+tehuti-check-register-size.patch
+tehuti-move-ioctl-perm-check-closer-to-function-start.patch
usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch
jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
increase-the-max_burst-threshold-from-3-to-tp-reordering.patch
--- /dev/null
+From 6131a2601f42cd7fdbac0e960713396fe68af59f Mon Sep 17 00:00:00 2001
+From: Francois Romieu <romieu@fr.zoreil.com>
+Date: Sun, 20 Apr 2008 19:32:34 +0200
+Subject: tehuti: check register size (CVE-2008-1675)
+
+From: Francois Romieu <romieu@fr.zoreil.com>
+
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tehuti.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/tehuti.c
++++ b/drivers/net/tehuti.c
+@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianes
+ s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
+ }
+
++static int bdx_range_check(struct bdx_priv *priv, u32 offset)
++{
++ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
++ -EINVAL : 0;
++}
++
+ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
+ {
+ struct bdx_priv *priv = ndev->priv;
+@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_dev
+ switch (data[0]) {
+
+ case BDX_OP_READ:
++ error = bdx_range_check(priv, data[1]);
++ if (error < 0)
++ return error;
+ data[2] = READ_REG(priv, data[1]);
+ DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2],
+ data[2]);
+@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_dev
+ break;
+
+ case BDX_OP_WRITE:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++ error = bdx_range_check(priv, data[1]);
++ if (error < 0)
++ return error;
+ WRITE_REG(priv, data[1], data[2]);
+ DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
+ break;
--- /dev/null
+From f946dffed6334f08da065a89ed65026ebf8b33b4 Mon Sep 17 00:00:00 2001
+From: Jeff Garzik <jeff@garzik.org>
+Date: Fri, 25 Apr 2008 03:11:31 -0400
+Subject: tehuti: move ioctl perm check closer to function start (CVE-2008-1675)
+
+From: Jeff Garzik <jeff@garzik.org>
+
+Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream
+
+Noticed by davem.
+
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tehuti.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tehuti.c
++++ b/drivers/net/tehuti.c
+@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_dev
+ DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
+ }
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch (data[0]) {
+
+ case BDX_OP_READ:
+@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_dev
+ break;
+
+ case BDX_OP_WRITE:
+- if (!capable(CAP_NET_ADMIN))
+- return -EPERM;
+ error = bdx_range_check(priv, data[1]);
+ if (error < 0)
+ return error;
--- /dev/null
+From 6131a2601f42cd7fdbac0e960713396fe68af59f Mon Sep 17 00:00:00 2001
+From: Francois Romieu <romieu@fr.zoreil.com>
+Date: Sun, 20 Apr 2008 19:32:34 +0200
+Subject: tehuti: check register size (CVE-2008-1675)
+
+From: Francois Romieu <romieu@fr.zoreil.com>
+
+Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tehuti.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/net/tehuti.c
++++ b/drivers/net/tehuti.c
+@@ -625,6 +625,12 @@ static void __init bdx_firmware_endianes
+ s_firmLoad[i] = CPU_CHIP_SWAP32(s_firmLoad[i]);
+ }
+
++static int bdx_range_check(struct bdx_priv *priv, u32 offset)
++{
++ return (offset > (u32) (BDX_REGS_SIZE / priv->nic->port_num)) ?
++ -EINVAL : 0;
++}
++
+ static int bdx_ioctl_priv(struct net_device *ndev, struct ifreq *ifr, int cmd)
+ {
+ struct bdx_priv *priv = ndev->priv;
+@@ -646,6 +652,9 @@ static int bdx_ioctl_priv(struct net_dev
+ switch (data[0]) {
+
+ case BDX_OP_READ:
++ error = bdx_range_check(priv, data[1]);
++ if (error < 0)
++ return error;
+ data[2] = READ_REG(priv, data[1]);
+ DBG("read_reg(0x%x)=0x%x (dec %d)\n", data[1], data[2],
+ data[2]);
+@@ -655,6 +664,11 @@ static int bdx_ioctl_priv(struct net_dev
+ break;
+
+ case BDX_OP_WRITE:
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++ error = bdx_range_check(priv, data[1]);
++ if (error < 0)
++ return error;
+ WRITE_REG(priv, data[1], data[2]);
+ DBG("write_reg(0x%x, 0x%x)\n", data[1], data[2]);
+ break;
--- /dev/null
+From f946dffed6334f08da065a89ed65026ebf8b33b4 Mon Sep 17 00:00:00 2001
+From: Jeff Garzik <jeff@garzik.org>
+Date: Fri, 25 Apr 2008 03:11:31 -0400
+Subject: tehuti: move ioctl perm check closer to function start (CVE-2008-1675)
+
+From: Jeff Garzik <jeff@garzik.org>
+
+Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream
+
+Noticed by davem.
+
+Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/tehuti.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/tehuti.c
++++ b/drivers/net/tehuti.c
+@@ -649,6 +649,9 @@ static int bdx_ioctl_priv(struct net_dev
+ DBG("%d 0x%x 0x%x\n", data[0], data[1], data[2]);
+ }
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ switch (data[0]) {
+
+ case BDX_OP_READ:
+@@ -664,8 +667,6 @@ static int bdx_ioctl_priv(struct net_dev
+ break;
+
+ case BDX_OP_WRITE:
+- if (!capable(CAP_NET_ADMIN))
+- return -EPERM;
+ error = bdx_range_check(priv, data[1]);
+ if (error < 0)
+ return error;
projects / thirdparty / kernel / stable-queue.git / commitdiff
