From: Greg Kroah-Hartman Date: Wed, 24 Oct 2012 16:07:01 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.49~50 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e8e5432d763be7e6b40e08525e870aed4c9b17c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch revert-lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch use-clamp_t-in-uname26-fix.patch x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch --- diff --git a/queue-3.0/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch b/queue-3.0/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch new file mode 100644 index 00000000000..c023b9e55a6 --- /dev/null +++ b/queue-3.0/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch @@ -0,0 +1,63 @@ +From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 19 Oct 2012 13:56:51 -0700 +Subject: kernel/sys.c: fix stack memory content leak via UNAME26 + +From: Kees Cook + +commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream. + +Calling uname() with the UNAME26 personality set allows a leak of kernel +stack contents. This fixes it by defensively calculating the length of +copy_to_user() call, making the len argument unsigned, and initializing +the stack buffer to zero (now technically unneeded, but hey, overkill). + +CVE-2012-0957 + +Reported-by: PaX Team +Signed-off-by: Kees Cook +Cc: Andi Kleen +Cc: PaX Team +Cc: Brad Spengler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1133,15 +1133,16 @@ DECLARE_RWSEM(uts_sem); + * Work around broken programs that cannot handle "Linux 3.0". + * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 + */ +-static int override_release(char __user *release, int len) ++static int override_release(char __user *release, size_t len) + { + int ret = 0; +- char buf[65]; + + if (current->personality & UNAME26) { +- char *rest = UTS_RELEASE; ++ const char *rest = UTS_RELEASE; ++ char buf[65] = { 0 }; + int ndots = 0; + unsigned v; ++ size_t copy; + + while (*rest) { + if (*rest == '.' && ++ndots >= 3) +@@ -1151,8 +1152,9 @@ static int override_release(char __user + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- snprintf(buf, len, "2.6.%u%s", v, rest); +- ret = copy_to_user(release, buf, len); ++ copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); ++ ret = copy_to_user(release, buf, copy + 1); + } + return ret; + } diff --git a/queue-3.0/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch b/queue-3.0/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch new file mode 100644 index 00000000000..3a8121b32ae --- /dev/null +++ b/queue-3.0/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch @@ -0,0 +1,50 @@ +From cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 13 Oct 2012 00:30:28 -0400 +Subject: NLM: nlm_lookup_file() may return NLMv4-specific error codes + +From: Trond Myklebust + +commit cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 upstream. + +If the filehandle is stale, or open access is denied for some reason, +nlm_fopen() may return one of the NLMv4-specific error codes nlm4_stale_fh +or nlm4_failed. These get passed right through nlm_lookup_file(), +and so when nlmsvc_retrieve_args() calls the latter, it needs to filter +the result through the cast_status() machinery. + +Failure to do so, will trigger the BUG_ON() in encode_nlm_stat... + +Signed-off-by: Trond Myklebust +Reported-by: Larry McVoy +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/clntxdr.c | 2 +- + fs/lockd/svcproc.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/lockd/clntxdr.c ++++ b/fs/lockd/clntxdr.c +@@ -223,7 +223,7 @@ static void encode_nlm_stat(struct xdr_s + { + __be32 *p; + +- BUG_ON(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD); ++ WARN_ON_ONCE(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD); + p = xdr_reserve_space(xdr, 4); + *p = stat; + } +--- a/fs/lockd/svcproc.c ++++ b/fs/lockd/svcproc.c +@@ -67,7 +67,8 @@ nlmsvc_retrieve_args(struct svc_rqst *rq + + /* Obtain file pointer. Not used by FREE_ALL call. */ + if (filp != NULL) { +- if ((error = nlm_lookup_file(rqstp, &file, &lock->fh)) != 0) ++ error = cast_status(nlm_lookup_file(rqstp, &file, &lock->fh)); ++ if (error != 0) + goto no_locks; + *filp = file; + diff --git a/queue-3.0/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch b/queue-3.0/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch new file mode 100644 index 00000000000..ef8ff477cab --- /dev/null +++ b/queue-3.0/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch @@ -0,0 +1,31 @@ +From 44009105081b51417f311f4c3be0061870b6b8ed Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 10 Oct 2012 10:18:35 +0300 +Subject: oprofile, x86: Fix wrapping bug in op_x86_get_ctrl() + +From: Dan Carpenter + +commit 44009105081b51417f311f4c3be0061870b6b8ed upstream. + +The "event" variable is a u16 so the shift will always wrap to zero +making the line a no-op. + +Signed-off-by: Dan Carpenter +Signed-off-by: Robert Richter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/oprofile/nmi_int.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/oprofile/nmi_int.c ++++ b/arch/x86/oprofile/nmi_int.c +@@ -55,7 +55,7 @@ u64 op_x86_get_ctrl(struct op_x86_model_ + val |= counter_config->extra; + event &= model->event_mask ? model->event_mask : 0xFF; + val |= event & 0xFF; +- val |= (event & 0x0F00) << 24; ++ val |= (u64)(event & 0x0F00) << 24; + + return val; + } diff --git a/queue-3.0/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch b/queue-3.0/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch new file mode 100644 index 00000000000..5b4162fa81e --- /dev/null +++ b/queue-3.0/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch @@ -0,0 +1,49 @@ +From fdc858a466b738d35d3492bc7cf77b1dac98bf7c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 30 Apr 2012 13:50:56 +0000 +Subject: pcmcia: sharpsl: don't discard sharpsl_pcmcia_ops + +From: Arnd Bergmann + +commit fdc858a466b738d35d3492bc7cf77b1dac98bf7c upstream. + +The sharpsl_pcmcia_ops structure gets passed into +sa11xx_drv_pcmcia_probe, where it gets accessed at run-time, +unlike all other pcmcia drivers that pass their structures +into platform_device_add_data, which makes a copy. + +This means the gcc warning is valid and the structure +must not be marked as __initdata. + +Without this patch, building collie_defconfig results in: + +drivers/pcmcia/pxa2xx_sharpsl.c:22:31: fatal error: mach-pxa/hardware.h: No such file or directory +compilation terminated. +make[3]: *** [drivers/pcmcia/pxa2xx_sharpsl.o] Error 1 +make[2]: *** [drivers/pcmcia] Error 2 +make[1]: *** [drivers] Error 2 +make: *** [sub-make] Error 2 + +Signed-off-by: Arnd Bergmann +Cc: Dominik Brodowski +Cc: Russell King +Cc: Pavel Machek +Cc: linux-pcmcia@lists.infradead.org +Cc: Jochen Friedrich +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pcmcia/pxa2xx_sharpsl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pcmcia/pxa2xx_sharpsl.c ++++ b/drivers/pcmcia/pxa2xx_sharpsl.c +@@ -222,7 +222,7 @@ static void sharpsl_pcmcia_socket_suspen + sharpsl_pcmcia_init_reset(skt); + } + +-static struct pcmcia_low_level sharpsl_pcmcia_ops __initdata = { ++static struct pcmcia_low_level sharpsl_pcmcia_ops = { + .owner = THIS_MODULE, + .hw_init = sharpsl_pcmcia_hw_init, + .hw_shutdown = sharpsl_pcmcia_hw_shutdown, diff --git a/queue-3.0/revert-lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch b/queue-3.0/revert-lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch new file mode 100644 index 00000000000..64ac0713c59 --- /dev/null +++ b/queue-3.0/revert-lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch @@ -0,0 +1,49 @@ +From 12d63702c53bc2230dfc997e91ca891f39cb6446 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 18 Sep 2012 13:37:18 +0400 +Subject: Revert: lockd: use rpc client's cl_nodename for id encoding + +From: Greg Kroah-Hartman + +This reverts 12d63702c53bc2230dfc997e91ca891f39cb6446 which was commit +303a7ce92064c285a04c870f2dc0192fdb2968cb upstream. + +Taking hostname from uts namespace if not safe, because this cuold be +performind during umount operation on child reaper death. And in this case +current->nsproxy is NULL already. + +Cc: Stanislav Kinsbursky +Cc: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/mon.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/lockd/mon.c ++++ b/fs/lockd/mon.c +@@ -40,7 +40,6 @@ struct nsm_args { + u32 proc; + + char *mon_name; +- char *nodename; + }; + + struct nsm_res { +@@ -94,7 +93,6 @@ static int nsm_mon_unmon(struct nsm_hand + .vers = 3, + .proc = NLMPROC_NSM_NOTIFY, + .mon_name = nsm->sm_mon_name, +- .nodename = utsname()->nodename, + }; + struct rpc_message msg = { + .rpc_argp = &args, +@@ -431,7 +429,7 @@ static void encode_my_id(struct xdr_stre + { + __be32 *p; + +- encode_nsm_string(xdr, argp->nodename); ++ encode_nsm_string(xdr, utsname()->nodename); + p = xdr_reserve_space(xdr, 4 + 4 + 4); + *p++ = cpu_to_be32(argp->prog); + *p++ = cpu_to_be32(argp->vers); diff --git a/queue-3.0/series b/queue-3.0/series index 5b4899088e2..d16e23a9d10 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -1 +1,9 @@ arch-tile-avoid-generating-.eh_frame-information-in-modules.patch +nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch +oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch +sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch +revert-lockd-use-rpc-client-s-cl_nodename-for-id-encoding.patch +pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch +kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch +use-clamp_t-in-uname26-fix.patch +x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch diff --git a/queue-3.0/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch b/queue-3.0/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch new file mode 100644 index 00000000000..4bddb9c3c05 --- /dev/null +++ b/queue-3.0/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch @@ -0,0 +1,54 @@ +From 212ba90696ab4884e2025b0b13726d67aadc2cd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jul 2012 00:01:26 +0200 +Subject: SUNRPC: Prevent kernel stack corruption on long values of flush + +From: Sasha Levin + +commit 212ba90696ab4884e2025b0b13726d67aadc2cd4 upstream. + +The buffer size in read_flush() is too small for the longest possible values +for it. This can lead to a kernel stack corruption: + +[ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4 +[ 43.047329] +[ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221 +[ 43.050038] Call Trace: +[ 43.050435] [] panic+0xcd/0x1f4 +[ 43.050931] [] ? read_flush.isra.7+0xe4/0x100 +[ 43.051602] [] __stack_chk_fail+0x16/0x20 +[ 43.052206] [] read_flush.isra.7+0xe4/0x100 +[ 43.052951] [] ? read_flush_pipefs+0x30/0x30 +[ 43.053594] [] read_flush_procfs+0x2c/0x30 +[ 43.053596] [] proc_reg_read+0x9c/0xd0 +[ 43.053596] [] ? proc_reg_write+0xd0/0xd0 +[ 43.053596] [] do_loop_readv_writev+0x4b/0x90 +[ 43.053596] [] do_readv_writev+0xf6/0x1d0 +[ 43.053596] [] vfs_readv+0x3e/0x60 +[ 43.053596] [] sys_readv+0x48/0xb0 +[ 43.053596] [] system_call_fastpath+0x1a/0x1f + +Signed-off-by: Sasha Levin +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1404,11 +1404,11 @@ static ssize_t read_flush(struct file *f + size_t count, loff_t *ppos, + struct cache_detail *cd) + { +- char tbuf[20]; ++ char tbuf[22]; + unsigned long p = *ppos; + size_t len; + +- sprintf(tbuf, "%lu\n", convert_to_wallclock(cd->flush_time)); ++ snprintf(tbuf, sizeof(tbuf), "%lu\n", convert_to_wallclock(cd->flush_time)); + len = strlen(tbuf); + if (p >= len) + return 0; diff --git a/queue-3.0/use-clamp_t-in-uname26-fix.patch b/queue-3.0/use-clamp_t-in-uname26-fix.patch new file mode 100644 index 00000000000..d1dfcc40372 --- /dev/null +++ b/queue-3.0/use-clamp_t-in-uname26-fix.patch @@ -0,0 +1,35 @@ +From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 19 Oct 2012 18:45:53 -0700 +Subject: use clamp_t in UNAME26 fix + +From: Kees Cook + +commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream. + +The min/max call needed to have explicit types on some architectures +(e.g. mn10300). Use clamp_t instead to avoid the warning: + + kernel/sys.c: In function 'override_release': + kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default] + +Reported-by: Fengguang Wu +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1152,7 +1152,7 @@ static int override_release(char __user + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = clamp_t(size_t, len, 1, sizeof(buf)); + copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); + ret = copy_to_user(release, buf, copy + 1); + } diff --git a/queue-3.0/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch b/queue-3.0/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch new file mode 100644 index 00000000000..fdccfa12832 --- /dev/null +++ b/queue-3.0/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch @@ -0,0 +1,52 @@ +From 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a Mon Sep 17 00:00:00 2001 +From: Jacob Shin +Date: Thu, 20 Oct 2011 16:15:26 -0500 +Subject: x86: Exclude E820_RESERVED regions and memory holes above 4 GB from direct mapping. + +From: Jacob Shin + +commit 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a upstream. + +On systems with very large memory (1 TB in our case), BIOS may report a +reserved region or a hole in the E820 map, even above the 4 GB range. Exclude +these from the direct mapping. + +[ hpa: this should be done not just for > 4 GB but for everything above the legacy + region (1 MB), at the very least. That, however, turns out to require significant + restructuring. That work is well underway, but is not suitable for rc/stable. ] + +Signed-off-by: Jacob Shin +Link: http://lkml.kernel.org/r/1319145326-13902-1-git-send-email-jacob.shin@amd.com +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -937,8 +937,21 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_X86_64 + if (max_pfn > max_low_pfn) { +- max_pfn_mapped = init_memory_mapping(1UL<<32, +- max_pfn<addr + ei->size <= 1UL << 32) ++ continue; ++ ++ if (ei->type == E820_RESERVED) ++ continue; ++ ++ max_pfn_mapped = init_memory_mapping( ++ ei->addr < 1UL << 32 ? 1UL << 32 : ei->addr, ++ ei->addr + ei->size); ++ } ++ + /* can we preseve max_low_pfn ?*/ + max_low_pfn = max_pfn; + }