From: Greg Kroah-Hartman Date: Thu, 11 Jul 2013 18:22:42 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.86~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=30b1eb9ea2428ed34d234d1becf57f91a06dff4c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: block-do-not-pass-disk-names-as-format-strings.patch crypto-sanitize-argument-for-format-string.patch drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch hpfs-better-test-for-errors.patch libceph-fix-null-pointer-dereference-in-auth-client-code.patch maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
---
diff --git a/queue-3.0/block-do-not-pass-disk-names-as-format-strings.patch b/queue-3.0/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644
index 00000000000..eddf5095747
--- /dev/null
+++ b/queue-3.0/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,62 @@
+From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 3 Jul 2013 15:01:14 -0700
+Subject: block: do not pass disk names as format strings
+
+From: Kees Cook
+
+commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
+
+Disk names may contain arbitrary strings, so they must not be
+interpreted as format strings. It seems that only md allows arbitrary
+strings to be used for disk names, but this could allow for a local
+memory corruption from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -518,7 +518,7 @@ void register_disk(struct gendisk *disk)
+
+ ddev->parent = disk->driverfs_dev;
+
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -658,7 +658,8 @@ static int __nbd_ioctl(struct block_devi
+
+ mutex_unlock(&lo->tx_lock);
+
+- thread = kthread_create(nbd_thread, lo, lo->disk->disk_name);
++ thread = kthread_create(nbd_thread, lo, "%s",
++ lo->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&lo->tx_lock);
+ return PTR_ERR(thread);
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -465,7 +465,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
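Review bot: The three call sites now pass a literal "%s", but nothing at the genhd.c, nbd.c or osd_uld.c lines explains why, so a maintainer tidying the code could fold the format back into `dev_set_name(ddev, disk->disk_name)`; a one-line comment at each site, `/* disk_name is not trusted as a format string (md lets it be chosen freely) */`, would pin the intent. If the 3.0 copies of dev_set_name() and kthread_create() carry the __printf attribute, building with -Wformat-security would flag any remaining non-literal callers that the upstream commit, made against a newer tree, did not cover; that cannot be confirmed from the hunk and is worth a check before the release. register_disk, __nbd_ioctl and osd_probe each start and end outside the inner hunks.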
diff --git a/queue-3.0/crypto-sanitize-argument-for-format-string.patch b/queue-3.0/crypto-sanitize-argument-for-format-string.patch
new file mode 100644
index 00000000000..4e0441a5209
--- /dev/null
+++ b/queue-3.0/crypto-sanitize-argument-for-format-string.patch
@@ -0,0 +1,35 @@
+From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 3 Jul 2013 15:01:15 -0700
+Subject: crypto: sanitize argument for format string
+
+From: Kees Cook
+
+commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
+
+The template lookup interface does not provide a way to use format
+strings, so make sure that the interface cannot be abused accidentally.
+
+Signed-off-by: Kees Cook
+Cc: Herbert Xu
+Cc: "David S. Miller"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/algapi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -478,7 +478,8 @@ static struct crypto_template *__crypto_
+
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+- return try_then_request_module(__crypto_lookup_template(name), name);
++ return try_then_request_module(__crypto_lookup_template(name), "%s",
++ name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
+
diff --git a/queue-3.0/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch b/queue-3.0/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
new file mode 100644
index 00000000000..958d8d0d19d
--- /dev/null
+++ b/queue-3.0/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
@@ -0,0 +1,51 @@
+From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan
+Date: Wed, 3 Jul 2013 15:01:13 -0700
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+From: Jonathan Salwan
+
+commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+ 2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+ 2886 if (cgc->buffer == NULL)
+ 2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+ 2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function.
+If ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Jonathan Salwan
+Cc: Luis Henriques
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2879,7 +2879,7 @@ static noinline int mmc_ioctl_cdrom_read
+ if (lba < 0)
+ return -EINVAL;
+
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ if (cgc->buffer == NULL)
+ return -ENOMEM;
+
diff --git a/queue-3.0/hpfs-better-test-for-errors.patch b/queue-3.0/hpfs-better-test-for-errors.patch
new file mode 100644
index 00000000000..d0bf39b39a8
--- /dev/null
+++ b/queue-3.0/hpfs-better-test-for-errors.patch
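Review bot: Zeroing with kzalloc() stops uninitialised heap bytes reaching userspace, but the copy_to_user() the description cites still copies the full `blocksize` however much the drive actually returned, so a short read now hands back zero padding instead of a shorter result; if the read path reports the transferred length, copying only that many bytes would be the tighter fix, and a comment at the kzalloc line, `/* zeroed: a malfunctioning drive may fill this only partially and it is copied whole to userspace */`, records why plain kmalloc is wrong here. The description's line numbers (2885, 2908) are upstream's; in this 3.0 backport the hunk sits at 2879, so they should not be used when cross-checking the tree. mmc_ioctl_cdrom_read_data starts and ends outside the inner hunk.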
@@ -0,0 +1,54 @@
+From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 4 Jul 2013 18:42:29 +0200
+Subject: hpfs: better test for errors
+
+From: Mikulas Patocka
+
+commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
+
+The test if bitmap access is out of bound could errorneously pass if the
+device size is divisible by 16384 sectors and we are asking for one bitmap
+after the end.
+
+Check for invalid size in the superblock. Invalid size could cause integer
+overflows in the rest of the code.
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/hpfs/map.c | 3 ++-
+ fs/hpfs/super.c | 8 +++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/hpfs/map.c
++++ b/fs/hpfs/map.c
+@@ -17,7 +17,8 @@ unsigned int *hpfs_map_bitmap(struct sup
+ struct quad_buffer_head *qbh, char *id)
+ {
+ secno sec;
+- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
++ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
++ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
+ hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
+ return NULL;
+ }
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -553,7 +553,13 @@ static int hpfs_fill_super(struct super_
+ sbi->sb_cp_table = NULL;
+ sbi->sb_c_bitmap = -1;
+ sbi->sb_max_fwd_alloc = 0xffffff;
+-
++
++ if (sbi->sb_fs_size >= 0x80000000) {
++ hpfs_error(s, "invalid size in superblock: %08x",
++ (unsigned)sbi->sb_fs_size);
++ goto bail4;
++ }
++
+ /* Load bitmap directory */
+ if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
+ goto bail4;
diff --git a/queue-3.0/libceph-fix-null-pointer-dereference-in-auth-client-code.patch b/queue-3.0/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
new file mode 100644
index 00000000000..ee6a813f26d
--- /dev/null
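Review bot: The new map.c bound `n_bands = (sb_fs_size + 0x3fff) >> 14` only avoids wrapping because the super.c hunk rejects `sb_fs_size >= 0x80000000` at mount time, yet neither site says so; a comment at the map.c line, `/* sb_fs_size < 0x80000000 is enforced in hpfs_fill_super, so the rounding cannot overflow */`, would keep the two checks from drifting apart. The range check is still gated on `sb_chk`, so a mount with checking disabled gets no validation of bmp_block at this point; whether every caller guarantees an in-range index on such mounts is not visible in the hunk and is worth confirming. The `if (...) if (...) {` form carried over from the old line hides the second condition, and folding it into one `&&` condition is a cheap readability win. hpfs_map_bitmap and hpfs_fill_super both start and end outside the inner hunks.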
+++ b/queue-3.0/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
@@ -0,0 +1,49 @@
+From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks
+Date: Thu, 20 Jun 2013 13:13:59 -0700
+Subject: libceph: Fix NULL pointer dereference in auth client code
+
+From: Tyler Hicks
+
+commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
+
+A malicious monitor can craft an auth reply message that could cause a
+NULL function pointer dereference in the client's kernel.
+
+To prevent this, the auth_none protocol handler needs an empty
+ceph_auth_client_ops->build_request() function.
+
+CVE-2013-1059
+
+Signed-off-by: Tyler Hicks
+Reported-by: Chanam Park
+Reviewed-by: Seth Arnold
+Reviewed-by: Sage Weil
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/auth_none.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ceph/auth_none.c
++++ b/net/ceph/auth_none.c
+@@ -39,6 +39,11 @@ static int should_authenticate(struct ce
+ return xi->starting;
+ }
+
++static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
++{
++ return 0;
++}
++
+ /*
+ * the generic auth code decode the global_id, and we carry no actual
+ * authenticate state, so nothing happens here.
+@@ -107,6 +112,7 @@ static const struct ceph_auth_client_ops
+ .destroy = destroy,
+ .is_authenticated = is_authenticated,
+ .should_authenticate = should_authenticate,
++ .build_request = build_request,
+ .handle_reply = handle_reply,
+ .create_authorizer = ceph_auth_none_create_authorizer,
+ .destroy_authorizer = ceph_auth_none_destroy_authorizer,
diff --git a/queue-3.0/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch b/queue-3.0/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
new file mode 100644
index 00000000000..a6175c3c4a5
--- /dev/null
+++ b/queue-3.0/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
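Review bot: The new build_request() stub carries no comment and leaves `ac`, `buf` and `end` unused, so a reader cannot tell whether returning 0 means "nothing to send" or "success with an empty buffer"; a comment above it, `/* auth_none has nothing to send; this exists so the generic auth code's ops->build_request() call never hits a NULL pointer */`, would capture the reason given in the description. Since this one stub is the whole fix for a dereference a malicious monitor can trigger, it is worth confirming in the 3.0 tree that no other ceph_auth_client_ops member the generic path calls unconditionally is still left NULL in this table; that cannot be seen from the hunk. The ops initialiser in the second inner hunk starts outside it.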
@@ -0,0 +1,30 @@
+From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Tue, 18 Jun 2013 12:58:12 -0700
+Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
+
+From: Greg Kroah-Hartman
+
+commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
+
+This hopefully will help point developers to the proper way that patches
+should be submitted for inclusion in the stable kernel releases.
+
+Reported-by: David Howells
+Acked-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ MAINTAINERS | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -5725,6 +5725,7 @@ P: Vincent Sanders
+ M: Simtec Linux Team
+ W: http://www.simtec.co.uk/products/EB110ATX/
+ S: Supported
++F: Documentation/stable_kernel_rules.txt
+
+ SIMTEC EB2410ITX (BAST)
+ P: Ben Dooks
diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644
index 00000000000..7b7249a8933
--- /dev/null
+++ b/queue-3.0/series
@@ -0,0 +1,6 @@
+libceph-fix-null-pointer-dereference-in-auth-client-code.patch
+drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
+hpfs-better-test-for-errors.patch
+block-do-not-pass-disk-names-as-format-strings.patch
+crypto-sanitize-argument-for-format-string.patch
+maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch