patch
new file mode 100644 (file)
index 0000000..4e0441a
--- /dev/null
@@ -0,0 +1,35 @@
+From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 3 Jul 2013 15:01:15 -0700
+Subject: crypto: sanitize argument for format string
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
+
+The template lookup interface does not provide a way to use format
+strings, so make sure that the interface cannot be abused accidentally.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algapi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -478,7 +478,8 @@ static struct crypto_template *__crypto_
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+-      return try_then_request_module(__crypto_lookup_template(name), name);
++      return try_then_request_module(__crypto_lookup_template(name), "%s",
++                                     name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
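Review bot: `crypto_lookup_template` gains the `"%s"` but no comment documenting that `name` is opaque data rather than a format, so the next reader sees an apparently redundant argument to `try_then_request_module`. Suggest a line above the function such as `/* @name is opaque caller data, not a format string: always pass it via "%s" */`. Where `name` can originate is not shown in the hunk, so the comment should state the contract rather than make a claim about callers.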
diff --git a/queue-3.0/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch b/queue-3.0/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
new file mode 100644 (file)
index 0000000..958d8d0
--- /dev/null
@@ -0,0 +1,51 @@
+From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+Date: Wed, 3 Jul 2013 15:01:13 -0700
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+
+commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+  2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+  2886         if (cgc->buffer == NULL)
+  2887                 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+  2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function.
+If ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled.  The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Jonathan Salwan <jonathan.salwan@gmail.com>
+Cc: Luis Henriques <luis.henriques@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cdrom/cdrom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2879,7 +2879,7 @@ static noinline int mmc_ioctl_cdrom_read
+       if (lba < 0)
+               return -EINVAL;
+-      cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++      cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+       if (cgc->buffer == NULL)
+               return -ENOMEM;
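Review bot: `kzalloc` removes the uninitialised-heap disclosure, but the `copy_to_user` quoted in the description still copies the full `blocksize` regardless of how many bytes the drive actually returned, so a short transfer now hands userspace zero padding presented as disk data. If the transferred length is available from the packet command after the read is issued, bounding the copy by it, or failing the ioctl on a short read, would make the result correct rather than merely non-leaking; that path is not in the hunk, so treat this as a follow-up to confirm. `mmc_ioctl_cdrom_read_data` starts and ends outside the hunk.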
diff --git a/queue-3.0/hpfs-better-test-for-errors.patch b/queue-3.0/hpfs-better-test-for-errors.patch
new file mode 100644 (file)
index 0000000..d0bf39b
--- /dev/null
@@ -0,0 +1,54 @@
+From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+Date: Thu, 4 Jul 2013 18:42:29 +0200
+Subject: hpfs: better test for errors
+
+From: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
+
+commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
+
+The test if bitmap access is out of bound could errorneously pass if the
+device size is divisible by 16384 sectors and we are asking for one bitmap
+after the end.
+
+Check for invalid size in the superblock. Invalid size could cause integer
+overflows in the rest of the code.
+
+Signed-off-by: Mikulas Patocka <mpatocka@artax.karlin.mff.cuni.cz>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/hpfs/map.c   |    3 ++-
+ fs/hpfs/super.c |    8 +++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/hpfs/map.c
++++ b/fs/hpfs/map.c
+@@ -17,7 +17,8 @@ unsigned int *hpfs_map_bitmap(struct sup
+                        struct quad_buffer_head *qbh, char *id)
+ {
+       secno sec;
+-      if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
++      unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
++      if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
+               hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
+               return NULL;
+       }
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -553,7 +553,13 @@ static int hpfs_fill_super(struct super_
+       sbi->sb_cp_table = NULL;
+       sbi->sb_c_bitmap = -1;
+       sbi->sb_max_fwd_alloc = 0xffffff;
+-      
++
++      if (sbi->sb_fs_size >= 0x80000000) {
++              hpfs_error(s, "invalid size in superblock: %08x",
++                      (unsigned)sbi->sb_fs_size);
++              goto bail4;
++      }
++
+       /* Load bitmap directory */
+       if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
+               goto bail4;
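Review bot: In the map.c hunk the new `n_bands` rounding `sb_fs_size + 0x3fff` is only overflow-free because the super.c hunk now rejects `sb_fs_size >= 0x80000000`, and nothing at the use site records that dependency. Suggest a comment on the `n_bands` line, e.g. `/* sb_fs_size < 0x80000000 is enforced in hpfs_fill_super, so this cannot wrap */`. Note also that the corrected bound is still evaluated only when `sb_chk` is set, so with checking disabled an out-of-range `bmp_block` still passes here; whether callers guarantee the range is not visible in the hunk. Both `hpfs_map_bitmap` and `hpfs_fill_super` begin and end outside the hunks.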
diff --git a/queue-3.0/libceph-fix-null-pointer-dereference-in-auth-client-code.patch b/queue-3.0/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
new file mode 100644 (file)
index 0000000..ee6a813
--- /dev/null
@@ -0,0 +1,49 @@
+From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Thu, 20 Jun 2013 13:13:59 -0700
+Subject: libceph: Fix NULL pointer dereference in auth client code
+
+From: Tyler Hicks <tyhicks@canonical.com>
+
+commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
+
+A malicious monitor can craft an auth reply message that could cause a
+NULL function pointer dereference in the client's kernel.
+
+To prevent this, the auth_none protocol handler needs an empty
+ceph_auth_client_ops->build_request() function.
+
+CVE-2013-1059
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+Reported-by: Chanam Park <chanam.park@hkpco.kr>
+Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
+Reviewed-by: Sage Weil <sage@inktank.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ceph/auth_none.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ceph/auth_none.c
++++ b/net/ceph/auth_none.c
+@@ -39,6 +39,11 @@ static int should_authenticate(struct ce
+       return xi->starting;
+ }
++static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
++{
++      return 0;
++}
++
+ /*
+  * the generic auth code decode the global_id, and we carry no actual
+  * authenticate state, so nothing happens here.
+@@ -107,6 +112,7 @@ static const struct ceph_auth_client_ops
+       .destroy = destroy,
+       .is_authenticated = is_authenticated,
+       .should_authenticate = should_authenticate,
++      .build_request = build_request,
+       .handle_reply = handle_reply,
+       .create_authorizer = ceph_auth_none_create_authorizer,
+       .destroy_authorizer = ceph_auth_none_destroy_authorizer,
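Review bot: The new `build_request` stub carries no comment explaining why a protocol that sends nothing needs a non-NULL `->build_request`, which is the whole reason for the change per the description. Suggest above the function: `/* The generic auth code invokes ops->build_request() when an auth reply asks for one; auth_none has nothing to send, so report 0 bytes. */`. A NULL check at the generic call site would additionally cover any future handler that omits the op, but that site is not in this hunk. The `ceph_auth_client_ops` initializer in the second hunk continues outside it.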
diff --git a/queue-3.0/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch b/queue-3.0/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
new file mode 100644 (file)
index 0000000..a6175c3
--- /dev/null
@@ -0,0 +1,30 @@
+From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 18 Jun 2013 12:58:12 -0700
+Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
+
+This hopefully will help point developers to the proper way that patches
+should be submitted for inclusion in the stable kernel releases.
+
+Reported-by: David Howells <dhowells@redhat.com>
+Acked-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ MAINTAINERS |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -5725,6 +5725,7 @@ P:       Vincent Sanders <vince@simtec.co.uk>
+ M:    Simtec Linux Team <linux@simtec.co.uk>
+ W:    http://www.simtec.co.uk/products/EB110ATX/
+ S:    Supported
++F:    Documentation/stable_kernel_rules.txt
+ SIMTEC EB2410ITX (BAST)
+ P:    Ben Dooks
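Review bot: The context lines of this hunk (`Vincent Sanders`, `Simtec Linux Team`, the EB110ATX URL) show the `F: Documentation/stable_kernel_rules.txt` line landing inside the SIMTEC EB110ATX entry, not the STABLE BRANCH entry the subject describes; this looks like a fuzzed application against a 3.0 MAINTAINERS whose STABLE BRANCH block differs from the upstream context. The line should follow the `S:` line of the STABLE BRANCH entry and the hunk be regenerated against the 3.0 file. That entry is not visible here, so its exact location in the 3.0 file needs checking.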
diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644 (file)
index 0000000..7b7249a
--- /dev/null
@@ -0,0 +1,6 @@
+libceph-fix-null-pointer-dereference-in-auth-client-code.patch
+drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
+hpfs-better-test-for-errors.patch
+block-do-not-pass-disk-names-as-format-strings.patch
+crypto-sanitize-argument-for-format-string.patch
+maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch