From: Greg Kroah-Hartman
Date: Mon, 22 Nov 2010 22:08:19 +0000 (-0800)
Subject: .33 stuff
X-Git-Tag: v2.6.27.57~74
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a28f5099ceb9d64033cafa61f972cfc1b16addfa;p=thirdparty%2Fkernel%2Fstable-queue.git
.33 stuff
---
diff --git a/queue-2.6.33/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch b/queue-2.6.33/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
new file mode 100644
index 00000000000..afcd9409b16
--- /dev/null
+++ b/queue-2.6.33/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
@@ -0,0 +1,31 @@
+From 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Fri, 29 Oct 2010 08:10:18 -0600
+Subject: block: check for proper length of iov entries in blk_rq_map_user_iov()
+
+From: Jens Axboe
+
+commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream.
+
+Ensure that we pass down properly validated iov segments before
+calling into the mapping or copy functions.
+
+Reported-by: Dan Rosenberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_q
+ unaligned = 1;
+ break;
+ }
++ if (!iov[i].iov_len)
++ return -EINVAL;
+ }
+
+ if (unaligned || (q->dma_pad_mask & len) || map_data)
diff --git a/queue-2.6.33/block-ensure-physical-block-size-is-unsigned-int.patch b/queue-2.6.33/block-ensure-physical-block-size-is-unsigned-int.patch
new file mode 100644
index 00000000000..d905b3e0a04
--- /dev/null
+++ b/queue-2.6.33/block-ensure-physical-block-size-is-unsigned-int.patch
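Review bot: The new `if (!iov[i].iov_len) return -EINVAL;` sits after the `break;` in the branch that sets `unaligned = 1`, so as soon as one entry trips the alignment test the loop exits and the lengths of that entry and of every later entry are never examined; a zero-length segment can therefore still reach the copy path chosen by `if (unaligned || ...)` on the hunk's last context line, which is exactly what the commit message says it wants to prevent. Move the length test to the top of the loop body and replace `break;` with plain `unaligned = 1;` so the loop runs over all `iov_count` entries regardless of alignment. The enclosing for-loop header and the rest of `blk_rq_map_user_iov` are outside the hunk, so this reading is from the visible lines only.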
@@ -0,0 +1,54 @@
+From 892b6f90db81cccb723d5d92f4fddc2d68b206e1 Mon Sep 17 00:00:00 2001
+From: Martin K. Petersen
+Date: Wed, 13 Oct 2010 21:18:03 +0200
+Subject: block: Ensure physical block size is unsigned int
+
+From: Martin K. Petersen
+
+commit 892b6f90db81cccb723d5d92f4fddc2d68b206e1 upstream.
+
+Physical block size was declared unsigned int to accomodate the maximum
+size reported by READ CAPACITY(16). Make sure we use the right type in
+the related functions.
+
+Signed-off-by: Martin K. Petersen
+Acked-by: Mike Snitzer
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-settings.c | 2 +-
+ include/linux/blkdev.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -356,7 +356,7 @@ EXPORT_SYMBOL(blk_queue_logical_block_si
+ * hardware can operate on without reverting to read-modify-write
+ * operations.
+ */
+-void blk_queue_physical_block_size(struct request_queue *q, unsigned short size)
++void blk_queue_physical_block_size(struct request_queue *q, unsigned int size)
+ {
+ q->limits.physical_block_size = size;
+
+--- a/include/linux/blkdev.h
++++ b/include/linux/blkdev.h
+@@ -926,7 +926,7 @@ extern void blk_queue_max_segment_size(s
+ extern void blk_queue_max_discard_sectors(struct request_queue *q,
+ unsigned int max_discard_sectors);
+ extern void blk_queue_logical_block_size(struct request_queue *, unsigned short);
+-extern void blk_queue_physical_block_size(struct request_queue *, unsigned short);
++extern void blk_queue_physical_block_size(struct request_queue *, unsigned int);
+ extern void blk_queue_alignment_offset(struct request_queue *q,
+ unsigned int alignment);
+ extern void blk_limits_io_min(struct queue_limits *limits, unsigned int min);
+@@ -1077,7 +1077,7 @@ static inline unsigned int queue_physica
+ return q->limits.physical_block_size;
+ }
+
+-static inline int bdev_physical_block_size(struct block_device *bdev)
++static inline unsigned int bdev_physical_block_size(struct block_device *bdev)
+ {
+ return queue_physical_block_size(bdev_get_queue(bdev));
+ }
diff --git a/queue-2.6.33/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch b/queue-2.6.33/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
new file mode 100644
index 00000000000..74ec6b0b442
--- /dev/null
+++ b/queue-2.6.33/block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
@@ -0,0 +1,43 @@
+From f3f63c1c28bc861a931fac283b5bc3585efb8967 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Fri, 29 Oct 2010 11:46:56 -0600
+Subject: block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
+
+From: Jens Axboe
+
+commit f3f63c1c28bc861a931fac283b5bc3585efb8967 upstream.
+
+Reported-by: Dan Rosenberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/bio.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/bio.c
++++ b/fs/bio.c
+@@ -371,6 +371,9 @@ struct bio *bio_kmalloc(gfp_t gfp_mask,
+ {
+ struct bio *bio;
+
++ if (nr_iovecs > UIO_MAXIOV)
++ return NULL;
++
+ bio = kmalloc(sizeof(struct bio) + nr_iovecs * sizeof(struct bio_vec),
+ gfp_mask);
+ if (unlikely(!bio))
+@@ -701,8 +704,12 @@ static void bio_free_map_data(struct bio
+ static struct bio_map_data *bio_alloc_map_data(int nr_segs, int iov_count,
+ gfp_t gfp_mask)
+ {
+- struct bio_map_data *bmd = kmalloc(sizeof(*bmd), gfp_mask);
++ struct bio_map_data *bmd;
++
++ if (iov_count > UIO_MAXIOV)
++ return NULL;
+
++ bmd = kmalloc(sizeof(*bmd), gfp_mask);
+ if (!bmd)
+ return NULL;
+
diff --git a/queue-2.6.33/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch b/queue-2.6.33/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
new file mode 100644
index 00000000000..b1a85151c53
--- /dev/null
+++ b/queue-2.6.33/block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
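Review bot: The new bounds in fs/bio.c are one-sided: `bio_alloc_map_data` declares `iov_count` as a signed `int` (visible in its signature), so a negative count passes `iov_count > UIO_MAXIOV` and flows into whatever allocation sizing follows below the hunk; `nr_iovecs` in `bio_kmalloc` appears to be the same shape (its parameter list is cut off, so confirm), and there `sizeof(struct bio) + nr_iovecs * sizeof(struct bio_vec)` wraps to a small `size_t` for a negative value, yielding an undersized `struct bio`. Whether any caller can pass a negative count is not visible here, but the closed guard is cheap: `if (iov_count < 0 || iov_count > UIO_MAXIOV) return NULL;` and likewise `if (nr_iovecs < 0 || nr_iovecs > UIO_MAXIOV) return NULL;`, or compare through an unsigned cast. `nr_segs` receives no bound at all in this change; if it also sizes an allocation in the body below, the same limit belongs on it. Both functions continue past the hunk.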
@@ -0,0 +1,77 @@
+From 9f864c80913467312c7b8690e41fb5ebd1b50e92 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Fri, 29 Oct 2010 11:31:42 -0600
+Subject: block: take care not to overflow when calculating total iov length
+
+From: Jens Axboe
+
+commit 9f864c80913467312c7b8690e41fb5ebd1b50e92 upstream.
+
+Reported-by: Dan Rosenberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/scsi_ioctl.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+--- a/block/scsi_ioctl.c
++++ b/block/scsi_ioctl.c
+@@ -321,33 +321,47 @@ static int sg_io(struct request_queue *q
+ if (hdr->iovec_count) {
+ const int size = sizeof(struct sg_iovec) * hdr->iovec_count;
+ size_t iov_data_len;
+- struct sg_iovec *iov;
++ struct sg_iovec *sg_iov;
++ struct iovec *iov;
++ int i;
+
+- iov = kmalloc(size, GFP_KERNEL);
+- if (!iov) {
++ sg_iov = kmalloc(size, GFP_KERNEL);
++ if (!sg_iov) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+- if (copy_from_user(iov, hdr->dxferp, size)) {
+- kfree(iov);
++ if (copy_from_user(sg_iov, hdr->dxferp, size)) {
++ kfree(sg_iov);
+ ret = -EFAULT;
+ goto out;
+ }
+
++ /*
++ * Sum up the vecs, making sure they don't overflow
++ */
++ iov = (struct iovec *) sg_iov;
++ iov_data_len = 0;
++ for (i = 0; i < hdr->iovec_count; i++) {
++ if (iov_data_len + iov[i].iov_len < iov_data_len) {
++ kfree(sg_iov);
++ ret = -EINVAL;
++ goto out;
++ }
++ iov_data_len += iov[i].iov_len;
++ }
++
+ /* SG_IO howto says that the shorter of the two wins */
+- iov_data_len = iov_length((struct iovec *)iov,
+- hdr->iovec_count);
+ if (hdr->dxfer_len < iov_data_len) {
+- hdr->iovec_count = iov_shorten((struct iovec *)iov,
++ hdr->iovec_count = iov_shorten(iov,
+ hdr->iovec_count,
+ hdr->dxfer_len);
+ iov_data_len = hdr->dxfer_len;
+ }
+
+- ret = blk_rq_map_user_iov(q, rq, NULL, iov, hdr->iovec_count,
++ ret = blk_rq_map_user_iov(q, rq, NULL, sg_iov, hdr->iovec_count,
+ iov_data_len, GFP_KERNEL);
+- kfree(iov);
++ kfree(sg_iov);
+ } else if (hdr->dxfer_len)
+ ret = blk_rq_map_user(q, rq, NULL, hdr->dxferp, hdr->dxfer_len,
+ GFP_KERNEL);
diff --git a/queue-2.6.33/irda-fix-heap-memory-corruption-in-iriap.c.patch b/queue-2.6.33/irda-fix-heap-memory-corruption-in-iriap.c.patch
new file mode 100644
index 00000000000..46270812efd
--- /dev/null
+++ b/queue-2.6.33/irda-fix-heap-memory-corruption-in-iriap.c.patch
@@ -0,0 +1,32 @@
+From 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz
+Date: Wed, 6 Oct 2010 01:03:12 +0200
+Subject: irda: Fix heap memory corruption in iriap.c
+
+From: Samuel Ortiz
+
+commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.
+
+While parsing the GetValuebyClass command frame, we could potentially write
+passed the skb->data pointer.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/irda/iriap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/irda/iriap.c
++++ b/net/irda/iriap.c
+@@ -501,7 +501,8 @@ static void iriap_getvaluebyclass_confir
+ IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len);
+
+ /* Make sure the string is null-terminated */
+- fp[n+value_len] = 0x00;
++ if (n + value_len < skb->len)
++ fp[n + value_len] = 0x00;
+ IRDA_DEBUG(4, "Got string %s\n", fp+n);
+
+ /* Will truncate to IAS_MAX_STRING bytes */
diff --git a/queue-2.6.33/irda-fix-parameter-extraction-stack-overflow.patch b/queue-2.6.33/irda-fix-parameter-extraction-stack-overflow.patch
new file mode 100644
index 00000000000..44c4b787fd6
--- /dev/null
+++ b/queue-2.6.33/irda-fix-parameter-extraction-stack-overflow.patch
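Review bot: The `kfree(sg_iov); ret = -EINVAL; goto out;` sequence added inside the summing loop is the second copy of the same unwind in this block (the `-EFAULT` path above it does the same), and the success path frees a third time after `blk_rq_map_user_iov`; an `out_free:` label that frees `sg_iov` before falling into `out`, or a single `kfree(sg_iov)` after the mapping call reached by every exit, would keep one cleanup path and make the next error return harder to get wrong. The wrap test `iov_data_len + iov[i].iov_len < iov_data_len` is sound only because `iov_data_len` is `size_t` and `iov_len` is, as far as I know, unsigned as well; a one-line comment such as `/* both sides unsigned: relies on size_t wrap, not signed overflow */` would stop a later type change from silently turning it into undefined behaviour. `sg_io` begins before and ends after the hunk, so the existing `out` label is not visible.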
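Review bot: When `n + value_len < skb->len` is false the string is left unterminated but still handed on: the very next line, `IRDA_DEBUG(4, "Got string %s\n", fp+n);`, formats it with `%s`, and the code after the `/* Will truncate to IAS_MAX_STRING bytes */` comment (outside the hunk) presumably consumes `fp+n` as a C string too, so a frame whose `value_len` runs past the skb still produces an over-read in place of the write the commit removes. A declared value length that does not fit in the frame is malformed input and should be dropped rather than partially processed, e.g. `if (n + value_len >= skb->len) { IRDA_DEBUG(4, "%s(), string overruns frame\n", __func__); return; }` ahead of the terminator write; how to leave this branch cleanly depends on the surrounding switch, which is not visible. `iriap_getvaluebyclass_confirm` begins and ends outside the hunk.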
@@ -0,0 +1,37 @@
+From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz
+Date: Mon, 11 Oct 2010 01:17:56 +0200
+Subject: irda: Fix parameter extraction stack overflow
+
+From: Samuel Ortiz
+
+commit efc463eb508798da4243625b08c7396462cabf9f upstream.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/irda/parameters.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/irda/parameters.c
++++ b/net/irda/parameters.c
+@@ -298,6 +298,8 @@ static int irda_extract_string(void *sel
+
+ p.pi = pi; /* In case handler needs to know */
+ p.pl = buf[1]; /* Extract length of value */
++ if (p.pl > 32)
++ p.pl = 32;
+
+ IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
+ p.pi, p.pl);
+@@ -318,7 +320,7 @@ static int irda_extract_string(void *sel
+ (__u8) str[0], (__u8) str[1]);
+
+ /* Null terminate string */
+- str[p.pl+1] = '\0';
++ str[p.pl] = '\0';
+
+ p.pv.c = str; /* Handler will need to take a copy */
+
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 9a038c645a2..bd86dc1c36b 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -95,3 +95,9 @@ libsas-fix-ncq-mixing-with-non-ncq.patch
 gdth-integer-overflow-in-ioctl.patch
 fix-race-when-removing-scsi-devices.patch
 fix-regressions-in-scsi_internal_device_block.patch
+block-ensure-physical-block-size-is-unsigned-int.patch
+block-limit-vec-count-in-bio_kmalloc-and-bio_alloc_map_data.patch
+block-take-care-not-to-overflow-when-calculating-total-iov-length.patch
+block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
+irda-fix-parameter-extraction-stack-overflow.patch
+irda-fix-heap-memory-corruption-in-iriap.c.patch
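Review bot: Clamping with `if (p.pl > 32) p.pl = 32;` silently rewrites the parameter's length instead of rejecting it, and `p.pl` is also what this extractor appears to report to its caller as the number of bytes consumed (the return statement is outside the hunk — confirm), so a string parameter longer than 32 bytes is now copied safely but leaves the caller's parsing cursor in the middle of the value, mis-parsing every parameter after it. Preferable is to reject up front, `if (p.pl > sizeof(str) - 1) return -1;` (assuming `str` is the fixed local array the second hunk indexes), or to keep the original length for the return value and clamp only the copy length. The literal 32 also duplicates whatever size `str` is declared with; tying it to `sizeof(str) - 1` or a named constant keeps the two from drifting apart. `irda_extract_string` starts before and ends after the hunk.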