From: Greg Kroah-Hartman
Date: Fri, 2 May 2014 03:10:32 +0000 (-0700)
Subject: 3.10-stable patches
X-Git-Tag: v3.4.89~24
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=82cab600359b90f6c11706f53a721ca067b3f1fd;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
x86-efi-correct-efi-boot-stub-use-of-code32_start.patch
---

diff --git a/queue-3.10/series b/queue-3.10/series
index c0be9cfbe21..7264431a165 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -53,3 +53,5 @@ ib_srpt-use-correct-ib_sg_dma-primitives.patch
 scsi-qla2xxx-fix-error-handling-of-qla2x00_mem_alloc.patch
 scsi-arcmsr-upper-32-of-dma-address-lost.patch
 iscsi-target-fix-erl-2-async_event-connection-pointer-bug.patch
+target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
+x86-efi-correct-efi-boot-stub-use-of-code32_start.patch
diff --git a/queue-3.10/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch b/queue-3.10/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
new file mode 100644
index 00000000000..528cfe9dd4d
--- /dev/null
+++ b/queue-3.10/target-tcm_fc-fix-use-after-free-of-ft_tpg.patch
@@ -0,0 +1,52 @@
+From 2c42be2dd4f6586728dba5c4e197afd5cfaded78 Mon Sep 17 00:00:00 2001
+From: Andy Grover
+Date: Fri, 4 Apr 2014 16:44:37 -0700
+Subject: target/tcm_fc: Fix use-after-free of ft_tpg
+
+From: Andy Grover
+
+commit 2c42be2dd4f6586728dba5c4e197afd5cfaded78 upstream.
+
+ft_del_tpg checks tpg->tport is set before unlinking the tpg from the
+tport when the tpg is being removed. Set this pointer in ft_tport_create,
+or the unlinking won't happen in ft_del_tpg and tport->tpg will reference
+a deleted object.
+
+This patch sets tpg->tport in ft_tport_create, because that's what
+ft_del_tpg checks, and is the only way to get back to the tport to
+clear tport->tpg.
+
+The bug was occuring when:
+
+- lport created, tport (our per-lport, per-provider context) is
+ allocated.
+ tport->tpg = NULL
+- tpg created
+- a PRLI is received. ft_tport_create is called, tpg is found and
+ tport->tpg is set
+- tpg removed. ft_tpg is freed in ft_del_tpg. Since tpg->tport was not
+ set, tport->tpg is not cleared and points at freed memory
+- Future calls to ft_tport_create return tport via first conditional,
+ instead of searching for new tpg by calling ft_lport_find_tpg.
+ tport->tpg is still invalid, and will access freed memory.
+
+see https://bugzilla.redhat.com/show_bug.cgi?id=1071340
+
+Signed-off-by: Andy Grover
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/tcm_fc/tfc_sess.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/target/tcm_fc/tfc_sess.c
++++ b/drivers/target/tcm_fc/tfc_sess.c
+@@ -68,6 +68,7 @@ static struct ft_tport *ft_tport_create(
+ 
+ if (tport) {
+ tport->tpg = tpg;
++ tpg->tport = tport;
+ return tport;
+ }
+ 
diff --git a/queue-3.10/x86-efi-correct-efi-boot-stub-use-of-code32_start.patch b/queue-3.10/x86-efi-correct-efi-boot-stub-use-of-code32_start.patch
new file mode 100644
index 00000000000..c205bb45c83
--- /dev/null
+++ b/queue-3.10/x86-efi-correct-efi-boot-stub-use-of-code32_start.patch
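Review bot: The new `tpg->tport = tport;` links the two objects only on the path where an existing tport is reused; whether the allocation path further down in ft_tport_create (outside the hunk) sets the back-pointer the same way, and whether the store is made under the same lock that guards `tport->tpg`, cannot be seen here and is worth confirming. The fix also covers only one direction: the description says ft_del_tpg clears `tport->tpg` once `tpg->tport` is set, but nothing in the hunk shows `tpg->tport` being cleared when the tport goes away first, which would leave the tpg holding a dangling pointer. A one-line comment would make the pairing explicit, e.g. `/* back-pointer so ft_del_tpg can clear tport->tpg when the tpg is removed */`. ft_tport_create starts before and continues past the hunk.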
@@ -0,0 +1,107 @@
+From 7e8213c1f3acc064aef37813a39f13cbfe7c3ce7 Mon Sep 17 00:00:00 2001
+From: Matt Fleming
+Date: Tue, 8 Apr 2014 13:14:00 +0100
+Subject: x86/efi: Correct EFI boot stub use of code32_start
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matt Fleming
+
+commit 7e8213c1f3acc064aef37813a39f13cbfe7c3ce7 upstream.
+
+code32_start should point at the start of the protected mode code, and
+*not* at the beginning of the bzImage. This is much easier to do in
+assembly so document that callers of make_boot_params() need to fill out
+code32_start.
+
+The fallout from this bug is that we would end up relocating the image
+but copying the image at some offset, resulting in what appeared to be
+memory corruption.
+
+Reported-by: Thomas Bächler
+Signed-off-by: Matt Fleming
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/boot/compressed/eboot.c | 5 +++--
+ arch/x86/boot/compressed/head_32.S | 14 ++++++++------
+ arch/x86/boot/compressed/head_64.S | 9 +++------
+ 3 files changed, 14 insertions(+), 14 deletions(-)
+
+--- a/arch/x86/boot/compressed/eboot.c
++++ b/arch/x86/boot/compressed/eboot.c
+@@ -865,6 +865,9 @@ fail:
+ * Because the x86 boot code expects to be passed a boot_params we
+ * need to create one ourselves (usually the bootloader would create
+ * one for us).
++ *
++ * The caller is responsible for filling out ->code32_start in the
++ * returned boot_params.
+ */
+ struct boot_params *make_boot_params(void *handle, efi_system_table_t *_table)
+ {
+@@ -921,8 +924,6 @@ struct boot_params *make_boot_params(voi
+ hdr->vid_mode = 0xffff;
+ hdr->boot_flag = 0xAA55;
+ 
+- hdr->code32_start = (__u64)(unsigned long)image->image_base;
+-
+ hdr->type_of_loader = 0x21;
+ 
+ /* Convert unicode cmdline to ascii */
+--- a/arch/x86/boot/compressed/head_32.S
++++ b/arch/x86/boot/compressed/head_32.S
+@@ -50,6 +50,13 @@ ENTRY(efi_pe_entry)
+ pushl %eax
+ pushl %esi
+ pushl %ecx
++
++ call reloc
++reloc:
++ popl %ecx
++ subl reloc, %ecx
++ movl %ecx, BP_code32_start(%eax)
++
+ sub $0x4, %esp
+ 
+ ENTRY(efi_stub_entry)
+@@ -63,12 +70,7 @@ ENTRY(efi_stub_entry)
+ hlt
+ jmp 1b
+ 2:
+- call 3f
+-3:
+- popl %eax
+- subl $3b, %eax
+- subl BP_pref_address(%esi), %eax
+- add BP_code32_start(%esi), %eax
++ movl BP_code32_start(%esi), %eax
+ leal preferred_addr(%eax), %eax
+ jmp *%eax
+ 
+--- a/arch/x86/boot/compressed/head_64.S
++++ b/arch/x86/boot/compressed/head_64.S
+@@ -217,6 +217,8 @@ ENTRY(efi_pe_entry)
+ cmpq $0,%rax
+ je 1f
+ mov %rax, %rdx
++ leaq startup_32(%rip), %rax
++ movl %eax, BP_code32_start(%rdx)
+ popq %rsi
+ popq %rdi
+ 
+@@ -230,12 +232,7 @@ ENTRY(efi_stub_entry)
+ hlt
+ jmp 1b
+ 2:
+- call 3f
+-3:
+- popq %rax
+- subq $3b, %rax
+- subq BP_pref_address(%rsi), %rax
+- add BP_code32_start(%esi), %eax
++ movl BP_code32_start(%esi), %eax
+ leaq preferred_addr(%rax), %rax
+ jmp *%rax
+ 
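Review bot: In the head_32.S hunk, `subl reloc, %ecx` is a memory operand in AT&T syntax — it subtracts the 32-bit word stored at `reloc` (the instruction bytes there), not the label's link-time address, so `%ecx` does not end up holding the load offset that is then stored into `BP_code32_start(%eax)`. The sequence this replaces used the immediate form `subl $3b, %eax`, and the head_64.S side sidesteps the issue with `leaq startup_32(%rip), %rax`; the 32-bit side should read `subl $reloc, %ecx`. Even with that fixed, writing the runtime-minus-link delta straight into code32_start presumably relies on startup_32 being linked at address 0 so the delta equals the absolute address of the protected-mode entry; if so a comment such as `/* image is linked at 0: runtime - link delta == load address of startup_32 */` would make the assumption visible. Neither efi_pe_entry nor efi_stub_entry is fully visible in the hunk.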