--- /dev/null
+From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 19 Oct 2012 13:56:51 -0700
+Subject: kernel/sys.c: fix stack memory content leak via UNAME26
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream.
+
+Calling uname() with the UNAME26 personality set allows a leak of kernel
+stack contents. This fixes it by defensively calculating the length of
+copy_to_user() call, making the len argument unsigned, and initializing
+the stack buffer to zero (now technically unneeded, but hey, overkill).
+
+CVE-2012-0957
+
+Reported-by: PaX Team <pageexec@freemail.hu>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Andi Kleen <ak@linux.intel.com>
+Cc: PaX Team <pageexec@freemail.hu>
+Cc: Brad Spengler <spender@grsecurity.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sys.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1133,15 +1133,16 @@ DECLARE_RWSEM(uts_sem);
+ * Work around broken programs that cannot handle "Linux 3.0".
+ * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40
+ */
+-static int override_release(char __user *release, int len)
++static int override_release(char __user *release, size_t len)
+ {
+ int ret = 0;
+- char buf[65];
+
+ if (current->personality & UNAME26) {
+- char *rest = UTS_RELEASE;
++ const char *rest = UTS_RELEASE;
++ char buf[65] = { 0 };
+ int ndots = 0;
+ unsigned v;
++ size_t copy;
+
+ while (*rest) {
+ if (*rest == '.' && ++ndots >= 3)
+@@ -1151,8 +1152,9 @@ static int override_release(char __user
+ rest++;
+ }
+ v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+- snprintf(buf, len, "2.6.%u%s", v, rest);
+- ret = copy_to_user(release, buf, len);
++ copy = min(sizeof(buf), max_t(size_t, 1, len));
++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
++ ret = copy_to_user(release, buf, copy + 1);
+ }
+ return ret;
+ }
--- /dev/null
+From cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Sat, 13 Oct 2012 00:30:28 -0400
+Subject: NLM: nlm_lookup_file() may return NLMv4-specific error codes
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 upstream.
+
+If the filehandle is stale, or open access is denied for some reason,
+nlm_fopen() may return one of the NLMv4-specific error codes nlm4_stale_fh
+or nlm4_failed. These get passed right through nlm_lookup_file(),
+and so when nlmsvc_retrieve_args() calls the latter, it needs to filter
+the result through the cast_status() machinery.
+
+Failure to do so, will trigger the BUG_ON() in encode_nlm_stat...
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Reported-by: Larry McVoy <lm@bitmover.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/clntxdr.c | 2 +-
+ fs/lockd/svcproc.c | 3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/lockd/clntxdr.c
++++ b/fs/lockd/clntxdr.c
+@@ -223,7 +223,7 @@ static void encode_nlm_stat(struct xdr_s
+ {
+ __be32 *p;
+
+- BUG_ON(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD);
++ WARN_ON_ONCE(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD);
+ p = xdr_reserve_space(xdr, 4);
+ *p = stat;
+ }
+--- a/fs/lockd/svcproc.c
++++ b/fs/lockd/svcproc.c
+@@ -67,7 +67,8 @@ nlmsvc_retrieve_args(struct svc_rqst *rq
+
+ /* Obtain file pointer. Not used by FREE_ALL call. */
+ if (filp != NULL) {
+- if ((error = nlm_lookup_file(rqstp, &file, &lock->fh)) != 0)
++ error = cast_status(nlm_lookup_file(rqstp, &file, &lock->fh));
++ if (error != 0)
+ goto no_locks;
+ *filp = file;
+
--- /dev/null
+From 44009105081b51417f311f4c3be0061870b6b8ed Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 10 Oct 2012 10:18:35 +0300
+Subject: oprofile, x86: Fix wrapping bug in op_x86_get_ctrl()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 44009105081b51417f311f4c3be0061870b6b8ed upstream.
+
+The "event" variable is a u16 so the shift will always wrap to zero
+making the line a no-op.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Robert Richter <robert.richter@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/oprofile/nmi_int.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/oprofile/nmi_int.c
++++ b/arch/x86/oprofile/nmi_int.c
+@@ -55,7 +55,7 @@ u64 op_x86_get_ctrl(struct op_x86_model_
+ val |= counter_config->extra;
+ event &= model->event_mask ? model->event_mask : 0xFF;
+ val |= event & 0xFF;
+- val |= (event & 0x0F00) << 24;
++ val |= (u64)(event & 0x0F00) << 24;
+
+ return val;
+ }
--- /dev/null
+From fdc858a466b738d35d3492bc7cf77b1dac98bf7c Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 30 Apr 2012 13:50:56 +0000
+Subject: pcmcia: sharpsl: don't discard sharpsl_pcmcia_ops
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit fdc858a466b738d35d3492bc7cf77b1dac98bf7c upstream.
+
+The sharpsl_pcmcia_ops structure gets passed into
+sa11xx_drv_pcmcia_probe, where it gets accessed at run-time,
+unlike all other pcmcia drivers that pass their structures
+into platform_device_add_data, which makes a copy.
+
+This means the gcc warning is valid and the structure
+must not be marked as __initdata.
+
+Without this patch, building collie_defconfig results in:
+
+drivers/pcmcia/pxa2xx_sharpsl.c:22:31: fatal error: mach-pxa/hardware.h: No such file or directory
+compilation terminated.
+make[3]: *** [drivers/pcmcia/pxa2xx_sharpsl.o] Error 1
+make[2]: *** [drivers/pcmcia] Error 2
+make[1]: *** [drivers] Error 2
+make: *** [sub-make] Error 2
+
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Cc: Dominik Brodowski <linux@dominikbrodowski.net>
+Cc: Russell King <rmk+kernel@arm.linux.org.uk>
+Cc: Pavel Machek <pavel@suse.cz>
+Cc: linux-pcmcia@lists.infradead.org
+Cc: Jochen Friedrich <jochen@scram.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pcmcia/pxa2xx_sharpsl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pcmcia/pxa2xx_sharpsl.c
++++ b/drivers/pcmcia/pxa2xx_sharpsl.c
+@@ -222,7 +222,7 @@ static void sharpsl_pcmcia_socket_suspen
+ sharpsl_pcmcia_init_reset(skt);
+ }
+
+-static struct pcmcia_low_level sharpsl_pcmcia_ops __initdata = {
++static struct pcmcia_low_level sharpsl_pcmcia_ops = {
+ .owner = THIS_MODULE,
+ .hw_init = sharpsl_pcmcia_hw_init,
+ .hw_shutdown = sharpsl_pcmcia_hw_shutdown,
--- /dev/null
+From 12d63702c53bc2230dfc997e91ca891f39cb6446 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Tue, 18 Sep 2012 13:37:18 +0400
+Subject: Revert: lockd: use rpc client's cl_nodename for id encoding
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts 12d63702c53bc2230dfc997e91ca891f39cb6446 which was commit
+303a7ce92064c285a04c870f2dc0192fdb2968cb upstream.
+
+Taking hostname from uts namespace if not safe, because this cuold be
+performind during umount operation on child reaper death. And in this case
+current->nsproxy is NULL already.
+
+Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
+Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/lockd/mon.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/lockd/mon.c
++++ b/fs/lockd/mon.c
+@@ -40,7 +40,6 @@ struct nsm_args {
+ u32 proc;
+
+ char *mon_name;
+- char *nodename;
+ };
+
+ struct nsm_res {
+@@ -94,7 +93,6 @@ static int nsm_mon_unmon(struct nsm_hand
+ .vers = 3,
+ .proc = NLMPROC_NSM_NOTIFY,
+ .mon_name = nsm->sm_mon_name,
+- .nodename = utsname()->nodename,
+ };
+ struct rpc_message msg = {
+ .rpc_argp = &args,
+@@ -431,7 +429,7 @@ static void encode_my_id(struct xdr_stre
+ {
+ __be32 *p;
+
+- encode_nsm_string(xdr, argp->nodename);
++ encode_nsm_string(xdr, utsname()->nodename);
+ p = xdr_reserve_space(xdr, 4 + 4 + 4);
+ *p++ = cpu_to_be32(argp->prog);
+ *p++ = cpu_to_be32(argp->vers);
arch-tile-avoid-generating-.eh_frame-information-in-modules.patch
+nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch
+oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch
+sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch
+revert-lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch
+pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch
+kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch
+use-clamp_t-in-uname26-fix.patch
+x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch
--- /dev/null
+From 212ba90696ab4884e2025b0b13726d67aadc2cd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <levinsasha928@gmail.com>
+Date: Tue, 17 Jul 2012 00:01:26 +0200
+Subject: SUNRPC: Prevent kernel stack corruption on long values of flush
+
+From: Sasha Levin <levinsasha928@gmail.com>
+
+commit 212ba90696ab4884e2025b0b13726d67aadc2cd4 upstream.
+
+The buffer size in read_flush() is too small for the longest possible values
+for it. This can lead to a kernel stack corruption:
+
+[ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4
+[ 43.047329]
+[ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221
+[ 43.050038] Call Trace:
+[ 43.050435] [<ffffffff836c60c2>] panic+0xcd/0x1f4
+[ 43.050931] [<ffffffff833e64b4>] ? read_flush.isra.7+0xe4/0x100
+[ 43.051602] [<ffffffff810e94e6>] __stack_chk_fail+0x16/0x20
+[ 43.052206] [<ffffffff833e64b4>] read_flush.isra.7+0xe4/0x100
+[ 43.052951] [<ffffffff833e6500>] ? read_flush_pipefs+0x30/0x30
+[ 43.053594] [<ffffffff833e652c>] read_flush_procfs+0x2c/0x30
+[ 43.053596] [<ffffffff812b9a8c>] proc_reg_read+0x9c/0xd0
+[ 43.053596] [<ffffffff812b99f0>] ? proc_reg_write+0xd0/0xd0
+[ 43.053596] [<ffffffff81250d5b>] do_loop_readv_writev+0x4b/0x90
+[ 43.053596] [<ffffffff81250fd6>] do_readv_writev+0xf6/0x1d0
+[ 43.053596] [<ffffffff812510ee>] vfs_readv+0x3e/0x60
+[ 43.053596] [<ffffffff812511b8>] sys_readv+0x48/0xb0
+[ 43.053596] [<ffffffff8378167d>] system_call_fastpath+0x1a/0x1f
+
+Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/sunrpc/cache.c
++++ b/net/sunrpc/cache.c
+@@ -1404,11 +1404,11 @@ static ssize_t read_flush(struct file *f
+ size_t count, loff_t *ppos,
+ struct cache_detail *cd)
+ {
+- char tbuf[20];
++ char tbuf[22];
+ unsigned long p = *ppos;
+ size_t len;
+
+- sprintf(tbuf, "%lu\n", convert_to_wallclock(cd->flush_time));
++ snprintf(tbuf, sizeof(tbuf), "%lu\n", convert_to_wallclock(cd->flush_time));
+ len = strlen(tbuf);
+ if (p >= len)
+ return 0;
--- /dev/null
+From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Fri, 19 Oct 2012 18:45:53 -0700
+Subject: use clamp_t in UNAME26 fix
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream.
+
+The min/max call needed to have explicit types on some architectures
+(e.g. mn10300). Use clamp_t instead to avoid the warning:
+
+ kernel/sys.c: In function 'override_release':
+ kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default]
+
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sys.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1152,7 +1152,7 @@ static int override_release(char __user
+ rest++;
+ }
+ v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40;
+- copy = min(sizeof(buf), max_t(size_t, 1, len));
++ copy = clamp_t(size_t, len, 1, sizeof(buf));
+ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest);
+ ret = copy_to_user(release, buf, copy + 1);
+ }
--- /dev/null
+From 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a Mon Sep 17 00:00:00 2001
+From: Jacob Shin <jacob.shin@amd.com>
+Date: Thu, 20 Oct 2011 16:15:26 -0500
+Subject: x86: Exclude E820_RESERVED regions and memory holes above 4 GB from direct mapping.
+
+From: Jacob Shin <jacob.shin@amd.com>
+
+commit 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a upstream.
+
+On systems with very large memory (1 TB in our case), BIOS may report a
+reserved region or a hole in the E820 map, even above the 4 GB range. Exclude
+these from the direct mapping.
+
+[ hpa: this should be done not just for > 4 GB but for everything above the legacy
+ region (1 MB), at the very least. That, however, turns out to require significant
+ restructuring. That work is well underway, but is not suitable for rc/stable. ]
+
+Signed-off-by: Jacob Shin <jacob.shin@amd.com>
+Link: http://lkml.kernel.org/r/1319145326-13902-1-git-send-email-jacob.shin@amd.com
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/setup.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -937,8 +937,21 @@ void __init setup_arch(char **cmdline_p)
+
+ #ifdef CONFIG_X86_64
+ if (max_pfn > max_low_pfn) {
+- max_pfn_mapped = init_memory_mapping(1UL<<32,
+- max_pfn<<PAGE_SHIFT);
++ int i;
++ for (i = 0; i < e820.nr_map; i++) {
++ struct e820entry *ei = &e820.map[i];
++
++ if (ei->addr + ei->size <= 1UL << 32)
++ continue;
++
++ if (ei->type == E820_RESERVED)
++ continue;
++
++ max_pfn_mapped = init_memory_mapping(
++ ei->addr < 1UL << 32 ? 1UL << 32 : ei->addr,
++ ei->addr + ei->size);
++ }
++
+ /* can we preseve max_low_pfn ?*/
+ max_low_pfn = max_pfn;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
