From: Greg Kroah-Hartman Date: Fri, 29 Oct 2010 21:17:19 +0000 (-0700) Subject: .27 patches X-Git-Tag: v2.6.27.56~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=890acb2928869b201552dac23a17b28881e631f4;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches
---
diff --git a/queue-2.6.27/pcmcia-synclink_cs-fix-information-leak-to-userland.patch b/queue-2.6.27/pcmcia-synclink_cs-fix-information-leak-to-userland.patch
new file mode 100644
index 00000000000..7fa01e41316
--- /dev/null
+++ b/queue-2.6.27/pcmcia-synclink_cs-fix-information-leak-to-userland.patch
@@ -0,0 +1,31 @@
+From 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 Mon Sep 17 00:00:00 2001
+From: Vasiliy Kulikov
+Date: Sun, 17 Oct 2010 18:41:24 +0400
+Subject: pcmcia: synclink_cs: fix information leak to userland
+
+From: Vasiliy Kulikov
+
+commit 5b917a1420d3d1a9c8da49fb0090692dc9aaee86 upstream.
+
+Structure new_line is copied to userland with some padding fields unitialized.
+It leads to leaking of stack memory.
+
+Signed-off-by: Vasiliy Kulikov
+Signed-off-by: Dominik Brodowski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/pcmcia/synclink_cs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/char/pcmcia/synclink_cs.c
++++ b/drivers/char/pcmcia/synclink_cs.c
+@@ -4287,6 +4287,8 @@ static int hdlcdev_ioctl(struct net_devi
+ if (cmd != SIOCWANDEV)
+ return hdlc_ioctl(dev, ifr, cmd);
+
++ memset(&new_line, 0, size);
++
+ switch(ifr->ifr_settings.type) {
+ case IF_GET_IFACE: /* return current sync_serial_settings */
+
diff --git a/queue-2.6.27/sched-fix-string-comparison-in-proc-sched_features.patch b/queue-2.6.27/sched-fix-string-comparison-in-proc-sched_features.patch
new file mode 100644
index 00000000000..0d074c80530
--- /dev/null
+++ b/queue-2.6.27/sched-fix-string-comparison-in-proc-sched_features.patch
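Review bot: In the queued synclink_cs.c change, the added `memset(&new_line, 0, size);` takes its length from `size`, whose declaration is outside the hunk, so the diff alone does not show that the whole of `new_line` is cleared. Writing it as `memset(&new_line, 0, sizeof(new_line));` ties the zeroed length to the object that is later copied to userland. A short comment such as `/* clear padding too: new_line is copied to userland below */` would also help, since a later cleanup to member-wise initialisation would not clear padding bytes and would reopen the leak. hdlcdev_ioctl starts and ends outside the hunk, so the copy-out path itself cannot be checked from here.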
@@ -0,0 +1,62 @@
+From 7740191cd909b75d75685fb08a5d1f54b8a9d28b Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers
+Date: Mon, 13 Sep 2010 17:47:00 -0400
+Subject: sched: Fix string comparison in /proc/sched_features
+
+From: Mathieu Desnoyers
+
+commit 7740191cd909b75d75685fb08a5d1f54b8a9d28b upstream.
+
+Fix incorrect handling of the following case:
+
+ INTERACTIVE
+ INTERACTIVE_SOMETHING_ELSE
+
+The comparison only checks up to each element's length.
+
+Changelog since v1:
+ - Embellish using some Rostedtisms.
+ [ mingo: ^^ == smaller and cleaner ]
+
+Signed-off-by: Mathieu Desnoyers
+Reviewed-by: Steven Rostedt
+Cc: Peter Zijlstra
+Cc: Tony Lindgren
+LKML-Reference: <20100913214700.GB16118@Krystal>
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -744,7 +744,7 @@ sched_feat_write(struct file *filp, cons
+ size_t cnt, loff_t *ppos)
+ {
+ char buf[64];
+- char *cmp = buf;
++ char *cmp;
+ int neg = 0;
+ int i;
+
+@@ -755,6 +755,7 @@ sched_feat_write(struct file *filp, cons
+ return -EFAULT;
+
+ buf[cnt] = 0;
++ cmp = strstrip(buf);
+
+ if (strncmp(buf, "NO_", 3) == 0) {
+ neg = 1;
+@@ -762,9 +763,7 @@ sched_feat_write(struct file *filp, cons
+ }
+
+ for (i = 0; sched_feat_names[i]; i++) {
+- int len = strlen(sched_feat_names[i]);
+-
+- if (strncmp(cmp, sched_feat_names[i], len) == 0) {
++ if (strcmp(cmp, sched_feat_names[i]) == 0) {
+ if (neg)
+ sysctl_sched_features &= ~(1UL << i);
+ else
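Review bot: In the queued kernel/sched.c change, the `NO_` prefix test in the hunk at -755 still reads `buf` even though the line above now sets `cmp = strstrip(buf);`. Input with leading whitespace therefore has that whitespace skipped for the name match but is never recognised as a negation, and presumably falls through to the no-match path. Using the stripped pointer for both checks, `if (strncmp(cmp, "NO_", 3) == 0) {`, keeps them consistent. The body of that `if` and the bound on `cnt` before `buf[cnt] = 0;` both lie outside the visible hunks, so it is worth confirming that `cnt` is clamped below the 64-byte `buf`.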