3.9-stable patches

added patches:
	audit-wait_for_auditd-should-use-task_uninterruptible.patch
	b43-stop-format-string-leaking-into-error-msgs.patch

diff --git a/queue-3.9/audit-wait_for_auditd-should-use-task_uninterruptible.patch b/queue-3.9/audit-wait_for_auditd-should-use-task_uninterruptible.patch
new file mode 100644 (file)
index 0000000..51844c3
--- /dev/null
+++ b/queue-3.9/audit-wait_for_auditd-should-use-task_uninterruptible.patch
@@ -0,0 +1,46 @@
+From f000cfdde5de4fc15dead5ccf524359c07eadf2b Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Wed, 12 Jun 2013 14:04:46 -0700
+Subject: audit: wait_for_auditd() should use TASK_UNINTERRUPTIBLE
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit f000cfdde5de4fc15dead5ccf524359c07eadf2b upstream.
+
+audit_log_start() does wait_for_auditd() in a loop until
+audit_backlog_wait_time passes or audit_skb_queue has a room.
+
+If signal_pending() is true this becomes a busy-wait loop, schedule() in
+TASK_INTERRUPTIBLE won't block.
+
+Thanks to Guy for fully investigating and explaining the problem.
+
+(akpm: that'll cause the system to lock up on a non-preemptible
+uniprocessor kernel)
+
+(Guy: "Our customer was in fact running a uniprocessor machine, and they
+reported a system hang.")
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Reported-by: Guy Streeter <streeter@redhat.com>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/audit.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/audit.c
++++ b/kernel/audit.c
+@@ -1107,7 +1107,7 @@ static inline void audit_get_stamp(struc
+ static void wait_for_auditd(unsigned long sleep_time)
+ {
+       DECLARE_WAITQUEUE(wait, current);
+-      set_current_state(TASK_INTERRUPTIBLE);
++      set_current_state(TASK_UNINTERRUPTIBLE);
+       add_wait_queue(&audit_backlog_wait, &wait);
+ 
+       if (audit_backlog_limit &&

diff --git a/queue-3.9/b43-stop-format-string-leaking-into-error-msgs.patch b/queue-3.9/b43-stop-format-string-leaking-into-error-msgs.patch
new file mode 100644 (file)
index 0000000..97e09d8
--- /dev/null
+++ b/queue-3.9/b43-stop-format-string-leaking-into-error-msgs.patch
@@ -0,0 +1,36 @@
+From e0e29b683d6784ef59bbc914eac85a04b650e63c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 10 May 2013 14:48:21 -0700
+Subject: b43: stop format string leaking into error msgs
+
+From: Kees Cook <keescook@chromium.org>
+
+commit e0e29b683d6784ef59bbc914eac85a04b650e63c upstream.
+
+The module parameter "fwpostfix" is userspace controllable, unfiltered,
+and is used to define the firmware filename. b43_do_request_fw() populates
+ctx->errors[] on error, containing the firmware filename. b43err()
+parses its arguments as a format string. For systems with b43 hardware,
+this could lead to a uid-0 to ring-0 escalation.
+
+CVE-2013-2852
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/b43/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/b43/main.c
++++ b/drivers/net/wireless/b43/main.c
+@@ -2451,7 +2451,7 @@ static void b43_request_firmware(struct
+       for (i = 0; i < B43_NR_FWTYPES; i++) {
+               errmsg = ctx->errors[i];
+               if (strlen(errmsg))
+-                      b43err(dev->wl, errmsg);
++                      b43err(dev->wl, "%s", errmsg);
+       }
+       b43_print_fw_helptext(dev->wl, 1);
+       goto out;

diff --git a/queue-3.9/series b/queue-3.9/series
new file mode 100644 (file)
index 0000000..a3a11cf
--- /dev/null
+++ b/queue-3.9/series
@@ -0,0 +1,2 @@
+audit-wait_for_auditd-should-use-task_uninterruptible.patch
+b43-stop-format-string-leaking-into-error-msgs.patch