From: Greg Kroah-Hartman
Date: Sun, 13 Oct 2013 21:49:41 +0000 (-0700)
Subject: delete kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch from 3.0, 3...
X-Git-Tag: v3.0.100~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be4e50c17144c5d8d218a2149f37cd946f1bb961;p=thirdparty%2Fkernel%2Fstable-queue.git

delete kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch from 3.0, 3.4, and 3.10
---
diff --git a/queue-3.0/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch b/queue-3.0/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
deleted file mode 100644
index 756c4a65761..00000000000
--- a/queue-3.0/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001
-From: Tetsuo Handa
-Date: Mon, 30 Sep 2013 13:45:08 -0700
-Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec()
-
-From: Tetsuo Handa
-
-commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
-
-If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
-dereference happens upon core dump because argv_split("") returns
-argv[0] == NULL.
-
-This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
-subprocess_info->path != NULL") but was by error reintroduced by commit
-7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
-
-This bug seems to exist since 2.6.19 (the version which core dump to
-pipe was added). Depending on kernel version and config, some side
-effect might happen immediately after this oops (e.g. kernel panic with
-2.6.32-358.18.1.el6).
-
-Signed-off-by: Tetsuo Handa
-Acked-by: Oleg Nesterov
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
----
- kernel/kmod.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -420,6 +420,10 @@ int call_usermodehelper_exec(struct subp
- DECLARE_COMPLETION_ONSTACK(done);
- int retval = 0;
-
-+ if (!sub_info->path) {
-+ call_usermodehelper_freeinfo(sub_info);
-+ return -EINVAL;
-+ }
- helper_lock();
- if (!sub_info->path) {
- retval = -EINVAL;
diff --git a/queue-3.0/series b/queue-3.0/series
index 537ac7ea2fb..f3b1d38a4ee 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -25,7 +25,6 @@ sparc64-remove-rwsem-export-leftovers.patch
 sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch
 sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
 sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
-kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
 usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
 rtlwifi-align-private-space-in-rtl_priv-struct.patch
 p54usb-add-usb-id-for-corega-wlusb2gtst-usb-adapter.patch
diff --git a/queue-3.10/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch b/queue-3.10/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
deleted file mode 100644
index 9de201bd419..00000000000
--- a/queue-3.10/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001
-From: Tetsuo Handa
-Date: Mon, 30 Sep 2013 13:45:08 -0700
-Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec()
-
-From: Tetsuo Handa
-
-commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
-
-If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
-dereference happens upon core dump because argv_split("") returns
-argv[0] == NULL.
-
-This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
-subprocess_info->path != NULL") but was by error reintroduced by commit
-7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
-
-This bug seems to exist since 2.6.19 (the version which core dump to
-pipe was added). Depending on kernel version and config, some side
-effect might happen immediately after this oops (e.g. kernel panic with
-2.6.32-358.18.1.el6).
-
-Signed-off-by: Tetsuo Handa
-Acked-by: Oleg Nesterov
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
----
- kernel/kmod.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -568,6 +568,10 @@ int call_usermodehelper_exec(struct subp
- DECLARE_COMPLETION_ONSTACK(done);
- int retval = 0;
-
-+ if (!sub_info->path) {
-+ call_usermodehelper_freeinfo(sub_info);
-+ return -EINVAL;
-+ }
- helper_lock();
- if (!sub_info->path) {
- retval = -EINVAL;
diff --git a/queue-3.10/series b/queue-3.10/series
index b99eb37fc42..c42a778b5f0 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -74,7 +74,6 @@ sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
 sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
 mm-fix-generic-hugetlb-pte-check-return-type.patch
 mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch
-kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
 staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch
 nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch
 mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch
diff --git a/queue-3.4/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch b/queue-3.4/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
deleted file mode 100644
index 1067c514c17..00000000000
--- a/queue-3.4/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001
-From: Tetsuo Handa
-Date: Mon, 30 Sep 2013 13:45:08 -0700
-Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec()
-
-From: Tetsuo Handa
-
-commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
-
-If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
-dereference happens upon core dump because argv_split("") returns
-argv[0] == NULL.
-
-This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
-subprocess_info->path != NULL") but was by error reintroduced by commit
-7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
-
-This bug seems to exist since 2.6.19 (the version which core dump to
-pipe was added). Depending on kernel version and config, some side
-effect might happen immediately after this oops (e.g. kernel panic with
-2.6.32-358.18.1.el6).
-
-Signed-off-by: Tetsuo Handa
-Acked-by: Oleg Nesterov
-Signed-off-by: Andrew Morton
-Signed-off-by: Linus Torvalds
-Signed-off-by: Greg Kroah-Hartman
-
----
- kernel/kmod.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/kernel/kmod.c
-+++ b/kernel/kmod.c
-@@ -540,6 +540,10 @@ int call_usermodehelper_exec(struct subp
- DECLARE_COMPLETION_ONSTACK(done);
- int retval = 0;
-
-+ if (!sub_info->path) {
-+ call_usermodehelper_freeinfo(sub_info);
-+ return -EINVAL;
-+ }
- helper_lock();
- if (!sub_info->path) {
- retval = -EINVAL;
diff --git a/queue-3.4/series b/queue-3.4/series
index af9fd99cad3..9c0394565cb 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -30,7 +30,6 @@ sparc64-remove-rwsem-export-leftovers.patch
 sparc64-fix-off-by-one-in-trampoline-tlb-mapping.patch
 sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
 sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
-kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
 usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
 ib_srpt-destroy-cm_id-before-destroying-qp.patch
 ib_srpt-always-set-response-for-task-management.patch