From: Greg Kroah-Hartman
Date: Tue, 7 Dec 2010 00:33:48 +0000 (-0800)
Subject: .32 patches
X-Git-Tag: v2.6.27.57~25
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=11035f4de4f0a1696a643f7fb8b33e152d54a8d4;p=thirdparty%2Fkernel%2Fstable-queue.git
.32 patches
---
diff --git a/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch b/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch
new file mode 100644
index 00000000000..16cefd31041
--- /dev/null
+++ b/queue-2.6.32/hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch
@@ -0,0 +1,54 @@
+From d20d5ffab92f00188f360c44c791a5ffb988247c Mon Sep 17 00:00:00 2001
+From: Antonio Ospite
+Date: Tue, 5 Oct 2010 17:20:16 +0200
+Subject: HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
+
+From: Antonio Ospite
+
+commit d20d5ffab92f00188f360c44c791a5ffb988247c upstream.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
+IP: [] hidraw_ioctl+0xfc/0x32c [hid]
+[...]
+
+This is reproducible by disconnecting the device while userspace does
+ioctl in a loop and doesn't check return values in order to exit the
+loop.
+
+Signed-off-by: Antonio Ospite
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/hidraw.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/hid/hidraw.c
++++ b/drivers/hid/hidraw.c
+@@ -237,11 +237,16 @@ static long hidraw_ioctl(struct file *fi
+ struct inode *inode = file->f_path.dentry->d_inode;
+ unsigned int minor = iminor(inode);
+ long ret = 0;
+- /* FIXME: What stops hidraw_table going NULL */
+- struct hidraw *dev = hidraw_table[minor];
++ struct hidraw *dev;
+ void __user *user_arg = (void __user*) arg;
+
+ lock_kernel();
++ dev = hidraw_table[minor];
++ if (!dev) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ switch (cmd) {
+ case HIDIOCGRDESCSIZE:
+ if (put_user(dev->hid->rsize, (int __user *)arg))
+@@ -314,6 +319,7 @@ static long hidraw_ioctl(struct file *fi
+
+ ret = -ENOTTY;
+ }
++out:
+ unlock_kernel();
+ return ret;
+ }
diff --git a/queue-2.6.32/net-sched-fix-kernel-leak-in-act_police.patch b/queue-2.6.32/net-sched-fix-kernel-leak-in-act_police.patch
new file mode 100644
index 00000000000..c8d1e7bd565
--- /dev/null
+++ b/queue-2.6.32/net-sched-fix-kernel-leak-in-act_police.patch
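Review bot: The new `if (!dev)` check in the carried hidraw.c hunk at `@@ -237,11 +237,16 @@` closes the reported NULL dereference only if the disconnect path clears `hidraw_table[minor]` and frees the `struct hidraw` under the same `lock_kernel()` serialization; that path is not visible here, and if it runs under a different lock a disconnect landing between this check and the `dev->hid->rsize` dereference in the switch could still use freed memory, so it is worth confirming against hidraw_disconnect() in this tree. The removed FIXME asked exactly that question and the new code answers it only implicitly; a comment at the re-read such as `/* re-read under the BKL: a NULL slot means the device was disconnected */` would record the invariant the check depends on, adjusted to whatever the disconnect path actually guarantees. hidraw_ioctl() begins before the first inner hunk, and the switch body between the two inner hunks is not shown.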
@@ -0,0 +1,61 @@
+From 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e Mon Sep 17 00:00:00 2001
+From: Jeff Mahoney
+Date: Tue, 31 Aug 2010 13:21:42 +0000
+Subject: net sched: fix kernel leak in act_police
+
+From: Jeff Mahoney
+
+commit 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e upstream.
+
+While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
+ audited other users of tc_action_ops->dump for information leaks.
+
+ That commit covered almost all of them but act_police still had a leak.
+
+ opt.limit and opt.capab aren't zeroed out before the structure is
+ passed out.
+
+ This patch uses the C99 initializers to zero everything unused out.
+
+Signed-off-by: Jeff Mahoney
+Acked-by: Jeff Mahoney
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sched/act_police.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/net/sched/act_police.c
++++ b/net/sched/act_police.c
+@@ -340,22 +340,19 @@ tcf_act_police_dump(struct sk_buff *skb,
+ {
+ unsigned char *b = skb_tail_pointer(skb);
+ struct tcf_police *police = a->priv;
+- struct tc_police opt;
++ struct tc_police opt = {
++ .index = police->tcf_index,
++ .action = police->tcf_action,
++ .mtu = police->tcfp_mtu,
++ .burst = police->tcfp_burst,
++ .refcnt = police->tcf_refcnt - ref,
++ .bindcnt = police->tcf_bindcnt - bind,
++ };
+
+- opt.index = police->tcf_index;
+- opt.action = police->tcf_action;
+- opt.mtu = police->tcfp_mtu;
+- opt.burst = police->tcfp_burst;
+- opt.refcnt = police->tcf_refcnt - ref;
+- opt.bindcnt = police->tcf_bindcnt - bind;
+ if (police->tcfp_R_tab)
+ opt.rate = police->tcfp_R_tab->rate;
+- else
+- memset(&opt.rate, 0, sizeof(opt.rate));
+ if (police->tcfp_P_tab)
+ opt.peakrate = police->tcfp_P_tab->rate;
+- else
+- memset(&opt.peakrate, 0, sizeof(opt.peakrate));
+ NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt);
+ if (police->tcfp_result)
+ NLA_PUT_U32(skb, TCA_POLICE_RESULT, police->tcfp_result);
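Review bot: The designated initializer in the carried act_police.c hunk at `@@ -340,22 +340,19 @@` zeroes every member it does not name, which covers `limit`, `capab` and the `rate`/`peakrate` cases the removed `memset` calls handled, but an initializer is not guaranteed by the C standard to clear padding bytes, and `opt` is copied out whole by `NLA_PUT(skb, TCA_POLICE_TBF, sizeof(opt), &opt)`. Whether `struct tc_police` or its embedded `struct tc_ratespec` actually contain padding is not visible in this hunk; if they do, an explicit `memset(&opt, 0, sizeof(opt));` before the field assignments is the conservative form that also covers padding. A comment such as `/* zero-init: opt is copied to user space whole, so unset fields must not carry stack contents */` would record why the initializer form matters and keep a later edit from reverting to an uninitialized declaration. tcf_act_police_dump() continues past the end of the hunk.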
diff --git a/queue-2.6.32/series b/queue-2.6.32/series
index c75dc134f6d..7ce83a5f935 100644
--- a/queue-2.6.32/series
+++ b/queue-2.6.32/series
@@ -91,3 +91,5 @@ arm-6489-1-thumb2-fix-incorrect-optimisation-in-usracc.patch
 arm-6482-2-fix-find_next_zero_bit-and-related-assembly.patch
 staging-frontier-fix-up-some-sysfs-attribute-permissions.patch
 staging-rtl8187se-change-panic-to-warn-when-rf-switch-turned-off.patch
+net-sched-fix-kernel-leak-in-act_police.patch
+hid-hidraw-fix-a-null-pointer-dereference-in-hidraw_ioctl.patch