Update to the 3.0.6 stable release (2.6.40.6)

patch-3.0.6.bz2 was generated from git as previously done with some of the 3.1
rc patches.  Hopefully kernel.org will have a generated and signed copy for the
next stable release.
Josh Boyer 2011-10-03 20:14:47 -04:00
parent e0adc28e63
commit 9788e320b3
11 changed files with 9 additions and 460 deletions


@ -1,43 +0,0 @@
From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001
From: Peter Huewe <huewe.external.infineon@googlemail.com>
Date: Thu, 15 Sep 2011 14:37:43 -0300
Subject: [PATCH] TPM: Call tpm_transmit with correct size
This patch changes the call of tpm_transmit by supplying the size of the
userspace buffer instead of TPM_BUFSIZE.
This got assigned CVE-2011-1161.
[The first hunk didn't make sense given one could expect
way less data than TPM_BUFSIZE, so added tpm_transmit boundary
check over bufsiz instead
The last parameter of tpm_transmit() reflects the amount
of data expected from the device, and not the buffer size
being supplied to it. It isn't ideal to parse it directly,
so we just set it to the maximum the input buffer can handle
and let the userspace API to do such job.]
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
---
drivers/char/tpm/tpm.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index caf8012..1fe9793 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
u32 count, ordinal;
unsigned long stop;
+ if (bufsiz > TPM_BUFSIZE)
+ bufsiz = TPM_BUFSIZE;
+
count = be32_to_cpu(*((__be32 *) (buf + 2)));
ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
if (count == 0)
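Review bot: the clamp at the top of this hunk is the real guard: it keeps bufsiz at or below TPM_BUFSIZE, the value the message says used to be passed unconditionally, but it truncates silently rather than failing, so a request larger than TPM_BUFSIZE is quietly shortened with no error to the caller. Since this commit drops the local copy of the fix in favour of the 3.0.6 stable update, confirm the stable tree carries the same bound for CVE-2011-1161 before relying on it.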
--
1.7.6


@ -1,45 +0,0 @@
From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
From: Peter Huewe <huewe.external.infineon@googlemail.com>
Date: Thu, 15 Sep 2011 14:47:42 -0300
Subject: [PATCH] TPM: Zero buffer after copying to userspace
Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.
This got assigned CVE-2011-1162.
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
---
drivers/char/tpm/tpm.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 1fe9793..9ca5c02 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
{
struct tpm_chip *chip = file->private_data;
ssize_t ret_size;
+ int rc;
del_singleshot_timer_sync(&chip->user_read_timer);
flush_work_sync(&chip->work);
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
ret_size = size;
mutex_lock(&chip->buffer_mutex);
- if (copy_to_user(buf, chip->data_buffer, ret_size))
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
+ memset(chip->data_buffer, 0, ret_size);
+ if (rc)
ret_size = -EFAULT;
+
mutex_unlock(&chip->buffer_mutex);
}
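Review bot: memset() here clears only ret_size bytes, and the first line of the hunk assigns ret_size from the caller's size, so a read shorter than the data held in data_buffer leaves the remainder in place; clearing the whole buffer (TPM_BUFSIZE) would match the intent stated in the subject. Zeroing before the copy_to_user() result is checked is the right order, since the buffer should be wiped whether or not the copy to userspace failed.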
--
1.7.6


@ -1,71 +0,0 @@
From 3a527bb7e00bb9650f28d273f56c872db03452c5 Mon Sep 17 00:00:00 2001
From: Hannes Reinecke <hare@suse.de>
Date: Wed, 28 Sep 2011 08:07:01 -0600
Subject: [PATCH] block: Free queue resources at blk_release_queue()
A kernel crash is observed when a mounted ext3/ext4 filesystem is
physically removed. The problem is that blk_cleanup_queue() frees up
some resources eg by calling elevator_exit(), which are not checked for
in normal operation. So we should rather move these calls to the
destructor function blk_release_queue() as at that point all remaining
references are gone. However, in doing so we have to ensure that any
externally supplied queue_lock is disconnected as the driver might free
up the lock after the call of blk_cleanup_queue(),
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
block/blk-core.c | 13 ++++++-------
block/blk-sysfs.c | 5 +++++
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/block/blk-core.c b/block/blk-core.c
index 1d49e1c..847d04e 100644
--- a/block/blk-core.c
+++ b/block/blk-core.c
@@ -348,9 +348,10 @@ void blk_put_queue(struct request_queue *q)
EXPORT_SYMBOL(blk_put_queue);
/*
- * Note: If a driver supplied the queue lock, it should not zap that lock
- * unexpectedly as some queue cleanup components like elevator_exit() and
- * blk_throtl_exit() need queue lock.
+ * Note: If a driver supplied the queue lock, it is disconnected
+ * by this function. The actual state of the lock doesn't matter
+ * here as the request_queue isn't accessible after this point
+ * (QUEUE_FLAG_DEAD is set) and no other requests will be queued.
*/
void blk_cleanup_queue(struct request_queue *q)
{
@@ -367,10 +368,8 @@ void blk_cleanup_queue(struct request_queue *q)
queue_flag_set_unlocked(QUEUE_FLAG_DEAD, q);
mutex_unlock(&q->sysfs_lock);
- if (q->elevator)
- elevator_exit(q->elevator);
-
- blk_throtl_exit(q);
+ if (q->queue_lock != &q->__queue_lock)
+ q->queue_lock = &q->__queue_lock;
blk_put_queue(q);
}
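Review bot: the queue_lock pointer is switched back to &q->__queue_lock with no locking around the assignment; the hunk relies on QUEUE_FLAG_DEAD having been set two lines earlier so that no other request path can still take the lock, which the updated comment in the previous hunk states but nothing here enforces. A one-line comment at the assignment pointing at that reasoning would save the next reader a search. The effect is that elevator_exit() and blk_throtl_exit(), once moved to blk_release_queue(), only ever use the internal lock, so a driver that frees its own lock right after blk_cleanup_queue() returns is safe, which is the point of the change.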
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
index d935bd8..45c56d8 100644
--- a/block/blk-sysfs.c
+++ b/block/blk-sysfs.c
@@ -472,6 +472,11 @@ static void blk_release_queue(struct kobject *kobj)
blk_sync_queue(q);
+ if (q->elevator)
+ elevator_exit(q->elevator);
+
+ blk_throtl_exit(q);
+
if (rl->rq_pool)
mempool_destroy(rl->rq_pool);
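Review bot: blk_throtl_exit() is called unconditionally while elevator_exit() stays guarded by q->elevator, mirroring the lines removed from blk_cleanup_queue(); placing both after blk_sync_queue() is what guarantees no queued work still references the elevator. Since blk_release_queue() is the kobject release callback and runs from whichever path drops the final reference, it is worth stating in the comment that both callees are safe in that context.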
--
1.7.6


@ -1,82 +0,0 @@
Path: news.gmane.org!not-for-mail
From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Newsgroups: gmane.linux.kernel.cifs
Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
Date: Tue, 23 Aug 2011 07:21:28 -0400
Lines: 37
Approved: news@gmane.org
Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com>
NNTP-Posting-Host: lo.gmane.org
X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011
Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
Original-Received: from vger.kernel.org ([209.132.180.67])
by lo.gmane.org with esmtp (Exim 4.69)
(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
id 1Qvp33-0003JC-05
for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>);
Tue, 23 Aug 2011 07:21:36 -0400
Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S1751065Ab1HWLVf (ORCPT
<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
Original-Received: by gya6 with SMTP id 6so4228912gya.19
for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
(version=SSLv3 cipher=OTHER);
Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
X-Mailer: git-send-email 1.7.6
Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Precedence: bulk
List-ID: <linux-cifs.vger.kernel.org>
X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Xref: news.gmane.org gmane.linux.kernel.cifs:4006
Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
The name_len variable in CIFSFindNext is a signed int that gets set to
the resume_name_len in the cifs_search_info. The resume_name_len however
is unsigned and for some infolevels is populated directly from a 32 bit
value sent by the server.
If the server sends a very large value for this, then that value could
look negative when converted to a signed int. That would make that
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
then be used as a length value for a memcpy. It would then be treated
as unsigned again, and the memcpy scribbles over a ton of memory.
Fix this by making the name_len an unsigned value in CIFSFindNext.
Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
---
fs/cifs/cifssmb.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
index f4d0988..950464d 100644
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
T2_FNEXT_RSP_PARMS *parms;
char *response_data;
int rc = 0;
- int bytes_returned, name_len;
+ int bytes_returned;
+ unsigned int name_len;
__u16 params, byte_count;
cFYI(1, "In FindNext");
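Review bot: making name_len unsigned closes the sign-flip path the message describes, so the PATH_MAX check now rejects a large server-supplied value instead of letting it through as a negative; it also changes every other comparison in CIFSFindNext that involves name_len, since any comparison against a signed int (bytes_returned, rc) becomes an unsigned one. Worth reading the remaining uses of name_len in the function so the type change does not silently turn a negative-error check into a large-positive one.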
--
1.7.6


@ -127,6 +127,7 @@ CONFIG_ARM_ERRATA_720789=y
# CONFIG_ARM_ERRATA_753970 is not set
# CONFIG_ARM_ERRATA_754322 is not set
# CONFIG_ARM_ERRATA_754327 is not set
# CONFIG_ARM_ERRATA_764369 is not set
CONFIG_ARM_GIC=y
# CONFIG_PCI_SYSCALL is not set
# CONFIG_PCCARD is not set


@ -40,6 +40,7 @@ CONFIG_ARM_ERRATA_720789=y
# CONFIG_ARM_ERRATA_753970 is not set
# CONFIG_ARM_ERRATA_754322 is not set
# CONFIG_ARM_ERRATA_754327 is not set
# CONFIG_ARM_ERRATA_764369 is not set
CONFIG_SMP_ON_UP=y
CONFIG_LOCAL_TIMERS=y
# CONFIG_THUMB2_KERNEL is not set
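Review bot: the CONFIG_ARM_ERRATA_764369 option that appears with this update is left unset in both ARM configs, including this one built with CONFIG_SMP_ON_UP=y and CONFIG_LOCAL_TIMERS=y, i.e. for SMP-capable parts; an erratum workaround should be a deliberate choice rather than the default answer, so record whether the SoCs these configs target need it, and enable it if they do.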


@ -1,114 +0,0 @@
commit d072ef23b8ee6bcabc00beff0b5702e704a473cb
Author: Josh Boyer <jwboyer@redhat.com>
Date: Tue Aug 2 08:09:56 2011 -0400
usbnet/cdc_ncm: Don't use stack variables for DMA buffers
The cdc_ncm driver still has a few places where stack variables are passed
to the cdc_ncm_do_request function. This triggers a stack trace in
lib/dma-debug.c if the CONFIG_DEBUG_DMA_API option is set.
Adjust these calls to pass parameters that have been allocated with kzalloc.
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index fd622a6..96dd386 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -260,23 +260,38 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
req.wIndex = cpu_to_le16(iface_no);
if (flags & USB_CDC_NCM_NCAP_NTB_INPUT_SIZE) {
- struct usb_cdc_ncm_ndp_input_size ndp_in_sz;
+ struct usb_cdc_ncm_ndp_input_size *ndp_in_sz;
+
+ ndp_in_sz = kzalloc(sizeof(*ndp_in_sz), GFP_KERNEL);
+ if (!ndp_in_sz) {
+ err = -ENOMEM;
+ goto size_err;
+ }
req.wLength = 8;
- ndp_in_sz.dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
- ndp_in_sz.wNtbInMaxDatagrams =
+ ndp_in_sz->dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+ ndp_in_sz->wNtbInMaxDatagrams =
cpu_to_le16(CDC_NCM_DPT_DATAGRAMS_MAX);
- ndp_in_sz.wReserved = 0;
- err = cdc_ncm_do_request(ctx, &req, &ndp_in_sz, 0, NULL,
+ ndp_in_sz->wReserved = 0;
+ err = cdc_ncm_do_request(ctx, &req, ndp_in_sz, 0, NULL,
1000);
+ kfree(ndp_in_sz);
} else {
- __le32 dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
+ __le32 *dwNtbInMaxSize;
+ dwNtbInMaxSize = kzalloc(sizeof(*dwNtbInMaxSize), GFP_KERNEL);
+ if (!dwNtbInMaxSize) {
+ err = -ENOMEM;
+ goto size_err;
+ }
+ *dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
req.wLength = 4;
- err = cdc_ncm_do_request(ctx, &req, &dwNtbInMaxSize, 0,
+ err = cdc_ncm_do_request(ctx, &req, dwNtbInMaxSize, 0,
NULL, 1000);
+ kfree(dwNtbInMaxSize);
}
+size_err:
if (err)
pr_debug("Setting NTB Input Size failed\n");
}
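Review bot: an allocation failure in either branch jumps to size_err and is reported by the same pr_debug("Setting NTB Input Size failed\n") as a failed control request, so an OOM and a device refusing the request are indistinguishable in the log; give the -ENOMEM path its own message. err is then only logged and the function carries on, which is the pre-existing behaviour, but a comment saying so is worthwhile now that there are two ways to reach it. The kfree() after each cdc_ncm_do_request() is placed correctly (err is already captured), and moving the buffers to kzalloc() is the right fix for the DMA-debug warning, since stack memory is not a valid DMA target.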
@@ -362,9 +377,15 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
/* set Max Datagram Size (MTU) */
if (flags & USB_CDC_NCM_NCAP_MAX_DATAGRAM_SIZE) {
- __le16 max_datagram_size;
+ __le16 *max_datagram_size;
u16 eth_max_sz = le16_to_cpu(ctx->ether_desc->wMaxSegmentSize);
+ max_datagram_size = kzalloc(sizeof(*max_datagram_size), GFP_KERNEL);
+ if (!max_datagram_size) {
+ err = -ENOMEM;
+ goto max_dgram_err;
+ }
+
req.bmRequestType = USB_TYPE_CLASS | USB_DIR_IN |
USB_RECIP_INTERFACE;
req.bNotificationType = USB_CDC_GET_MAX_DATAGRAM_SIZE;
@@ -372,13 +393,15 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
req.wIndex = cpu_to_le16(iface_no);
req.wLength = cpu_to_le16(2);
- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, 0, NULL,
+ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, 0, NULL,
1000);
+
if (err) {
pr_debug("GET_MAX_DATAGRAM_SIZE failed, use size=%u\n",
CDC_NCM_MIN_DATAGRAM_SIZE);
+ kfree(max_datagram_size);
} else {
- ctx->max_datagram_size = le16_to_cpu(max_datagram_size);
+ ctx->max_datagram_size = le16_to_cpu(*max_datagram_size);
/* Check Eth descriptor value */
if (eth_max_sz < CDC_NCM_MAX_DATAGRAM_SIZE) {
if (ctx->max_datagram_size > eth_max_sz)
@@ -401,10 +424,12 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
req.wValue = 0;
req.wIndex = cpu_to_le16(iface_no);
req.wLength = 2;
- max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
+ *max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size,
+ err = cdc_ncm_do_request(ctx, &req, max_datagram_size,
0, NULL, 1000);
+ kfree(max_datagram_size);
+max_dgram_err:
if (err)
pr_debug("SET_MAX_DATAGRAM_SIZE failed\n");
}
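Review bot: a -ENOMEM from the kzalloc() of max_datagram_size two hunks up lands at max_dgram_err: and is printed as "SET_MAX_DATAGRAM_SIZE failed", which is misleading because neither the GET nor the SET request was attempted; either give the allocation failure its own message or use a generic one at the label. The label is correctly positioned after kfree(max_datagram_size), so the OOM path does not free an unallocated pointer, and the GET-failure branch in the previous hunk frees the buffer itself, so each path frees exactly once.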


@ -1,13 +0,0 @@
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
index b0ae4de..afa00ec 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
@@ -2140,8 +2140,6 @@ static int iwl_mac_setup_register(struct iwl_priv *priv,
IEEE80211_HW_SPECTRUM_MGMT |
IEEE80211_HW_REPORTS_TX_ACK_STATUS;
- hw->max_tx_aggregation_subframes = LINK_QUAL_AGG_FRAME_LIMIT_DEF;
-
hw->flags |= IEEE80211_HW_SUPPORTS_PS |
IEEE80211_HW_SUPPORTS_DYNAMIC_PS;
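Review bot: this patch carries no description at all, so the reason for dropping the hw->max_tx_aggregation_subframes = LINK_QUAL_AGG_FRAME_LIMIT_DEF assignment is only recoverable from the spec file name iwlagn-revert-max-aggregate-size.patch; a short header naming the upstream commit being reverted and the bug reference would have made it reviewable. With the assignment gone the field keeps its default value, which is presumably the intended revert.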


@ -42,7 +42,7 @@ Summary: The Linux kernel
# When changing real_sublevel below, reset this by hand to 1
# (or to 0 and then use rpmdev-bumpspec).
#
%global baserelease 6
%global baserelease 0
%global fedora_build %{baserelease}
# real_sublevel is the 3.x kernel version we're starting with
@ -51,7 +51,7 @@ Summary: The Linux kernel
%define fake_sublevel %(echo $((40 + %{real_sublevel})))
# Do we have a -stable update to apply?
%define stable_update 4
%define stable_update 6
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -644,7 +644,6 @@ Patch12010: add-appleir-usb-driver.patch
Patch12016: disable-i8042-check-on-apple-mac.patch
Patch12022: fix-cdc-ncm-dma-stack-vars.patch
Patch12023: ums-realtek-driver-uses-stack-memory-for-DMA.patch
Patch12024: usb-add-quirk-for-logitech-webcams.patch
Patch12025: crypto-register-cryptd-first.patch
@ -659,7 +658,6 @@ Patch13001: epoll-fix-spurious-lockdep-warnings.patch
Patch13002: hfsplus-ensure-bio-requests-are-not-smaller-than-the.patch
Patch13010: iwlagn-check-for-priv--txq-in-iwlagn_wait_tx_queue_empty.patch
Patch13011: iwlagn-revert-max-aggregate-size.patch
Patch20000: utrace.patch
@ -681,19 +679,9 @@ Patch21004: vfs-fix-automount-for-negative-autofs-dentries.patch
# rhbz#727927 rhbz#731278 rhbz#732934
Patch21005: cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
# from 3.0.5 patch queue
Patch21006: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
# rhbz #735437
Patch21007: ucvideo-fix-crash-when-linking-entities.patch
# CVE-2011-3192
Patch21008: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
# CVE-2011-1161 CVE-2011-1162
Patch21009: TPM-Call-tpm_transmit-with-correct-size.patch
Patch21010: TPM-Zero-buffer-after-copying-to-userspace.patch
# rhbz #740645
Patch21011: md-dont-delay-reboot-by-1-second-if-no-MD-devices.patch
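Review bot: the comment above the removed CIFSFindNext patch cites CVE-2011-3192, while the matching ApplyPatch block later in this file cites CVE-2011-3191 for the same patch; one of the two is a typo. Both blocks are deleted here, so the only remaining record of these CVEs in the package will be the changelog, which makes it worth naming the correct id there.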
@ -703,8 +691,6 @@ Patch21012: hid-magicmouse-ignore-ivalid-report-id-while-switching-modes-v2.patc
# rhbz #496975
Patch21013: Platform-fix-samsung-laptop-DMI-identification-for-N.patch
Patch21014: block-Free-queue-resources-at-blk_release_queue.patch
# rhbz #700718
Patch21015: x86-Save-stack-pointer-in-perf-live-regs-savings.patch
Patch21016: x86-Fetch-stack-from-regs-when-possible-in-dump_trac.patch
@ -1238,7 +1224,6 @@ ApplyPatch disable-i8042-check-on-apple-mac.patch
ApplyPatch add-appleir-usb-driver.patch
ApplyPatch fix-cdc-ncm-dma-stack-vars.patch
ApplyPatch ums-realtek-driver-uses-stack-memory-for-DMA.patch
ApplyPatch usb-add-quirk-for-logitech-webcams.patch
ApplyPatch crypto-register-cryptd-first.patch
@ -1251,7 +1236,6 @@ ApplyPatch epoll-fix-spurious-lockdep-warnings.patch
ApplyPatch hfsplus-ensure-bio-requests-are-not-smaller-than-the.patch
ApplyPatch iwlagn-check-for-priv--txq-in-iwlagn_wait_tx_queue_empty.patch
ApplyPatch iwlagn-revert-max-aggregate-size.patch
ApplyPatch utrace.patch
@ -1262,19 +1246,9 @@ ApplyPatch vfs-fix-automount-for-negative-autofs-dentries.patch
# cifs-possible-memory-corruption-on-mount.patch is already queued for 3.0.4
ApplyPatch cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
# from 3.0.5 patch queue
ApplyPatch sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
#rhbz 735437
ApplyPatch ucvideo-fix-crash-when-linking-entities.patch
# CVE-2011-3191
ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
# CVE-2011-1161 CVE-2011-1162
ApplyPatch TPM-Call-tpm_transmit-with-correct-size.patch
ApplyPatch TPM-Zero-buffer-after-copying-to-userspace.patch
#rhbz 740645
ApplyPatch md-dont-delay-reboot-by-1-second-if-no-MD-devices.patch
@ -1284,8 +1258,6 @@ ApplyPatch hid-magicmouse-ignore-ivalid-report-id-while-switching-modes-v2.patch
# rhbz #496675
ApplyPatch Platform-fix-samsung-laptop-DMI-identification-for-N.patch
ApplyPatch block-Free-queue-resources-at-blk_release_queue.patch
# rhbz #700718
ApplyPatch x86-Save-stack-pointer-in-perf-live-regs-savings.patch
ApplyPatch x86-Fetch-stack-from-regs-when-possible-in-dump_trac.patch
@ -1913,7 +1885,10 @@ fi
# and build.
%changelog
* Mon Oct 04 2011 Josh Boyer <jwboyer@redhat.com> 2.6.40.4-6
* Mon Oct 03 2011 Josh Boyer <jwboyer@redhat.com> 2.6.40.6-0
- Linux 3.0.6 stable release
* Mon Oct 03 2011 Josh Boyer <jwboyer@redhat.com> 2.6.40.4-6
- Add patch to fix PIE execution when ASLR is disabled at runtime (rhbz 708563)
* Thu Sep 29 2011 Josh Boyer <jwboyer@redhat.com>
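Review bot: the new changelog entry says only "Linux 3.0.6 stable release", although this commit drops the package's local fixes for CVE-2011-1161 and CVE-2011-1162 (the two TPM patches), the CIFSFindNext memory-corruption fix and the sendmmsg user-pointer fix, presumably because the stable update now carries them; listing those ids in the entry keeps the security history discoverable from the package changelog. Replacing the stray "Mon Oct 04 ... 2.6.40.4-6" header, which duplicated the 2.6.40.4-6 entry kept below, with the 2.6.40.6-0 one is right, and matches the commit date of 2011-10-03.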


@ -1,60 +0,0 @@
From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Date: Wed, 24 Aug 2011 19:45:03 -0700
Subject: sendmmsg/sendmsg: fix unsafe user pointer access
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
Dereferencing a user pointer directly from kernel-space without going
through the copy_from_user family of functions is a bad idea. Two of
such usages can be found in the sendmsg code path called from sendmmsg,
added by
commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
Usages are performed through memcmp() and memcpy() directly. Fix those
by using the already copied msg_sys structure instead of the __user *msg
structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
or verify_iovec(), which requires additional NULL pointer checks.
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
CC: Anton Blanchard <anton@samba.org>
CC: David S. Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/socket.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/net/socket.c
+++ b/net/socket.c
@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
* used_address->name_len is initialized to UINT_MAX so that the first
* destination address never matches.
*/
- if (used_address && used_address->name_len == msg_sys->msg_namelen &&
- !memcmp(&used_address->name, msg->msg_name,
+ if (used_address && msg_sys->msg_name &&
+ used_address->name_len == msg_sys->msg_namelen &&
+ !memcmp(&used_address->name, msg_sys->msg_name,
used_address->name_len)) {
err = sock_sendmsg_nosec(sock, msg_sys, total_len);
goto out_freectl;
@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
*/
if (used_address && err >= 0) {
used_address->name_len = msg_sys->msg_namelen;
- memcpy(&used_address->name, msg->msg_name,
- used_address->name_len);
+ if (msg_sys->msg_name)
+ memcpy(&used_address->name, msg_sys->msg_name,
+ used_address->name_len);
}
out_freectl:
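Review bot: when msg_sys->msg_name is NULL, used_address->name_len is still overwritten with msg_sys->msg_namelen while used_address->name keeps the previous message's bytes, so a later message whose namelen happens to equal that stale value is compared against an address that was never copied; resetting name_len to UINT_MAX in that case (the "never matches" sentinel described in the first hunk's comment) would keep the cache consistent. Switching the memcmp()/memcpy() to the msg_sys copy is the essential fix here, since msg->msg_name is a __user pointer and must not be dereferenced directly.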


@ -1,2 +1,2 @@
398e95866794def22b12dfbc15ce89c0 linux-3.0.tar.bz2
62ca5f3caed233617127b2b3b7a87d15 patch-3.0.4.bz2
4751b440e1c840229468e16617d5b539 patch-3.0.6.bz2
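Review bot: the md5 for patch-3.0.6.bz2 covers a file that, per the commit message, was generated locally from git rather than downloaded from kernel.org, so there is no upstream signature to check it against; record the exact git range and command used to produce it alongside the checksum so it can be regenerated and compared once kernel.org publishes a signed copy, and swap in the upstream file then. On its own, MD5 here only detects accidental corruption of the local file.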