From: Greg Kroah-Hartman Date: Wed, 15 Sep 2010 22:17:47 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.27.54~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=11104b4c69f006b0eac0e4fe1e53d4346b3c95fa;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches --- diff --git a/queue-2.6.27/irda-off-by-one.patch b/queue-2.6.27/irda-off-by-one.patch new file mode 100644 index 00000000000..1e00e32bbf0 --- /dev/null +++ b/queue-2.6.27/irda-off-by-one.patch @@ -0,0 +1,33 @@ +From cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 4 Sep 2010 03:14:35 +0000 +Subject: irda: off by one + +From: Dan Carpenter + +commit cf9b94f88bdbe8a02015fc30d7c232b2d262d4ad upstream. + +This is an off by one. We would go past the end when we NUL terminate +the "value" string at end of the function. The "value" buffer is +allocated in irlan_client_parse_response() or +irlan_provider_parse_command(). + +CC: stable@kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller + +--- + net/irda/irlan/irlan_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/irda/irlan/irlan_common.c ++++ b/net/irda/irlan/irlan_common.c +@@ -1100,7 +1100,7 @@ int irlan_extract_param(__u8 *buf, char + memcpy(&val_len, buf+n, 2); /* To avoid alignment problems */ + le16_to_cpus(&val_len); n+=2; + +- if (val_len > 1016) { ++ if (val_len >= 1016) { + IRDA_DEBUG(2, "%s(), parameter length to long\n", __func__ ); + return -RSP_INVALID_COMMAND_FORMAT; + } diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 64985bed135..8eb37cb5334 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -1,2 +1,4 @@ alsa-seq-oss-fix-double-free-at-error-path-of-snd_seq_oss_open.patch ath9k_hw-fix-parsing-of-ht40-5-ghz-ctls.patch +tracing-do-not-allow-llseek-to-set_ftrace_filter.patch +irda-off-by-one.patch 
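Review bot: the bound in the irlan_extract_param() hunk is still the bare literal 1016, disconnected from the size of the "value" buffer that the commit message says is allocated in irlan_client_parse_response() and irlan_provider_parse_command(); the `>` to `>=` fix is correct only as long as those allocations stay at the size this literal assumes, since the NUL terminator is written at value[val_len]. Suggest replacing the magic number with a named constant shared with the allocation sites (or passing the buffer size into irlan_extract_param()) so the check cannot drift from the allocation again, and noting in a comment that the extra byte is reserved for the terminator, e.g. `if (val_len >= IRLAN_VALUE_SIZE) { /* leave room for NUL */`.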
diff --git a/queue-2.6.27/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch b/queue-2.6.27/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch new file mode 100644 index 00000000000..b5b9d166964 --- /dev/null +++ b/queue-2.6.27/tracing-do-not-allow-llseek-to-set_ftrace_filter.patch 
@@ -0,0 +1,54 @@ +From 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Wed, 8 Sep 2010 11:20:37 -0400 +Subject: tracing: Do not allow llseek to set_ftrace_filter + +From: Steven Rostedt + +commit 9c55cb12c1c172e2d51e85fbb5a4796ca86b77e7 upstream. + +Reading the file set_ftrace_filter does three things. + +1) shows whether or not filters are set for the function tracer +2) shows what functions are set for the function tracer +3) shows what triggers are set on any functions + +3 is independent from 1 and 2. + +The way this file currently works is that it is a state machine, +and as you read it, it may change state. But this assumption breaks +when you use lseek() on the file. The state machine gets out of sync +and the t_show() may use the wrong pointer and cause a kernel oops. + +Luckily, this will only kill the app that does the lseek, but the app +dies while holding a mutex. This prevents anyone else from using the +set_ftrace_filter file (or any other function tracing file for that matter). + +A real fix for this is to rewrite the code, but that is too much for +a -rc release or stable. This patch simply disables llseek on the +set_ftrace_filter() file for now, and we can do the proper fix for the +next major release. + +Reported-by: Robert Swiecki +Cc: Chris Wright +Cc: Tavis Ormandy +Cc: Eugene Teo +Cc: vendor-sec@lst.de +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -1456,7 +1456,7 @@ static struct file_operations ftrace_fil + .open = ftrace_filter_open, + .read = ftrace_regex_read, + .write = ftrace_filter_write, +- .llseek = ftrace_regex_lseek, ++ .llseek = no_llseek, + .release = ftrace_filter_release, + }; +
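Review bot: the hunk only swaps `.llseek = ftrace_regex_lseek` for `no_llseek` in the ftrace_filter fops, but the commit message says the same state machine backs "any other function tracing file" and the diff leaves ftrace_regex_lseek defined; either this was its sole user, in which case the now-dead function should be removed in the same patch, or other file_operations in kernel/trace/ftrace.c still reference it and remain seekable with the same out-of-sync t_show() hazard, which the 2.6.27 backport should verify before merging. The truncated hunk header (`static struct file_operations ftrace_fil`) does not show which structure is being edited, so please confirm it is ftrace_filter_fops and not a sibling fops. A brief comment next to `.llseek = no_llseek,` explaining that seeking is disabled because the read side is a state machine would also save the next reader from re-adding it.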