From: Greg Kroah-Hartman Date: Mon, 22 Nov 2010 22:08:10 +0000 (-0800) Subject: .27 patches X-Git-Tag: v2.6.27.57~75 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c132cadd7172f80ff088107c7d9ebd1827df6d29;p=thirdparty%2Fkernel%2Fstable-queue.git .27 patches
---
diff --git a/queue-2.6.27/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch b/queue-2.6.27/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
new file mode 100644
index 00000000000..a2fc561b0c8
--- /dev/null
+++ b/queue-2.6.27/block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
@@ -0,0 +1,31 @@
+From 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Fri, 29 Oct 2010 08:10:18 -0600
+Subject: block: check for proper length of iov entries in blk_rq_map_user_iov()
+
+From: Jens Axboe
+
+commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream.
+
+Ensure that we pass down properly validated iov segments before
+calling into the mapping or copy functions.
+
+Reported-by: Dan Rosenberg
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-map.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -191,6 +191,8 @@ int blk_rq_map_user_iov(struct request_q
+ unaligned = 1;
+ break;
+ }
++ if (!iov[i].iov_len)
++ return -EINVAL;
+ }
+
+ if (unaligned || (q->dma_pad_mask & len))
diff --git a/queue-2.6.27/irda-fix-heap-memory-corruption-in-iriap.c.patch b/queue-2.6.27/irda-fix-heap-memory-corruption-in-iriap.c.patch
new file mode 100644
index 00000000000..46270812efd
--- /dev/null
+++ b/queue-2.6.27/irda-fix-heap-memory-corruption-in-iriap.c.patch
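Review bot: In the blk_rq_map_user_iov() hunk of block/blk-map.c, the new `if (!iov[i].iov_len) return -EINVAL;` sits after the `break` in the unaligned branch, so the first unaligned entry ends the loop and that entry and every later one are never length-checked. The commit message promises validated segments before the mapping or copy functions are called, yet the `unaligned` path below the loop can still be reached with a zero-length entry. Moving the length test above the alignment test and dropping the `break` (keeping `unaligned = 1;`) would cover every entry. The loop head and the code after the final `if` are outside the hunk, so whether the copy path tolerates empty segments should be confirmed there.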
@@ -0,0 +1,32 @@
+From 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz
+Date: Wed, 6 Oct 2010 01:03:12 +0200
+Subject: irda: Fix heap memory corruption in iriap.c
+
+From: Samuel Ortiz
+
+commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.
+
+While parsing the GetValuebyClass command frame, we could potentially write
+passed the skb->data pointer.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/irda/iriap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/irda/iriap.c
++++ b/net/irda/iriap.c
+@@ -501,7 +501,8 @@ static void iriap_getvaluebyclass_confir
+ IRDA_DEBUG(4, "%s(), strlen=%d\n", __func__, value_len);
+
+ /* Make sure the string is null-terminated */
+- fp[n+value_len] = 0x00;
++ if (n + value_len < skb->len)
++ fp[n + value_len] = 0x00;
+ IRDA_DEBUG(4, "Got string %s\n", fp+n);
+
+ /* Will truncate to IAS_MAX_STRING bytes */
diff --git a/queue-2.6.27/irda-fix-parameter-extraction-stack-overflow.patch b/queue-2.6.27/irda-fix-parameter-extraction-stack-overflow.patch
new file mode 100644
index 00000000000..44c4b787fd6
--- /dev/null
+++ b/queue-2.6.27/irda-fix-parameter-extraction-stack-overflow.patch
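Review bot: In the net/irda/iriap.c hunk, when `n + value_len < skb->len` is false the terminator is simply skipped, yet the next line still prints `fp+n` with `%s` and the trailing comment indicates the string is consumed afterwards, so an over-long `value_len` now leads to a read of unterminated data instead of the out-of-bounds write. The failing case should reject the frame rather than fall through, for example an early return after whatever cleanup the function requires; that cleanup cannot be written from here because the enclosing function starts and ends outside the hunk. It is also worth confirming that `n` and `value_len` have types for which the sum cannot wrap or go negative before it is compared with `skb->len`.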
@@ -0,0 +1,37 @@
+From efc463eb508798da4243625b08c7396462cabf9f Mon Sep 17 00:00:00 2001
+From: Samuel Ortiz
+Date: Mon, 11 Oct 2010 01:17:56 +0200
+Subject: irda: Fix parameter extraction stack overflow
+
+From: Samuel Ortiz
+
+commit efc463eb508798da4243625b08c7396462cabf9f upstream.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/irda/parameters.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/irda/parameters.c
++++ b/net/irda/parameters.c
+@@ -298,6 +298,8 @@ static int irda_extract_string(void *sel
+
+ p.pi = pi; /* In case handler needs to know */
+ p.pl = buf[1]; /* Extract length of value */
++ if (p.pl > 32)
++ p.pl = 32;
+
+ IRDA_DEBUG(2, "%s(), pi=%#x, pl=%d\n", __func__,
+ p.pi, p.pl);
+@@ -318,7 +320,7 @@ static int irda_extract_string(void *sel
+ (__u8) str[0], (__u8) str[1]);
+
+ /* Null terminate string */
+- str[p.pl+1] = '\0';
++ str[p.pl] = '\0';
+
+ p.pv.c = str; /* Handler will need to take a copy */
+
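Review bot: In irda_extract_string() (net/irda/parameters.c) the clamp uses a bare `32` that has to stay in step with the size of `str`, whose declaration is outside the hunk. Deriving the limit from the buffer, `if (p.pl > sizeof(str) - 1) p.pl = sizeof(str) - 1;` (assuming `str` is a local array), or using a named constant shared with the declaration, keeps the bound and the `str[p.pl] = '\0';` write tied together. Clamping silently also means the function now handles fewer bytes than the length byte in `buf[1]` announced; if the return value or the caller's offset is derived from `p.pl`, later parameters would be parsed from the wrong position, so rejecting an over-long value with an error may be the safer choice. The function body continues outside both hunks, so the return path needs checking.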