From: Greg Kroah-Hartman
Date: Wed, 16 Feb 2011 23:06:26 +0000 (-0800)
Subject: .37 patches
X-Git-Tag: v2.6.36.4~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=acf79f3442fe27f44883f1235f2a7efaf2265627;p=thirdparty%2Fkernel%2Fstable-queue.git

.37 patches
---

diff --git a/queue-2.6.37/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_info.patch b/queue-2.6.37/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_info.patch
new file mode 100644
index 00000000000..ea1952ede5a
--- /dev/null
+++ b/queue-2.6.37/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_info.patch
@@ -0,0 +1,79 @@
+From 51788b1bdd0d68345bab0af4301e7fa429277228 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Mon, 14 Feb 2011 16:04:23 -0500
+Subject: btrfs: prevent heap corruption in btrfs_ioctl_space_info()
+
+From: Dan Rosenberg
+
+commit 51788b1bdd0d68345bab0af4301e7fa429277228 upstream.
+
+Commit bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
+btrfs_ioctl_space_info() and introduced several security issues.
+
+space_args.space_slots is an unsigned 64-bit type controlled by a
+possibly unprivileged caller. The comparison as a signed int type
+allows providing values that are treated as negative and cause the
+subsequent allocation size calculation to wrap, or be truncated to 0.
+By providing a size that's truncated to 0, kmalloc() will return
+ZERO_SIZE_PTR. It's also possible to provide a value smaller than the
+slot count. The subsequent loop ignores the allocation size when
+copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
+
+The fix changes the slot count type and comparison typecast to u64,
+which prevents truncation or signedness errors, and also ensures that we
+don't copy more data than we've allocated in the subsequent loop. Note
+that zero-size allocations are no longer possible since there is already
+an explicit check for space_args.space_slots being 0 and truncation of
+this value is no longer an issue.
+
+Signed-off-by: Dan Rosenberg
+Signed-off-by: Josef Bacik
+Reviewed-by: Josef Bacik
+Signed-off-by: Chris Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/ioctl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2087,7 +2087,7 @@ long btrfs_ioctl_space_info(struct btrfs
+ int num_types = 4;
+ int alloc_size;
+ int ret = 0;
+- int slot_count = 0;
++ u64 slot_count = 0;
+ int i, c;
+ 
+ if (copy_from_user(&space_args,
+@@ -2126,7 +2126,7 @@ long btrfs_ioctl_space_info(struct btrfs
+ goto out;
+ }
+ 
+- slot_count = min_t(int, space_args.space_slots, slot_count);
++ slot_count = min_t(u64, space_args.space_slots, slot_count);
+ 
+ alloc_size = sizeof(*dest) * slot_count;
+ 
+@@ -2146,6 +2146,9 @@ long btrfs_ioctl_space_info(struct btrfs
+ for (i = 0; i < num_types; i++) {
+ struct btrfs_space_info *tmp;
+ 
++ if (!slot_count)
++ break;
++
+ info = NULL;
+ rcu_read_lock();
+ list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
+@@ -2167,7 +2170,10 @@ long btrfs_ioctl_space_info(struct btrfs
+ memcpy(dest, &space, sizeof(space));
+ dest++;
+ space_args.total_spaces++;
++ slot_count--;
+ }
++ if (!slot_count)
++ break;
+ }
+ up_read(&info->groups_sem);
+ }
diff --git a/queue-2.6.37/cred-fix-bug-upon-security_cred_alloc_blank-failure.patch b/queue-2.6.37/cred-fix-bug-upon-security_cred_alloc_blank-failure.patch
new file mode 100644
index 00000000000..980ddf911f3
--- /dev/null
+++ b/queue-2.6.37/cred-fix-bug-upon-security_cred_alloc_blank-failure.patch
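Review bot: `alloc_size` is still declared `int` in the `@@ -2087` hunk while the `@@ -2126` hunk now assigns it `sizeof(*dest) * slot_count` with `slot_count` widened to `u64`, so that assignment silently narrows a 64-bit product. It is safe only because `slot_count` has just been clamped by `min_t(u64, space_args.space_slots, slot_count)` to the kernel-computed count, and that reasoning is not recorded anywhere near the arithmetic. Either widen the local, `size_t alloc_size;`, or state the invariant at the assignment, `/* slot_count is clamped to the in-kernel space_info count, so the product fits */`. The `slot_count--` and `if (!slot_count) break;` added in the last hunk are what make the copy loop honour the allocation; a one-line comment there, `/* never write past the slot_count entries we allocated */`, would tie the two hunks together for the next reader. btrfs_ioctl_space_info() begins and ends outside these hunks.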
@@ -0,0 +1,82 @@
+From 2edeaa34a6e3f2c43b667f6c4f7b27944b811695 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 7 Feb 2011 13:36:10 +0000
+Subject: CRED: Fix BUG() upon security_cred_alloc_blank() failure
+
+From: Tetsuo Handa
+
+commit 2edeaa34a6e3f2c43b667f6c4f7b27944b811695 upstream.
+
+In cred_alloc_blank() since 2.6.32, abort_creds(new) is called with
+new->security == NULL and new->magic == 0 when security_cred_alloc_blank()
+returns an error. As a result, BUG() will be triggered if SELinux is enabled
+or CONFIG_DEBUG_CREDENTIALS=y.
+
+If CONFIG_DEBUG_CREDENTIALS=y, BUG() is called from __invalid_creds() because
+cred->magic == 0. Failing that, BUG() is called from selinux_cred_free()
+because selinux_cred_free() is not expecting cred->security == NULL. This does
+not affect smack_cred_free(), tomoyo_cred_free() or apparmor_cred_free().
+
+Fix these bugs by
+
+(1) Set new->magic before calling security_cred_alloc_blank().
+
+(2) Handle null cred->security in creds_are_invalid() and selinux_cred_free().
+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/cred.c | 12 ++++++++----
+ security/selinux/hooks.c | 6 +++++-
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -252,13 +252,13 @@ struct cred *cred_alloc_blank(void)
+ #endif
+ 
+ atomic_set(&new->usage, 1);
++#ifdef CONFIG_DEBUG_CREDENTIALS
++ new->magic = CRED_MAGIC;
++#endif
+ 
+ if (security_cred_alloc_blank(new, GFP_KERNEL) < 0)
+ goto error;
+ 
+-#ifdef CONFIG_DEBUG_CREDENTIALS
+- new->magic = CRED_MAGIC;
+-#endif
+ return new;
+ 
+ error:
+@@ -748,7 +748,11 @@ bool creds_are_invalid(const struct cred
+ if (cred->magic != CRED_MAGIC)
+ return true;
+ #ifdef CONFIG_SECURITY_SELINUX
+- if (selinux_is_enabled()) {
++ /*
++ * cred->security == NULL if security_cred_alloc_blank() or
++ * security_prepare_creds() returned an error.
++ */
++ if (selinux_is_enabled() && cred->security) {
+ if ((unsigned long) cred->security < PAGE_SIZE)
+ return true;
+ if ((*(u32 *)cred->security & 0xffffff00) ==
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3198,7 +3198,11 @@ static void selinux_cred_free(struct cre
+ {
+ struct task_security_struct *tsec = cred->security;
+ 
+- BUG_ON((unsigned long) cred->security < PAGE_SIZE);
++ /*
++ * cred->security == NULL if security_cred_alloc_blank() or
++ * security_prepare_creds() returned an error.
++ */
++ BUG_ON(cred->security && (unsigned long) cred->security < PAGE_SIZE);
+ cred->security = (void *) 0x7UL;
+ kfree(tsec);
+ }
diff --git a/queue-2.6.37/cred-fix-memory-and-refcount-leaks-upon-security_prepare_creds-failure.patch b/queue-2.6.37/cred-fix-memory-and-refcount-leaks-upon-security_prepare_creds-failure.patch
new file mode 100644
index 00000000000..7ef5cde95b9
--- /dev/null
+++ b/queue-2.6.37/cred-fix-memory-and-refcount-leaks-upon-security_prepare_creds-failure.patch
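Review bot: The new `&& cred->security` guard in creds_are_invalid() (the `@@ -748` hunk) means a NULL security blob is no longer reported as invalid under CONFIG_SECURITY_SELINUX, whereas before the change the `< PAGE_SIZE` test caught it. That is the intent for the two error paths the added comment names, but it also lets a fully prepared cred with a missing blob pass validate_creds() silently, so the comment should state the trade-off, e.g. append `* A NULL blob is therefore accepted here rather than flagged; the error paths free it via selinux_cred_free().` The same three-line comment is duplicated in the hooks.c hunk, where the relaxed `BUG_ON(cred->security && ...)` is sufficient because `kfree(tsec)` on NULL is a no-op; one of the two copies could simply point at the other. creds_are_invalid() continues past the end of its hunk.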
@@ -0,0 +1,46 @@
+From fb2b2a1d37f80cc818fd4487b510f4e11816e5e1 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 7 Feb 2011 13:36:16 +0000
+Subject: CRED: Fix memory and refcount leaks upon security_prepare_creds() failure
+
+From: Tetsuo Handa
+
+commit fb2b2a1d37f80cc818fd4487b510f4e11816e5e1 upstream.
+
+In prepare_kernel_cred() since 2.6.29, put_cred(new) is called without
+assigning new->usage when security_prepare_creds() returned an error. As a
+result, memory for new and refcount for new->{user,group_info,tgcred} are
+leaked because put_cred(new) won't call __put_cred() unless old->usage == 1.
+
+Fix these leaks by assigning new->usage (and new->subscribers which was added
+in 2.6.32) before calling security_prepare_creds().
+
+Signed-off-by: Tetsuo Handa
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/cred.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/cred.c
++++ b/kernel/cred.c
+@@ -657,6 +657,8 @@ struct cred *prepare_kernel_cred(struct
+ validate_creds(old);
+ 
+ *new = *old;
++ atomic_set(&new->usage, 1);
++ set_cred_subscribers(new, 0);
+ get_uid(new->user);
+ get_group_info(new->group_info);
+ 
+@@ -674,8 +676,6 @@ struct cred *prepare_kernel_cred(struct
+ if (security_prepare_creds(new, old, GFP_KERNEL) < 0)
+ goto error;
+ 
+- atomic_set(&new->usage, 1);
+- set_cred_subscribers(new, 0);
+ put_cred(old);
+ validate_creds(new);
+ return new;
diff --git a/queue-2.6.37/series b/queue-2.6.37/series
index 6c744e47e4b..7a4d319a1b9 100644
--- a/queue-2.6.37/series
+++ b/queue-2.6.37/series
@@ -22,3 +22,7 @@ xfs-fix-dquot-shaker-deadlock.patch
 hid-add-add-cando-touch-screen-10.1-inch-product-id.patch
 hid-switch-turbox-mosart-touchscreen-to-hid-mosart.patch
 cred-fix-kernel-panic-upon-security_file_alloc-failure.patch
+btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_info.patch
+cred-fix-bug-upon-security_cred_alloc_blank-failure.patch
+cred-fix-memory-and-refcount-leaks-upon-security_prepare_creds-failure.patch
+staging-brcm80211-bugfix-for-softmac-crash-on-multi-cpu-configurations.patch
diff --git a/queue-2.6.37/staging-brcm80211-bugfix-for-softmac-crash-on-multi-cpu-configurations.patch b/queue-2.6.37/staging-brcm80211-bugfix-for-softmac-crash-on-multi-cpu-configurations.patch
new file mode 100644
index 00000000000..e0315e2ecaf
--- /dev/null
+++ b/queue-2.6.37/staging-brcm80211-bugfix-for-softmac-crash-on-multi-cpu-configurations.patch
@@ -0,0 +1,38 @@
+From 6a3be6e6e7feb4cb35275475d6a863b748d59cc3 Mon Sep 17 00:00:00 2001
+From: Roland Vossen
+Date: Tue, 25 Jan 2011 11:51:56 +0100
+Subject: staging: brcm80211: bugfix for softmac crash on multi cpu configurations
+
+From: Roland Vossen
+
+commit 6a3be6e6e7feb4cb35275475d6a863b748d59cc3 upstream.
+
+Solved a locking issue that resulted in driver crashes with the 43224 and 43225
+chips. The problem has been reported on several fora. Root cause was two fold:
+hardware was being manipulated by two unsynchronized threads, and a scan
+operation could interfere with an ongoing dynamic calibration process. Fix was
+to invoke a lock on wl_ops_config() operation and to set internal flags when a
+scan operation is started and stopped.
+
+Please add this to the staging-linus branch.
+
+Signed-off-by: Roland Vossen
+Acked-by: Brett Rudley
+Signed-off-by: Arend van Spriel
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ drivers/staging/brcm80211/sys/wlc_mac80211.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/staging/brcm80211/sys/wlc_mac80211.c
++++ b/drivers/staging/brcm80211/sys/wlc_mac80211.c
+@@ -5336,7 +5336,6 @@ wlc_sendpkt_mac80211(wlc_info_t *wlc, vo
+ fifo = prio2fifo[prio];
+ 
+ ASSERT((uint) PKTHEADROOM(sdu) >= TXOFF);
+- ASSERT(!PKTSHARED(sdu));
+ ASSERT(!PKTNEXT(sdu));
+ ASSERT(!PKTLINK(sdu));
+ ASSERT(fifo < NFIFO);
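Review bot: The only code change this patch file carries is the removal of `ASSERT(!PKTSHARED(sdu));` from wlc_sendpkt_mac80211(), and the diffstat agrees (`1 file changed, 1 deletion(-)`), yet the description speaks of taking a lock in wl_ops_config() and setting scan flags; presumably those hunks of the upstream commit were dropped or did not apply to 2.6.37. A stable patch that is a subset of the commit it cites should say so, with a bracketed backport note above the Signed-off-by block such as `[backport note: only the PKTSHARED assertion removal is carried to 2.6.37]` (placeholder wording). Dropping the assertion means a shared packet buffer now continues into the transmit path instead of trapping on debug builds, and whether the remainder of wlc_sendpkt_mac80211() is correct with a shared sdu cannot be judged here, as the function body continues past the end of the hunk.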