From d167779c273762cadff37b6094da1fcdf3a8725b Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 11 Jul 2013 11:21:13 -0700 Subject: [PATCH] 3.4-stable patches added patches: block-do-not-pass-disk-names-as-format-strings.patch charger-manager-ensure-event-is-not-used-as-format-string.patch crypto-sanitize-argument-for-format-string.patch drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch hpfs-better-test-for-errors.patch libceph-fix-null-pointer-dereference-in-auth-client-code.patch maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch --- ...ot-pass-disk-names-as-format-strings.patch | 62 +++++++++++++++++++ ...e-event-is-not-used-as-format-string.patch | 34 ++++++++++ ...-sanitize-argument-for-format-string.patch | 35 +++++++++++ ...m.c-use-kzalloc-for-failing-hardware.patch | 51 +++++++++++++++ queue-3.4/hpfs-better-test-for-errors.patch | 54 ++++++++++++++++ ...nter-dereference-in-auth-client-code.patch | 49 +++++++++++++++ ...txt-to-stable-maintainer-information.patch | 30 +++++++++ ...nology-pci-9835-multi-i-o-controller.patch | 35 +++++++++++ queue-3.4/series | 8 +++ 9 files changed, 358 insertions(+) create mode 100644 queue-3.4/block-do-not-pass-disk-names-as-format-strings.patch create mode 100644 queue-3.4/charger-manager-ensure-event-is-not-used-as-format-string.patch create mode 100644 queue-3.4/crypto-sanitize-argument-for-format-string.patch create mode 100644 queue-3.4/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch create mode 100644 queue-3.4/hpfs-better-test-for-errors.patch create mode 100644 queue-3.4/libceph-fix-null-pointer-dereference-in-auth-client-code.patch create mode 100644 queue-3.4/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch create mode 100644 queue-3.4/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch create mode 100644 queue-3.4/series 
diff --git a/queue-3.4/block-do-not-pass-disk-names-as-format-strings.patch b/queue-3.4/block-do-not-pass-disk-names-as-format-strings.patch
new file mode 100644
index 00000000000..526c26a4801
--- /dev/null
+++ b/queue-3.4/block-do-not-pass-disk-names-as-format-strings.patch
@@ -0,0 +1,62 @@
+From ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 3 Jul 2013 15:01:14 -0700
+Subject: block: do not pass disk names as format strings
+
+From: Kees Cook
+
+commit ffc8b30866879ed9ba62bd0a86fecdbd51cd3d19 upstream.
+
+Disk names may contain arbitrary strings, so they must not be
+interpreted as format strings. It seems that only md allows arbitrary
+strings to be used for disk names, but this could allow for a local
+memory corruption from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/genhd.c | 2 +-
+ drivers/block/nbd.c | 3 ++-
+ drivers/scsi/osd/osd_uld.c | 2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -518,7 +518,7 @@ static void register_disk(struct gendisk
+ 
+ ddev->parent = disk->driverfs_dev;
+ 
+- dev_set_name(ddev, disk->disk_name);
++ dev_set_name(ddev, "%s", disk->disk_name);
+ 
+ /* delay uevents, until we scanned partition table */
+ dev_set_uevent_suppress(ddev, 1);
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -666,7 +666,8 @@ static int __nbd_ioctl(struct block_devi
+ 
+ mutex_unlock(&nbd->tx_lock);
+ 
+- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
++ thread = kthread_create(nbd_thread, nbd, "%s",
++ nbd->disk->disk_name);
+ if (IS_ERR(thread)) {
+ mutex_lock(&nbd->tx_lock);
+ return PTR_ERR(thread);
+--- a/drivers/scsi/osd/osd_uld.c
++++ b/drivers/scsi/osd/osd_uld.c
+@@ -465,7 +465,7 @@ static int osd_probe(struct device *dev)
+ oud->class_dev.class = &osd_uld_class;
+ oud->class_dev.parent = dev;
+ oud->class_dev.release = __remove;
+- error = dev_set_name(&oud->class_dev, disk->disk_name);
++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ if (error) {
+ OSD_ERR("dev_set_name failed => %d\n", error);
+ goto err_put_cdev;
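Review bot: In the block/genhd.c hunk the result of the new `dev_set_name(ddev, "%s", disk->disk_name);` is still discarded, while the osd_uld.c hunk in the same patch assigns it to `error` and unwinds on failure; dev_set_name can fail on allocation, so genhd would carry on registering a device with no name. That is pre-existing behaviour the upstream commit did not set out to change, so it is a follow-up rather than a blocker for the backport, but the three call sites in one patch make the inconsistency easy to see. register_disk begins and ends outside the hunk, so whether a later step catches an unnamed ddev cannot be confirmed here.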
diff --git a/queue-3.4/charger-manager-ensure-event-is-not-used-as-format-string.patch b/queue-3.4/charger-manager-ensure-event-is-not-used-as-format-string.patch
new file mode 100644
index 00000000000..860b903a429
--- /dev/null
+++ b/queue-3.4/charger-manager-ensure-event-is-not-used-as-format-string.patch
@@ -0,0 +1,34 @@
+From 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Thu, 6 Jun 2013 13:52:21 -0700
+Subject: charger-manager: Ensure event is not used as format string
+
+From: Kees Cook
+
+commit 3594f4c0d7bc51e3a7e6d73c44e368ae079e42f3 upstream.
+
+The exposed interface for cm_notify_event() could result in the event msg
+string being parsed as a format string. Make sure it is only used as a
+literal string.
+
+Signed-off-by: Kees Cook
+Cc: Anton Vorontsov
+Cc: David Woodhouse
+Signed-off-by: Anton Vorontsov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/power/charger-manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/charger-manager.c
++++ b/drivers/power/charger-manager.c
+@@ -330,7 +330,7 @@ static void uevent_notify(struct charger
+ strncpy(env_str, event, UEVENT_BUF_SIZE);
+ kobject_uevent(&cm->dev->kobj, KOBJ_CHANGE);
+ 
+- dev_info(cm->dev, event);
++ dev_info(cm->dev, "%s", event);
+ }
+ 
+ /**
diff --git a/queue-3.4/crypto-sanitize-argument-for-format-string.patch b/queue-3.4/crypto-sanitize-argument-for-format-string.patch
new file mode 100644
index 00000000000..324bf9f70be
--- /dev/null
+++ b/queue-3.4/crypto-sanitize-argument-for-format-string.patch
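Review bot: The context line `strncpy(env_str, event, UEVENT_BUF_SIZE);` two lines above the fixed `dev_info()` copies with the full buffer size, so an `event` of UEVENT_BUF_SIZE bytes or longer leaves `env_str` without a terminator unless the array is declared one byte larger and pre-zeroed; the format-string fix does not touch that path. The commit message describes cm_notify_event() as an exposed interface, so the length of `event` is not under this function's control. The declaration of `env_str` and the start of uevent_notify are outside the hunk, so this cannot be confirmed from here; if the buffer is exactly UEVENT_BUF_SIZE, `strlcpy(env_str, event, UEVENT_BUF_SIZE);` closes the gap.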
@@ -0,0 +1,35 @@
+From 1c8fca1d92e14859159a82b8a380d220139b7344 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 3 Jul 2013 15:01:15 -0700
+Subject: crypto: sanitize argument for format string
+
+From: Kees Cook
+
+commit 1c8fca1d92e14859159a82b8a380d220139b7344 upstream.
+
+The template lookup interface does not provide a way to use format
+strings, so make sure that the interface cannot be abused accidentally.
+
+Signed-off-by: Kees Cook
+Cc: Herbert Xu
+Cc: "David S. Miller"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/algapi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -512,7 +512,8 @@ static struct crypto_template *__crypto_
+ 
+ struct crypto_template *crypto_lookup_template(const char *name)
+ {
+- return try_then_request_module(__crypto_lookup_template(name), name);
++ return try_then_request_module(__crypto_lookup_template(name), "%s",
++ name);
+ }
+ EXPORT_SYMBOL_GPL(crypto_lookup_template);
+ 
diff --git a/queue-3.4/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch b/queue-3.4/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
new file mode 100644
index 00000000000..41d2d9d6c52
--- /dev/null
+++ b/queue-3.4/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
@@ -0,0 +1,51 @@
+From 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 Mon Sep 17 00:00:00 2001
+From: Jonathan Salwan
+Date: Wed, 3 Jul 2013 15:01:13 -0700
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+From: Jonathan Salwan
+
+commit 542db01579fbb7ea7d1f7bb9ddcef1559df660b2 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+ 2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+ 2886 if (cgc->buffer == NULL)
+ 2887 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+ 2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function.
+If ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled. The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter
+Cc: Jens Axboe
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Cc: Jonathan Salwan
+Cc: Luis Henriques
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cdrom/cdrom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/cdrom/cdrom.c
++++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read
+ if (lba < 0)
+ return -EINVAL;
+ 
+- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ if (cgc->buffer == NULL)
+ return -ENOMEM;
+ 
diff --git a/queue-3.4/hpfs-better-test-for-errors.patch b/queue-3.4/hpfs-better-test-for-errors.patch
new file mode 100644
index 00000000000..7b9603d4e67
--- /dev/null
+++ b/queue-3.4/hpfs-better-test-for-errors.patch
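Review bot: The new `cgc->buffer = kzalloc(blocksize, GFP_KERNEL);` carries no comment explaining why a buffer that is about to be filled by a read has to be zeroed, so a later cleanup could switch it back to kmalloc and silently reopen the disclosure. A one-line why-comment above it would pin the intent: `/* zeroed: a failing drive may fill only part of the buffer before it is copied to userspace */`. Per the commit message the later `copy_to_user(arg, cgc->buffer, blocksize)` still copies the full blocksize rather than the byte count the drive actually returned, so the zeroing masks the short read rather than reporting it; that call and the rest of mmc_ioctl_cdrom_read_data are outside the hunk, so whether a length is available there cannot be checked from here.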
@@ -0,0 +1,54 @@
+From 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 4 Jul 2013 18:42:29 +0200
+Subject: hpfs: better test for errors
+
+From: Mikulas Patocka
+
+commit 3ebacb05044f82c5f0bb456a894eb9dc57d0ed90 upstream.
+
+The test if bitmap access is out of bound could errorneously pass if the
+device size is divisible by 16384 sectors and we are asking for one bitmap
+after the end.
+
+Check for invalid size in the superblock. Invalid size could cause integer
+overflows in the rest of the code.
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/hpfs/map.c | 3 ++-
+ fs/hpfs/super.c | 8 +++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/fs/hpfs/map.c
++++ b/fs/hpfs/map.c
+@@ -17,7 +17,8 @@ unsigned int *hpfs_map_bitmap(struct sup
+ struct quad_buffer_head *qbh, char *id)
+ {
+ secno sec;
+- if (hpfs_sb(s)->sb_chk) if (bmp_block * 16384 > hpfs_sb(s)->sb_fs_size) {
++ unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;
++ if (hpfs_sb(s)->sb_chk) if (bmp_block >= n_bands) {
+ hpfs_error(s, "hpfs_map_bitmap called with bad parameter: %08x at %s", bmp_block, id);
+ return NULL;
+ }
+--- a/fs/hpfs/super.c
++++ b/fs/hpfs/super.c
+@@ -552,7 +552,13 @@ static int hpfs_fill_super(struct super_
+ sbi->sb_cp_table = NULL;
+ sbi->sb_c_bitmap = -1;
+ sbi->sb_max_fwd_alloc = 0xffffff;
+-
++
++ if (sbi->sb_fs_size >= 0x80000000) {
++ hpfs_error(s, "invalid size in superblock: %08x",
++ (unsigned)sbi->sb_fs_size);
++ goto bail4;
++ }
++
+ /* Load bitmap directory */
+ if (!(sbi->sb_bmp_dir = hpfs_load_bitmap_directory(s, le32_to_cpu(superblock->bitmaps))))
+ goto bail4;
diff --git a/queue-3.4/libceph-fix-null-pointer-dereference-in-auth-client-code.patch b/queue-3.4/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
new file mode 100644
index 00000000000..d445460c629
--- /dev/null
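Review bot: The new `unsigned n_bands = (hpfs_sb(s)->sb_fs_size + 0x3fff) >> 14;` in fs/hpfs/map.c only stays free of wrap-around because the fs/hpfs/super.c hunk rejects `sb_fs_size >= 0x80000000` at mount time, yet nothing at the use site records that dependency. A comment such as `/* sb_fs_size < 0x80000000 is enforced in hpfs_fill_super, so the rounding cannot overflow */` would keep the two checks from drifting apart in later edits. The band size is spelled three ways across the two hunks (the removed `* 16384`, the `0x3fff` rounding and the `>> 14` shift), so a named constant for the 16384-sector band would make the relation explicit. The kept `if (...) if (...) {` double conditional means `n_bands` is computed even when `sb_chk` is off, which is harmless but could move inside the guarded block.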
+++ b/queue-3.4/libceph-fix-null-pointer-dereference-in-auth-client-code.patch
@@ -0,0 +1,49 @@
+From 2cb33cac622afde897aa02d3dcd9fbba8bae839e Mon Sep 17 00:00:00 2001
+From: Tyler Hicks
+Date: Thu, 20 Jun 2013 13:13:59 -0700
+Subject: libceph: Fix NULL pointer dereference in auth client code
+
+From: Tyler Hicks
+
+commit 2cb33cac622afde897aa02d3dcd9fbba8bae839e upstream.
+
+A malicious monitor can craft an auth reply message that could cause a
+NULL function pointer dereference in the client's kernel.
+
+To prevent this, the auth_none protocol handler needs an empty
+ceph_auth_client_ops->build_request() function.
+
+CVE-2013-1059
+
+Signed-off-by: Tyler Hicks
+Reported-by: Chanam Park
+Reviewed-by: Seth Arnold
+Reviewed-by: Sage Weil
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ceph/auth_none.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/ceph/auth_none.c
++++ b/net/ceph/auth_none.c
+@@ -39,6 +39,11 @@ static int should_authenticate(struct ce
+ return xi->starting;
+ }
+ 
++static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
++{
++ return 0;
++}
++
+ /*
+ * the generic auth code decode the global_id, and we carry no actual
+ * authenticate state, so nothing happens here.
+@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops
+ .destroy = destroy,
+ .is_authenticated = is_authenticated,
+ .should_authenticate = should_authenticate,
++ .build_request = build_request,
+ .handle_reply = handle_reply,
+ .create_authorizer = ceph_auth_none_create_authorizer,
+ .destroy_authorizer = ceph_auth_none_destroy_authorizer,
diff --git a/queue-3.4/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch b/queue-3.4/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
new file mode 100644
index 00000000000..2c248bd346b
--- /dev/null
+++ b/queue-3.4/maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
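Review bot: The new empty `build_request()` in net/ceph/auth_none.c has no comment saying why a do-nothing handler exists, so a later reader of the ops table could drop `.build_request = build_request,` as dead code and reintroduce the NULL function-pointer dereference the patch closes. A short comment above the function would record the contract, e.g. `/* A crafted auth reply can make the generic auth code call ops->build_request(); auth_none has nothing to send, so this must be a non-NULL no-op. */`. The unused `ac`, `buf` and `end` parameters are expected for an ops callback, but whether the caller reads the 0 as "zero bytes written" or as plain success is decided outside this hunk and cannot be confirmed here.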
@@ -0,0 +1,30 @@
+From 7b175c46720f8e6b92801bb634c93d1016f80c62 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Tue, 18 Jun 2013 12:58:12 -0700
+Subject: MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
+
+From: Greg Kroah-Hartman
+
+commit 7b175c46720f8e6b92801bb634c93d1016f80c62 upstream.
+
+This hopefully will help point developers to the proper way that patches
+should be submitted for inclusion in the stable kernel releases.
+
+Reported-by: David Howells
+Acked-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ MAINTAINERS | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/MAINTAINERS
++++ b/MAINTAINERS
+@@ -6390,6 +6390,7 @@ STABLE BRANCH
+ M: Greg Kroah-Hartman
+ L: stable@vger.kernel.org
+ S: Supported
++F: Documentation/stable_kernel_rules.txt
+ 
+ STAGING SUBSYSTEM
+ M: Greg Kroah-Hartman
diff --git a/queue-3.4/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch b/queue-3.4/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
new file mode 100644
index 00000000000..23b305f1747
--- /dev/null
+++ b/queue-3.4/revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
@@ -0,0 +1,35 @@
+From 828c6a102b1f2b8583fadc0e779c46b31d448f0b Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Sun, 30 Jun 2013 09:03:06 -0700
+Subject: Revert "serial: 8250_pci: add support for another kind of NetMos Technology PCI 9835 Multi-I/O Controller"
+
+From: Greg Kroah-Hartman
+
+commit 828c6a102b1f2b8583fadc0e779c46b31d448f0b upstream.
+
+This reverts commit 8d2f8cd424ca0b99001f3ff4f5db87c4e525f366.
+
+As reported by Stefan, this device already works with the parport_serial
+driver, so the 8250_pci driver should not also try to grab it as well.
+
+Reported-by: Stefan Seyfried
+Cc: Wang YanQing
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/8250/8250_pci.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_pci.c
++++ b/drivers/tty/serial/8250/8250_pci.c
+@@ -4086,10 +4086,6 @@ static struct pci_device_id serial_pci_t
+ PCI_VENDOR_ID_IBM, 0x0299,
+ 0, 0, pbn_b0_bt_2_115200 },
+ 
+- { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9835,
+- 0x1000, 0x0012,
+- 0, 0, pbn_b0_bt_2_115200 },
+-
+ { PCI_VENDOR_ID_NETMOS, PCI_DEVICE_ID_NETMOS_9901,
+ 0xA000, 0x1000,
+ 0, 0, pbn_b0_1_115200 },
diff --git a/queue-3.4/series b/queue-3.4/series
new file mode 100644
index 00000000000..736bc58256b
--- /dev/null
+++ b/queue-3.4/series
@@ -0,0 +1,8 @@
+libceph-fix-null-pointer-dereference-in-auth-client-code.patch
+drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardware.patch
+charger-manager-ensure-event-is-not-used-as-format-string.patch
+hpfs-better-test-for-errors.patch
+block-do-not-pass-disk-names-as-format-strings.patch
+crypto-sanitize-argument-for-format-string.patch
+maintainers-add-stable_kernel_rules.txt-to-stable-maintainer-information.patch
+revert-serial-8250_pci-add-support-for-another-kind-of-netmos-technology-pci-9835-multi-i-o-controller.patch
-- 
2.47.3