From cb0ac20f755239fabcbcdb9e0203b4e4b8dbbfb8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 26 Mar 2013 13:28:06 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
exec-use-eloop-for-max-recursion-depth.patch
i915-initialize-cadl-in-opregion.patch
isofs-avoid-info-leak-on-export.patch
key-fix-resource-leak.patch
tools-hv-netlink-source-address-validation-allows-dos.patch
udf-avoid-info-leak-on-export.patch
usb-garmin_gps-fix-memory-leak-on-disconnect.patch
usb-io_ti-fix-get_icount-for-two-port-adapters.patch
---
 ...ec-use-eloop-for-max-recursion-depth.patch | 139 ++++++++++++++++++
 .../i915-initialize-cadl-in-opregion.patch | 70 +++++++++
 .../isofs-avoid-info-leak-on-export.patch | 31 ++++
 queue-3.4/key-fix-resource-leak.patch | 36 +++++
 queue-3.4/series | 8 +
 ...source-address-validation-allows-dos.patch | 46 ++++++
 queue-3.4/udf-avoid-info-leak-on-export.patch | 31 ++++
 ...in_gps-fix-memory-leak-on-disconnect.patch | 45 ++++++
 ...fix-get_icount-for-two-port-adapters.patch | 32 ++++
 9 files changed, 438 insertions(+)
 create mode 100644 queue-3.4/exec-use-eloop-for-max-recursion-depth.patch
 create mode 100644 queue-3.4/i915-initialize-cadl-in-opregion.patch
 create mode 100644 queue-3.4/isofs-avoid-info-leak-on-export.patch
 create mode 100644 queue-3.4/key-fix-resource-leak.patch
 create mode 100644 queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch
 create mode 100644 queue-3.4/udf-avoid-info-leak-on-export.patch
 create mode 100644 queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch
 create mode 100644 queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch

diff --git a/queue-3.4/exec-use-eloop-for-max-recursion-depth.patch b/queue-3.4/exec-use-eloop-for-max-recursion-depth.patch
new file mode 100644
index 00000000000..5b528e89649
--- /dev/null
+++ b/queue-3.4/exec-use-eloop-for-max-recursion-depth.patch
@@ -0,0 +1,139 @@
+From d740269867021faf4ce38a449353d2b986c34a67 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Mon, 17 Dec 2012 16:03:20 -0800
+Subject: exec: use -ELOOP for max recursion depth
+
+From: Kees Cook
+
+commit d740269867021faf4ce38a449353d2b986c34a67 upstream.
+
+To avoid an explosion of request_module calls on a chain of abusive
+scripts, fail maximum recursion with -ELOOP instead of -ENOEXEC. As soon
+as maximum recursion depth is hit, the error will fail all the way back
+up the chain, aborting immediately.
+
+This also has the side-effect of stopping the user's shell from attempting
+to reexecute the top-level file as a shell script. As seen in the
+dash source:
+
+ if (cmd != path_bshell && errno == ENOEXEC) {
+ *argv-- = cmd;
+ *argv = cmd = path_bshell;
+ goto repeat;
+ }
+
+The above logic was designed for running scripts automatically that lacked
+the "#!" header, not to re-try failed recursion. On a legitimate -ENOEXEC,
+things continue to behave as the shell expects.
+
+Additionally, when tracking recursion, the binfmt handlers should not be
+involved. The recursion being tracked is the depth of calls through
+search_binary_handler(), so that function should be exclusively responsible
+for tracking the depth.
+
+Signed-off-by: Kees Cook
+Cc: halfdog
+Cc: P J P
+Cc: Alexander Viro
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/binfmt_em86.c | 1 -
+ fs/binfmt_misc.c | 6 ------
+ fs/binfmt_script.c | 4 +---
+ fs/exec.c | 10 +++++-----
+ include/linux/binfmts.h | 2 --
+ 5 files changed, 6 insertions(+), 17 deletions(-)
+
+--- a/fs/binfmt_em86.c
++++ b/fs/binfmt_em86.c
+@@ -42,7 +42,6 @@ static int load_em86(struct linux_binprm
+ return -ENOEXEC;
+ }
+
+- bprm->recursion_depth++; /* Well, the bang-shell is implicit... */
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+--- a/fs/binfmt_misc.c
++++ b/fs/binfmt_misc.c
+@@ -117,10 +117,6 @@ static int load_misc_binary(struct linux
+ if (!enabled)
+ goto _ret;
+
+- retval = -ENOEXEC;
+- if (bprm->recursion_depth > BINPRM_MAX_RECURSION)
+- goto _ret;
+-
+ /* to keep locking time low, we copy the interpreter string */
+ read_lock(&entries_lock);
+ fmt = check_file(bprm);
+@@ -200,8 +196,6 @@ static int load_misc_binary(struct linux
+ if (retval < 0)
+ goto _error;
+
+- bprm->recursion_depth++;
+-
+ retval = search_binary_handler (bprm, regs);
+ if (retval < 0)
+ goto _error;
+--- a/fs/binfmt_script.c
++++ b/fs/binfmt_script.c
+@@ -22,15 +22,13 @@ static int load_script(struct linux_binp
+ char interp[BINPRM_BUF_SIZE];
+ int retval;
+
+- if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!') ||
+- (bprm->recursion_depth > BINPRM_MAX_RECURSION))
++ if ((bprm->buf[0] != '#') || (bprm->buf[1] != '!'))
+ return -ENOEXEC;
+ /*
+ * This section does the #! interpretation.
+ * Sorta complicated, but hopefully it will work. -TYT
+ */
+
+- bprm->recursion_depth++;
+ allow_write_access(bprm->file);
+ fput(bprm->file);
+ bprm->file = NULL;
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1389,6 +1389,10 @@ int search_binary_handler(struct linux_b
+ struct linux_binfmt *fmt;
+ pid_t old_pid, old_vpid;
+
++ /* This allows 4 levels of binfmt rewrites before failing hard. */
++ if (depth > 5)
++ return -ELOOP;
++
+ retval = security_bprm_check(bprm);
+ if (retval)
+ return retval;
+@@ -1413,12 +1417,8 @@ int search_binary_handler(struct linux_b
+ if (!try_module_get(fmt->module))
+ continue;
+ read_unlock(&binfmt_lock);
++ bprm->recursion_depth = depth + 1;
+ retval = fn(bprm, regs);
+- /*
+- * Restore the depth counter to its starting value
+- * in this call, so we don't have to rely on every
+- * load_binary function to restore it on return.
+- */
+ bprm->recursion_depth = depth;
+ if (retval >= 0) {
+ if (depth == 0) {
+--- a/include/linux/binfmts.h
++++ b/include/linux/binfmts.h
+@@ -68,8 +68,6 @@ struct linux_binprm {
+ #define BINPRM_FLAGS_EXECFD_BIT 1
+ #define BINPRM_FLAGS_EXECFD (1 << BINPRM_FLAGS_EXECFD_BIT)
+
+-#define BINPRM_MAX_RECURSION 4
+-
+ /* Function parameter for binfmt->coredump */
+ struct coredump_params {
+ long signr;
diff --git a/queue-3.4/i915-initialize-cadl-in-opregion.patch b/queue-3.4/i915-initialize-cadl-in-opregion.patch
new file mode 100644
index 00000000000..c16fd795f14
--- /dev/null
+++ b/queue-3.4/i915-initialize-cadl-in-opregion.patch
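Review bot: The limit on the `if (depth > 5)` line in search_binary_handler is a bare literal whose comment says it "allows 4 levels of binfmt rewrites", yet with depth 0 being the top-level call (see the `if (depth == 0)` branch further down the hunk) depths 1 through 5 all pass, i.e. five nested handler invocations are permitted, so either the comment or the constant is off by one. Since the patch also deletes `BINPRM_MAX_RECURSION`, reintroducing a named constant with the corrected comment makes the intent checkable: `#define BINPRM_MAX_RECURSION 5` in binfmts.h and `if (depth > BINPRM_MAX_RECURSION) return -ELOOP; /* top-level exec plus five rewrites */` in exec.c. search_binary_handler starts and ends outside the hunk, so where `depth` is taken from `bprm->recursion_depth` is not visible here.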
@@ -0,0 +1,70 @@
+From d627b62ff8d4d36761adbcd90ff143d79c94ab22 Mon Sep 17 00:00:00 2001
+From: Lekensteyn
+Date: Tue, 26 Jun 2012 00:36:24 +0200
+Subject: i915: initialize CADL in opregion
+
+From: Lekensteyn
+
+commit d627b62ff8d4d36761adbcd90ff143d79c94ab22 upstream.
+
+This is rather a hack to fix brightness hotkeys on a Clevo laptop. CADL is not
+used anywhere in the driver code at the moment, but it could be used in BIOS as
+is the case with the Clevo laptop.
+
+The Clevo B7130 requires the CADL field to contain at least the ID of
+the LCD device. If this field is empty, the ACPI methods that are called
+on pressing brightness / display switching hotkeys will not trigger a
+notification. As a result, it appears as no hotkey has been pressed.
+
+Reference: https://bugs.freedesktop.org/show_bug.cgi?id=45452
+Tested-by: Peter Wu
+Signed-off-by: Peter Wu
+Acked-by: Jesse Barnes
+Signed-off-by: Daniel Vetter
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_opregion.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_opregion.c
++++ b/drivers/gpu/drm/i915/intel_opregion.c
+@@ -419,6 +419,25 @@ blind_set:
+ goto end;
+ }
+
++static void intel_setup_cadls(struct drm_device *dev)
++{
++ struct drm_i915_private *dev_priv = dev->dev_private;
++ struct intel_opregion *opregion = &dev_priv->opregion;
++ int i = 0;
++ u32 disp_id;
++
++ /* Initialize the CADL field by duplicating the DIDL values.
++ * Technically, this is not always correct as display outputs may exist,
++ * but not active. This initialization is necessary for some Clevo
++ * laptops that check this field before processing the brightness and
++ * display switching hotkeys. Just like DIDL, CADL is NULL-terminated if
++ * there are less than eight devices. */
++ do {
++ disp_id = ioread32(&opregion->acpi->didl[i]);
++ iowrite32(disp_id, &opregion->acpi->cadl[i]);
++ } while (++i < 8 && disp_id != 0);
++}
++
+ void intel_opregion_init(struct drm_device *dev)
+ {
+ struct drm_i915_private *dev_priv = dev->dev_private;
+@@ -428,8 +447,10 @@ void intel_opregion_init(struct drm_devi
+ return;
+
+ if (opregion->acpi) {
+- if (drm_core_check_feature(dev, DRIVER_MODESET))
++ if (drm_core_check_feature(dev, DRIVER_MODESET)) {
+ intel_didl_outputs(dev);
++ intel_setup_cadls(dev);
++ }
+
+ /* Notify BIOS we are ready to handle ACPI video ext notifs.
+ * Right now, all the events are handled by the ACPI video module.
diff --git a/queue-3.4/isofs-avoid-info-leak-on-export.patch b/queue-3.4/isofs-avoid-info-leak-on-export.patch
new file mode 100644
index 00000000000..1eb293b81fa
--- /dev/null
+++ b/queue-3.4/isofs-avoid-info-leak-on-export.patch
@@ -0,0 +1,31 @@
+From fe685aabf7c8c9f138e5ea900954d295bf229175 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Thu, 12 Jul 2012 08:46:54 +0200
+Subject: isofs: avoid info leak on export
+
+From: Mathias Krause
+
+commit fe685aabf7c8c9f138e5ea900954d295bf229175 upstream.
+
+For type 1 the parent_offset member in struct isofs_fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: Jan Kara
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/isofs/export.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/isofs/export.c
++++ b/fs/isofs/export.c
+@@ -135,6 +135,7 @@ isofs_export_encode_fh(struct dentry *de
+ len = 3;
+ fh32[0] = ei->i_iget5_block;
+ fh16[2] = (__u16)ei->i_iget5_offset; /* fh16 [sic] */
++ fh16[3] = 0; /* avoid leaking uninitialized data */
+ fh32[2] = inode->i_generation;
+ if (connectable && !S_ISDIR(inode->i_mode)) {
+ struct inode *parent;
diff --git a/queue-3.4/key-fix-resource-leak.patch b/queue-3.4/key-fix-resource-leak.patch
new file mode 100644
index 00000000000..9e192074abd
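Review bot: The bound in `} while (++i < 8 && disp_id != 0);` inside intel_setup_cadls is a magic number that silently assumes didl and cadl are both eight-entry arrays; if they are declared as fixed-size arrays (their declaration is outside the hunk), `} while (++i < ARRAY_SIZE(opregion->acpi->cadl) && disp_id != 0);` ties the loop to the declaration and rules out an out-of-bounds iowrite32 should either array ever change size. The comment's "NULL-terminated" should read "zero-terminated", since the entries are u32 device ids, not pointers.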
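Review bot: `fh16[3] = 0;` closes the reported leak by initialising one half-word of a handle that is copied to userland as a whole, so any further member or padding added to the handle later would reopen the same leak; zeroing the whole output buffer at the top of isofs_export_encode_fh (for as many words as the caller's length limit permits) is the robust form and covers the type-1 and the connectable path alike. The udf hunk later in this commit applies the same single-field fix (`fid->udf.parent_partref = 0;` in udf_encode_fh) and the same remark applies there. The start of isofs_export_encode_fh is outside the hunk, so the buffer's total size is not visible here.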
--- /dev/null
+++ b/queue-3.4/key-fix-resource-leak.patch
@@ -0,0 +1,36 @@
+From a84a921978b7d56e0e4b87ffaca6367429b4d8ff Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Fri, 28 Sep 2012 12:20:02 +0100
+Subject: key: Fix resource leak
+
+From: Alan Cox
+
+commit a84a921978b7d56e0e4b87ffaca6367429b4d8ff upstream.
+
+On an error iov may still have been reallocated and need freeing
+
+Signed-off-by: Alan Cox
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/keys/keyctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/security/keys/keyctl.c
++++ b/security/keys/keyctl.c
+@@ -1081,12 +1081,12 @@ long keyctl_instantiate_key_iov(key_seri
+ ret = rw_copy_check_uvector(WRITE, _payload_iov, ioc,
+ ARRAY_SIZE(iovstack), iovstack, &iov, 1);
+ if (ret < 0)
+- return ret;
++ goto err;
+ if (ret == 0)
+ goto no_payload_free;
+
+ ret = keyctl_instantiate_key_common(id, iov, ioc, ret, ringid);
+-
++err:
+ if (iov != iovstack)
+ kfree(iov);
+ return ret;
diff --git a/queue-3.4/series b/queue-3.4/series
index bcd1b918ba8..c746dfcb35d 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -60,3 +60,11 @@ usb-cdc-acm-fix-device-unregistration.patch
 usb-serial-fix-interface-refcounting.patch
 nohz-make-tick_nohz_irq_exit-irq-safe.patch
 udf-fix-bitmap-overflow-on-large-filesystems-with-small-block-size.patch
+usb-garmin_gps-fix-memory-leak-on-disconnect.patch
+usb-io_ti-fix-get_icount-for-two-port-adapters.patch
+key-fix-resource-leak.patch
+isofs-avoid-info-leak-on-export.patch
+udf-avoid-info-leak-on-export.patch
+tools-hv-netlink-source-address-validation-allows-dos.patch
+i915-initialize-cadl-in-opregion.patch
+exec-use-eloop-for-max-recursion-depth.patch
diff --git a/queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch b/queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch
new file mode 100644
index 00000000000..37dca78255a
--- /dev/null
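Review bot: The new `err:` label in keyctl_instantiate_key_iov is reached on the success path too, because the `keyctl_instantiate_key_common` call immediately above falls straight into it, so the name advertises an error-only exit that it is not. A neutral name documents that this is the common cleanup for both outcomes: `out:` at the label and `goto out;` at the rw_copy_check_uvector failure check. The function starts and ends outside the hunk, and the `no_payload_free` label it also jumps to is not visible here.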
+++ b/queue-3.4/tools-hv-netlink-source-address-validation-allows-dos.patch
@@ -0,0 +1,46 @@
+From 95a69adab9acfc3981c504737a2b6578e4d846ef Mon Sep 17 00:00:00 2001
+From: Tomas Hozza
+Date: Thu, 8 Nov 2012 10:53:29 +0100
+Subject: tools: hv: Netlink source address validation allows DoS
+
+From: Tomas Hozza
+
+commit 95a69adab9acfc3981c504737a2b6578e4d846ef upstream.
+
+The source code without this patch caused hypervkvpd to exit when it processed
+a spoofed Netlink packet which has been sent from an untrusted local user.
+Now Netlink messages with a non-zero nl_pid source address are ignored
+and a warning is printed into the syslog.
+
+Signed-off-by: Tomas Hozza
+Acked-by: K. Y. Srinivasan
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/hv/hv_kvp_daemon.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/tools/hv/hv_kvp_daemon.c
++++ b/tools/hv/hv_kvp_daemon.c
+@@ -727,13 +727,19 @@ int main(void)
+ len = recvfrom(fd, kvp_recv_buffer, sizeof(kvp_recv_buffer), 0,
+ addr_p, &addr_l);
+
+- if (len < 0 || addr.nl_pid) {
++ if (len < 0) {
+ syslog(LOG_ERR, "recvfrom failed; pid:%u error:%d %s",
+ addr.nl_pid, errno, strerror(errno));
+ close(fd);
+ return -1;
+ }
+
++ if (addr.nl_pid) {
++ syslog(LOG_WARNING, "Received packet from untrusted pid:%u",
++ addr.nl_pid);
++ continue;
++ }
++
+ incoming_msg = (struct nlmsghdr *)kvp_recv_buffer;
+ incoming_cn_msg = (struct cn_msg *)NLMSG_DATA(incoming_msg);
+ hv_msg = (struct hv_kvp_msg *)incoming_cn_msg->data;
diff --git a/queue-3.4/udf-avoid-info-leak-on-export.patch b/queue-3.4/udf-avoid-info-leak-on-export.patch
new file mode 100644
index 00000000000..1d9bbbed19e
--- /dev/null
+++ b/queue-3.4/udf-avoid-info-leak-on-export.patch
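Review bot: The new `if (addr.nl_pid)` branch calls `syslog(LOG_WARNING, ...)` for every packet it drops, and by the commit's own description those packets come from an unprivileged local peer, so the check that stops the daemon from exiting now lets that peer fill the system log at will. Logging the first occurrence and dropping the rest silently keeps the signal without the flood, e.g. a `static int warned;` guard with `if (!warned) { warned = 1; syslog(LOG_WARNING, ...); }`, or a counter reported at intervals. main continues outside the hunk; whether `addr_l` is reset before each recvfrom is not visible here.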
@@ -0,0 +1,31 @@
+From 0143fc5e9f6f5aad4764801015bc8d4b4a278200 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Thu, 12 Jul 2012 08:46:55 +0200
+Subject: udf: avoid info leak on export
+
+From: Mathias Krause
+
+commit 0143fc5e9f6f5aad4764801015bc8d4b4a278200 upstream.
+
+For type 0x51 the udf.parent_partref member in struct fid gets copied
+uninitialized to userland. Fix this by initializing it to 0.
+
+Signed-off-by: Mathias Krause
+Signed-off-by: Jan Kara
+Cc: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/namei.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/udf/namei.c
++++ b/fs/udf/namei.c
+@@ -1280,6 +1280,7 @@ static int udf_encode_fh(struct dentry *
+ *lenp = 3;
+ fid->udf.block = location.logicalBlockNum;
+ fid->udf.partref = location.partitionReferenceNum;
++ fid->udf.parent_partref = 0;
+ fid->udf.generation = inode->i_generation;
+
+ if (connectable && !S_ISDIR(inode->i_mode)) {
diff --git a/queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch b/queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch
new file mode 100644
index 00000000000..3ac728eecdb
--- /dev/null
+++ b/queue-3.4/usb-garmin_gps-fix-memory-leak-on-disconnect.patch
@@ -0,0 +1,45 @@
+From 618aa1068df29c37a58045fe940f9106664153fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 19 Mar 2013 09:21:07 +0100
+Subject: USB: garmin_gps: fix memory leak on disconnect
+
+From: Johan Hovold
+
+commit 618aa1068df29c37a58045fe940f9106664153fd upstream.
+
+Remove bogus disconnect test introduced by 95bef012e ("USB: more serial
+drivers writing after disconnect") which prevented queued data from
+being freed on disconnect.
+
+The possible IO it was supposed to prevent is long gone.
+
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/garmin_gps.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -971,10 +971,7 @@ static void garmin_close(struct usb_seri
+ if (!serial)
+ return;
+
+- mutex_lock(&port->serial->disc_mutex);
+-
+- if (!port->serial->disconnected)
+- garmin_clear(garmin_data_p);
++ garmin_clear(garmin_data_p);
+
+ /* shutdown our urbs */
+ usb_kill_urb(port->read_urb);
+@@ -983,8 +980,6 @@ static void garmin_close(struct usb_seri
+ /* keep reset state so we know that we must start a new session */
+ if (garmin_data_p->state != STATE_RESET)
+ garmin_data_p->state = STATE_DISCONNECTED;
+-
+- mutex_unlock(&port->serial->disc_mutex);
+ }
+
+
diff --git a/queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch b/queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch
new file mode 100644
index 00000000000..f5d57b37960
--- /dev/null
+++ b/queue-3.4/usb-io_ti-fix-get_icount-for-two-port-adapters.patch
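Review bot: With `disc_mutex` gone, the `garmin_data_p->state = STATE_DISCONNECTED` store in the second hunk of garmin_close now runs with no lock held at all, whereas the removed code at least serialised it against the disconnect path. If other paths in this driver update `state` under a per-device lock (not visible in the hunk), this store should take the same lock; if `state` is only ever touched from open and close, a one-line comment at that store, e.g. `/* state is only changed from open/close, so no locking is needed here */`, would save the next reader the same question. garmin_close starts outside the hunk.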
@@ -0,0 +1,32 @@
+From 5492bf3d5655b4954164f69c02955a7fca267611 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 19 Mar 2013 09:21:08 +0100
+Subject: USB: io_ti: fix get_icount for two port adapters
+
+From: Johan Hovold
+
+commit 5492bf3d5655b4954164f69c02955a7fca267611 upstream.
+
+Add missing get_icount field to two-port driver.
+
+The two-port driver was not updated when switching to the new icount
+interface in commit 0bca1b913aff ("tty: Convert the USB drivers to the
+new icount interface").
+
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/io_ti.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -2770,6 +2770,7 @@ static struct usb_serial_driver edgeport
+ .set_termios = edge_set_termios,
+ .tiocmget = edge_tiocmget,
+ .tiocmset = edge_tiocmset,
++ .get_icount = edge_get_icount,
+ .write = edge_write,
+ .write_room = edge_write_room,
+ .chars_in_buffer = edge_chars_in_buffer,
--
2.47.3