From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Thu, 1 Oct 2009 18:28:30 +0000 (-0700)
Subject: .30 patches
X-Git-Tag: v2.6.27.36~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca4664fbfd169662cd60b482f04e8283beb0f223;p=thirdparty%2Fkernel%2Fstable-queue.git

.30 patches
---

diff --git a/queue-2.6.30/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch b/queue-2.6.30/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
new file mode 100644
index 00000000000..b37247cbd9c
--- /dev/null
+++ b/queue-2.6.30/net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
@@ -0,0 +1,54 @@
+From arjan@infradead.org  Thu Oct  1 11:19:55 2009
+From: Arjan van de Ven <arjan@infradead.org>
+Date: Wed, 30 Sep 2009 13:51:11 +0200
+Subject: net ax25: Fix signed comparison in the sockopt handler
+To: davem@davemloft.net
+Cc: jakub@redhat.com, security@kernel.org, torvalds@linux-foundation.org, mingo@elte.hu, stable@kernel.org
+Message-ID: <20090930135111.64240d86@infradead.org>
+
+
+From: Arjan van de Ven <arjan@linux.intel.com>
+
+fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way
+
+The ax25 code tried to use
+
+        if (optlen < sizeof(int))
+                return -EINVAL;
+
+as a security check against optlen being negative (or zero) in the
+set socket option.
+
+Unfortunately, "sizeof(int)" is an unsigned property, with the
+result that the whole comparison is done in unsigned, letting
+negative values slip through.
+
+This patch changes this to
+
+        if (optlen < (int)sizeof(int))
+                return -EINVAL;
+
+so that the comparison is done as signed, and negative values
+get properly caught.
+
+Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ax25/af_ax25.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -539,7 +539,7 @@ static int ax25_setsockopt(struct socket
+ 	if (level != SOL_AX25)
+ 		return -ENOPROTOOPT;
+ 
+-	if (optlen < sizeof(int))
++	if (optlen < (int)sizeof(int))
+ 		return -EINVAL;
+ 
+ 	if (get_user(opt, (int __user *)optval))
diff --git a/queue-2.6.30/net-make-the-copy-length-in-af_packet-sockopt-handler-unsigned.patch b/queue-2.6.30/net-make-the-copy-length-in-af_packet-sockopt-handler-unsigned.patch
new file mode 100644
index 00000000000..b7df1aac98e
--- /dev/null
+++ b/queue-2.6.30/net-make-the-copy-length-in-af_packet-sockopt-handler-unsigned.patch
@@ -0,0 +1,48 @@
+From arjan@infradead.org  Thu Oct  1 11:22:25 2009
+From: Arjan van de Ven <arjan@infradead.org>
+Date: Wed, 30 Sep 2009 13:54:47 +0200
+Subject: net: Make the copy length in af_packet sockopt handler unsigned
+To: Arjan van de Ven <arjan@infradead.org>
+Cc: jakub@redhat.com, security@kernel.org, stable@kernel.org, mingo@elte.hu, torvalds@linux-foundation.org, davem@davemloft.net
+Message-ID: <20090930135447.19454507@infradead.org>
+
+
+From: Arjan van de Ven <arjan@linux.intel.com>
+
+fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way
+
+The length of the to-copy data structure is currently stored in
+a signed integer. However many comparisons are done with sizeof(..)
+which is unsigned. It's more suitable for this variable to be unsigned
+to make these comparisons more naturally right.
+
+Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
+Cc: David S. Miller <davem@davemloft.net>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/packet/af_packet.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -1501,7 +1501,7 @@ packet_setsockopt(struct socket *sock, i
+ static int packet_getsockopt(struct socket *sock, int level, int optname,
+ 			     char __user *optval, int __user *optlen)
+ {
+-	int len;
++	unsigned int len;
+ 	int val;
+ 	struct sock *sk = sock->sk;
+ 	struct packet_sock *po = pkt_sk(sk);
+@@ -1514,7 +1514,7 @@ static int packet_getsockopt(struct sock
+ 	if (get_user(len, optlen))
+ 		return -EFAULT;
+ 
+-	if (len < 0)
++	if ((int)len < 0)
+ 		return -EINVAL;
+ 
+ 	switch(optname)	{
diff --git a/queue-2.6.30/series b/queue-2.6.30/series
index d8485b28374..a6934b6e0da 100644
--- a/queue-2.6.30/series
+++ b/queue-2.6.30/series
@@ -15,3 +15,5 @@ kvm-guest-fix-bogus-wallclock-physical-address-calculation.patch
 kvm-fix-cpuid-e2big-handling-for-extended-request-types.patch
 revert-kvm-x86-check-for-cr3-validity-in-ioctl_set_sregs.patch
 ahci-restore-pci_intx-handling.patch
+net-ax25-fix-signed-comparison-in-the-sockopt-handler.patch
+net-make-the-copy-length-in-af_packet-sockopt-handler-unsigned.patch