3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 2 May 2014 03:10:32 +0000 (20:10 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 2 May 2014 03:10:32 +0000 (20:10 -0700)
added patches:
target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
x86-efi-correct-efi-boot-stub-use-of-code32_start.patch

queue-3.10/series
queue-3.10/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch [new file with mode: 0644]
queue-3.10/x86-efi-correct-efi-boot-stub-use-of-code32_start.patch [new file with mode: 0644]

index c0be9cfbe2149f948efbb84e8dbee3cf5604ff2b..7264431a16583161c2784d48686a7d652e4f8775 100644 (file)
@@ -53,3 +53,5 @@ ib_srpt-use-correct-ib_sg_dma-primitives.patch
 scsi-qla2xxx-fix-error-handling-of-qla2x00_mem_alloc.patch
 scsi-arcmsr-upper-32-of-dma-address-lost.patch
 iscsi-target-fix-erl-2-async_event-connection-pointer-bug.patch
+target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
+x86-efi-correct-efi-boot-stub-use-of-code32_start.patch
diff --git a/queue-3.10/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch b/queue-3.10/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
new file mode 100644 (file)
index 0000000..528cfe9
--- /dev/null
@@ -0,0 +1,52 @@
+From 2c42be2dd4f6586728dba5c4e197afd5cfaded78 Mon Sep 17 00:00:00 2001
+From: Andy Grover <agrover@redhat.com>
+Date: Fri, 4 Apr 2014 16:44:37 -0700
+Subject: target/tcm_fc: Fix use-after-free of ft_tpg
+
+From: Andy Grover <agrover@redhat.com>
+
+commit 2c42be2dd4f6586728dba5c4e197afd5cfaded78 upstream.
+
+ft_del_tpg checks tpg->tport is set before unlinking the tpg from the
+tport when the tpg is being removed. Set this pointer in ft_tport_create,
+or the unlinking won't happen in ft_del_tpg and tport->tpg will reference
+a deleted object.
+
+This patch sets tpg->tport in ft_tport_create, because that's what
+ft_del_tpg checks, and is the only way to get back to the tport to
+clear tport->tpg.
+
+The bug was occuring when:
+
+- lport created, tport (our per-lport, per-provider context) is
+  allocated.
+  tport->tpg = NULL
+- tpg created
+- a PRLI is received. ft_tport_create is called, tpg is found and
+  tport->tpg is set
+- tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not
+  set, tport->tpg is not cleared and points at freed memory
+- Future calls to ft_tport_create return tport via first conditional,
+  instead of searching for new tpg by calling ft_lport_find_tpg.
+  tport->tpg is still invalid, and will access freed memory.
+
+see https://bugzilla.redhat.com/show_bug.cgi?id=1071340
+
+Signed-off-by: Andy Grover <agrover@redhat.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/tcm_fc/tfc_sess.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/tcm_fc/tfc_sess.c
++++ b/drivers/target/tcm_fc/tfc_sess.c
+@@ -68,6 +68,7 @@ static struct ft_tport *ft_tport_create(
+       if (tport) {
+               tport->tpg = tpg;
++              tpg->tport = tport;
+               return tport;
+       }
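Review bot: The added `tpg->tport = tport;` restores a two-way link that teardown depends on, but nothing in the hunk records that invariant, so the next person touching this branch has no hint why the back-pointer matters; a comment such as `/* back-pointer: ft_del_tpg uses tpg->tport to clear tport->tpg on removal */` above the assignment would make it self-explanatory. The remainder of ft_tport_create, including the path that allocates a fresh tport after this early return, lies outside the hunk, so whether that path establishes the same back-pointer cannot be confirmed from these lines and is worth checking before queuing. The enclosing function starts before and ends after the hunk.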
diff --git a/queue-3.10/x86-efi-correct-efi-boot-stub-use-of-code32_start.patch b/queue-3.10/x86-efi-correct-efi-boot-stub-use-of-code32_start.patch
new file mode 100644 (file)
index 0000000..c205bb4
--- /dev/null
@@ -0,0 +1,107 @@
+From 7e8213c1f3acc064aef37813a39f13cbfe7c3ce7 Mon Sep 17 00:00:00 2001
+From: Matt Fleming <matt@console-pimps.org>
+Date: Tue, 8 Apr 2014 13:14:00 +0100
+Subject: x86/efi: Correct EFI boot stub use of code32_start
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Fleming <matt@console-pimps.org>
+
+commit 7e8213c1f3acc064aef37813a39f13cbfe7c3ce7 upstream.
+
+code32_start should point at the start of the protected mode code, and
+*not* at the beginning of the bzImage. This is much easier to do in
+assembly so document that callers of make_boot_params() need to fill out
+code32_start.
+
+The fallout from this bug is that we would end up relocating the image
+but copying the image at some offset, resulting in what appeared to be
+memory corruption.
+
+Reported-by: Thomas Bächler <thomas@archlinux.org>
+Signed-off-by: Matt Fleming <matt.fleming@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/boot/compressed/eboot.c   |    5 +++--
+ arch/x86/boot/compressed/head_32.S |   14 ++++++++------
+ arch/x86/boot/compressed/head_64.S |    9 +++------
+ 3 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -865,6 +865,9 @@ fail:
+  * Because the x86 boot code expects to be passed a boot_params we
+  * need to create one ourselves (usually the bootloader would create
+  * one for us).
++ *
++ * The caller is responsible for filling out ->code32_start in the
++ * returned boot_params.
+  */
+ struct boot_params *make_boot_params(void *handle, efi_system_table_t *_table)
+ {
+@@ -921,8 +924,6 @@ struct boot_params *make_boot_params(voi
+       hdr->vid_mode = 0xffff;
+       hdr->boot_flag = 0xAA55;
+-      hdr->code32_start = (__u64)(unsigned long)image->image_base;
+-
+       hdr->type_of_loader = 0x21;
+       /* Convert unicode cmdline to ascii */
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -50,6 +50,13 @@ ENTRY(efi_pe_entry)
+       pushl   %eax
+       pushl   %esi
+       pushl   %ecx
++
++      call    reloc
++reloc:
++      popl    %ecx
++      subl    reloc, %ecx
++      movl    %ecx, BP_code32_start(%eax)
++
+       sub     $0x4, %esp
+ ENTRY(efi_stub_entry)
+@@ -63,12 +70,7 @@ ENTRY(efi_stub_entry)
+       hlt
+       jmp     1b
+ 2:
+-      call    3f
+-3:
+-      popl    %eax
+-      subl    $3b, %eax
+-      subl    BP_pref_address(%esi), %eax
+-      add     BP_code32_start(%esi), %eax
++      movl    BP_code32_start(%esi), %eax
+       leal    preferred_addr(%eax), %eax
+       jmp     *%eax
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -217,6 +217,8 @@ ENTRY(efi_pe_entry)
+       cmpq    $0,%rax
+       je      1f
+       mov     %rax, %rdx
++      leaq    startup_32(%rip), %rax
++      movl    %eax, BP_code32_start(%rdx)
+       popq    %rsi
+       popq    %rdi
+@@ -230,12 +232,7 @@ ENTRY(efi_stub_entry)
+       hlt
+       jmp     1b
+ 2:
+-      call    3f
+-3:
+-      popq    %rax
+-      subq    $3b, %rax
+-      subq    BP_pref_address(%rsi), %rax
+-      add     BP_code32_start(%esi), %eax
++      movl    BP_code32_start(%esi), %eax
+       leaq    preferred_addr(%rax), %rax
+       jmp     *%rax
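Review bot: In the head_32.S hunk the new load-offset arithmetic `subl reloc, %ecx` uses a bare symbol, which in AT&T syntax is a memory operand (the instruction bytes at `reloc`), whereas the code removed further down in the same file and the old 64-bit path used an immediate (`subl $3b, %eax`, `subq $3b, %rax`); unless a different assembler convention applies to the boot stub, %ecx is not the relocation delta and the value stored into BP_code32_start on 32-bit EFI boots looks wrong. The line should presumably be `subl $reloc, %ecx`, matching the removed code's pattern. Since the 64-bit path now takes `leaq startup_32(%rip), %rax` and needs no such fixup, a 64-bit boot test would not exercise this, so it is worth confirming on a 32-bit EFI build before the patch is queued. The efi_pe_entry and efi_stub_entry bodies in both head_32.S and head_64.S start before and end after their hunks.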