From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 7 Sep 2012 17:30:28 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.5.4~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d8292bf69a852a447466d61d7820e6798809b0ca;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
	fix-order-of-arguments-to-compat_put_time.patch
---

diff --git a/queue-3.4/fix-order-of-arguments-to-compat_put_time.patch b/queue-3.4/fix-order-of-arguments-to-compat_put_time.patch
new file mode 100644
index 00000000000..97c0dbab7d5
--- /dev/null
+++ b/queue-3.4/fix-order-of-arguments-to-compat_put_time.patch
@@ -0,0 +1,51 @@
+From ed6fe9d614fc1bca95eb8c0ccd0e92db00ef9d5d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sat, 1 Sep 2012 12:34:07 -0400
+Subject: Fix order of arguments to compat_put_time[spec|val]
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit ed6fe9d614fc1bca95eb8c0ccd0e92db00ef9d5d upstream.
+
+Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in
+net/socket.c") introduced a bug where the helper functions to take
+either a 64-bit or compat time[spec|val] got the arguments in the wrong
+order, passing the kernel stack pointer off as a user pointer (and vice
+versa).
+
+Because of the user address range check, that in turn then causes an
+EFAULT due to the user pointer range checking failing for the kernel
+address.  Incorrectly resuling in a failed system call for 32-bit
+processes with a 64-bit kernel.
+
+On odder architectures like HP-PA (with separate user/kernel address
+spaces), it can be used read kernel memory.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/socket.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2605,7 +2605,7 @@ static int do_siocgstamp(struct net *net
+ 	err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv);
+ 	set_fs(old_fs);
+ 	if (!err)
+-		err = compat_put_timeval(up, &ktv);
++		err = compat_put_timeval(&ktv, up);
+ 
+ 	return err;
+ }
+@@ -2621,7 +2621,7 @@ static int do_siocgstampns(struct net *n
+ 	err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts);
+ 	set_fs(old_fs);
+ 	if (!err)
+-		err = compat_put_timespec(up, &kts);
++		err = compat_put_timespec(&kts, up);
+ 
+ 	return err;
+ }
diff --git a/queue-3.4/series b/queue-3.4/series
index 00502b5471d..3f4edf1c962 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -64,3 +64,4 @@ powerpc-fix-dscr-inheritance-in-copy_thread.patch
 powerpc-restore-correct-dscr-in-context-switch.patch
 powerpc-make-sure-ipi-handlers-see-data-written-by-ipi-senders.patch
 remove-user-triggerable-bug-from-mpol_to_str.patch
+fix-order-of-arguments-to-compat_put_time.patch