Linux v3.9.10

block-do-not-pass-disk-names-as-format-strings.patch

@@ -1,64 +0,0 @@
-Disk names may contain arbitrary strings, so they must not be interpreted
-as format strings. It seems that only md allows arbitrary strings to be
-used for disk names, but this could allow for a local memory corruption
-from uid 0 into ring 0.
-
-CVE-2013-2851
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Cc: Jens Axboe <axboe@kernel.dk>
----
- block/genhd.c              |    2 +-
- drivers/block/nbd.c        |    3 ++-
- drivers/scsi/osd/osd_uld.c |    2 +-
- 3 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/block/genhd.c b/block/genhd.c
-index 20625ee..cdeb527 100644
---- a/block/genhd.c
-+++ b/block/genhd.c
-@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
- 
- 	ddev->parent = disk->driverfs_dev;
- 
--	dev_set_name(ddev, disk->disk_name);
-+	dev_set_name(ddev, "%s", disk->disk_name);
- 
- 	/* delay uevents, until we scanned partition table */
- 	dev_set_uevent_suppress(ddev, 1);
-diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
-index 037288e..46b35f7 100644
---- a/drivers/block/nbd.c
-+++ b/drivers/block/nbd.c
-@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
- 		else
- 			blk_queue_flush(nbd->disk->queue, 0);
- 
--		thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
-+		thread = kthread_create(nbd_thread, nbd, "%s",
-+					nbd->disk->disk_name);
- 		if (IS_ERR(thread)) {
- 			mutex_lock(&nbd->tx_lock);
- 			return PTR_ERR(thread);
-diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
-index 0fab6b5..9d86947 100644
---- a/drivers/scsi/osd/osd_uld.c
-+++ b/drivers/scsi/osd/osd_uld.c
-@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
- 	oud->class_dev.class = &osd_uld_class;
- 	oud->class_dev.parent = dev;
- 	oud->class_dev.release = __remove;
--	error = dev_set_name(&oud->class_dev, disk->disk_name);
-+	error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
- 	if (error) {
- 		OSD_ERR("dev_set_name failed => %d\n", error);
- 		goto err_put_cdev;
--- 
-1.7.9.5
-
---
-To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at  http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at  http://www.tux.org/lkml/

cdrom-use-kzalloc-for-failing-hardware.patch

@@ -1,45 +0,0 @@
-From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001
-From: Jonathan Salwan <jonathan.salwan@gmail.com>
-Date: Thu, 06 Jun 2013 00:39:39 +0000
-Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
-
-In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
-area with kmalloc in line 2885.
-
-2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-2886         if (cgc->buffer == NULL)
-2887                 return -ENOMEM;
-
-In line 2908 we can find the copy_to_user function:
-
-2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
-
-The cgc->buffer is never cleaned and initialized before this function.  If
-ret = 0 with the previous basic block, it's possible to display some
-memory bytes in kernel space from userspace.
-
-When we read a block from the disk it normally fills the ->buffer but if
-the drive is malfunctioning there is a chance that it would only be
-partially filled.  The result is an leak information to userspace.
-
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Cc: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
----
-(limited to 'drivers/cdrom/cdrom.c')
-
-diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
-index d620b44..8a3aff7 100644
---- a/drivers/cdrom/cdrom.c
-+++ b/drivers/cdrom/cdrom.c
-@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
- 	if (lba < 0)
- 		return -EINVAL;
- 
--	cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
-+	cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
- 	if (cgc->buffer == NULL)
- 		return -ENOMEM;
- 
---
-cgit v0.9.2

ceph-fix.patch

@@ -1,24 +0,0 @@
-diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c
-index 925ca58..0ef2458 100644
---- a/net/ceph/auth_none.c
-+++ b/net/ceph/auth_none.c
-@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac)
- 	return xi->starting;
- }
- 
-+static int build_request(struct ceph_auth_client *ac, void *buf, void *end)
-+{
-+       return 0;
-+}
-+
- /*
-  * the generic auth code decode the global_id, and we carry no actual
-  * authenticate state, so nothing happens here.
-@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = {
- 	.destroy = destroy,
- 	.is_authenticated = is_authenticated,
- 	.should_authenticate = should_authenticate,
-+	.build_request = build_request,
- 	.handle_reply = handle_reply,
- 	.create_authorizer = ceph_auth_none_create_authorizer,
- 	.destroy_authorizer = ceph_auth_none_destroy_authorizer,

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 103
+%global baserelease 100
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -66,7 +66,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 
 # Do we have a -stable update to apply?
-%define stable_update 9
+%define stable_update 10
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -743,12 +743,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch
 #CVE-2013-2148 rhbz 971258 971261
 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch
 
-#CVE-2013-2851 rhbz 969515 971662
-Patch25035: block-do-not-pass-disk-names-as-format-strings.patch
-
-#CVE-2013-2164 rhbz 973100 973109
-Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch
-
 #rhbz 969644
 Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
 
@@ -774,9 +768,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch
 #CVE-2013-2234 rhbz 980995 981007
 Patch25058: af_key-fix-info-leaks-in-notify-messages.patch
 
-#CVE-2013-1059 rhbz 977356 980341
-Patch25059: ceph-fix.patch
-
 #CVE-2013-2232 rhbz 981552 981564
 Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
 
@@ -1486,12 +1477,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch
 #CVE-2013-2148 rhbz 971258 971261
 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch
 
-#CVE-2013-2851 rhbz 969515 971662
-ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch
-
-#CVE-2013-2164 rhbz 973100 973109
-ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch
-
 #rhbz 969644
 ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch
 
@@ -1516,9 +1501,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch
 #CVE-2013-2234 rhbz 980995 981007
 ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch
 
-#CVE-2013-1059 rhbz 977356 980341
-ApplyPatch ceph-fix.patch
-
 #CVE-2013-2232 rhbz 981552 981564
 ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch
 
@@ -2377,6 +2359,9 @@ fi
 #    '-'      |  |
 #              '-'
 %changelog
+* Sat Jul 13 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.10-100
+- Linux v3.9.10
+
 * Fri Jul 12 2013 Dave Jones <davej@redhat.com> - 3.9.9-103
 - Disable LATENCYTOP/SCHEDSTATS in non-debug builds.
 

sources

@@ -1,2 +1,2 @@
 4348c9b6b2eb3144d601e87c19d5d909  linux-3.9.tar.xz
-41f350c2fd6aa14414bf39f173a8e6a3  patch-3.9.9.xz
+9ceaca9b18b47e126858900bd7502672  patch-3.9.10.xz