--- /dev/null
+From d20d5ffab92f00188f360c44c791a5ffb988247c Mon Sep 17 00:00:00 2001
+From: Antonio Ospite <ospite@studenti.unina.it>
+Date: Tue, 5 Oct 2010 17:20:16 +0200
+Subject: HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
+
+From: Antonio Ospite <ospite@studenti.unina.it>
+
+commit d20d5ffab92f00188f360c44c791a5ffb988247c upstream.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+IP: [<ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
+[...]
+
+This is reproducible by disconnecting the device while userspace does
+ioctl in a loop and doesn't check return values in order to exit the
+loop.
+
+Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/hid/hidraw.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -237,11 +237,16 @@ static long hidraw_ioctl(struct file *fi
+ struct inode *inode = file->f_path.dentry->d_inode;
+ unsigned int minor = iminor(inode);
+ long ret = 0;
+- /* FIXME: What stops hidraw_table going NULL */
+- struct hidraw *dev = hidraw_table[minor];
++ struct hidraw *dev;
+ void __user *user_arg = (void __user*) arg;
+
+ lock_kernel();
++ dev = hidraw_table[minor];
++ if (!dev) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ switch (cmd) {
+ case HIDIOCGRDESCSIZE:
+ if (put_user(dev->hid->rsize, (int __user *)arg))
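Review bot: The new `if (!dev)` test on `hidraw_table[minor]` is only as strong as the lock it runs under, and the hunk shows `lock_kernel()` on the reader side but not which lock, if any, the disconnect path holds when it clears the table entry. If the writer does not take the same lock, `dev` can still be cleared or freed between the test and the `dev->hid->rsize` dereference in the `HIDIOCGRDESCSIZE` case, so the oops would become rarer rather than impossible. The removed `/* FIXME: What stops hidraw_table going NULL */` should be replaced by a comment that answers it, for example `/* hidraw_table[] is only written under <LOCK>; hold it while dev and dev->hid are in use */`, and `dev->hid` presumably needs the same lifetime guarantee. The opening lines of hidraw_ioctl are outside this hunk.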
+@@ -314,6 +319,7 @@ static long hidraw_ioctl(struct file *fi
+
+ ret = -ENOTTY;
+ }
++out:
+ unlock_kernel();
+ return ret;
+ }
--- /dev/null
+From 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney <jeffm@suse.com>
+Date: Tue, 31 Aug 2010 13:21:42 +0000
+Subject: net sched: fix kernel leak in act_police
+
+From: Jeff Mahoney <jeffm@suse.com>
+
+commit 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e upstream.
+
+While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+ audited other users of tc_action_ops->dump for information leaks.
+
+ That commit covered almost all of them but act_police still had a leak.
+
+ opt.limit and opt.capab aren't zeroed out before the structure is
+ passed out.
+
+ This patch uses the C99 initializers to zero everything unused out.
+
+Signed-off-by: Jeff Mahoney <jeffm@suse.com>
+Acked-by: Jeff Mahoney <jeffm@suse.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/sched/act_police.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -340,22 +340,19 @@ tcf_act_police_dump(struct sk_buff *skb,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_police *police = a->priv;
+- struct tc_police opt;
++ struct tc_police opt = {
++ .index = police->tcf_index,
++ .action = police->tcf_action,
++ .mtu = police->tcfp_mtu,
++ .burst = police->tcfp_burst,
++ .refcnt = police->tcf_refcnt - ref,
++ .bindcnt = police->tcf_bindcnt - bind,
++ };
+
+- opt.index = police->tcf_index;
+- opt.action = police->tcf_action;
+- opt.mtu = police->tcfp_mtu;
+- opt.burst = police->tcfp_burst;
+- opt.refcnt = police->tcf_refcnt - ref;
+- opt.bindcnt = police->tcf_bindcnt - bind;
+ if (police->tcfp_R_tab)
+ opt.rate = police->tcfp_R_tab->rate;
+- else
+- memset(&opt.rate, 0, sizeof(opt.rate));
+ if (police->tcfp_P_tab)
+ opt.peakrate = police->tcfp_P_tab->rate;
+- else
+- memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ if (police->tcfp_result)
+ NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
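Review bot: The designated initializer for `opt` zeroes the members it does not name (`limit`, `capab`, and `rate`/`peakrate` when the tables are absent), but C does not guarantee that padding bytes are cleared, and `NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt)` copies the whole object out. The layout of `struct tc_police` is not visible here, so if it has or later gains padding, those bytes could still carry stale stack contents. An explicit `memset(&opt, 0, sizeof(opt));` before plain field assignments would cover padding as well; otherwise a comment such as `/* struct tc_police has no padding, so every byte sent is initialized */` should record the assumption. The body of tcf_act_police_dump continues past the end of this hunk.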