--- /dev/null
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: aacraid: prevent invalid pointer dereference
+
+From: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
+
+commit b4789b8e6be3151a955ade74872822f30e8cd914 upstream.
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data. So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara <Mahesh.Rajashekhara@pmcs.com>
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -510,7 +510,8 @@ static int aac_send_raw_srb(struct aac_d
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
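Review bot: The new lower bound on `fibsize` only guarantees that the fixed part of `struct user_aac_srb` up to `sg.count` lies inside the copied buffer; it does not by itself bound the `sg.count` entries that, per the commit message, are later read from `user_srbcmd`. That per-entry validation has to come from a later comparison of `fibsize` against a size derived from `sg.count`, which is outside this hunk, so confirm it runs before any scatter-gather entry is touched. The subtraction also deserves a comment such as `/* header without the embedded sg entry: commands without data carry none */`, because the reason one `struct user_sgentry` is subtracted is explained only in the commit message. The upper bound `dev->max_fib_size - sizeof(struct aac_fibhdr)` is an unsigned subtraction and presumably relies on `max_fib_size` always exceeding the header size. aac_send_raw_srb's body starts and ends outside the hunk.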
--- /dev/null
+From 63660e05ec719613b518547b40a1c501c10f0bc4 Mon Sep 17 00:00:00 2001
+From: Bob Moore <robert.moore@intel.com>
+Date: Thu, 8 Aug 2013 15:29:32 +0800
+Subject: ACPICA: DeRefOf operator: Update to fully resolve FieldUnit and BufferField refs.
+
+From: Bob Moore <robert.moore@intel.com>
+
+commit 63660e05ec719613b518547b40a1c501c10f0bc4 upstream.
+
+Previously, references to these objects were resolved only to the actual
+FieldUnit or BufferField object. The correct behavior is to resolve these
+references to an actual value.
+The problem is that DerefOf did not resolve these objects to actual
+values. An "Integer" object is simple, return the value. But a field in
+an operation region will require a read operation. For a BufferField, the
+appropriate data must be extracted from the parent buffer.
+
+NOTE: It appears that this issues is present in Windows7 but not
+Windows8.
+
+Signed-off-by: Bob Moore <robert.moore@intel.com>
+Signed-off-by: Lv Zheng <lv.zheng@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpica/exoparg1.c | 35 ++++++++++++++++++++++++++++++++---
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+--- a/drivers/acpi/acpica/exoparg1.c
++++ b/drivers/acpi/acpica/exoparg1.c
+@@ -991,11 +991,40 @@ acpi_status acpi_ex_opcode_1A_0T_1R(stru
+ acpi_namespace_node
+ *)
+ return_desc);
+- }
++ if (!return_desc) {
++ break;
++ }
++
++ /*
++ * June 2013:
++ * buffer_fields/field_units require additional resolution
++ */
++ switch (return_desc->common.type) {
++ case ACPI_TYPE_BUFFER_FIELD:
++ case ACPI_TYPE_LOCAL_REGION_FIELD:
++ case ACPI_TYPE_LOCAL_BANK_FIELD:
++ case ACPI_TYPE_LOCAL_INDEX_FIELD:
++
++ status =
++ acpi_ex_read_data_from_field
++ (walk_state, return_desc,
++ &temp_desc);
++ if (ACPI_FAILURE(status)) {
++ goto cleanup;
++ }
+
+- /* Add another reference to the object! */
++ return_desc = temp_desc;
++ break;
+
+- acpi_ut_add_reference(return_desc);
++ default:
++
++ /* Add another reference to the object */
++
++ acpi_ut_add_reference
++ (return_desc);
++ break;
++ }
++ }
+ break;
+
+ default:
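Review bot: On the new field path, a failing `acpi_ex_read_data_from_field` jumps to `cleanup` while `return_desc` still points at the object returned by `acpi_ns_get_attached_object`, for which this code has taken no reference. The `cleanup` label is outside the hunk; if it releases `return_desc` on failure, this path would drop a reference it never acquired, so either clear the pointer first (`return_desc = NULL;` before the `goto cleanup;`) or confirm that cleanup does not touch it. The success path likewise depends on `temp_desc` coming back already referenced, since `acpi_ut_add_reference` is now called only in the `default` arm; once verified, a comment such as `/* temp_desc is returned with its own reference */` would record that assumption. acpi_ex_opcode_1A_0T_1R's body starts and ends outside the hunk.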
--- /dev/null
+From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 30 Oct 2013 20:12:51 +0300
+Subject: libertas: potential oops in debugfs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 upstream.
+
+If we do a zero size allocation then it will oops. Also we can't be
+sure the user passes us a NUL terminated string so I've added a
+terminator.
+
+This code can only be triggered by root.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Cc: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/libertas/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct
+ char *p2;
+ struct debug_data *d = f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
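Review bot: `lbs_debugfs_write` reports failure as `return 0`, both for the `kmalloc` failure in this hunk and for what appears to be the user-copy failure path in the next hunk (the `kfree(pdata); return 0;` lines), so the caller sees a zero-byte write instead of an error and may simply retry. Returning an errno would make the failure visible: `if (pdata == NULL) return -ENOMEM;` here and `return -EFAULT;` after the `kfree(pdata);` below. The added `cnt == 0` early return and the `cnt + 1` allocation are consistent with the `pdata[cnt] = '\0';` terminator added in the second hunk. The function body starts and ends outside both hunks.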
+@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
--- /dev/null
+acpica-derefof-operator-update-to-fully-resolve-fieldunit-and-bufferfield-refs.patch
+libertas-potential-oops-in-debugfs.patch
+aacraid-prevent-invalid-pointer-dereference.patch