
From: "Mike Pagano (mpagano)" <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r1345 - genpatches-2.6/trunk/2.6.25
Date: Mon, 06 Oct 2008 11:16:35
Message-Id: E1Kmo4m-00046r-IM@stork.gentoo.org
1 Author: mpagano
2 Date: 2008-10-06 11:16:31 +0000 (Mon, 06 Oct 2008)
3 New Revision: 1345
4
5 Added:
6 genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch
7 genpatches-2.6/trunk/2.6.25/1500_thinkpad_acpi-null-ptr-deref-fix.patch
8 genpatches-2.6/trunk/2.6.25/1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
9 genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch
10 Modified:
11 genpatches-2.6/trunk/2.6.25/0000_README
12 Log:
13 Adding 2.6.25.17 and three security patches: a NULL pointer dereference fix in the ThinkPad ACPI driver, another one in NFS, and a fix for missing capability checks.
14
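--- a/genpatches-2.6/trunk/2.6.25/0000_README
+++ b/genpatches-2.6/trunk/2.6.25/0000_README
@@ -103,6 +103,22 @@
 From: http://www.kernel.org
 Desc: Linux 2.6.25.16
 
+Patch: 1016_linux-2.6.25.17.patch
+From: http://www.kernel.org
+Desc: Linux 2.6.25.17
+
+Patch: 1500_thinkpad_acpi-null-ptr-deref-fix.patch
+From: http://bugs.gentoo.org/222331
+Desc: Fixes potential NULL pointer deref in Thinkpad ACPI
+
+Patch: 1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
+From: http://bugs.gentoo.org/222249
+Desc: Fixes potential NULL pointer derefs in NFSv{3,4}
+
+Patch: 1502_wan-sbni_ioctl-add-missing-capability-checks.patch
+From: http://www.kernel.org
+Desc: Adds missing capability checks in drivers/net/wan/sbni.c -> sbni_ioctl()
+
 Patch: 2500_fix-missing-scsi-inlines.patch
 From: http://bugs.gentoo.org/232747
 Desc: Fix missing inlines in header file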
43 Added: genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch
44 ===================================================================
45 --- genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch (rev 0)
46 +++ genpatches-2.6/trunk/2.6.25/1016_linux-2.6.25.17.patch 2008-10-06 11:16:31 UTC (rev 1345)
47 @@ -0,0 +1,706 @@
48 +diff --git a/arch/x86/kernel/cpu/mtrr/generic.c b/arch/x86/kernel/cpu/mtrr/generic.c
49 +index 3e18db4..f49c970 100644
50 +--- a/arch/x86/kernel/cpu/mtrr/generic.c
51 ++++ b/arch/x86/kernel/cpu/mtrr/generic.c
52 +@@ -229,6 +229,7 @@ static void generic_get_mtrr(unsigned int reg, unsigned long *base,
53 + unsigned long *size, mtrr_type *type)
54 + {
55 + unsigned int mask_lo, mask_hi, base_lo, base_hi;
56 ++ unsigned int tmp, hi;
57 +
58 + rdmsr(MTRRphysMask_MSR(reg), mask_lo, mask_hi);
59 + if ((mask_lo & 0x800) == 0) {
60 +@@ -242,8 +243,18 @@ static void generic_get_mtrr(unsigned int reg, unsigned long *base,
61 + rdmsr(MTRRphysBase_MSR(reg), base_lo, base_hi);
62 +
63 + /* Work out the shifted address mask. */
64 +- mask_lo = size_or_mask | mask_hi << (32 - PAGE_SHIFT)
65 +- | mask_lo >> PAGE_SHIFT;
66 ++ tmp = mask_hi << (32 - PAGE_SHIFT) | mask_lo >> PAGE_SHIFT;
67 ++ mask_lo = size_or_mask | tmp;
68 ++ /* Expand tmp with high bits to all 1s*/
69 ++ hi = fls(tmp);
70 ++ if (hi > 0) {
71 ++ tmp |= ~((1<<(hi - 1)) - 1);
72 ++
73 ++ if (tmp != mask_lo) {
74 ++ WARN_ON("mtrr: your BIOS has set up an incorrect mask, fixing it up.\n");
75 ++ mask_lo = tmp;
76 ++ }
77 ++ }
78 +
79 + /* This works correctly if size is a power of two, i.e. a
80 + contiguous range. */
81 +diff --git a/crypto/authenc.c b/crypto/authenc.c
82 +index 4b22676..fd9f06c 100644
83 +--- a/crypto/authenc.c
84 ++++ b/crypto/authenc.c
85 +@@ -174,8 +174,9 @@ static int crypto_authenc_genicv(struct aead_request *req, u8 *iv,
86 + static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
87 + int err)
88 + {
89 ++ struct aead_request *areq = req->data;
90 ++
91 + if (!err) {
92 +- struct aead_request *areq = req->data;
93 + struct crypto_aead *authenc = crypto_aead_reqtfm(areq);
94 + struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
95 + struct ablkcipher_request *abreq = aead_request_ctx(areq);
96 +@@ -185,7 +186,7 @@ static void crypto_authenc_encrypt_done(struct crypto_async_request *req,
97 + err = crypto_authenc_genicv(areq, iv, 0);
98 + }
99 +
100 +- aead_request_complete(req->data, err);
101 ++ aead_request_complete(areq, err);
102 + }
103 +
104 + static int crypto_authenc_encrypt(struct aead_request *req)
105 +@@ -216,14 +217,15 @@ static int crypto_authenc_encrypt(struct aead_request *req)
106 + static void crypto_authenc_givencrypt_done(struct crypto_async_request *req,
107 + int err)
108 + {
109 ++ struct aead_request *areq = req->data;
110 ++
111 + if (!err) {
112 +- struct aead_request *areq = req->data;
113 + struct skcipher_givcrypt_request *greq = aead_request_ctx(areq);
114 +
115 + err = crypto_authenc_genicv(areq, greq->giv, 0);
116 + }
117 +
118 +- aead_request_complete(req->data, err);
119 ++ aead_request_complete(areq, err);
120 + }
121 +
122 + static int crypto_authenc_givencrypt(struct aead_givcrypt_request *req)
123 +diff --git a/drivers/net/forcedeth.c b/drivers/net/forcedeth.c
124 +index 8e877e7..5435970 100644
125 +--- a/drivers/net/forcedeth.c
126 ++++ b/drivers/net/forcedeth.c
127 +@@ -5249,7 +5249,7 @@ static int __devinit nv_probe(struct pci_dev *pci_dev, const struct pci_device_i
128 + if (id->driver_data & DEV_HAS_CHECKSUM) {
129 + np->rx_csum = 1;
130 + np->txrxctl_bits |= NVREG_TXRXCTL_RXCHECK;
131 +- dev->features |= NETIF_F_HW_CSUM | NETIF_F_SG;
132 ++ dev->features |= NETIF_F_IP_CSUM | NETIF_F_SG;
133 + dev->features |= NETIF_F_TSO;
134 + }
135 +
136 +@@ -5548,7 +5548,7 @@ static int __devinit nv_probe(struct pci_dev *pci_dev, const struct pci_device_i
137 +
138 + dev_printk(KERN_INFO, &pci_dev->dev, "%s%s%s%s%s%s%s%s%s%sdesc-v%u\n",
139 + dev->features & NETIF_F_HIGHDMA ? "highdma " : "",
140 +- dev->features & (NETIF_F_HW_CSUM | NETIF_F_SG) ?
141 ++ dev->features & (NETIF_F_IP_CSUM | NETIF_F_SG) ?
142 + "csum " : "",
143 + dev->features & (NETIF_F_HW_VLAN_RX | NETIF_F_HW_VLAN_TX) ?
144 + "vlan " : "",
145 +diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c
146 +index 42d7c0a..0e4eb15 100644
147 +--- a/drivers/net/r8169.c
148 ++++ b/drivers/net/r8169.c
149 +@@ -2822,7 +2822,7 @@ static int rtl8169_rx_interrupt(struct net_device *dev,
150 + pkt_size, PCI_DMA_FROMDEVICE);
151 + rtl8169_mark_to_asic(desc, tp->rx_buf_sz);
152 + } else {
153 +- pci_unmap_single(pdev, addr, pkt_size,
154 ++ pci_unmap_single(pdev, addr, tp->rx_buf_sz,
155 + PCI_DMA_FROMDEVICE);
156 + tp->Rx_skbuff[entry] = NULL;
157 + }
158 +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
159 +index d8160fa..9c2b7b4 100644
160 +--- a/drivers/usb/class/cdc-acm.c
161 ++++ b/drivers/usb/class/cdc-acm.c
162 +@@ -531,8 +531,8 @@ static int acm_tty_open(struct tty_struct *tty, struct file *filp)
163 + tasklet_schedule(&acm->urb_task);
164 +
165 + done:
166 +-err_out:
167 + mutex_unlock(&acm->mutex);
168 ++err_out:
169 + mutex_unlock(&open_mutex);
170 + return rv;
171 +
172 +diff --git a/drivers/video/fb_defio.c b/drivers/video/fb_defio.c
173 +index 59df132..4835bdc 100644
174 +--- a/drivers/video/fb_defio.c
175 ++++ b/drivers/video/fb_defio.c
176 +@@ -114,6 +114,17 @@ static struct vm_operations_struct fb_deferred_io_vm_ops = {
177 + .page_mkwrite = fb_deferred_io_mkwrite,
178 + };
179 +
180 ++static int fb_deferred_io_set_page_dirty(struct page *page)
181 ++{
182 ++ if (!PageDirty(page))
183 ++ SetPageDirty(page);
184 ++ return 0;
185 ++}
186 ++
187 ++static const struct address_space_operations fb_deferred_io_aops = {
188 ++ .set_page_dirty = fb_deferred_io_set_page_dirty,
189 ++};
190 ++
191 + static int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma)
192 + {
193 + vma->vm_ops = &fb_deferred_io_vm_ops;
194 +@@ -163,6 +174,14 @@ void fb_deferred_io_init(struct fb_info *info)
195 + }
196 + EXPORT_SYMBOL_GPL(fb_deferred_io_init);
197 +
198 ++void fb_deferred_io_open(struct fb_info *info,
199 ++ struct inode *inode,
200 ++ struct file *file)
201 ++{
202 ++ file->f_mapping->a_ops = &fb_deferred_io_aops;
203 ++}
204 ++EXPORT_SYMBOL_GPL(fb_deferred_io_open);
205 ++
206 + void fb_deferred_io_cleanup(struct fb_info *info)
207 + {
208 + void *screen_base = (void __force *) info->screen_base;
209 +diff --git a/drivers/video/fbmem.c b/drivers/video/fbmem.c
210 +index 01072f4..79b410c 100644
211 +--- a/drivers/video/fbmem.c
212 ++++ b/drivers/video/fbmem.c
213 +@@ -1315,6 +1315,10 @@ fb_open(struct inode *inode, struct file *file)
214 + if (res)
215 + module_put(info->fbops->owner);
216 + }
217 ++#ifdef CONFIG_FB_DEFERRED_IO
218 ++ if (info->fbdefio)
219 ++ fb_deferred_io_open(info, inode, file);
220 ++#endif
221 + return res;
222 + }
223 +
224 +diff --git a/fs/cifs/file.c b/fs/cifs/file.c
225 +index 40b6900..a80a917 100644
226 +--- a/fs/cifs/file.c
227 ++++ b/fs/cifs/file.c
228 +@@ -835,6 +835,10 @@ ssize_t cifs_user_write(struct file *file, const char __user *write_data,
229 + return -EBADF;
230 + open_file = (struct cifsFileInfo *) file->private_data;
231 +
232 ++ rc = generic_write_checks(file, poffset, &write_size, 0);
233 ++ if (rc)
234 ++ return rc;
235 ++
236 + xid = GetXid();
237 +
238 + if (*poffset > file->f_path.dentry->d_inode->i_size)
239 +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
240 +index 350680f..b392002 100644
241 +--- a/fs/cramfs/inode.c
242 ++++ b/fs/cramfs/inode.c
243 +@@ -44,58 +44,13 @@ static DEFINE_MUTEX(read_mutex);
244 + static int cramfs_iget5_test(struct inode *inode, void *opaque)
245 + {
246 + struct cramfs_inode *cramfs_inode = opaque;
247 +-
248 +- if (inode->i_ino != CRAMINO(cramfs_inode))
249 +- return 0; /* does not match */
250 +-
251 +- if (inode->i_ino != 1)
252 +- return 1;
253 +-
254 +- /* all empty directories, char, block, pipe, and sock, share inode #1 */
255 +-
256 +- if ((inode->i_mode != cramfs_inode->mode) ||
257 +- (inode->i_gid != cramfs_inode->gid) ||
258 +- (inode->i_uid != cramfs_inode->uid))
259 +- return 0; /* does not match */
260 +-
261 +- if ((S_ISCHR(inode->i_mode) || S_ISBLK(inode->i_mode)) &&
262 +- (inode->i_rdev != old_decode_dev(cramfs_inode->size)))
263 +- return 0; /* does not match */
264 +-
265 +- return 1; /* matches */
266 ++ return inode->i_ino == CRAMINO(cramfs_inode) && inode->i_ino != 1;
267 + }
268 +
269 + static int cramfs_iget5_set(struct inode *inode, void *opaque)
270 + {
271 +- static struct timespec zerotime;
272 + struct cramfs_inode *cramfs_inode = opaque;
273 +- inode->i_mode = cramfs_inode->mode;
274 +- inode->i_uid = cramfs_inode->uid;
275 +- inode->i_size = cramfs_inode->size;
276 +- inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
277 +- inode->i_gid = cramfs_inode->gid;
278 +- /* Struct copy intentional */
279 +- inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
280 + inode->i_ino = CRAMINO(cramfs_inode);
281 +- /* inode->i_nlink is left 1 - arguably wrong for directories,
282 +- but it's the best we can do without reading the directory
283 +- contents. 1 yields the right result in GNU find, even
284 +- without -noleaf option. */
285 +- if (S_ISREG(inode->i_mode)) {
286 +- inode->i_fop = &generic_ro_fops;
287 +- inode->i_data.a_ops = &cramfs_aops;
288 +- } else if (S_ISDIR(inode->i_mode)) {
289 +- inode->i_op = &cramfs_dir_inode_operations;
290 +- inode->i_fop = &cramfs_directory_operations;
291 +- } else if (S_ISLNK(inode->i_mode)) {
292 +- inode->i_op = &page_symlink_inode_operations;
293 +- inode->i_data.a_ops = &cramfs_aops;
294 +- } else {
295 +- inode->i_size = 0;
296 +- inode->i_blocks = 0;
297 +- init_special_inode(inode, inode->i_mode,
298 +- old_decode_dev(cramfs_inode->size));
299 +- }
300 + return 0;
301 + }
302 +
303 +@@ -105,12 +60,48 @@ static struct inode *get_cramfs_inode(struct super_block *sb,
304 + struct inode *inode = iget5_locked(sb, CRAMINO(cramfs_inode),
305 + cramfs_iget5_test, cramfs_iget5_set,
306 + cramfs_inode);
307 ++ static struct timespec zerotime;
308 ++
309 + if (inode && (inode->i_state & I_NEW)) {
310 ++ inode->i_mode = cramfs_inode->mode;
311 ++ inode->i_uid = cramfs_inode->uid;
312 ++ inode->i_size = cramfs_inode->size;
313 ++ inode->i_blocks = (cramfs_inode->size - 1) / 512 + 1;
314 ++ inode->i_gid = cramfs_inode->gid;
315 ++ /* Struct copy intentional */
316 ++ inode->i_mtime = inode->i_atime = inode->i_ctime = zerotime;
317 ++ /* inode->i_nlink is left 1 - arguably wrong for directories,
318 ++ but it's the best we can do without reading the directory
319 ++ contents. 1 yields the right result in GNU find, even
320 ++ without -noleaf option. */
321 ++ if (S_ISREG(inode->i_mode)) {
322 ++ inode->i_fop = &generic_ro_fops;
323 ++ inode->i_data.a_ops = &cramfs_aops;
324 ++ } else if (S_ISDIR(inode->i_mode)) {
325 ++ inode->i_op = &cramfs_dir_inode_operations;
326 ++ inode->i_fop = &cramfs_directory_operations;
327 ++ } else if (S_ISLNK(inode->i_mode)) {
328 ++ inode->i_op = &page_symlink_inode_operations;
329 ++ inode->i_data.a_ops = &cramfs_aops;
330 ++ } else {
331 ++ inode->i_size = 0;
332 ++ inode->i_blocks = 0;
333 ++ init_special_inode(inode, inode->i_mode,
334 ++ old_decode_dev(cramfs_inode->size));
335 ++ }
336 + unlock_new_inode(inode);
337 + }
338 + return inode;
339 + }
340 +
341 ++static void cramfs_drop_inode(struct inode *inode)
342 ++{
343 ++ if (inode->i_ino == 1)
344 ++ generic_delete_inode(inode);
345 ++ else
346 ++ generic_drop_inode(inode);
347 ++}
348 ++
349 + /*
350 + * We have our own block cache: don't fill up the buffer cache
351 + * with the rom-image, because the way the filesystem is set
352 +@@ -535,6 +526,7 @@ static const struct super_operations cramfs_ops = {
353 + .put_super = cramfs_put_super,
354 + .remount_fs = cramfs_remount,
355 + .statfs = cramfs_statfs,
356 ++ .drop_inode = cramfs_drop_inode,
357 + };
358 +
359 + static int cramfs_get_sb(struct file_system_type *fs_type,
360 +diff --git a/fs/nfsd/nfs4acl.c b/fs/nfsd/nfs4acl.c
361 +index b6ed383..54b8b41 100644
362 +--- a/fs/nfsd/nfs4acl.c
363 ++++ b/fs/nfsd/nfs4acl.c
364 +@@ -443,7 +443,7 @@ init_state(struct posix_acl_state *state, int cnt)
365 + * enough space for either:
366 + */
367 + alloc = sizeof(struct posix_ace_state_array)
368 +- + cnt*sizeof(struct posix_ace_state);
369 ++ + cnt*sizeof(struct posix_user_ace_state);
370 + state->users = kzalloc(alloc, GFP_KERNEL);
371 + if (!state->users)
372 + return -ENOMEM;
373 +diff --git a/include/linux/fb.h b/include/linux/fb.h
374 +index 58c57a3..e1ee345 100644
375 +--- a/include/linux/fb.h
376 ++++ b/include/linux/fb.h
377 +@@ -966,6 +966,9 @@ static inline void __fb_pad_aligned_buffer(u8 *dst, u32 d_pitch,
378 +
379 + /* drivers/video/fb_defio.c */
380 + extern void fb_deferred_io_init(struct fb_info *info);
381 ++extern void fb_deferred_io_open(struct fb_info *info,
382 ++ struct inode *inode,
383 ++ struct file *file);
384 + extern void fb_deferred_io_cleanup(struct fb_info *info);
385 + extern int fb_deferred_io_fsync(struct file *file, struct dentry *dentry,
386 + int datasync);
387 +diff --git a/mm/page_alloc.c b/mm/page_alloc.c
388 +index f7082af..15ff806 100644
389 +--- a/mm/page_alloc.c
390 ++++ b/mm/page_alloc.c
391 +@@ -717,6 +717,9 @@ int move_freepages(struct zone *zone,
392 + #endif
393 +
394 + for (page = start_page; page <= end_page;) {
395 ++ /* Make sure we are not inadvertently changing nodes */
396 ++ VM_BUG_ON(page_to_nid(page) != zone_to_nid(zone));
397 ++
398 + if (!pfn_valid_within(page_to_pfn(page))) {
399 + page++;
400 + continue;
401 +@@ -2476,6 +2479,10 @@ static void setup_zone_migrate_reserve(struct zone *zone)
402 + continue;
403 + page = pfn_to_page(pfn);
404 +
405 ++ /* Watch out for overlapping nodes */
406 ++ if (page_to_nid(page) != zone_to_nid(zone))
407 ++ continue;
408 ++
409 + /* Blocks with reserved pages will never free, skip them. */
410 + if (PageReserved(page))
411 + continue;
412 +diff --git a/net/sched/sch_prio.c b/net/sched/sch_prio.c
413 +index 4aa2b45..d11f8d6 100644
414 +--- a/net/sched/sch_prio.c
415 ++++ b/net/sched/sch_prio.c
416 +@@ -228,14 +228,20 @@ static int prio_tune(struct Qdisc *sch, struct nlattr *opt)
417 + {
418 + struct prio_sched_data *q = qdisc_priv(sch);
419 + struct tc_prio_qopt *qopt;
420 +- struct nlattr *tb[TCA_PRIO_MAX + 1];
421 ++ struct nlattr *tb[TCA_PRIO_MAX + 1] = {0};
422 + int err;
423 + int i;
424 +
425 +- err = nla_parse_nested_compat(tb, TCA_PRIO_MAX, opt, NULL, qopt,
426 +- sizeof(*qopt));
427 +- if (err < 0)
428 +- return err;
429 ++ qopt = nla_data(opt);
430 ++ if (nla_len(opt) < sizeof(*qopt))
431 ++ return -1;
432 ++
433 ++ if (nla_len(opt) >= sizeof(*qopt) + sizeof(struct nlattr)) {
434 ++ err = nla_parse_nested(tb, TCA_PRIO_MAX,
435 ++ (struct nlattr *) (qopt + 1), NULL);
436 ++ if (err < 0)
437 ++ return err;
438 ++ }
439 +
440 + q->bands = qopt->bands;
441 + /* If we're multiqueue, make sure the number of incoming bands
442 +diff --git a/net/sctp/auth.c b/net/sctp/auth.c
443 +index 675a5c3..52db5f6 100644
444 +--- a/net/sctp/auth.c
445 ++++ b/net/sctp/auth.c
446 +@@ -80,6 +80,10 @@ static struct sctp_auth_bytes *sctp_auth_create_key(__u32 key_len, gfp_t gfp)
447 + {
448 + struct sctp_auth_bytes *key;
449 +
450 ++ /* Verify that we are not going to overflow INT_MAX */
451 ++ if ((INT_MAX - key_len) < sizeof(struct sctp_auth_bytes))
452 ++ return NULL;
453 ++
454 + /* Allocate the shared key */
455 + key = kmalloc(sizeof(struct sctp_auth_bytes) + key_len, gfp);
456 + if (!key)
457 +@@ -782,6 +786,9 @@ int sctp_auth_ep_set_hmacs(struct sctp_endpoint *ep,
458 + for (i = 0; i < hmacs->shmac_num_idents; i++) {
459 + id = hmacs->shmac_idents[i];
460 +
461 ++ if (id > SCTP_AUTH_HMAC_ID_MAX)
462 ++ return -EOPNOTSUPP;
463 ++
464 + if (SCTP_AUTH_HMAC_ID_SHA1 == id)
465 + has_sha1 = 1;
466 +
467 +diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
468 +index e39a0cd..4c8d9f4 100644
469 +--- a/net/sctp/endpointola.c
470 ++++ b/net/sctp/endpointola.c
471 +@@ -103,6 +103,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
472 +
473 + /* Initialize the CHUNKS parameter */
474 + auth_chunks->param_hdr.type = SCTP_PARAM_CHUNKS;
475 ++ auth_chunks->param_hdr.length = htons(sizeof(sctp_paramhdr_t));
476 +
477 + /* If the Add-IP functionality is enabled, we must
478 + * authenticate, ASCONF and ASCONF-ACK chunks
479 +@@ -110,8 +111,7 @@ static struct sctp_endpoint *sctp_endpoint_init(struct sctp_endpoint *ep,
480 + if (sctp_addip_enable) {
481 + auth_chunks->chunks[0] = SCTP_CID_ASCONF;
482 + auth_chunks->chunks[1] = SCTP_CID_ASCONF_ACK;
483 +- auth_chunks->param_hdr.length =
484 +- htons(sizeof(sctp_paramhdr_t) + 2);
485 ++ auth_chunks->param_hdr.length += htons(2);
486 + }
487 + }
488 +
489 +diff --git a/net/sctp/socket.c b/net/sctp/socket.c
490 +index 2d42260..f8c66d6 100644
491 +--- a/net/sctp/socket.c
492 ++++ b/net/sctp/socket.c
493 +@@ -2983,6 +2983,9 @@ static int sctp_setsockopt_auth_chunk(struct sock *sk,
494 + {
495 + struct sctp_authchunk val;
496 +
497 ++ if (!sctp_auth_enable)
498 ++ return -EACCES;
499 ++
500 + if (optlen != sizeof(struct sctp_authchunk))
501 + return -EINVAL;
502 + if (copy_from_user(&val, optval, optlen))
503 +@@ -3011,8 +3014,12 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
504 + int optlen)
505 + {
506 + struct sctp_hmacalgo *hmacs;
507 ++ u32 idents;
508 + int err;
509 +
510 ++ if (!sctp_auth_enable)
511 ++ return -EACCES;
512 ++
513 + if (optlen < sizeof(struct sctp_hmacalgo))
514 + return -EINVAL;
515 +
516 +@@ -3025,8 +3032,9 @@ static int sctp_setsockopt_hmac_ident(struct sock *sk,
517 + goto out;
518 + }
519 +
520 +- if (hmacs->shmac_num_idents == 0 ||
521 +- hmacs->shmac_num_idents > SCTP_AUTH_NUM_HMACS) {
522 ++ idents = hmacs->shmac_num_idents;
523 ++ if (idents == 0 || idents > SCTP_AUTH_NUM_HMACS ||
524 ++ (idents * sizeof(u16)) > (optlen - sizeof(struct sctp_hmacalgo))) {
525 + err = -EINVAL;
526 + goto out;
527 + }
528 +@@ -3051,6 +3059,9 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
529 + struct sctp_association *asoc;
530 + int ret;
531 +
532 ++ if (!sctp_auth_enable)
533 ++ return -EACCES;
534 ++
535 + if (optlen <= sizeof(struct sctp_authkey))
536 + return -EINVAL;
537 +
538 +@@ -3063,6 +3074,11 @@ static int sctp_setsockopt_auth_key(struct sock *sk,
539 + goto out;
540 + }
541 +
542 ++ if (authkey->sca_keylength > optlen - sizeof(struct sctp_authkey)) {
543 ++ ret = -EINVAL;
544 ++ goto out;
545 ++ }
546 ++
547 + asoc = sctp_id2assoc(sk, authkey->sca_assoc_id);
548 + if (!asoc && authkey->sca_assoc_id && sctp_style(sk, UDP)) {
549 + ret = -EINVAL;
550 +@@ -3088,6 +3104,9 @@ static int sctp_setsockopt_active_key(struct sock *sk,
551 + struct sctp_authkeyid val;
552 + struct sctp_association *asoc;
553 +
554 ++ if (!sctp_auth_enable)
555 ++ return -EACCES;
556 ++
557 + if (optlen != sizeof(struct sctp_authkeyid))
558 + return -EINVAL;
559 + if (copy_from_user(&val, optval, optlen))
560 +@@ -3113,6 +3132,9 @@ static int sctp_setsockopt_del_key(struct sock *sk,
561 + struct sctp_authkeyid val;
562 + struct sctp_association *asoc;
563 +
564 ++ if (!sctp_auth_enable)
565 ++ return -EACCES;
566 ++
567 + if (optlen != sizeof(struct sctp_authkeyid))
568 + return -EINVAL;
569 + if (copy_from_user(&val, optval, optlen))
570 +@@ -5073,19 +5095,29 @@ static int sctp_getsockopt_maxburst(struct sock *sk, int len,
571 + static int sctp_getsockopt_hmac_ident(struct sock *sk, int len,
572 + char __user *optval, int __user *optlen)
573 + {
574 ++ struct sctp_hmacalgo __user *p = (void __user *)optval;
575 + struct sctp_hmac_algo_param *hmacs;
576 +- __u16 param_len;
577 ++ __u16 data_len = 0;
578 ++ u32 num_idents;
579 ++
580 ++ if (!sctp_auth_enable)
581 ++ return -EACCES;
582 +
583 + hmacs = sctp_sk(sk)->ep->auth_hmacs_list;
584 +- param_len = ntohs(hmacs->param_hdr.length);
585 ++ data_len = ntohs(hmacs->param_hdr.length) - sizeof(sctp_paramhdr_t);
586 +
587 +- if (len < param_len)
588 ++ if (len < sizeof(struct sctp_hmacalgo) + data_len)
589 + return -EINVAL;
590 ++
591 ++ len = sizeof(struct sctp_hmacalgo) + data_len;
592 ++ num_idents = data_len / sizeof(u16);
593 ++
594 + if (put_user(len, optlen))
595 + return -EFAULT;
596 +- if (copy_to_user(optval, hmacs->hmac_ids, len))
597 ++ if (put_user(num_idents, &p->shmac_num_idents))
598 ++ return -EFAULT;
599 ++ if (copy_to_user(p->shmac_idents, hmacs->hmac_ids, data_len))
600 + return -EFAULT;
601 +-
602 + return 0;
603 + }
604 +
605 +@@ -5095,6 +5127,9 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
606 + struct sctp_authkeyid val;
607 + struct sctp_association *asoc;
608 +
609 ++ if (!sctp_auth_enable)
610 ++ return -EACCES;
611 ++
612 + if (len < sizeof(struct sctp_authkeyid))
613 + return -EINVAL;
614 + if (copy_from_user(&val, optval, sizeof(struct sctp_authkeyid)))
615 +@@ -5109,6 +5144,12 @@ static int sctp_getsockopt_active_key(struct sock *sk, int len,
616 + else
617 + val.scact_keynumber = sctp_sk(sk)->ep->active_key_id;
618 +
619 ++ len = sizeof(struct sctp_authkeyid);
620 ++ if (put_user(len, optlen))
621 ++ return -EFAULT;
622 ++ if (copy_to_user(optval, &val, len))
623 ++ return -EFAULT;
624 ++
625 + return 0;
626 + }
627 +
628 +@@ -5119,13 +5160,16 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
629 + struct sctp_authchunks val;
630 + struct sctp_association *asoc;
631 + struct sctp_chunks_param *ch;
632 +- u32 num_chunks;
633 ++ u32 num_chunks = 0;
634 + char __user *to;
635 +
636 +- if (len <= sizeof(struct sctp_authchunks))
637 ++ if (!sctp_auth_enable)
638 ++ return -EACCES;
639 ++
640 ++ if (len < sizeof(struct sctp_authchunks))
641 + return -EINVAL;
642 +
643 +- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
644 ++ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
645 + return -EFAULT;
646 +
647 + to = p->gauth_chunks;
648 +@@ -5134,20 +5178,21 @@ static int sctp_getsockopt_peer_auth_chunks(struct sock *sk, int len,
649 + return -EINVAL;
650 +
651 + ch = asoc->peer.peer_chunks;
652 ++ if (!ch)
653 ++ goto num;
654 +
655 + /* See if the user provided enough room for all the data */
656 + num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
657 + if (len < num_chunks)
658 + return -EINVAL;
659 +
660 +- len = num_chunks;
661 +- if (put_user(len, optlen))
662 ++ if (copy_to_user(to, ch->chunks, num_chunks))
663 + return -EFAULT;
664 ++num:
665 ++ len = sizeof(struct sctp_authchunks) + num_chunks;
666 ++ if (put_user(len, optlen)) return -EFAULT;
667 + if (put_user(num_chunks, &p->gauth_number_of_chunks))
668 + return -EFAULT;
669 +- if (copy_to_user(to, ch->chunks, len))
670 +- return -EFAULT;
671 +-
672 + return 0;
673 + }
674 +
675 +@@ -5158,13 +5203,16 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
676 + struct sctp_authchunks val;
677 + struct sctp_association *asoc;
678 + struct sctp_chunks_param *ch;
679 +- u32 num_chunks;
680 ++ u32 num_chunks = 0;
681 + char __user *to;
682 +
683 +- if (len <= sizeof(struct sctp_authchunks))
684 ++ if (!sctp_auth_enable)
685 ++ return -EACCES;
686 ++
687 ++ if (len < sizeof(struct sctp_authchunks))
688 + return -EINVAL;
689 +
690 +- if (copy_from_user(&val, p, sizeof(struct sctp_authchunks)))
691 ++ if (copy_from_user(&val, optval, sizeof(struct sctp_authchunks)))
692 + return -EFAULT;
693 +
694 + to = p->gauth_chunks;
695 +@@ -5177,17 +5225,21 @@ static int sctp_getsockopt_local_auth_chunks(struct sock *sk, int len,
696 + else
697 + ch = sctp_sk(sk)->ep->auth_chunk_list;
698 +
699 ++ if (!ch)
700 ++ goto num;
701 ++
702 + num_chunks = ntohs(ch->param_hdr.length) - sizeof(sctp_paramhdr_t);
703 +- if (len < num_chunks)
704 ++ if (len < sizeof(struct sctp_authchunks) + num_chunks)
705 + return -EINVAL;
706 +
707 +- len = num_chunks;
708 ++ if (copy_to_user(to, ch->chunks, num_chunks))
709 ++ return -EFAULT;
710 ++num:
711 ++ len = sizeof(struct sctp_authchunks) + num_chunks;
712 + if (put_user(len, optlen))
713 + return -EFAULT;
714 + if (put_user(num_chunks, &p->gauth_number_of_chunks))
715 + return -EFAULT;
716 +- if (copy_to_user(to, ch->chunks, len))
717 +- return -EFAULT;
718 +
719 + return 0;
720 + }
721 +diff --git a/net/sunrpc/sysctl.c b/net/sunrpc/sysctl.c
722 +index 0f8c439..5231f7a 100644
723 +--- a/net/sunrpc/sysctl.c
724 ++++ b/net/sunrpc/sysctl.c
725 +@@ -60,24 +60,14 @@ static int proc_do_xprt(ctl_table *table, int write, struct file *file,
726 + void __user *buffer, size_t *lenp, loff_t *ppos)
727 + {
728 + char tmpbuf[256];
729 +- int len;
730 ++ size_t len;
731 ++
732 + if ((*ppos && !write) || !*lenp) {
733 + *lenp = 0;
734 + return 0;
735 + }
736 +- if (write)
737 +- return -EINVAL;
738 +- else {
739 +- len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
740 +- if (!access_ok(VERIFY_WRITE, buffer, len))
741 +- return -EFAULT;
742 +-
743 +- if (__copy_to_user(buffer, tmpbuf, len))
744 +- return -EFAULT;
745 +- }
746 +- *lenp -= len;
747 +- *ppos += len;
748 +- return 0;
749 ++ len = svc_print_xprts(tmpbuf, sizeof(tmpbuf));
750 ++ return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len);
751 + }
752 +
753 + static int
754
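Review bot: In the net/sctp/socket.c hunk for sctp_getsockopt_peer_auth_chunks, the room check left as `if (len < num_chunks)` is weaker than the one this same patch writes for sctp_getsockopt_local_auth_chunks, `if (len < sizeof(struct sctp_authchunks) + num_chunks)`, although both copy num_chunks bytes to `to = p->gauth_chunks`, which starts sizeof(struct sctp_authchunks) bytes into the caller's buffer. A caller whose len lies between num_chunks and sizeof(struct sctp_authchunks) + num_chunks passes the peer check and copy_to_user then writes beyond the length the caller declared, while the len reported back afterwards (`len = sizeof(struct sctp_authchunks) + num_chunks`) is larger than what was validated. The peer variant should use the same test as the local one: `if (len < sizeof(struct sctp_authchunks) + num_chunks)`. This file is an upstream stable patch carried verbatim, so the correction belongs upstream rather than in a genpatches edit, but it is worth tracking before 2.6.25.17 ships. The function's signature sits outside this hunk, in the preceding one.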
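--- a/genpatches-2.6/trunk/2.6.25/1500_thinkpad_acpi-null-ptr-deref-fix.patch
+++ b/genpatches-2.6/trunk/2.6.25/1500_thinkpad_acpi-null-ptr-deref-fix.patch
@@ -0,0 +1,27 @@
+From: Cyrill Gorcunov <gorcunov@×××××.com>
+Date: Fri, 18 Apr 2008 20:27:29 +0000 (-0700)
+Subject: thinkpad_acpi: fix possible NULL pointer dereference if kstrdup failed
+X-Git-Tag: v2.6.26-rc1~101^2~1^8~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=90fe17f4df2f830601ffd422b11d1f7f9a9d0355
+
+thinkpad_acpi: fix possible NULL pointer dereference if kstrdup failed
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@×××××.com>
+Acked-by: Henrique de Moraes Holschuh <hmh@×××××××.br>
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
+Signed-off-by: Len Brown <len.brown@×××××.com>
+---
+
+diff --git a/drivers/misc/thinkpad_acpi.c b/drivers/misc/thinkpad_acpi.c
+index 6cb7812..31115c9 100644
+--- a/drivers/misc/thinkpad_acpi.c
++++ b/drivers/misc/thinkpad_acpi.c
+@@ -5826,7 +5826,7 @@ static void __init get_thinkpad_model_data(struct thinkpad_id_data *tp)
+
+ tp->model_str = kstrdup(dmi_get_system_info(DMI_PRODUCT_VERSION),
+ GFP_KERNEL);
+- if (strnicmp(tp->model_str, "ThinkPad", 8) != 0) {
++ if (tp->model_str && strnicmp(tp->model_str, "ThinkPad", 8) != 0) {
+ kfree(tp->model_str);
+ tp->model_str = NULL;
+ }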
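--- a/genpatches-2.6/trunk/2.6.25/1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
+++ b/genpatches-2.6/trunk/2.6.25/1501_nfs-validate_mount_data-null-ptr-deref-fixes.patch
@@ -0,0 +1,77 @@
+From: Cyrill Gorcunov <gorcunov@×××××.com>
+Date: Thu, 17 Apr 2008 16:42:09 +0000 (+0400)
+Subject: NFS - fix potential NULL pointer dereference v2
+X-Git-Tag: v2.6.26-rc1~1082^2^2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=63649bd7080a6a50fabcb1935f4b7c4e64155066
+
+NFS - fix potential NULL pointer dereference v2
+
+There is possible NULL pointer dereference if kstr[n]dup failed.
+So fix them for safety.
+
+Signed-off-by: Cyrill Gorcunov <gorcunov@×××××.com>
+Signed-off-by: Trond Myklebust <Trond.Myklebust@××××××.com>
+---
+
+diff --git a/fs/nfs/super.c b/fs/nfs/super.c
+index c99ca1f..2215bcd 100644
+--- a/fs/nfs/super.c
++++ b/fs/nfs/super.c
+@@ -1297,6 +1297,8 @@ static int nfs_validate_mount_data(void *options,
+ args->namlen = data->namlen;
+ args->bsize = data->bsize;
+ args->auth_flavors[0] = data->pseudoflavor;
++ if (!args->nfs_server.hostname)
++ goto out_nomem;
+
+ /*
+ * The legacy version 6 binary mount data from userspace has a
+@@ -1343,6 +1345,8 @@ static int nfs_validate_mount_data(void *options,
+ len = c - dev_name;
+ /* N.B. caller will free nfs_server.hostname in all cases */
+ args->nfs_server.hostname = kstrndup(dev_name, len, GFP_KERNEL);
++ if (!args->nfs_server.hostname)
++ goto out_nomem;
+
+ c++;
+ if (strlen(c) > NFS_MAXPATHLEN)
+@@ -1386,6 +1390,10 @@ out_v3_not_compiled:
+ return -EPROTONOSUPPORT;
+ #endif /* !CONFIG_NFS_V3 */
+
++out_nomem:
++ dfprintk(MOUNT, "NFS: not enough memory to handle mount options\n");
++ return -ENOMEM;
++
+ out_no_address:
+ dfprintk(MOUNT, "NFS: mount program didn't pass remote address\n");
+ return -EINVAL;
+@@ -1892,12 +1900,16 @@ static int nfs4_validate_mount_data(void *options,
+ return -ENAMETOOLONG;
+ /* N.B. caller will free nfs_server.hostname in all cases */
+ args->nfs_server.hostname = kstrndup(dev_name, len, GFP_KERNEL);
++ if (!args->nfs_server.hostname)
++ goto out_nomem;
+
+ c++; /* step over the ':' */
+ len = strlen(c);
+ if (len > NFS4_MAXPATHLEN)
+ return -ENAMETOOLONG;
+ args->nfs_server.export_path = kstrndup(c, len, GFP_KERNEL);
++ if (!args->nfs_server.export_path)
++ goto out_nomem;
+
+ dprintk("NFS: MNTPATH: '%s'\n", args->nfs_server.export_path);
+
+@@ -1919,6 +1931,10 @@ out_inval_auth:
+ data->auth_flavourlen);
+ return -EINVAL;
+
++out_nomem:
++ dfprintk(MOUNT, "NFS4: not enough memory to handle mount options\n");
++ return -ENOMEM;
++
+ out_no_address:
+ dfprintk(MOUNT, "NFS4: mount program didn't pass remote address\n");
+ return -EINVAL;
+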
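--- a/genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch
+++ b/genpatches-2.6/trunk/2.6.25/1502_wan-sbni_ioctl-add-missing-capability-checks.patch
@@ -0,0 +1,79 @@
+From: Eugene Teo <eugeneteo@××××××.sg>
+Date: Wed, 27 Aug 2008 11:50:30 +0000 (-0700)
+Subject: wan: Missing capability checks in sbni_ioctl()
+X-Git-Tag: v2.6.27-rc5~8^2~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f2455eb176ac87081bbfc9a44b21c7cd2bc1967e
+
+wan: Missing capability checks in sbni_ioctl()
+
+There are missing capability checks in the following code:
+
+1300 static int
+1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
+1302 {
+[...]
+1319 case SIOCDEVRESINSTATS :
+1320 if( current->euid != 0 ) /* root only */
+1321 return -EPERM;
+[...]
+1336 case SIOCDEVSHWSTATE :
+1337 if( current->euid != 0 ) /* root only */
+1338 return -EPERM;
+[...]
+1357 case SIOCDEVENSLAVE :
+1358 if( current->euid != 0 ) /* root only */
+1359 return -EPERM;
+[...]
+1372 case SIOCDEVEMANSIPATE :
+1373 if( current->euid != 0 ) /* root only */
+1374 return -EPERM;
+
+Here's my proposed fix:
+
+Missing capability checks.
+
+Signed-off-by: Eugene Teo <eugeneteo@××××××.sg>
+Signed-off-by: David S. Miller <davem@×××××××××.net>
+---
+
+diff --git a/drivers/net/wan/sbni.c b/drivers/net/wan/sbni.c
+index e59255a..6596cd0 100644
+--- a/drivers/net/wan/sbni.c
++++ b/drivers/net/wan/sbni.c
+@@ -1317,7 +1317,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ break;
+
+ case SIOCDEVRESINSTATS :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+ memset( &nl->in_stats, 0, sizeof(struct sbni_in_stats) );
+ break;
+@@ -1334,7 +1334,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ break;
+
+ case SIOCDEVSHWSTATE :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ spin_lock( &nl->lock );
+@@ -1355,7 +1355,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+#ifdef CONFIG_SBNI_MULTILINE
+
+ case SIOCDEVENSLAVE :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ if (copy_from_user( slave_name, ifr->ifr_data, sizeof slave_name ))
+@@ -1370,7 +1370,7 @@ sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd )
+ return enslave( dev, slave_dev );
+
+ case SIOCDEVEMANSIPATE :
+- if( current->euid != 0 ) /* root only */
++ if (!capable(CAP_NET_ADMIN))
+ return -EPERM;
+
+ return emancipate( dev );
+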