From: Greg Kroah-Hartman Date: Fri, 17 Apr 2015 09:40:49 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v3.10.75~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2efc96bc1ba97abe20c92db46047774c79bdf371;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arc-sa_siginfo-ucontext-regs-off-by-one.patch pci-aer-avoid-info-leak-in-__print_tlp_header.patch selinux-fix-sel_write_enforce-broken-return-value.patch
---
diff --git a/queue-3.14/arc-sa_siginfo-ucontext-regs-off-by-one.patch b/queue-3.14/arc-sa_siginfo-ucontext-regs-off-by-one.patch
new file mode 100644
index 00000000000..7009f02f257
--- /dev/null
+++ b/queue-3.14/arc-sa_siginfo-ucontext-regs-off-by-one.patch
@@ -0,0 +1,92 @@
+From 6914e1e3f63caa829431160f0f7093292daef2d5 Mon Sep 17 00:00:00 2001
+From: Vineet Gupta
+Date: Thu, 26 Mar 2015 09:25:44 +0530
+Subject: ARC: SA_SIGINFO ucontext regs off-by-one
+
+From: Vineet Gupta
+
+commit 6914e1e3f63caa829431160f0f7093292daef2d5 upstream.
+
+The regfile provided to SA_SIGINFO signal handler as ucontext was off by
+one due to pt_regs gutter cleanups in 2013.
+
+Before handling signal, user pt_regs are copied onto user_regs_struct and copied
+back later. Both structs are binary compatible. This was all fine until
+commit 2fa919045b72 (ARC: pt_regs update #2) which removed the empty stack slot
+at top of pt_regs (corresponding to first pad) and made the corresponding
+fixup in struct user_regs_struct (the pad in there was moved out of
+@scratch - not removed altogether as it is part of ptrace ABI)
+
+ struct user_regs_struct {
++ long pad;
+ struct {
+- long pad;
+ long bta, lp_start, lp_end,....
+ } scratch;
+ ...
+ }
+
+This meant that now user_regs_struct was off by 1 reg w.r.t pt_regs and
+signal code needs to user_regs_struct.scratch to reflect it as pt_regs,
+which is what this commit does.
+
+This problem was hidden for 2 years, because both save/restore, despite
+using wrong location, were using the same location. Only an interim
+inspection (reproducer below) exposed the issue.
+
+ void handle_segv(int signo, siginfo_t *info, void *context)
+ {
+ ucontext_t *uc = context;
+ struct user_regs_struct *regs = &(uc->uc_mcontext.regs);
+
+ printf("regs %x %x\n", <=== prints 7 8 (vs. 8 9)
+ regs->scratch.r8, regs->scratch.r9);
+ }
+
+ int main()
+ {
+ struct sigaction sa;
+
+ sa.sa_sigaction = handle_segv;
+ sa.sa_flags = SA_SIGINFO;
+ sigemptyset(&sa.sa_mask);
+ sigaction(SIGSEGV, &sa, NULL);
+
+ asm volatile(
+ "mov r7, 7 \n"
+ "mov r8, 8 \n"
+ "mov r9, 9 \n"
+ "mov r10, 10 \n"
+ :::"r7","r8","r9","r10");
+
+ *((unsigned int*)0x10) = 0;
+ }
+
+Fixes: 2fa919045b72ec892e "ARC: pt_regs update #2: Remove unused gutter at start of pt_regs"
+Signed-off-by: Vineet Gupta
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/kernel/signal.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -67,7 +67,7 @@ stash_usr_regs(struct rt_sigframe __user
+ sigset_t *set)
+ {
+ int err;
+- err = __copy_to_user(&(sf->uc.uc_mcontext.regs), regs,
++ err = __copy_to_user(&(sf->uc.uc_mcontext.regs.scratch), regs,
+ sizeof(sf->uc.uc_mcontext.regs.scratch));
+ err |= __copy_to_user(&sf->uc.uc_sigmask, set, sizeof(sigset_t));
+
+@@ -83,7 +83,7 @@ static int restore_usr_regs(struct pt_re
+ if (!err)
+ set_current_blocked(&set);
+
+- err |= __copy_from_user(regs, &(sf->uc.uc_mcontext.regs),
++ err |= __copy_from_user(regs, &(sf->uc.uc_mcontext.regs.scratch),
+ sizeof(sf->uc.uc_mcontext.regs.scratch));
+
+ return err;
diff --git a/queue-3.14/pci-aer-avoid-info-leak-in-__print_tlp_header.patch b/queue-3.14/pci-aer-avoid-info-leak-in-__print_tlp_header.patch
new file mode 100644
index 00000000000..3de0e6bf36b
--- /dev/null
+++ b/queue-3.14/pci-aer-avoid-info-leak-in-__print_tlp_header.patch
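Review bot: In restore_usr_regs the corrected `__copy_from_user(regs, &(sf->uc.uc_mcontext.regs.scratch), ...)` still loads the whole scratch block, including any status or mode bits it carries, from a user-writable signal frame straight into pt_regs. The only handling visible after the copy is `return err;`, so whether the sigreturn path re-asserts user-mode state before returning cannot be confirmed from this hunk and should be checked in the caller. I would at least record the contract beside the copy, e.g. `/* regs now holds user-supplied values; caller must force user-mode state before returning */`. Both stash_usr_regs and restore_usr_regs start and end outside their hunks.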
@@ -0,0 +1,53 @@
+From a1b7f2f6367944d445c6853035830a35c6343939 Mon Sep 17 00:00:00 2001
+From: Rasmus Villemoes
+Date: Thu, 26 Feb 2015 09:55:03 +0100
+Subject: PCI/AER: Avoid info leak in __print_tlp_header()
+
+From: Rasmus Villemoes
+
+commit a1b7f2f6367944d445c6853035830a35c6343939 upstream.
+
+Commit fab4c256a58b ("PCI/AER: Add a TLP header print helper") introduced
+the helper function __print_tlp_header(), but contrary to the intention,
+the behaviour did change: Since we're taking the address of the parameter
+t, the first 4 or 8 bytes printed will be the value of the pointer t
+itself, and the remaining 12 or 8 bytes will be who-knows-what (something
+from the stack).
+
+We want to show the values of the four members of the struct
+aer_header_log_regs; that can be done without ugly and error-prone casts.
+On little-endian this should produce the same output as originally
+intended, and since no-one has complained about getting garbage output so
+far, I think big-endian should be ok too.
+
+Fixes: fab4c256a58b ("PCI/AER: Add a TLP header print helper")
+Signed-off-by: Rasmus Villemoes
+Signed-off-by: Bjorn Helgaas
+Acked-by: Borislav Petkov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pcie/aer/aerdrv_errprint.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/drivers/pci/pcie/aer/aerdrv_errprint.c
++++ b/drivers/pci/pcie/aer/aerdrv_errprint.c
+@@ -127,16 +127,8 @@ static const char *aer_agent_string[] =
+ static void __print_tlp_header(struct pci_dev *dev,
+ struct aer_header_log_regs *t)
+ {
+- unsigned char *tlp = (unsigned char *)&t;
+-
+- dev_err(&dev->dev, " TLP Header:"
+- " %02x%02x%02x%02x %02x%02x%02x%02x"
+- " %02x%02x%02x%02x %02x%02x%02x%02x\n",
+- *(tlp + 3), *(tlp + 2), *(tlp + 1), *tlp,
+- *(tlp + 7), *(tlp + 6), *(tlp + 5), *(tlp + 4),
+- *(tlp + 11), *(tlp + 10), *(tlp + 9),
+- *(tlp + 8), *(tlp + 15), *(tlp + 14),
+- *(tlp + 13), *(tlp + 12));
++ dev_err(&dev->dev, " TLP Header: %08x %08x %08x %08x\n",
++ t->dw0, t->dw1, t->dw2, t->dw3);
+ }
+
+ static void __aer_print_error(struct pci_dev *dev,
diff --git a/queue-3.14/selinux-fix-sel_write_enforce-broken-return-value.patch b/queue-3.14/selinux-fix-sel_write_enforce-broken-return-value.patch
new file mode 100644
index 00000000000..91db0e6fc22
--- /dev/null
+++ b/queue-3.14/selinux-fix-sel_write_enforce-broken-return-value.patch
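Review bot: `__print_tlp_header` now only reads through `t`, so the second parameter can be declared `const struct aer_header_log_regs *t`, which documents that the helper never modifies the logged header. The function also has no comment stating what it prints; something like `/* Log the four TLP header DWORDs (dw0..dw3) as 32-bit hex values. */` above it would pin the intended output. The commit message itself says big-endian output was not verified, so the comment is a good place to note that the values are printed as native 32-bit words.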
@@ -0,0 +1,32 @@
+From 6436a123a147db51a0b06024a8350f4c230e73ff Mon Sep 17 00:00:00 2001
+From: Joe Perches
+Date: Mon, 23 Mar 2015 18:01:35 -0700
+Subject: selinux: fix sel_write_enforce broken return value
+
+From: Joe Perches
+
+commit 6436a123a147db51a0b06024a8350f4c230e73ff upstream.
+
+Return a negative error value like the rest of the entries in this function.
+
+Signed-off-by: Joe Perches
+Acked-by: Stephen Smalley
+[PM: tweaked subject line]
+Signed-off-by: Paul Moore
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/selinux/selinuxfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/selinux/selinuxfs.c
++++ b/security/selinux/selinuxfs.c
+@@ -152,7 +152,7 @@ static ssize_t sel_write_enforce(struct
+ goto out;
+
+ /* No partial writes. */
+- length = EINVAL;
++ length = -EINVAL;
+ if (*ppos != 0)
+ goto out;
+
diff --git a/queue-3.14/series b/queue-3.14/series
index c706a7f7139..377d8913843 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -2,3 +2,6 @@ alsa-hda-add-one-more-node-in-the-eapd-supporting-candidate-list.patch
 alsa-usb-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch
 alsa-hda-realtek-make-more-stable-to-get-pin-sense-for-alc283.patch
 alsa-hda-fix-headphone-pin-config-for-lifebook-t731.patch
+pci-aer-avoid-info-leak-in-__print_tlp_header.patch
+arc-sa_siginfo-ucontext-regs-off-by-one.patch
+selinux-fix-sel_write_enforce-broken-return-value.patch
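Review bot: In sel_write_enforce the error code is still assigned ahead of the test (`length = -EINVAL;` followed by `if (*ppos != 0) goto out;`), which is the layout that let a missing minus sign go unnoticed. Because the handler returns ssize_t, a positive value would presumably be read by the caller as a byte count rather than a failure, so a rejected write to the enforce node could look like success. Setting the code inside the failing branch, `if (*ppos != 0) { length = -EINVAL; goto out; }`, keeps each error next to the condition that produces it. The function starts and ends outside the hunk, so the other assignments the commit message refers to cannot be checked here.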