From: Greg Kroah-Hartman Date: Fri, 26 Apr 2013 17:36:22 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.8.10~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=21c6f6ae331ff559a77303acc15869bfe9274e93;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: aio-fix-possible-invalid-memory-access-when-debug-is-enabled.patch tty-do-not-update-atime-mtime-on-read-write.patch tty-fix-atime-mtime-regression.patch --- diff --git a/queue-3.4/aio-fix-possible-invalid-memory-access-when-debug-is-enabled.patch b/queue-3.4/aio-fix-possible-invalid-memory-access-when-debug-is-enabled.patch new file mode 100644 index 00000000000..a17c305956a --- /dev/null +++ b/queue-3.4/aio-fix-possible-invalid-memory-access-when-debug-is-enabled.patch @@ -0,0 +1,32 @@ +From 91d80a84bbc8f28375cca7e65ec666577b4209ad Mon Sep 17 00:00:00 2001 +From: Zhao Hongjiang +Date: Fri, 26 Apr 2013 11:03:53 +0800 +Subject: aio: fix possible invalid memory access when DEBUG is enabled + +From: Zhao Hongjiang + +commit 91d80a84bbc8f28375cca7e65ec666577b4209ad upstream. + +dprintk() shouldn't access @ring after it's unmapped. + +Signed-off-by: Zhao Hongjiang +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/aio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -1094,9 +1094,9 @@ static int aio_read_evt(struct kioctx *i + spin_unlock(&info->ring_lock); + + out: +- kunmap_atomic(ring); + dprintk("leaving aio_read_evt: %d h%lu t%lu\n", ret, + (unsigned long)ring->head, (unsigned long)ring->tail); ++ kunmap_atomic(ring); + return ret; + } + diff --git a/queue-3.4/series b/queue-3.4/series new file mode 100644 index 00000000000..396027508e8 --- /dev/null +++ b/queue-3.4/series @@ -0,0 +1,3 @@ +aio-fix-possible-invalid-memory-access-when-debug-is-enabled.patch +tty-do-not-update-atime-mtime-on-read-write.patch +tty-fix-atime-mtime-regression.patch diff --git a/queue-3.4/tty-do-not-update-atime-mtime-on-read-write.patch b/queue-3.4/tty-do-not-update-atime-mtime-on-read-write.patch new file mode 100644 index 00000000000..0e22bc78b3d --- /dev/null +++ b/queue-3.4/tty-do-not-update-atime-mtime-on-read-write.patch @@ -0,0 +1,54 @@ +From b0de59b5733d18b0d1974a060860a8b5c1b36a2e Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 15 Feb 2013 15:25:05 +0100 +Subject: TTY: do not update atime/mtime on read/write + +From: Jiri Slaby + +commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e upstream. + +On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find +out length of a password using timestamps of /dev/ptmx. It is +documented in "Timing Analysis of Keystrokes and Timing Attacks on +SSH". To avoid that problem, do not update time when reading +from/writing to a TTY. + +I am afraid of regressions as this is a behavior we have since 0.97 +and apps may expect the time to be current, e.g. for monitoring +whether there was a change on the TTY. Now, there is no change. So +this would better have a lot of testing before it goes upstream. + +References: CVE-2013-0160 + +Signed-off-by: Jiri Slaby +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -974,8 +974,7 @@ static ssize_t tty_read(struct file *fil + else + i = -EIO; + tty_ldisc_deref(ld); +- if (i > 0) +- inode->i_atime = current_fs_time(inode->i_sb); ++ + return i; + } + +@@ -1076,11 +1075,8 @@ static inline ssize_t do_tty_write( + break; + cond_resched(); + } +- if (written) { +- struct inode *inode = file->f_path.dentry->d_inode; +- inode->i_mtime = current_fs_time(inode->i_sb); ++ if (written) + ret = written; +- } + out: + tty_write_unlock(tty); + return ret; diff --git a/queue-3.4/tty-fix-atime-mtime-regression.patch b/queue-3.4/tty-fix-atime-mtime-regression.patch new file mode 100644 index 00000000000..444a2d519c9 --- /dev/null +++ b/queue-3.4/tty-fix-atime-mtime-regression.patch @@ -0,0 +1,67 @@ +From 37b7f3c76595e23257f61bd80b223de8658617ee Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Fri, 26 Apr 2013 13:48:53 +0200 +Subject: TTY: fix atime/mtime regression + +From: Jiri Slaby + +commit 37b7f3c76595e23257f61bd80b223de8658617ee upstream. + +In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write") +we removed timestamps from tty inodes to fix a security issue and waited +if something breaks. Well, 'w', the utility to find out logged users +and their inactivity time broke. It shows that users are inactive since +the time they logged in. + +To revert to the old behaviour while still preventing attackers to +guess the password length, we update the timestamps in one-minute +intervals by this patch. + +Signed-off-by: Jiri Slaby +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -938,6 +938,14 @@ void start_tty(struct tty_struct *tty) + + EXPORT_SYMBOL(start_tty); + ++static void tty_update_time(struct timespec *time) ++{ ++ unsigned long sec = get_seconds(); ++ sec -= sec % 60; ++ if ((long)(sec - time->tv_sec) > 0) ++ time->tv_sec = sec; ++} ++ + /** + * tty_read - read method for tty device files + * @file: pointer to tty file +@@ -975,6 +983,9 @@ static ssize_t tty_read(struct file *fil + i = -EIO; + tty_ldisc_deref(ld); + ++ if (i > 0) ++ tty_update_time(&inode->i_atime); ++ + return i; + } + +@@ -1075,8 +1086,11 @@ static inline ssize_t do_tty_write( + break; + cond_resched(); + } +- if (written) ++ if (written) { ++ struct inode *inode = file->f_path.dentry->d_inode; ++ tty_update_time(&inode->i_mtime); + ret = written; ++ } + out: + tty_write_unlock(tty); + return ret;