--- /dev/null
+From 51788b1bdd0d68345bab0af4301e7fa429277228 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Mon, 14 Feb 2011 16:04:23 -0500
+Subject: btrfs: prevent heap corruption in btrfs_ioctl_space_info()
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit 51788b1bdd0d68345bab0af4301e7fa429277228 upstream.
+
+Commit bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
+btrfs_ioctl_space_info() and introduced several security issues.
+
+space_args.space_slots is an unsigned 64-bit type controlled by a
+possibly unprivileged caller. The comparison as a signed int type
+allows providing values that are treated as negative and cause the
+subsequent allocation size calculation to wrap, or be truncated to 0.
+By providing a size that's truncated to 0, kmalloc() will return
+ZERO_SIZE_PTR. It's also possible to provide a value smaller than the
+slot count. The subsequent loop ignores the allocation size when
+copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
+
+The fix changes the slot count type and comparison typecast to u64,
+which prevents truncation or signedness errors, and also ensures that we
+don't copy more data than we've allocated in the subsequent loop. Note
+that zero-size allocations are no longer possible since there is already
+an explicit check for space_args.space_slots being 0 and truncation of
+this value is no longer an issue.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Josef Bacik <josef@redhat.com>
+Reviewed-by: Josef Bacik <josef@redhat.com>
+Signed-off-by: Chris Mason <chris.mason@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/btrfs/ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2087,7 +2087,7 @@ long btrfs_ioctl_space_info(struct btrfs
+ int num_types = 4;
+ int alloc_size;
+ int ret = 0;
+- int slot_count = 0;
++ u64 slot_count = 0;
+ int i, c;
+
+ if (copy_from_user(&space_args,
+@@ -2126,7 +2126,7 @@ long btrfs_ioctl_space_info(struct btrfs
+ goto out;
+ }
+
+- slot_count = min_t(int, space_args.space_slots, slot_count);
++ slot_count = min_t(u64, space_args.space_slots, slot_count);
+
+ alloc_size = sizeof(*dest) * slot_count;
+
+@@ -2146,6 +2146,9 @@ long btrfs_ioctl_space_info(struct btrfs
+ for (i = 0; i < num_types; i++) {
+ struct btrfs_space_info *tmp;
+
++ if (!slot_count)
++ break;
++
+ info = NULL;
+ rcu_read_lock();
+ list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
+@@ -2167,7 +2170,10 @@ long btrfs_ioctl_space_info(struct btrfs
+ memcpy(dest, &space, sizeof(space));
+ dest++;
+ space_args.total_spaces++;
++ slot_count--;
+ }
++ if (!slot_count)
++ break;
+ }
+ up_read(&info->groups_sem);
+ }
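Review bot: `alloc_size` is still declared `int alloc_size;` while `slot_count` becomes `u64`, so `alloc_size = sizeof(*dest) * slot_count;` now narrows a u64 product to int implicitly. That is only safe because the `min_t(u64, ...)` line caps `slot_count` at the value it already held (presumably the number of slots counted earlier in the function, outside the hunk), which bounds the product; I would either widen it, `size_t alloc_size;`, or make the reliance explicit with `/* slot_count is already bounded by the counted slots, so this cannot overflow int */`. The two `if (!slot_count) break;` guards also enforce the same budget at two loop levels without saying so; a one-line comment on the first, `/* stop once the caller's slot budget is spent; the inner loop decrements it */`, would explain the pairing. btrfs_ioctl_space_info() starts before the first hunk and ends after the last one.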
--- /dev/null
+From 2edeaa34a6e3f2c43b667f6c4f7b27944b811695 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 7 Feb 2011 13:36:10 +0000
+Subject: CRED: Fix BUG() upon security_cred_alloc_blank() failure
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 2edeaa34a6e3f2c43b667f6c4f7b27944b811695 upstream.
+
+In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with
+new->security == NULL and new->magic == 0 when security_cred_alloc_blank()
+returns an error. As a result, BUG() will be triggered if SELinux is enabled
+or CONFIG_DEBUG_CREDENTIALS=y.
+
+If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because
+cred->magic == 0. Failing that, BUG() is called from selinux_cred_free()
+because selinux_cred_free() is not expecting cred->security == NULL. This does
+not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().
+
+Fix these bugs by
+
+(1) Set new->magic before calling security_cred_alloc_blank().
+
+(2) Handle null cred->security in creds_are_invalid() and selinux_cred_free().
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/cred.c | 12 ++++++++----
+ security/selinux/hooks.c | 6 +++++-
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void)
+ #endif
+
+ atomic_set(&new->usage, 1);
++#ifdef CONFIG_DEBUG_CREDENTIALS
++ new->magic = CRED_MAGIC;
++#endif
+
+ if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
+ goto error;
+
+-#ifdef CONFIG_DEBUG_CREDENTIALS
+- new->magic = CRED_MAGIC;
+-#endif
+ return new;
+
+ error:
+@@ -748,7 +748,11 @@ bool creds_are_invalid(const struct cred
+ if (cred->magic != CRED_MAGIC)
+ return true;
+ #ifdef CONFIG_SECURITY_SELINUX
+- if (selinux_is_enabled()) {
++ /*
++ * cred->security == NULL if security_cred_alloc_blank() or
++ * security_prepare_creds() returned an error.
++ */
++ if (selinux_is_enabled() && cred->security) {
+ if ((unsigned long) cred->security < PAGE_SIZE)
+ return true;
+ if ((*(u32 *)cred->security & 0xffffff00) ==
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3198,7 +3198,11 @@ static void selinux_cred_free(struct cre
+ {
+ struct task_security_struct *tsec = cred->security;
+
+- BUG_ON((unsigned long) cred->security < PAGE_SIZE);
++ /*
++ * cred->security == NULL if security_cred_alloc_blank() or
++ * security_prepare_creds() returned an error.
++ */
++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
+ cred->security = (void *) 0x7UL;
+ kfree(tsec);
+ }
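Review bot: Moving `new->magic = CRED_MAGIC;` ahead of security_cred_alloc_blank() in cred_alloc_blank() carries no explanation in the code, although the ordering is load-bearing: the `error:` path (outside this hunk) goes through abort_creds(), which validates the magic. I would add `/* set before security_cred_alloc_blank(): its failure path calls abort_creds(), which checks magic */` above the `#ifdef`. In selinux_cred_free() the same three-line comment is duplicated from creds_are_invalid(); since `tsec` already holds `cred->security`, `BUG_ON(tsec && (unsigned long) tsec < PAGE_SIZE);` reads more directly, and `kfree(tsec)` tolerates NULL so no further guard is needed.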
--- /dev/null
+From fb2b2a1d37f80cc818fd4487b510f4e11816e5e1 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Mon, 7 Feb 2011 13:36:16 +0000
+Subject: CRED: Fix memory and refcount leaks upon security_prepare_creds() failure
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit fb2b2a1d37f80cc818fd4487b510f4e11816e5e1 upstream.
+
+In prepare_kernel_cred() since 2.6.29, put_cred(new) is called without
+assigning new->usage when security_prepare_creds() returned an error. As a
+result, memory for new and refcount for new->{user,group_info,tgcred} are
+leaked because put_cred(new) won't call __put_cred() unless old->usage == 1.
+
+Fix these leaks by assigning new->usage (and new->subscribers which was added
+in 2.6.32) before calling security_prepare_creds().
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ kernel/cred.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -657,6 +657,8 @@ struct cred *prepare_kernel_cred(struct
+ validate_creds(old);
+
+ *new = *old;
++ atomic_set(&new->usage, 1);
++ set_cred_subscribers(new, 0);
+ get_uid(new->user);
+ get_group_info(new->group_info);
+
+@@ -674,8 +676,6 @@ struct cred *prepare_kernel_cred(struct
+ if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
+ goto error;
+
+- atomic_set(&new->usage, 1);
+- set_cred_subscribers(new, 0);
+ put_cred(old);
+ validate_creds(new);
+ return new;
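Review bot: `atomic_set(&new->usage, 1);` and `set_cred_subscribers(new, 0);` now follow `*new = *old;` without a comment, and a reader can easily take the counts to be live copies of `old`. The struct copy brings over old's usage and subscriber counts, and any failure path that reaches put_cred(new) relies on usage being exactly 1 to release the references taken by `get_uid()` and `get_group_info()`, so I would annotate it: `/* reset the counts copied from *old now, so an early put_cred(new) frees the new cred */`. prepare_kernel_cred() begins before the first hunk and the `error:` path lies outside the second.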
hid-add-add-cando-touch-screen-10.1-inch-product-id.patch
hid-switch-turbox-mosart-touchscreen-to-hid-mosart.patch
cred-fix-kernel-panic-upon-security_file_alloc-failure.patch
+btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_info.patch
+cred-fix-bug-upon-security_cred_alloc_blank-failure.patch
+cred-fix-memory-and-refcount-leaks-upon-security_prepare_creds-failure.patch
+staging-brcm80211-bugfix-for-softmac-crash-on-multi-cpu-configurations.patch
--- /dev/null
+From 6a3be6e6e7feb4cb35275475d6a863b748d59cc3 Mon Sep 17 00:00:00 2001
+From: Roland Vossen <rvossen@broadcom.com>
+Date: Tue, 25 Jan 2011 11:51:56 +0100
+Subject: staging: brcm80211: bugfix for softmac crash on multi cpu configurations
+
+From: Roland Vossen <rvossen@broadcom.com>
+
+commit 6a3be6e6e7feb4cb35275475d6a863b748d59cc3 upstream.
+
+Solved a locking issue that resulted in driver crashes with the 43224 and 43225
+chips. The problem has been reported on several fora. Root cause was two fold:
+hardware was being manipulated by two unsynchronized threads, and a scan
+operation could interfere with an ongoing dynamic calibration process. Fix was
+to invoke a lock on wl_ops_config() operation and to set internal flags when a
+scan operation is started and stopped.
+
+Please add this to the staging-linus branch.
+
+Signed-off-by: Roland Vossen <rvossen@broadcom.com>
+Acked-by: Brett Rudley <brudley@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/staging/brcm80211/sys/wlc_mac80211.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/staging/brcm80211/sys/wlc_mac80211.c
++++ b/drivers/staging/brcm80211/sys/wlc_mac80211.c
+@@ -5336,7 +5336,6 @@ wlc_sendpkt_mac80211(wlc_info_t *wlc, vo
+ fifo = prio2fifo[prio];
+
+ ASSERT((uint) PKTHEADROOM(sdu) >= TXOFF);
+- ASSERT(!PKTSHARED(sdu));
+ ASSERT(!PKTNEXT(sdu));
+ ASSERT(!PKTLINK(sdu));
+ ASSERT(fifo < NFIFO);
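Review bot: The patch body does not match its description: the text explains a locking fix around wl_ops_config() and scan start/stop flags, while the diffstat and the single hunk remove only `ASSERT(!PKTSHARED(sdu));` from wlc_sendpkt_mac80211(). If the rest of the upstream commit was deliberately left out of this backport, the description should say so and state why dropping this assertion alone is sufficient, since a shared packet buffer reaching the transmit path is no longer caught by a check here; otherwise the missing hunks should be restored. wlc_sendpkt_mac80211() begins before and continues after the hunk.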