]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
.27 patches
authorGreg Kroah-Hartman <gregkh@suse.de>
Fri, 29 Oct 2010 21:17:19 +0000 (14:17 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Fri, 29 Oct 2010 21:17:19 +0000 (14:17 -0700)
queue-2.6.27/pcmcia-synclink_cs-fix-information-leak-to-userland.patch [new file with mode: 0644]
queue-2.6.27/sched-fix-string-comparison-in-proc-sched_features.patch [new file with mode: 0644]

diff --git a/queue-2.6.27/pcmcia-synclink_cs-fix-information-leak-to-userland.patch b/queue-2.6.27/pcmcia-synclink_cs-fix-information-leak-to-userland.patch
new file mode 100644 (file)
index 0000000..7fa01e4
--- /dev/null
@@ -0,0 +1,31 @@
+From 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov <segooon@gmail.com>
+Date: Sun, 17 Oct 2010 18:41:24 +0400
+Subject: pcmcia: synclink_cs: fix information leak to userland
+
+From: Vasiliy Kulikov <segooon@gmail.com>
+
+commit 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 upstream.
+
+Structure new_line is copied to userland with some padding fields unitialized.
+It leads to leaking of stack memory.
+
+Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/pcmcia/synclink_cs.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/pcmcia/synclink_cs.c
++++ b/drivers/char/pcmcia/synclink_cs.c
+@@ -4287,6 +4287,8 @@ static int hdlcdev_ioctl(struct net_devi
+       if (cmd != SIOCWANDEV)
+               return hdlc_ioctl(dev, ifr, cmd);
++      memset(&new_line, 0, size);
++
+       switch(ifr->ifr_settings.type) {
+       case IF_GET_IFACE: /* return current sync_serial_settings */
diff --git a/queue-2.6.27/sched-fix-string-comparison-in-proc-sched_features.patch b/queue-2.6.27/sched-fix-string-comparison-in-proc-sched_features.patch
new file mode 100644 (file)
index 0000000..0d074c8
--- /dev/null
@@ -0,0 +1,62 @@
+From 7740191cd909b75d75685fb08a5d1f54b8a9d28b Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Mon, 13 Sep 2010 17:47:00 -0400
+Subject: sched: Fix string comparison in /proc/sched_features
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit 7740191cd909b75d75685fb08a5d1f54b8a9d28b upstream.
+
+Fix incorrect handling of the following case:
+
+ INTERACTIVE
+ INTERACTIVE_SOMETHING_ELSE
+
+The comparison only checks up to each element's length.
+
+Changelog since v1:
+ - Embellish using some Rostedtisms.
+  [ mingo:                 ^^ == smaller and cleaner ]
+
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Reviewed-by: Steven Rostedt <rostedt@goodmis.org>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Tony Lindgren <tony@atomide.com>
+LKML-Reference: <20100913214700.GB16118@Krystal>
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/sched.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -744,7 +744,7 @@ sched_feat_write(struct file *filp, cons
+               size_t cnt, loff_t *ppos)
+ {
+       char buf[64];
+-      char *cmp = buf;
++      char *cmp;
+       int neg = 0;
+       int i;
+@@ -755,6 +755,7 @@ sched_feat_write(struct file *filp, cons
+               return -EFAULT;
+       buf[cnt] = 0;
++      cmp = strstrip(buf);
+       if (strncmp(buf, "NO_", 3) == 0) {
+               neg = 1;
+@@ -762,9 +763,7 @@ sched_feat_write(struct file *filp, cons
+       }
+       for (i = 0; sched_feat_names[i]; i++) {
+-              int len = strlen(sched_feat_names[i]);
+-
+-              if (strncmp(cmp, sched_feat_names[i], len) == 0) {
++              if (strcmp(cmp, sched_feat_names[i]) == 0) {
+                       if (neg)
+                               sysctl_sched_features &= ~(1UL << i);
+                       else