3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Apr 2015 13:20:33 +0000 (15:20 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 17 Apr 2015 13:20:33 +0000 (15:20 +0200)
added patches:
console-fix-console-name-size-mismatch.patch
pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch

queue-3.10/console-fix-console-name-size-mismatch.patch [new file with mode: 0644]
queue-3.10/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/console-fix-console-name-size-mismatch.patch b/queue-3.10/console-fix-console-name-size-mismatch.patch
new file mode 100644 (file)
index 0000000..0dcdf8b
--- /dev/null
@@ -0,0 +1,43 @@
+From 30a22c215a0007603ffc08021f2e8b64018517dd Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Sun, 1 Mar 2015 10:11:05 -0500
+Subject: console: Fix console name size mismatch
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 30a22c215a0007603ffc08021f2e8b64018517dd upstream.
+
+commit 6ae9200f2cab7 ("enlarge console.name") increased the storage
+for the console name to 16 bytes, but not the corresponding
+struct console_cmdline::name storage. Console names longer than
+8 bytes cause read beyond end-of-string and failure to match
+console; I'm not sure if there are other unexpected consequences.
+
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ kernel/printk.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -107,7 +107,7 @@ static struct console *exclusive_console
+  */
+ struct console_cmdline
+ {
+-      char    name[8];                        /* Name of the driver       */
++      char    name[16];                       /* Name of the driver       */
+       int     index;                          /* Minor dev. to use        */
+       char    *options;                       /* Options for the driver   */
+ #ifdef CONFIG_A11Y_BRAILLE_CONSOLE
+@@ -2290,6 +2290,8 @@ void register_console(struct console *ne
+        */
+       for (i = 0; i < MAX_CMDLINECONSOLES && console_cmdline[i].name[0];
+                       i++) {
++              BUILD_BUG_ON(sizeof(console_cmdline[i].name) !=
++                           sizeof(newcon->name));
+               if (strcmp(console_cmdline[i].name, newcon->name) != 0)
+                       continue;
+               if (newcon->index >= 0 &&
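Review bot: The `BUILD_BUG_ON` added in the second inner hunk sits inside the `for` loop of register_console, although it is a compile-time assertion that does not depend on `i`; it would read more clearly placed ahead of the loop, for example `BUILD_BUG_ON(sizeof(console_cmdline[0].name) != sizeof(newcon->name));`. The first inner hunk also keeps `16` as a bare literal, so a comment on the `name[16]` field such as `/* must stay the same size as struct console::name */` would record why the two sizes are tied. The code that copies the command-line console name into this field is not in the hunk, so when reviewing the backport it is worth confirming that the copy is bounded by `sizeof` of the field and always NUL-terminated. register_console starts and ends outside the hunk.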
diff --git a/queue-3.10/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch b/queue-3.10/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
new file mode 100644 (file)
index 0000000..7fa452e
--- /dev/null
@@ -0,0 +1,55 @@
+From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+Date: Mon, 9 Mar 2015 23:11:12 +0200
+Subject: pagemap: do not leak physical addresses to non-privileged userspace
+
+From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
+
+commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream.
+
+As pointed by recent post[1] on exploiting DRAM physical imperfection,
+/proc/PID/pagemap exposes sensitive information which can be used to do
+attacks.
+
+This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
+
+[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+
+[ Eventually we might want to do anything more finegrained, but for now
+  this is the simple model.   - Linus ]
+
+Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
+Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
+Acked-by: Andy Lutomirski <luto@amacapital.net>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Mark Seaborn <mseaborn@chromium.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: mancha security <mancha1@zoho.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/task_mmu.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1110,9 +1110,19 @@ out:
+       return ret;
+ }
++static int pagemap_open(struct inode *inode, struct file *file)
++{
++      /* do not disclose physical addresses to unprivileged
++         userspace (closes a rowhammer attack vector) */
++      if (!capable(CAP_SYS_ADMIN))
++              return -EPERM;
++      return 0;
++}
++
+ const struct file_operations proc_pagemap_operations = {
+       .llseek         = mem_lseek, /* borrow this */
+       .read           = pagemap_read,
++      .open           = pagemap_open,
+ };
+ #endif /* CONFIG_PROC_PAGE_MONITOR */
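Review bot: `pagemap_open` refuses every opener without CAP_SYS_ADMIN, so the check also blocks any part of a pagemap entry that carries no physical frame number, and unprivileged tools that only need those bits will start getting -EPERM after this stable update. The comment in `pagemap_open` should say so, e.g. `/* whole file is CAP_SYS_ADMIN-only for now; this also blocks the non-PFN bits */`. The capability is checked once at open time and `pagemap_read` is unchanged in this hunk, so access then follows the file descriptor rather than the reader; a short note next to `.open = pagemap_open,` would make that design choice explicit. The entry layout is produced by code outside the hunk, so the exact bits affected should be confirmed there.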
index d90890eafba54c48a1291cd99ee72754a223c9ac..c6ffda72d19d4a0966cfc92e1f9db75d2d757b52 100644 (file)
@@ -30,3 +30,5 @@ net-rds-use-correct-size-for-max-unacked-packets-and-bytes.patch
 net-llc-use-correct-size-for-sysctl-timeout-entries.patch
 kernel.h-define-u8-s8-u32-etc.-limits.patch
 ib-mlx4-saturate-roce-port-pma-counters-in-case-of-overflow.patch
+console-fix-console-name-size-mismatch.patch
+pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch