From: Greg Kroah-Hartman Date: Fri, 17 Apr 2015 13:20:33 +0000 (+0200) Subject: 3.10-stable patches X-Git-Tag: v3.10.75~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d20f1dc692551489decd520f55ff791c554cdcaf;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: console-fix-console-name-size-mismatch.patch pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
---
diff --git a/queue-3.10/console-fix-console-name-size-mismatch.patch b/queue-3.10/console-fix-console-name-size-mismatch.patch
new file mode 100644
index 00000000000..0dcdf8bf1e6
--- /dev/null
+++ b/queue-3.10/console-fix-console-name-size-mismatch.patch
@@ -0,0 +1,43 @@
+From 30a22c215a0007603ffc08021f2e8b64018517dd Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Sun, 1 Mar 2015 10:11:05 -0500
+Subject: console: Fix console name size mismatch
+
+From: Peter Hurley
+
+commit 30a22c215a0007603ffc08021f2e8b64018517dd upstream.
+
+commit 6ae9200f2cab7 ("enlarge console.name") increased the storage
+for the console name to 16 bytes, but not the corresponding
+struct console_cmdline::name storage. Console names longer than
+8 bytes cause read beyond end-of-string and failure to match
+console; I'm not sure if there are other unexpected consequences.
+
+Signed-off-by: Peter Hurley
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ kernel/printk.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/kernel/printk.c
++++ b/kernel/printk.c
+@@ -107,7 +107,7 @@ static struct console *exclusive_console
+ */
+ struct console_cmdline
+ {
+- char name[8]; /* Name of the driver */
++ char name[16]; /* Name of the driver */
+ int index; /* Minor dev. to use */
+ char *options; /* Options for the driver */
+ #ifdef CONFIG_A11Y_BRAILLE_CONSOLE
+@@ -2290,6 +2290,8 @@ void register_console(struct console *ne
+ */
+ for (i = 0; i < MAX_CMDLINECONSOLES && console_cmdline[i].name[0];
+ i++) {
++ BUILD_BUG_ON(sizeof(console_cmdline[i].name) !=
++ sizeof(newcon->name));
+ if (strcmp(console_cmdline[i].name, newcon->name) != 0)
+ continue;
+ if (newcon->index >= 0 &&
diff --git a/queue-3.10/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch b/queue-3.10/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
new file mode 100644
index 00000000000..7fa452e02fe
--- /dev/null
+++ b/queue-3.10/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
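Review bot: In the kernel/printk.c change carried by console-fix-console-name-size-mismatch.patch, the `BUILD_BUG_ON` sits inside the `for` loop of `register_console()` although it is a compile-time invariant that does not depend on `i`, so it reads like a per-entry runtime check. It would be clearer at the top of the function, with a comment such as `/* console_cmdline.name must be as large as console.name, or long console names never match */`; sizing both arrays from one shared constant would keep the two definitions from drifting apart again. Only part of `register_console()` is visible here, and the code that fills `console_cmdline[i].name` is not shown at all, so it should be confirmed that it truncates and NUL-terminates against the new 16-byte size, since the `strcmp()` below depends on that.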
@@ -0,0 +1,55 @@
+From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Mon, 9 Mar 2015 23:11:12 +0200
+Subject: pagemap: do not leak physical addresses to non-privileged userspace
+
+From: "Kirill A. Shutemov"
+
+commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream.
+
+As pointed by recent post[1] on exploiting DRAM physical imperfection,
+/proc/PID/pagemap exposes sensitive information which can be used to do
+attacks.
+
+This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
+
+[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+
+[ Eventually we might want to do anything more finegrained, but for now
+ this is the simple model. - Linus ]
+
+Signed-off-by: Kirill A. Shutemov
+Acked-by: Konstantin Khlebnikov
+Acked-by: Andy Lutomirski
+Cc: Pavel Emelyanov
+Cc: Andrew Morton
+Cc: Mark Seaborn
+Signed-off-by: Linus Torvalds
+Signed-off-by: mancha security
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/task_mmu.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1110,9 +1110,19 @@ out:
+ return ret;
+ }
+
++static int pagemap_open(struct inode *inode, struct file *file)
++{
++ /* do not disclose physical addresses to unprivileged
++ userspace (closes a rowhammer attack vector) */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
++ return 0;
++}
++
+ const struct file_operations proc_pagemap_operations = {
+ .llseek = mem_lseek, /* borrow this */
+ .read = pagemap_read,
++ .open = pagemap_open,
+ };
+ #endif /* CONFIG_PROC_PAGE_MONITOR */
+
diff --git a/queue-3.10/series b/queue-3.10/series
index d90890eafba..c6ffda72d19 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
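Review bot: The comment in `pagemap_open()` (fs/proc/task_mmu.c) says the check "closes a rowhammer attack vector", which overstates it: refusing the open takes away one source of physical addresses for unprivileged processes but does nothing about the DRAM fault itself. I would reword it in kernel comment style, e.g. `/* Physical frame numbers are sensitive: only CAP_SYS_ADMIN may open pagemap. */`. The gate is also all-or-nothing, so an unprivileged reader loses the whole file rather than just the frame numbers, and because the capability is tested once at open, a descriptor opened by a privileged process remains readable by whoever it is later handed to. The commit message already anticipates something finer-grained; restricting only the address field on the read side would be the narrower form, but `pagemap_read()` is outside this hunk.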
@@ -30,3 +30,5 @@ net-rds-use-correct-size-for-max-unacked-packets-and-bytes.patch
 net-llc-use-correct-size-for-sysctl-timeout-entries.patch
 kernel.h-define-u8-s8-u32-etc.-limits.patch
 ib-mlx4-saturate-roce-port-pma-counters-in-case-of-overflow.patch
+console-fix-console-name-size-mismatch.patch
+pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch