Update to the 3.0.6 stable release (2.6.40.6)
patch-3.0.6.bz2 was generated from git as previously done with some of the 3.1 rc patches. Hopefully kernel.org will have a generated and signed copy for the next stable release.
parent
e0adc28e63
commit
9788e320b3
|
@ -1,43 +0,0 @@
|
|||
From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Huewe <huewe.external.infineon@googlemail.com>
|
||||
Date: Thu, 15 Sep 2011 14:37:43 -0300
|
||||
Subject: [PATCH] TPM: Call tpm_transmit with correct size
|
||||
|
||||
This patch changes the call of tpm_transmit by supplying the size of the
|
||||
userspace buffer instead of TPM_BUFSIZE.
|
||||
|
||||
This got assigned CVE-2011-1161.
|
||||
|
||||
[The first hunk didn't make sense given one could expect
|
||||
way less data than TPM_BUFSIZE, so added tpm_transmit boundary
|
||||
check over bufsiz instead
|
||||
The last parameter of tpm_transmit() reflects the amount
|
||||
of data expected from the device, and not the buffer size
|
||||
being supplied to it. It isn't ideal to parse it directly,
|
||||
so we just set it to the maximum the input buffer can handle
|
||||
and let the userspace API to do such job.]
|
||||
|
||||
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
|
||||
Cc: Stable Kernel <stable@kernel.org>
|
||||
Signed-off-by: James Morris <jmorris@namei.org>
|
||||
---
|
||||
drivers/char/tpm/tpm.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
|
||||
index caf8012..1fe9793 100644
|
||||
--- a/drivers/char/tpm/tpm.c
|
||||
+++ b/drivers/char/tpm/tpm.c
|
||||
@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
|
||||
u32 count, ordinal;
|
||||
unsigned long stop;
|
||||
|
||||
+ if (bufsiz > TPM_BUFSIZE)
|
||||
+ bufsiz = TPM_BUFSIZE;
|
||||
+
|
||||
count = be32_to_cpu(*((__be32 *) (buf + 2)));
|
||||
ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
|
||||
if (count == 0)
|
||||
--
|
||||
1.7.6
|
||||
|
|
@ -1,45 +0,0 @@
|
|||
From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Huewe <huewe.external.infineon@googlemail.com>
|
||||
Date: Thu, 15 Sep 2011 14:47:42 -0300
|
||||
Subject: [PATCH] TPM: Zero buffer after copying to userspace
|
||||
|
||||
Since the buffer might contain security related data it might be a good idea to
|
||||
zero the buffer after we have copied it to userspace.
|
||||
|
||||
This got assigned CVE-2011-1162.
|
||||
|
||||
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
|
||||
Cc: Stable Kernel <stable@kernel.org>
|
||||
Signed-off-by: James Morris <jmorris@namei.org>
|
||||
---
|
||||
drivers/char/tpm/tpm.c | 6 +++++-
|
||||
1 files changed, 5 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
|
||||
index 1fe9793..9ca5c02 100644
|
||||
--- a/drivers/char/tpm/tpm.c
|
||||
+++ b/drivers/char/tpm/tpm.c
|
||||
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
|
||||
{
|
||||
struct tpm_chip *chip = file->private_data;
|
||||
ssize_t ret_size;
|
||||
+ int rc;
|
||||
|
||||
del_singleshot_timer_sync(&chip->user_read_timer);
|
||||
flush_work_sync(&chip->work);
|
||||
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
|
||||
ret_size = size;
|
||||
|
||||
mutex_lock(&chip->buffer_mutex);
|
||||
- if (copy_to_user(buf, chip->data_buffer, ret_size))
|
||||
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
|
||||
+ memset(chip->data_buffer, 0, ret_size);
|
||||
+ if (rc)
|
||||
ret_size = -EFAULT;
|
||||
+
|
||||
mutex_unlock(&chip->buffer_mutex);
|
||||
}
|
||||
|
||||
--
|
||||
1.7.6
|
||||
|
|
@ -1,71 +0,0 @@
|
|||
From 3a527bb7e00bb9650f28d273f56c872db03452c5 Mon Sep 17 00:00:00 2001
|
||||
From: Hannes Reinecke <hare@suse.de>
|
||||
Date: Wed, 28 Sep 2011 08:07:01 -0600
|
||||
Subject: [PATCH] block: Free queue resources at blk_release_queue()
|
||||
|
||||
A kernel crash is observed when a mounted ext3/ext4 filesystem is
|
||||
physically removed. The problem is that blk_cleanup_queue() frees up
|
||||
some resources eg by calling elevator_exit(), which are not checked for
|
||||
in normal operation. So we should rather move these calls to the
|
||||
destructor function blk_release_queue() as at that point all remaining
|
||||
references are gone. However, in doing so we have to ensure that any
|
||||
externally supplied queue_lock is disconnected as the driver might free
|
||||
up the lock after the call of blk_cleanup_queue(),
|
||||
|
||||
Signed-off-by: Hannes Reinecke <hare@suse.de>
|
||||
Signed-off-by: Jens Axboe <axboe@kernel.dk>
|
||||
---
|
||||
block/blk-core.c | 13 ++++++-------
|
||||
block/blk-sysfs.c | 5 +++++
|
||||
2 files changed, 11 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/block/blk-core.c b/block/blk-core.c
|
||||
index 1d49e1c..847d04e 100644
|
||||
--- a/block/blk-core.c
|
||||
+++ b/block/blk-core.c
|
||||
@@ -348,9 +348,10 @@ void blk_put_queue(struct request_queue *q)
|
||||
EXPORT_SYMBOL(blk_put_queue);
|
||||
|
||||
/*
|
||||
- * Note: If a driver supplied the queue lock, it should not zap that lock
|
||||
- * unexpectedly as some queue cleanup components like elevator_exit() and
|
||||
- * blk_throtl_exit() need queue lock.
|
||||
+ * Note: If a driver supplied the queue lock, it is disconnected
|
||||
+ * by this function. The actual state of the lock doesn't matter
|
||||
+ * here as the request_queue isn't accessible after this point
|
||||
+ * (QUEUE_FLAG_DEAD is set) and no other requests will be queued.
|
||||
*/
|
||||
void blk_cleanup_queue(struct request_queue *q)
|
||||
{
|
||||
@@ -367,10 +368,8 @@ void blk_cleanup_queue(struct request_queue *q)
|
||||
queue_flag_set_unlocked(QUEUE_FLAG_DEAD, q);
|
||||
mutex_unlock(&q->sysfs_lock);
|
||||
|
||||
- if (q->elevator)
|
||||
- elevator_exit(q->elevator);
|
||||
-
|
||||
- blk_throtl_exit(q);
|
||||
+ if (q->queue_lock != &q->__queue_lock)
|
||||
+ q->queue_lock = &q->__queue_lock;
|
||||
|
||||
blk_put_queue(q);
|
||||
}
|
||||
diff --git a/block/blk-sysfs.c b/block/blk-sysfs.c
|
||||
index d935bd8..45c56d8 100644
|
||||
--- a/block/blk-sysfs.c
|
||||
+++ b/block/blk-sysfs.c
|
||||
@@ -472,6 +472,11 @@ static void blk_release_queue(struct kobject *kobj)
|
||||
|
||||
blk_sync_queue(q);
|
||||
|
||||
+ if (q->elevator)
|
||||
+ elevator_exit(q->elevator);
|
||||
+
|
||||
+ blk_throtl_exit(q);
|
||||
+
|
||||
if (rl->rq_pool)
|
||||
mempool_destroy(rl->rq_pool);
|
||||
|
||||
--
|
||||
1.7.6
|
||||
|
|
@ -1,82 +0,0 @@
|
|||
Path: news.gmane.org!not-for-mail
|
||||
From: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
|
||||
Newsgroups: gmane.linux.kernel.cifs
|
||||
Subject: [PATCH] cifs: fix possible memory corruption in CIFSFindNext
|
||||
Date: Tue, 23 Aug 2011 07:21:28 -0400
|
||||
Lines: 37
|
||||
Approved: news@gmane.org
|
||||
Message-ID: <1314098488-1547-1-git-send-email-jlayton@redhat.com>
|
||||
NNTP-Posting-Host: lo.gmane.org
|
||||
X-Trace: dough.gmane.org 1314098501 27164 80.91.229.12 (23 Aug 2011 11:21:41 GMT)
|
||||
X-Complaints-To: usenet@dough.gmane.org
|
||||
NNTP-Posting-Date: Tue, 23 Aug 2011 11:21:41 +0000 (UTC)
|
||||
Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org
|
||||
To: smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
|
||||
Original-X-From: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Tue Aug 23 13:21:37 2011
|
||||
Return-path: <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
|
||||
Envelope-to: glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
|
||||
Original-Received: from vger.kernel.org ([209.132.180.67])
|
||||
by lo.gmane.org with esmtp (Exim 4.69)
|
||||
(envelope-from <linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
|
||||
id 1Qvp33-0003JC-05
|
||||
for glkc-linux-cifs-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Tue, 23 Aug 2011 13:21:37 +0200
|
||||
Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
|
||||
id S1752435Ab1HWLVg (ORCPT <rfc822;glkc-linux-cifs@m.gmane.org>);
|
||||
Tue, 23 Aug 2011 07:21:36 -0400
|
||||
Original-Received: from mail-gy0-f174.google.com ([209.85.160.174]:43114 "EHLO
|
||||
mail-gy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
|
||||
with ESMTP id S1751065Ab1HWLVf (ORCPT
|
||||
<rfc822;linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>); Tue, 23 Aug 2011 07:21:35 -0400
|
||||
Original-Received: by gya6 with SMTP id 6so4228912gya.19
|
||||
for <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>; Tue, 23 Aug 2011 04:21:35 -0700 (PDT)
|
||||
Original-Received: by 10.101.144.18 with SMTP id w18mr3505731ann.133.1314098494691;
|
||||
Tue, 23 Aug 2011 04:21:34 -0700 (PDT)
|
||||
Original-Received: from salusa.poochiereds.net (cpe-075-177-182-191.nc.res.rr.com [75.177.182.191])
|
||||
by mx.google.com with ESMTPS id d33sm48355ano.35.2011.08.23.04.21.32
|
||||
(version=SSLv3 cipher=OTHER);
|
||||
Tue, 23 Aug 2011 04:21:33 -0700 (PDT)
|
||||
X-Mailer: git-send-email 1.7.6
|
||||
Original-Sender: linux-cifs-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-cifs.vger.kernel.org>
|
||||
X-Mailing-List: linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
|
||||
Xref: news.gmane.org gmane.linux.kernel.cifs:4006
|
||||
Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.cifs/4006>
|
||||
|
||||
The name_len variable in CIFSFindNext is a signed int that gets set to
|
||||
the resume_name_len in the cifs_search_info. The resume_name_len however
|
||||
is unsigned and for some infolevels is populated directly from a 32 bit
|
||||
value sent by the server.
|
||||
|
||||
If the server sends a very large value for this, then that value could
|
||||
look negative when converted to a signed int. That would make that
|
||||
value pass the PATH_MAX check later in CIFSFindNext. The name_len would
|
||||
then be used as a length value for a memcpy. It would then be treated
|
||||
as unsigned again, and the memcpy scribbles over a ton of memory.
|
||||
|
||||
Fix this by making the name_len an unsigned value in CIFSFindNext.
|
||||
|
||||
Cc: <stable-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
|
||||
Reported-by: Darren Lavender <dcl-HN4QTLPn1qTvY7RNz7mR4EEOCMrvLtNR@public.gmane.org>
|
||||
Signed-off-by: Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
|
||||
---
|
||||
fs/cifs/cifssmb.c | 3 ++-
|
||||
1 files changed, 2 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
|
||||
index f4d0988..950464d 100644
|
||||
--- a/fs/cifs/cifssmb.c
|
||||
+++ b/fs/cifs/cifssmb.c
|
||||
@@ -4089,7 +4089,8 @@ int CIFSFindNext(const int xid, struct cifs_tcon *tcon,
|
||||
T2_FNEXT_RSP_PARMS *parms;
|
||||
char *response_data;
|
||||
int rc = 0;
|
||||
- int bytes_returned, name_len;
|
||||
+ int bytes_returned;
|
||||
+ unsigned int name_len;
|
||||
__u16 params, byte_count;
|
||||
|
||||
cFYI(1, "In FindNext");
|
||||
--
|
||||
1.7.6
|
||||
|
|
@ -127,6 +127,7 @@ CONFIG_ARM_ERRATA_720789=y
|
|||
# CONFIG_ARM_ERRATA_753970 is not set
|
||||
# CONFIG_ARM_ERRATA_754322 is not set
|
||||
# CONFIG_ARM_ERRATA_754327 is not set
|
||||
# CONFIG_ARM_ERRATA_764369 is not set
|
||||
CONFIG_ARM_GIC=y
|
||||
# CONFIG_PCI_SYSCALL is not set
|
||||
# CONFIG_PCCARD is not set
|
||||
|
|
|
@ -40,6 +40,7 @@ CONFIG_ARM_ERRATA_720789=y
|
|||
# CONFIG_ARM_ERRATA_753970 is not set
|
||||
# CONFIG_ARM_ERRATA_754322 is not set
|
||||
# CONFIG_ARM_ERRATA_754327 is not set
|
||||
# CONFIG_ARM_ERRATA_764369 is not set
|
||||
CONFIG_SMP_ON_UP=y
|
||||
CONFIG_LOCAL_TIMERS=y
|
||||
# CONFIG_THUMB2_KERNEL is not set
|
||||
|
|
|
@ -1,114 +0,0 @@
|
|||
commit d072ef23b8ee6bcabc00beff0b5702e704a473cb
|
||||
Author: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Tue Aug 2 08:09:56 2011 -0400
|
||||
|
||||
usbnet/cdc_ncm: Don't use stack variables for DMA buffers
|
||||
|
||||
The cdc_ncm driver still has a few places where stack variables are passed
|
||||
to the cdc_ncm_do_request function. This triggers a stack trace in
|
||||
lib/dma-debug.c if the CONFIG_DEBUG_DMA_API option is set.
|
||||
|
||||
Adjust these calls to pass parameters that have been allocated with kzalloc.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
|
||||
diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
|
||||
index fd622a6..96dd386 100644
|
||||
--- a/drivers/net/usb/cdc_ncm.c
|
||||
+++ b/drivers/net/usb/cdc_ncm.c
|
||||
@@ -260,23 +260,38 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
|
||||
req.wIndex = cpu_to_le16(iface_no);
|
||||
|
||||
if (flags & USB_CDC_NCM_NCAP_NTB_INPUT_SIZE) {
|
||||
- struct usb_cdc_ncm_ndp_input_size ndp_in_sz;
|
||||
+ struct usb_cdc_ncm_ndp_input_size *ndp_in_sz;
|
||||
+
|
||||
+ ndp_in_sz = kzalloc(sizeof(*ndp_in_sz), GFP_KERNEL);
|
||||
+ if (!ndp_in_sz) {
|
||||
+ err = -ENOMEM;
|
||||
+ goto size_err;
|
||||
+ }
|
||||
|
||||
req.wLength = 8;
|
||||
- ndp_in_sz.dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
|
||||
- ndp_in_sz.wNtbInMaxDatagrams =
|
||||
+ ndp_in_sz->dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
|
||||
+ ndp_in_sz->wNtbInMaxDatagrams =
|
||||
cpu_to_le16(CDC_NCM_DPT_DATAGRAMS_MAX);
|
||||
- ndp_in_sz.wReserved = 0;
|
||||
- err = cdc_ncm_do_request(ctx, &req, &ndp_in_sz, 0, NULL,
|
||||
+ ndp_in_sz->wReserved = 0;
|
||||
+ err = cdc_ncm_do_request(ctx, &req, ndp_in_sz, 0, NULL,
|
||||
1000);
|
||||
+ kfree(ndp_in_sz);
|
||||
} else {
|
||||
- __le32 dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
|
||||
+ __le32 *dwNtbInMaxSize;
|
||||
+ dwNtbInMaxSize = kzalloc(sizeof(*dwNtbInMaxSize), GFP_KERNEL);
|
||||
+ if (!dwNtbInMaxSize) {
|
||||
+ err = -ENOMEM;
|
||||
+ goto size_err;
|
||||
+ }
|
||||
+ *dwNtbInMaxSize = cpu_to_le32(ctx->rx_max);
|
||||
|
||||
req.wLength = 4;
|
||||
- err = cdc_ncm_do_request(ctx, &req, &dwNtbInMaxSize, 0,
|
||||
+ err = cdc_ncm_do_request(ctx, &req, dwNtbInMaxSize, 0,
|
||||
NULL, 1000);
|
||||
+ kfree(dwNtbInMaxSize);
|
||||
}
|
||||
|
||||
+size_err:
|
||||
if (err)
|
||||
pr_debug("Setting NTB Input Size failed\n");
|
||||
}
|
||||
@@ -362,9 +377,15 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
|
||||
|
||||
/* set Max Datagram Size (MTU) */
|
||||
if (flags & USB_CDC_NCM_NCAP_MAX_DATAGRAM_SIZE) {
|
||||
- __le16 max_datagram_size;
|
||||
+ __le16 *max_datagram_size;
|
||||
u16 eth_max_sz = le16_to_cpu(ctx->ether_desc->wMaxSegmentSize);
|
||||
|
||||
+ max_datagram_size = kzalloc(sizeof(*max_datagram_size), GFP_KERNEL);
|
||||
+ if (!max_datagram_size) {
|
||||
+ err = -ENOMEM;
|
||||
+ goto max_dgram_err;
|
||||
+ }
|
||||
+
|
||||
req.bmRequestType = USB_TYPE_CLASS | USB_DIR_IN |
|
||||
USB_RECIP_INTERFACE;
|
||||
req.bNotificationType = USB_CDC_GET_MAX_DATAGRAM_SIZE;
|
||||
@@ -372,13 +393,15 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
|
||||
req.wIndex = cpu_to_le16(iface_no);
|
||||
req.wLength = cpu_to_le16(2);
|
||||
|
||||
- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size, 0, NULL,
|
||||
+ err = cdc_ncm_do_request(ctx, &req, max_datagram_size, 0, NULL,
|
||||
1000);
|
||||
+
|
||||
if (err) {
|
||||
pr_debug("GET_MAX_DATAGRAM_SIZE failed, use size=%u\n",
|
||||
CDC_NCM_MIN_DATAGRAM_SIZE);
|
||||
+ kfree(max_datagram_size);
|
||||
} else {
|
||||
- ctx->max_datagram_size = le16_to_cpu(max_datagram_size);
|
||||
+ ctx->max_datagram_size = le16_to_cpu(*max_datagram_size);
|
||||
/* Check Eth descriptor value */
|
||||
if (eth_max_sz < CDC_NCM_MAX_DATAGRAM_SIZE) {
|
||||
if (ctx->max_datagram_size > eth_max_sz)
|
||||
@@ -401,10 +424,12 @@ static u8 cdc_ncm_setup(struct cdc_ncm_ctx *ctx)
|
||||
req.wValue = 0;
|
||||
req.wIndex = cpu_to_le16(iface_no);
|
||||
req.wLength = 2;
|
||||
- max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
|
||||
+ *max_datagram_size = cpu_to_le16(ctx->max_datagram_size);
|
||||
|
||||
- err = cdc_ncm_do_request(ctx, &req, &max_datagram_size,
|
||||
+ err = cdc_ncm_do_request(ctx, &req, max_datagram_size,
|
||||
0, NULL, 1000);
|
||||
+ kfree(max_datagram_size);
|
||||
+max_dgram_err:
|
||||
if (err)
|
||||
pr_debug("SET_MAX_DATAGRAM_SIZE failed\n");
|
||||
}
|
|
@ -1,13 +0,0 @@
|
|||
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c
|
||||
index b0ae4de..afa00ec 100644
|
||||
--- a/drivers/net/wireless/iwlwifi/iwl-agn.c
|
||||
+++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
|
||||
@@ -2140,8 +2140,6 @@ static int iwl_mac_setup_register(struct iwl_priv *priv,
|
||||
IEEE80211_HW_SPECTRUM_MGMT |
|
||||
IEEE80211_HW_REPORTS_TX_ACK_STATUS;
|
||||
|
||||
- hw->max_tx_aggregation_subframes = LINK_QUAL_AGG_FRAME_LIMIT_DEF;
|
||||
-
|
||||
hw->flags |= IEEE80211_HW_SUPPORTS_PS |
|
||||
IEEE80211_HW_SUPPORTS_DYNAMIC_PS;
|
||||
|
37
kernel.spec
37
kernel.spec
|
@ -42,7 +42,7 @@ Summary: The Linux kernel
|
|||
# When changing real_sublevel below, reset this by hand to 1
|
||||
# (or to 0 and then use rpmdev-bumpspec).
|
||||
#
|
||||
%global baserelease 6
|
||||
%global baserelease 0
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# real_sublevel is the 3.x kernel version we're starting with
|
||||
|
@ -51,7 +51,7 @@ Summary: The Linux kernel
|
|||
%define fake_sublevel %(echo $((40 + %{real_sublevel})))
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 4
|
||||
%define stable_update 6
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -644,7 +644,6 @@ Patch12010: add-appleir-usb-driver.patch
|
|||
|
||||
Patch12016: disable-i8042-check-on-apple-mac.patch
|
||||
|
||||
Patch12022: fix-cdc-ncm-dma-stack-vars.patch
|
||||
Patch12023: ums-realtek-driver-uses-stack-memory-for-DMA.patch
|
||||
Patch12024: usb-add-quirk-for-logitech-webcams.patch
|
||||
Patch12025: crypto-register-cryptd-first.patch
|
||||
|
@ -659,7 +658,6 @@ Patch13001: epoll-fix-spurious-lockdep-warnings.patch
|
|||
Patch13002: hfsplus-ensure-bio-requests-are-not-smaller-than-the.patch
|
||||
|
||||
Patch13010: iwlagn-check-for-priv--txq-in-iwlagn_wait_tx_queue_empty.patch
|
||||
Patch13011: iwlagn-revert-max-aggregate-size.patch
|
||||
|
||||
Patch20000: utrace.patch
|
||||
|
||||
|
@ -681,19 +679,9 @@ Patch21004: vfs-fix-automount-for-negative-autofs-dentries.patch
|
|||
# rhbz#727927 rhbz#731278 rhbz#732934
|
||||
Patch21005: cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
|
||||
|
||||
# from 3.0.5 patch queue
|
||||
Patch21006: sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
|
||||
|
||||
# rhbz #735437
|
||||
Patch21007: ucvideo-fix-crash-when-linking-entities.patch
|
||||
|
||||
# CVE-2011-3192
|
||||
Patch21008: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
|
||||
|
||||
# CVE-2011-1161 CVE-2011-1162
|
||||
Patch21009: TPM-Call-tpm_transmit-with-correct-size.patch
|
||||
Patch21010: TPM-Zero-buffer-after-copying-to-userspace.patch
|
||||
|
||||
# rhbz #740645
|
||||
Patch21011: md-dont-delay-reboot-by-1-second-if-no-MD-devices.patch
|
||||
|
||||
|
@ -703,8 +691,6 @@ Patch21012: hid-magicmouse-ignore-ivalid-report-id-while-switching-modes-v2.patc
|
|||
# rhbz #496975
|
||||
Patch21013: Platform-fix-samsung-laptop-DMI-identification-for-N.patch
|
||||
|
||||
Patch21014: block-Free-queue-resources-at-blk_release_queue.patch
|
||||
|
||||
# rhbz #700718
|
||||
Patch21015: x86-Save-stack-pointer-in-perf-live-regs-savings.patch
|
||||
Patch21016: x86-Fetch-stack-from-regs-when-possible-in-dump_trac.patch
|
||||
|
@ -1238,7 +1224,6 @@ ApplyPatch disable-i8042-check-on-apple-mac.patch
|
|||
|
||||
ApplyPatch add-appleir-usb-driver.patch
|
||||
|
||||
ApplyPatch fix-cdc-ncm-dma-stack-vars.patch
|
||||
ApplyPatch ums-realtek-driver-uses-stack-memory-for-DMA.patch
|
||||
ApplyPatch usb-add-quirk-for-logitech-webcams.patch
|
||||
ApplyPatch crypto-register-cryptd-first.patch
|
||||
|
@ -1251,7 +1236,6 @@ ApplyPatch epoll-fix-spurious-lockdep-warnings.patch
|
|||
ApplyPatch hfsplus-ensure-bio-requests-are-not-smaller-than-the.patch
|
||||
|
||||
ApplyPatch iwlagn-check-for-priv--txq-in-iwlagn_wait_tx_queue_empty.patch
|
||||
ApplyPatch iwlagn-revert-max-aggregate-size.patch
|
||||
|
||||
ApplyPatch utrace.patch
|
||||
|
||||
|
@ -1262,19 +1246,9 @@ ApplyPatch vfs-fix-automount-for-negative-autofs-dentries.patch
|
|||
# cifs-possible-memory-corruption-on-mount.patch is already queued for 3.0.4
|
||||
ApplyPatch cifs-fix-ERR_PTR-dereference-in-cifs_get_root.patch
|
||||
|
||||
# from 3.0.5 patch queue
|
||||
ApplyPatch sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
|
||||
|
||||
#rhbz 735437
|
||||
ApplyPatch ucvideo-fix-crash-when-linking-entities.patch
|
||||
|
||||
# CVE-2011-3191
|
||||
ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
|
||||
|
||||
# CVE-2011-1161 CVE-2011-1162
|
||||
ApplyPatch TPM-Call-tpm_transmit-with-correct-size.patch
|
||||
ApplyPatch TPM-Zero-buffer-after-copying-to-userspace.patch
|
||||
|
||||
#rhbz 740645
|
||||
ApplyPatch md-dont-delay-reboot-by-1-second-if-no-MD-devices.patch
|
||||
|
||||
|
@ -1284,8 +1258,6 @@ ApplyPatch hid-magicmouse-ignore-ivalid-report-id-while-switching-modes-v2.patch
|
|||
# rhbz #496675
|
||||
ApplyPatch Platform-fix-samsung-laptop-DMI-identification-for-N.patch
|
||||
|
||||
ApplyPatch block-Free-queue-resources-at-blk_release_queue.patch
|
||||
|
||||
# rhbz #700718
|
||||
ApplyPatch x86-Save-stack-pointer-in-perf-live-regs-savings.patch
|
||||
ApplyPatch x86-Fetch-stack-from-regs-when-possible-in-dump_trac.patch
|
||||
|
@ -1913,7 +1885,10 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Mon Oct 04 2011 Josh Boyer <jwboyer@redhat.com> 2.6.40.4-6
|
||||
* Mon Oct 03 2011 Josh Boyer <jwboyer@redhat.com> 2.6.40.6-0
|
||||
- Linux 3.0.6 stable release
|
||||
|
||||
* Mon Oct 03 2011 Josh Boyer <jwboyer@redhat.com> 2.6.40.4-6
|
||||
- Add patch to fix PIE execution when ASLR is disabled at runtime (rhbz 708563)
|
||||
|
||||
* Thu Sep 29 2011 Josh Boyer <jwboyer@redhat.com>
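Review bot: The new changelog entry `- Linux 3.0.6 stable release` does not record that this update drops locally carried security patches from the Patch/ApplyPatch lists, namely the two TPM patches tagged CVE-2011-1161 and CVE-2011-1162 and cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch, presumably because 3.0.6 already contains them. Naming them in the entry, for example `- Drop TPM fixes now in 3.0.6 (CVE-2011-1161, CVE-2011-1162)` plus a matching line for the CIFS fix, would let an auditor confirm the fixes are still covered. The CIFS id needs checking first, because the removed comments disagree: `# CVE-2011-3192` at Patch21008 and `# CVE-2011-3191` at its ApplyPatch line. The description says patch-3.0.6.bz2 was generated from git rather than taken as a signed kernel.org copy, so a spec comment naming the tag it was generated from would make that input reproducible and checkable later.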
|
||||
|
|
|
@ -1,60 +0,0 @@
|
|||
From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
|
||||
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
|
||||
Date: Wed, 24 Aug 2011 19:45:03 -0700
|
||||
Subject: sendmmsg/sendmsg: fix unsafe user pointer access
|
||||
|
||||
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
|
||||
|
||||
commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
|
||||
|
||||
Dereferencing a user pointer directly from kernel-space without going
|
||||
through the copy_from_user family of functions is a bad idea. Two of
|
||||
such usages can be found in the sendmsg code path called from sendmmsg,
|
||||
added by
|
||||
|
||||
commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
|
||||
commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
|
||||
|
||||
Usages are performed through memcmp() and memcpy() directly. Fix those
|
||||
by using the already copied msg_sys structure instead of the __user *msg
|
||||
structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
|
||||
or verify_iovec(), which requires additional NULL pointer checks.
|
||||
|
||||
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
|
||||
Signed-off-by: David Goulet <dgoulet@ev0ke.net>
|
||||
CC: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
|
||||
CC: Anton Blanchard <anton@samba.org>
|
||||
CC: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
|
||||
|
||||
---
|
||||
net/socket.c | 10 ++++++----
|
||||
1 file changed, 6 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/net/socket.c
|
||||
+++ b/net/socket.c
|
||||
@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
|
||||
* used_address->name_len is initialized to UINT_MAX so that the first
|
||||
* destination address never matches.
|
||||
*/
|
||||
- if (used_address && used_address->name_len == msg_sys->msg_namelen &&
|
||||
- !memcmp(&used_address->name, msg->msg_name,
|
||||
+ if (used_address && msg_sys->msg_name &&
|
||||
+ used_address->name_len == msg_sys->msg_namelen &&
|
||||
+ !memcmp(&used_address->name, msg_sys->msg_name,
|
||||
used_address->name_len)) {
|
||||
err = sock_sendmsg_nosec(sock, msg_sys, total_len);
|
||||
goto out_freectl;
|
||||
@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
|
||||
*/
|
||||
if (used_address && err >= 0) {
|
||||
used_address->name_len = msg_sys->msg_namelen;
|
||||
- memcpy(&used_address->name, msg->msg_name,
|
||||
- used_address->name_len);
|
||||
+ if (msg_sys->msg_name)
|
||||
+ memcpy(&used_address->name, msg_sys->msg_name,
|
||||
+ used_address->name_len);
|
||||
}
|
||||
|
||||
out_freectl:
|