From: Greg Kroah-Hartman
Date: Sat, 23 Nov 2013 02:10:56 +0000 (-0800)
Subject: 3.4-stable patches
X-Git-Tag: v3.11.10~54
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b0ca8b2202a4279e41a9f3761f070632470eb1e;p=thirdparty%2Fkernel%2Fstable-queue.git
3.4-stable patches
added patches:
aacraid-prevent-invalid-pointer-dereference.patch
libertas-potential-oops-in-debugfs.patch
---
diff --git a/queue-3.4/aacraid-prevent-invalid-pointer-dereference.patch b/queue-3.4/aacraid-prevent-invalid-pointer-dereference.patch
new file mode 100644
index 00000000000..94a9a9181a1
--- /dev/null
+++ b/queue-3.4/aacraid-prevent-invalid-pointer-dereference.patch
@@ -0,0 +1,41 @@
+From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001
+From: Mahesh Rajashekhara
+Date: Thu, 31 Oct 2013 14:01:02 +0530
+Subject: aacraid: prevent invalid pointer dereference
+
+From: Mahesh Rajashekhara
+
+commit b4789b8e6be3151a955ade74872822f30e8cd914 upstream.
+
+It appears that driver runs into a problem here if fibsize is too small
+because we allocate user_srbcmd with fibsize size only but later we
+access it until user_srbcmd->sg.count to copy it over to srbcmd.
+
+It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this
+structure already includes one sg element and this is not needed for
+commands without data. So, we would recommend to add the following
+(instead of test for fibsize == 0).
+
+Signed-off-by: Mahesh Rajashekhara
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Linus Torvalds
+Cc: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/aacraid/commctrl.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -508,7 +508,8 @@ static int aac_send_raw_srb(struct aac_d
+ goto cleanup;
+ }
+
+- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) {
++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) ||
++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) {
+ rcode = -EINVAL;
+ goto cleanup;
+ }
diff --git a/queue-3.4/libertas-potential-oops-in-debugfs.patch b/queue-3.4/libertas-potential-oops-in-debugfs.patch
new file mode 100644
index 00000000000..2421925ab15
--- /dev/null
+++ b/queue-3.4/libertas-potential-oops-in-debugfs.patch
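Review bot: The new lower bound on the added `if` is only meaningful if `sg` is the last member of `struct user_aac_srb` and, as the commit message says, carries exactly one `user_sgentry`, so that `sizeof(struct user_aac_srb) - sizeof(struct user_sgentry)` lands on the offset of the first sg entry; nothing in the code states that dependency, and a later reordering of the struct would silently weaken the check. I would put a comment above the condition, `/* fibsize must cover the fixed fields through sg.count; a command without data carries no sg entry */`, and consider spelling the bound as `offsetof(struct user_aac_srb, sg.sg)` so the intent is explicit. The inner hunk shows only the bounds check; the rest of aac_send_raw_srb, including where fibsize is read from the user and where `sg.count` is consumed, lies outside it, so whether the sg entry count is separately reconciled with fibsize cannot be confirmed from this view.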
@@ -0,0 +1,49 @@
+From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 30 Oct 2013 20:12:51 +0300
+Subject: libertas: potential oops in debugfs
+
+From: Dan Carpenter
+
+commit a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 upstream.
+
+If we do a zero size allocation then it will oops. Also we can't be
+sure the user passes us a NUL terminated string so I've added a
+terminator.
+
+This code can only be triggered by root.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Acked-by: Dan Williams
+Signed-off-by: John W. Linville
+Cc: Kees Cook
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/libertas/debugfs.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/libertas/debugfs.c
++++ b/drivers/net/wireless/libertas/debugfs.c
+@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct
+ char *p2;
+ struct debug_data *d = f->private_data;
+
+- pdata = kmalloc(cnt, GFP_KERNEL);
++ if (cnt == 0)
++ return 0;
++
++ pdata = kmalloc(cnt + 1, GFP_KERNEL);
+ if (pdata == NULL)
+ return 0;
+
+@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct
+ kfree(pdata);
+ return 0;
+ }
++ pdata[cnt] = '\0';
+
+ p0 = pdata;
+ for (i = 0; i < num_of_items; i++) {
diff --git a/queue-3.4/series b/queue-3.4/series
index 9784283d288..940c996c755 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -1,2 +1,4 @@
 vfs-proc-guarantee-unique-inodes-in-proc.patch
 nfs-don-t-allow-nfs_find_actor-to-match-inodes-of-the-wrong-type.patch
+libertas-potential-oops-in-debugfs.patch
+aacraid-prevent-invalid-pointer-dereference.patch
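Review bot: The new `kmalloc(cnt + 1, GFP_KERNEL)` still hands an unbounded, caller-chosen length to the allocator, and the unchanged `return 0` right after it reports zero bytes written on allocation failure, which a writer cannot tell apart from "nothing consumed, try again". Since the loop over `num_of_items` at the end of the hunk appears to parse only a short list of values, I would add `if (cnt > PAGE_SIZE) return -E2BIG;` next to the new `cnt == 0` guard and return `-ENOMEM` instead of 0 when `pdata` is NULL. The commit notes the handler is root-only, so this is hardening of the failure path rather than a privilege-boundary fix. lbs_debugfs_write begins and ends outside the hunk, so how `cnt` is otherwise constrained cannot be confirmed from this view.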