[meego-commits] 10373: Changes to MeeGo:1.0:Core:Update:Testing/kernel
Han Dai
no_reply at build.meego.com
Tue Nov 30 02:58:42 UTC 2010
Hi,
I have made the following changes to kernel in project MeeGo:1.0:Core:Update:Testing. Please review and accept ASAP.
Thank You,
Han Dai
[This message was auto-generated]
---
Request #10373:
submit: home:daihan:branches:MeeGo:1.0:Core:Update:Testing/kernel(r2)(cleanup) -> MeeGo:1.0:Core:Update:Testing/kernel
Message:
Backport CVE kernel patches to 2.6.33 for #BMC 5921 8182 8184 8186 8190 8207 8213
State: new 2010-11-29T18:58:42 daihan
Comment: None
changes files:
--------------
--- kernel.changes
+++ kernel.changes
@@ -0,0 +1,5 @@
+
+* Tue Nov 30 2010 Jie Yang <yang.jie at intel.com> 2.6.33.6
+- Backport CVE kernel patches to 2.6.33 for #BMC 5921 8182 8184 8186 8190 8207 8213
+
+
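Review bot: The changelog entry lists seven bug numbers (5921 8182 8184 8186 8190 8207 8213) but no CVE identifiers and no patch file names, so a reader of kernel.changes cannot tell which of the seven new patches closes which bug. Only 8182 is tied to a CVE and a patch in this request, through the spec comments above Patch21 and %patch21. Suggest one changelog line per patch giving the bug number, the CVE id and the file name. The hunk also adds one leading and two trailing blank lines that can be dropped.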
new:
----
linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch
linux-2.6.34-CVE-ext4-consolidate-in-range.patch
linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch
linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch
linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch
linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch
linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch
spec files:
-----------
--- kernel.spec
+++ kernel.spec
@@ -215,33 +215,45 @@
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
-Patch21: linux-2.6.34-CVE-CIFS-Allow-null-nd-as-nfs-server-uses-on-create.patch
-Patch22: linux-2.6.34-CVE-sctp-Fix-skb_over_panic-resulting-from-multiple-inv.patch
-Patch23: linux-2.6.34-CVE-KEYS-find_keyring_by_name.patch
-
-Patch24: linux-2.6.35-CVE-avoid-buffer-overflow-in-ecrptfs.patch
-Patch25: linux-2.6.35-CVE-avoid_overwrite_appendonly_file.patch
-Patch26: linux-2.6.35-CVE-C99-initializers-to-fix-act-polic-dump.patch
-Patch27: linux-2.6.35-CVE-C99-initializers-to-fix-holes.patch
-Patch28: linux-2.6.35-CVE-check-for-multiplication-overflow.patch
-Patch29: linux-2.6.35-CVE-drm-stop-information-leak-of-old-kernel-stack.patch
-Patch30: linux-2.6.35-CVE-enable-reproducer-programs.patch
-Patch31: linux-2.6.35-CVE-fix-checks-in-BTRFS_IOC_CLONE_RANGE.patch
-Patch32: linux-2.6.35-CVE-fix-double-free-at-snd_seq_oss_open.patch
-Patch33: linux-2.6.35-CVE-fix-integer-overflow.patch
-Patch34: linux-2.6.35-CVE-fix-malicious-redirect-problem-in-DNS-lookup.patch
-Patch35: linux-2.6.35-CVE-fix-no-session-keyring.patch
-Patch36: linux-2.6.35-CVE-fix-RCU-no-lock-warning.patch
-Patch37: linux-2.6.35-CVE-initialize-structures-to-leverage-off-by-one-error.patch
-Patch38: linux-2.6.35-CVE-irda-failure-handling.patch
-Patch39: linux-2.6.35-CVE-not-allow-llseek-to-set_ftrace_filter.patch
-Patch40: linux-2.6.35-CVE-prevent-reading-cxgb3-uninitialized-stack-memory.patch
-Patch41: linux-2.6.35-CVE-prevent-reading-eql-uninitialized-stack-memory.patch
-Patch42: linux-2.6.35-CVE-prevent-reading-hso-uninitialized-stack-memory.patch
-Patch43: linux-2.6.35-CVE-xfs-prevent-reading-uninitialized-stack.patch
+
+#MeeGo Bug 8182 - CVE-2010-2478 [kernel] Integer overflow allows local users to cause a DoS or have unspecified other impact
+Patch21: linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch
+
+
+Patch22: linux-2.6.34-CVE-CIFS-Allow-null-nd-as-nfs-server-uses-on-create.patch
+Patch23: linux-2.6.34-CVE-sctp-Fix-skb_over_panic-resulting-from-multiple-inv.patch
+Patch24: linux-2.6.34-CVE-KEYS-find_keyring_by_name.patch
+Patch25: linux-2.6.34-CVE-ext4-consolidate-in-range.patch
+
+Patch26: linux-2.6.35-CVE-avoid-buffer-overflow-in-ecrptfs.patch
+Patch27: linux-2.6.35-CVE-avoid_overwrite_appendonly_file.patch
+Patch28: linux-2.6.35-CVE-C99-initializers-to-fix-act-polic-dump.patch
+Patch29: linux-2.6.35-CVE-C99-initializers-to-fix-holes.patch
+Patch30: linux-2.6.35-CVE-check-for-multiplication-overflow.patch
+Patch31: linux-2.6.35-CVE-drm-stop-information-leak-of-old-kernel-stack.patch
+Patch32: linux-2.6.35-CVE-enable-reproducer-programs.patch
+Patch33: linux-2.6.35-CVE-fix-checks-in-BTRFS_IOC_CLONE_RANGE.patch
+Patch34: linux-2.6.35-CVE-fix-double-free-at-snd_seq_oss_open.patch
+Patch35: linux-2.6.35-CVE-fix-integer-overflow.patch
+Patch36: linux-2.6.35-CVE-fix-malicious-redirect-problem-in-DNS-lookup.patch
+Patch37: linux-2.6.35-CVE-fix-no-session-keyring.patch
+Patch38: linux-2.6.35-CVE-fix-RCU-no-lock-warning.patch
+Patch39: linux-2.6.35-CVE-initialize-structures-to-leverage-off-by-one-error.patch
+Patch40: linux-2.6.35-CVE-irda-failure-handling.patch
+Patch41: linux-2.6.35-CVE-not-allow-llseek-to-set_ftrace_filter.patch
+Patch42: linux-2.6.35-CVE-prevent-reading-cxgb3-uninitialized-stack-memory.patch
+Patch43: linux-2.6.35-CVE-prevent-reading-eql-uninitialized-stack-memory.patch
+Patch44: linux-2.6.35-CVE-prevent-reading-hso-uninitialized-stack-memory.patch
+Patch45: linux-2.6.35-CVE-xfs-prevent-reading-uninitialized-stack.patch
+Patch46: linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch
+
+Patch47: linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+Patch48: linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch
+Patch49: linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+Patch50: linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch
# MeeGo Bug #5212: Patch to fix backlight support missing in intel_opregion_init failure path
-Patch44: linux-2.6.33-acpi-video-register.patch
+Patch51: linux-2.6.33-acpi-video-register.patch
#
# End of the "straight backport" patches
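Review bot: Six of the seven added entries (Patch25 and Patch46 to Patch50) carry no bug or CVE comment, while Patch21 gets `#MeeGo Bug 8182 - CVE-2010-2478 ...`. The block header says "no non-cve patches should go here!", so each new entry should state the bug number and CVE it addresses in the same form. This matters most for Patch25, linux-2.6.34-CVE-ext4-consolidate-in-range.patch, whose name reads as a cleanup; a comment naming the issue it fixes, or the later patch that depends on it, would justify its place in this block.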
@@ -250,147 +262,147 @@
# core architecture and other invasive patches go first, then minor tweaks
-Patch45: linux-2.6.34-moorestown-platform-enabling.patch
-Patch46: linux-2.6.34-moorestown-nand-driver-1.0.patch
-Patch47: linux-2.6.34-moorestown-touchscreen-driver.patch
-Patch48: linux-2.6.34-moorestown-still-image-gadget-driver.patch
-
-Patch49: linux-2.6.35-moorestown-camera-driver-10.0-1-3.patch
-Patch50: linux-2.6.35-moorestown-camera-driver-10.0-2-3.patch
-Patch51: linux-2.6.35-moorestown-camera-driver-10.0-3-3.patch
-
-Patch52: linux-2.6.34-moorestown-keypad-driver.patch
-Patch53: linux-2.6.34-moorestown-audio-driver-5.0.patch
-Patch54: linux-2.6.34-moorestown-ericsson-mbm-driver.patch
-Patch55: linux-2.6.34-moorestown-langwell-dma-driver-3.0.patch
-Patch56: linux-2.6.34-moorestown-sensor-driver-1.1.patch
-Patch57: linux-2.6.34-moorestown-gpe-fix-for-sensor.patch
-Patch58: linux-2.6.34-moorestown-analog-accelerometer-driver.patch
-Patch59: linux-2.6.34-moorestown-pmic-battery-driver.patch
-Patch60: linux-2.6.34-moorestown-thermal-emc1403-driver.patch
-Patch61: linux-2.6.34-moorestown-spi-slave-controller-driver-1.1.patch
-Patch62: linux-2.6.34-moorestown-gtm501l-driver-1.2.patch
-Patch63: linux-2.6.34-moorestown-rar-handler-driver-3.1.patch
-Patch64: linux-2.6.34-moorestown-ifxgps-driver.patch
-Patch65: linux-2.6.34-moorestown-ipc-host-driver.patch
-Patch66: linux-2.6.34-moorestown-mmc-driver-1.0.patch
-Patch67: linux-2.6.34-moorestown-usb-otg-client-driver-3.0.patch
-Patch68: linux-2.6.34-moorestown-usb-otg-transceiver-driver-1.0.patch
-
-Patch69: linux-2.6.34-img-graphics-driver.patch
-
-Patch70: linux-2.6.34-moorestown-aava-specific-changes.patch
-Patch71: linux-2.6.34-moorestown-only-enable-mrst-pciquirks-on-mrst.patch
-Patch72: linux-2.6.34-moorestown-fix-hw-qh-prefetch-bug.patch
+Patch52: linux-2.6.34-moorestown-platform-enabling.patch
+Patch53: linux-2.6.34-moorestown-nand-driver-1.0.patch
+Patch54: linux-2.6.34-moorestown-touchscreen-driver.patch
+Patch55: linux-2.6.34-moorestown-still-image-gadget-driver.patch
+
+Patch56: linux-2.6.35-moorestown-camera-driver-10.0-1-3.patch
+Patch57: linux-2.6.35-moorestown-camera-driver-10.0-2-3.patch
+Patch58: linux-2.6.35-moorestown-camera-driver-10.0-3-3.patch
+
+Patch59: linux-2.6.34-moorestown-keypad-driver.patch
+Patch60: linux-2.6.34-moorestown-audio-driver-5.0.patch
+Patch61: linux-2.6.34-moorestown-ericsson-mbm-driver.patch
+Patch62: linux-2.6.34-moorestown-langwell-dma-driver-3.0.patch
+Patch63: linux-2.6.34-moorestown-sensor-driver-1.1.patch
+Patch64: linux-2.6.34-moorestown-gpe-fix-for-sensor.patch
+Patch65: linux-2.6.34-moorestown-analog-accelerometer-driver.patch
+Patch66: linux-2.6.34-moorestown-pmic-battery-driver.patch
+Patch67: linux-2.6.34-moorestown-thermal-emc1403-driver.patch
+Patch68: linux-2.6.34-moorestown-spi-slave-controller-driver-1.1.patch
+Patch69: linux-2.6.34-moorestown-gtm501l-driver-1.2.patch
+Patch70: linux-2.6.34-moorestown-rar-handler-driver-3.1.patch
+Patch71: linux-2.6.34-moorestown-ifxgps-driver.patch
+Patch72: linux-2.6.34-moorestown-ipc-host-driver.patch
+Patch73: linux-2.6.34-moorestown-mmc-driver-1.0.patch
+Patch74: linux-2.6.34-moorestown-usb-otg-client-driver-3.0.patch
+Patch75: linux-2.6.34-moorestown-usb-otg-transceiver-driver-1.0.patch
+
+Patch76: linux-2.6.34-img-graphics-driver.patch
+
+Patch77: linux-2.6.34-moorestown-aava-specific-changes.patch
+Patch78: linux-2.6.34-moorestown-only-enable-mrst-pciquirks-on-mrst.patch
+Patch79: linux-2.6.34-moorestown-fix-hw-qh-prefetch-bug.patch
#
# Patch to try mounting / before all devices (the mouse)
# are done probing. This saves several seconds of boot time.
#
-Patch73: linux-2.6.29-dont-wait-for-mouse.patch
+Patch80: linux-2.6.29-dont-wait-for-mouse.patch
#
# Patch to support the old sreadahead versions
#
-Patch74: linux-2.6.29-sreadahead.patch
+Patch81: linux-2.6.29-sreadahead.patch
#
# KMS (note: upstream backports go in the backport section higher up!)
#
-Patch75: linux-2.6.29-kms-edid-cache.patch
-Patch76: linux-2.6.29-kms-run-async.patch
-Patch77: linux-2.6.29-kms-after-sata.patch
+Patch82: linux-2.6.29-kms-edid-cache.patch
+Patch83: linux-2.6.29-kms-run-async.patch
+Patch84: linux-2.6.29-kms-after-sata.patch
#
# Quiet down some printks that shows up falsly during boot
#
-Patch78: linux-2.6.29-silence-acer-message.patch
-Patch79: linux-2.6.31-silence-wacom.patch
+Patch85: linux-2.6.29-silence-acer-message.patch
+Patch86: linux-2.6.31-silence-wacom.patch
# Timberdale drivers
-Patch80: linux-2.6.33-rc8-timberdale.patch
-Patch81: linux-2.6.33-timberdale-audio-fix.patch
+Patch87: linux-2.6.33-rc8-timberdale.patch
+Patch88: linux-2.6.33-timberdale-audio-fix.patch
#
# USB Selective Suspend patches
#
-Patch82: linux-2.6-driver-level-usb-autosuspend.patch
-Patch83: linux-2.6-usb-uvc-autosuspend.patch
-Patch84: linux-2.6-usb-bt-autosuspend.patch
-
-Patch85: linux-2.6.33-usb-storage-suspend.patch
-Patch86: linux-2.6.33-usb-storage-suspend-enable.patch
-Patch87: linux-2.6.33-usb-suspend-hub.patch
+Patch89: linux-2.6-driver-level-usb-autosuspend.patch
+Patch90: linux-2.6-usb-uvc-autosuspend.patch
+Patch91: linux-2.6-usb-bt-autosuspend.patch
+
+Patch92: linux-2.6.33-usb-storage-suspend.patch
+Patch93: linux-2.6.33-usb-storage-suspend-enable.patch
+Patch94: linux-2.6.33-usb-suspend-hub.patch
#
# Patches to help PowerTOP
#
-Patch88: linux-2.6.33-vfs-tracepoints.patch
-Patch89: linux-2.6.33-ahci-alpm-accounting.patch
-Patch90: linux-2.6.33-ahci-fix-oops-on-dummy-port.patch
+Patch95: linux-2.6.33-vfs-tracepoints.patch
+Patch96: linux-2.6.33-ahci-alpm-accounting.patch
+Patch97: linux-2.6.33-ahci-fix-oops-on-dummy-port.patch
# two patches to expose driver state to powertop
# linux-2.6.33-drm-fbc-status.patch
# linux-2.6.33-drm-sr-status.patch
# spurious debug spew
-Patch91: linux-2.6.34-rt2860-no-debug.patch
+Patch98: linux-2.6.34-rt2860-no-debug.patch
# Fix 2 bugs in the rt2860 driver
-Patch92: linux-2.6.33-rt2860-1-2.patch
-Patch93: linux-2.6.33-rt2860-2-2.patch
+Patch99: linux-2.6.33-rt2860-1-2.patch
+Patch100: linux-2.6.33-rt2860-2-2.patch
# Patchset from Sam to fix MB#6315
-Patch94: rtl8192_no_autoconnect.patch
-Patch95: rtl8192_no_WAP_unassoc.patch
-Patch96: rtl8192_carrier_off.patch
+Patch101: rtl8192_no_autoconnect.patch
+Patch102: rtl8192_no_WAP_unassoc.patch
+Patch103: rtl8192_carrier_off.patch
# OKI device drivers -- posted upstream already
-Patch97: linux-2.6.34-pch-gbe.patch
-Patch98: linux-2.6.34-pch-i2c.patch
-Patch99: linux-2.6.34-pch-ieee1588.patch
-Patch100: linux-2.6.34-pch-pcieqos.patch
-Patch101: linux-2.6.34-pch-gpio.patch
-Patch102: linux-2.6.34-pch-spi.patch
-Patch103: linux-2.6.34-pch-usbdev.patch
-Patch104: linux-2.6.34-pch-can.patch
-Patch105: linux-2.6.34-pch-dma.patch
-Patch106: linux-2.6.34-pch-uart.patch
+Patch104: linux-2.6.34-pch-gbe.patch
+Patch105: linux-2.6.34-pch-i2c.patch
+Patch106: linux-2.6.34-pch-ieee1588.patch
+Patch107: linux-2.6.34-pch-pcieqos.patch
+Patch108: linux-2.6.34-pch-gpio.patch
+Patch109: linux-2.6.34-pch-spi.patch
+Patch110: linux-2.6.34-pch-usbdev.patch
+Patch111: linux-2.6.34-pch-can.patch
+Patch112: linux-2.6.34-pch-dma.patch
+Patch113: linux-2.6.34-pch-uart.patch
-Patch107: linux-2.6.34-stantum-multitouch-driver.patch
-Patch108: linux-2.6.34-fix-marvell-firmware-path.patch
+Patch114: linux-2.6.34-stantum-multitouch-driver.patch
+Patch115: linux-2.6.34-fix-marvell-firmware-path.patch
#
# ARM N900 patches
#
# Display
-Patch109: linux-2.6.35-OMAP-DSS2-Add-Kconfig-option-for-DPI-display-type.patch
-Patch110: linux-2.6.35-OMAP-DSS2-Use-vdds_sdi-regulator-supply-in-SDI.patch
-Patch111: linux-2.6.35-OMAP-DSS2-Add-ACX565AKM-Panel-Driver.patch
-Patch112: linux-2.6.35-OMAP-RX51-Add-LCD-Panel-support.patch
-Patch113: linux-2.6.35-OMAP-RX51-Add-vdds_sdi-supply-voltage-for-SDI.patch
-Patch114: linux-2.6.35-OMAP-RX51-Add-Touch-Controller-in-SPI-board-info.patch
+Patch116: linux-2.6.35-OMAP-DSS2-Add-Kconfig-option-for-DPI-display-type.patch
+Patch117: linux-2.6.35-OMAP-DSS2-Use-vdds_sdi-regulator-supply-in-SDI.patch
+Patch118: linux-2.6.35-OMAP-DSS2-Add-ACX565AKM-Panel-Driver.patch
+Patch119: linux-2.6.35-OMAP-RX51-Add-LCD-Panel-support.patch
+Patch120: linux-2.6.35-OMAP-RX51-Add-vdds_sdi-supply-voltage-for-SDI.patch
+Patch121: linux-2.6.35-OMAP-RX51-Add-Touch-Controller-in-SPI-board-info.patch
# Touch screen
-Patch115: linux-2.6.35-input-touchscreen-introduce-tsc2005-driver.patch
-Patch116: linux-2.6.35-omap-rx-51-enable-tsc2005.patch
+Patch122: linux-2.6.35-input-touchscreen-introduce-tsc2005-driver.patch
+Patch123: linux-2.6.35-omap-rx-51-enable-tsc2005.patch
# USB
-Patch117: linux-2.6.34-USB-gadget-introduce-g_nokia-gadget-driver.patch
-Patch118: linux-2.6.34-USB-otg-add-notifier-support.patch
+Patch124: linux-2.6.34-USB-gadget-introduce-g_nokia-gadget-driver.patch
+Patch125: linux-2.6.34-USB-otg-add-notifier-support.patch
# MeeGo bug 1268
-Patch119: linux-2.6.33-sched-ilb-logic.patch
+Patch126: linux-2.6.33-sched-ilb-logic.patch
# MeeGo bug 1269
-Patch120: linux-2.6.33-fix-wake-affine.patch
+Patch127: linux-2.6.33-fix-wake-affine.patch
# MeeGo bug 1271
-Patch121: linux-2.6.33-default-slack.patch
+Patch128: linux-2.6.33-default-slack.patch
# MeeGo bug 2168
-Patch122: linux-2.6.35-drm-i915-Add-CxSR-support-on-Pineview-DDR3.patch
+Patch129: linux-2.6.35-drm-i915-Add-CxSR-support-on-Pineview-DDR3.patch
# MeeGo bug 1566
-Patch123: linux-2.6.35-ath9k-led.patch
+Patch130: linux-2.6.35-ath9k-led.patch
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
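Review bot: Inserting Patch21 at the head of the CVE block shifts every later tag, so this hunk renumbers Patch45 through Patch123 to Patch52 through Patch130 with no change to any file name. The new numbers pair correctly with the %patch lines further down, but the seven real additions end up buried in several hundred lines of churn, and the renumbering will conflict with any other pending request that touches kernel.spec. If the packaging convention allows it, leaving gaps in the numbering after the CVE block would keep the next security backport to a handful of lines.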
@@ -605,57 +617,76 @@
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
-# linux-2.6.34-CVE-CIFS-Allow-null-nd-as-nfs-server-uses-on-create.patch
+
+#MeeGo Bug 8182 - CVE-2010-2478 [kernel] Integer overflow allows local users to cause a DoS or have unspecified other impact
+# linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch
%patch21 -p1
-# linux-2.6.34-CVE-sctp-Fix-skb_over_panic-resulting-from-multiple-inv.patch
+
+
+# linux-2.6.34-CVE-CIFS-Allow-null-nd-as-nfs-server-uses-on-create.patch
%patch22 -p1
-# linux-2.6.34-CVE-KEYS-find_keyring_by_name.patch
+# linux-2.6.34-CVE-sctp-Fix-skb_over_panic-resulting-from-multiple-inv.patch
%patch23 -p1
+# linux-2.6.34-CVE-KEYS-find_keyring_by_name.patch
+%patch24 -p1
+# linux-2.6.34-CVE-ext4-consolidate-in-range.patch
+%patch25 -p1
# linux-2.6.35-CVE-avoid-buffer-overflow-in-ecrptfs.patch
-%patch24 -p1
+%patch26 -p1
# linux-2.6.35-CVE-avoid_overwrite_appendonly_file.patch
-%patch25 -p1
+%patch27 -p1
# linux-2.6.35-CVE-C99-initializers-to-fix-act-polic-dump.patch
-%patch26 -p1
+%patch28 -p1
# linux-2.6.35-CVE-C99-initializers-to-fix-holes.patch
-%patch27 -p1
+%patch29 -p1
# linux-2.6.35-CVE-check-for-multiplication-overflow.patch
-%patch28 -p1
+%patch30 -p1
# linux-2.6.35-CVE-drm-stop-information-leak-of-old-kernel-stack.patch
-%patch29 -p1
+%patch31 -p1
# linux-2.6.35-CVE-enable-reproducer-programs.patch
-%patch30 -p1
+%patch32 -p1
# linux-2.6.35-CVE-fix-checks-in-BTRFS_IOC_CLONE_RANGE.patch
-%patch31 -p1
+%patch33 -p1
# linux-2.6.35-CVE-fix-double-free-at-snd_seq_oss_open.patch
-%patch32 -p1
+%patch34 -p1
# linux-2.6.35-CVE-fix-integer-overflow.patch
-%patch33 -p1
+%patch35 -p1
# linux-2.6.35-CVE-fix-malicious-redirect-problem-in-DNS-lookup.patch
-%patch34 -p1
+%patch36 -p1
# linux-2.6.35-CVE-fix-no-session-keyring.patch
-%patch35 -p1
+%patch37 -p1
# linux-2.6.35-CVE-fix-RCU-no-lock-warning.patch
-%patch36 -p1
+%patch38 -p1
# linux-2.6.35-CVE-initialize-structures-to-leverage-off-by-one-error.patch
-%patch37 -p1
+%patch39 -p1
# linux-2.6.35-CVE-irda-failure-handling.patch
-%patch38 -p1
+%patch40 -p1
# linux-2.6.35-CVE-not-allow-llseek-to-set_ftrace_filter.patch
-%patch39 -p1
+%patch41 -p1
# linux-2.6.35-CVE-prevent-reading-cxgb3-uninitialized-stack-memory.patch
-%patch40 -p1
+%patch42 -p1
# linux-2.6.35-CVE-prevent-reading-eql-uninitialized-stack-memory.patch
-%patch41 -p1
+%patch43 -p1
# linux-2.6.35-CVE-prevent-reading-hso-uninitialized-stack-memory.patch
-%patch42 -p1
+%patch44 -p1
# linux-2.6.35-CVE-xfs-prevent-reading-uninitialized-stack.patch
-%patch43 -p1
+%patch45 -p1
+# linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch
+%patch46 -p1
+
+# linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+%patch47 -p1
+# linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch
+%patch48 -p1
+# linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+%patch49 -p1
+# linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch
+%patch50 -p1
# MeeGo Bug #5212: Patch to fix backlight support missing in intel_opregion_init failure path
# linux-2.6.33-acpi-video-register.patch
-%patch44 -p1
+%patch51 -p1
#
# End of the "straight backport" patches
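Review bot: The new comment `#MeeGo Bug 8182 - CVE-2010-2478 ...` above %patch21 does not follow the form already used in this block, `# MeeGo Bug #5212: ...`, and it is surrounded by three empty added lines (one before the comment, two after `%patch21 -p1`). Align the comment format with the existing one and drop the extra blank lines; the same applies to the matching Patch21 declaration in the first kernel.spec hunk. The new %patch25 and %patch46 to %patch50 lines would also benefit from a bug and CVE comment here, as the file name alone does not identify the issue.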
@@ -665,65 +696,65 @@
# core architecture and other invasive patches go first, then minor tweaks
# linux-2.6.34-moorestown-platform-enabling.patch
-%patch45 -p1
+%patch52 -p1
# linux-2.6.34-moorestown-nand-driver-1.0.patch
-%patch46 -p1
+%patch53 -p1
# linux-2.6.34-moorestown-touchscreen-driver.patch
-%patch47 -p1
+%patch54 -p1
# linux-2.6.34-moorestown-still-image-gadget-driver.patch
-%patch48 -p1
+%patch55 -p1
# linux-2.6.35-moorestown-camera-driver-10.0-1-3.patch
-%patch49 -p1
+%patch56 -p1
# linux-2.6.35-moorestown-camera-driver-10.0-2-3.patch
-%patch50 -p1
+%patch57 -p1
# linux-2.6.35-moorestown-camera-driver-10.0-3-3.patch
-%patch51 -p1
+%patch58 -p1
# linux-2.6.34-moorestown-keypad-driver.patch
-%patch52 -p1
+%patch59 -p1
# linux-2.6.34-moorestown-audio-driver-5.0.patch
-%patch53 -p1
+%patch60 -p1
# linux-2.6.34-moorestown-ericsson-mbm-driver.patch
-%patch54 -p1
+%patch61 -p1
# linux-2.6.34-moorestown-langwell-dma-driver-3.0.patch
-%patch55 -p1
+%patch62 -p1
# linux-2.6.34-moorestown-sensor-driver-1.1.patch
-%patch56 -p1
+%patch63 -p1
# linux-2.6.34-moorestown-gpe-fix-for-sensor.patch
-%patch57 -p1
+%patch64 -p1
# linux-2.6.34-moorestown-analog-accelerometer-driver.patch
-%patch58 -p1
+%patch65 -p1
# linux-2.6.34-moorestown-pmic-battery-driver.patch
-%patch59 -p1
+%patch66 -p1
# linux-2.6.34-moorestown-thermal-emc1403-driver.patch
-%patch60 -p1
+%patch67 -p1
# linux-2.6.34-moorestown-spi-slave-controller-driver-1.1.patch
-%patch61 -p1
+%patch68 -p1
# linux-2.6.34-moorestown-gtm501l-driver-1.2.patch
-%patch62 -p1
+%patch69 -p1
# linux-2.6.34-moorestown-rar-handler-driver-3.1.patch
-%patch63 -p1
+%patch70 -p1
# linux-2.6.34-moorestown-ifxgps-driver.patch
-%patch64 -p1
+%patch71 -p1
# linux-2.6.34-moorestown-ipc-host-driver.patch
-%patch65 -p1
+%patch72 -p1
# linux-2.6.34-moorestown-mmc-driver-1.0.patch
-%patch66 -p1
+%patch73 -p1
# linux-2.6.34-moorestown-usb-otg-client-driver-3.0.patch
-%patch67 -p1
+%patch74 -p1
# linux-2.6.34-moorestown-usb-otg-transceiver-driver-1.0.patch
-%patch68 -p1
+%patch75 -p1
# linux-2.6.34-img-graphics-driver.patch
-%patch69 -p1
+%patch76 -p1
# linux-2.6.34-moorestown-aava-specific-changes.patch
-%patch70 -p1
+%patch77 -p1
# linux-2.6.34-moorestown-only-enable-mrst-pciquirks-on-mrst.patch
-%patch71 -p1
+%patch78 -p1
# linux-2.6.34-moorestown-fix-hw-qh-prefetch-bug.patch
-%patch72 -p1
+%patch79 -p1
#
@@ -731,111 +762,111 @@
# are done probing. This saves several seconds of boot time.
#
# linux-2.6.29-dont-wait-for-mouse.patch
-%patch73 -p1
+%patch80 -p1
#
# Patch to support the old sreadahead versions
#
# linux-2.6.29-sreadahead.patch
-%patch74 -p1
+%patch81 -p1
#
# KMS (note: upstream backports go in the backport section higher up!)
#
# linux-2.6.29-kms-edid-cache.patch
-%patch75 -p1
+%patch82 -p1
# linux-2.6.29-kms-run-async.patch
-%patch76 -p1
+%patch83 -p1
# linux-2.6.29-kms-after-sata.patch
-%patch77 -p1
+%patch84 -p1
#
# Quiet down some printks that shows up falsly during boot
#
# linux-2.6.29-silence-acer-message.patch
-%patch78 -p1
+%patch85 -p1
# linux-2.6.31-silence-wacom.patch
-%patch79 -p1
+%patch86 -p1
# Timberdale drivers
# linux-2.6.33-rc8-timberdale.patch
-%patch80 -p1
+%patch87 -p1
# linux-2.6.33-timberdale-audio-fix.patch
-%patch81 -p1
+%patch88 -p1
#
# USB Selective Suspend patches
#
# linux-2.6-driver-level-usb-autosuspend.patch
-%patch82 -p1
+%patch89 -p1
# linux-2.6-usb-uvc-autosuspend.patch
-%patch83 -p1
+%patch90 -p1
# linux-2.6-usb-bt-autosuspend.patch
-%patch84 -p1
+%patch91 -p1
# linux-2.6.33-usb-storage-suspend.patch
-%patch85 -p1
+%patch92 -p1
# linux-2.6.33-usb-storage-suspend-enable.patch
-%patch86 -p1
+%patch93 -p1
# linux-2.6.33-usb-suspend-hub.patch
-%patch87 -p1
+%patch94 -p1
#
# Patches to help PowerTOP
#
# linux-2.6.33-vfs-tracepoints.patch
-%patch88 -p1
+%patch95 -p1
# linux-2.6.33-ahci-alpm-accounting.patch
-%patch89 -p1
+%patch96 -p1
# linux-2.6.33-ahci-fix-oops-on-dummy-port.patch
-%patch90 -p1
+%patch97 -p1
# two patches to expose driver state to powertop
# linux-2.6.33-drm-fbc-status.patch
# linux-2.6.33-drm-sr-status.patch
# spurious debug spew
# linux-2.6.34-rt2860-no-debug.patch
-%patch91 -p1
+%patch98 -p1
# Fix 2 bugs in the rt2860 driver
# linux-2.6.33-rt2860-1-2.patch
-%patch92 -p1
+%patch99 -p1
# linux-2.6.33-rt2860-2-2.patch
-%patch93 -p1
+%patch100 -p1
# Patchset from Sam to fix MB#6315
# rtl8192_no_autoconnect.patch
-%patch94 -p1
+%patch101 -p1
# rtl8192_no_WAP_unassoc.patch
-%patch95 -p1
+%patch102 -p1
# rtl8192_carrier_off.patch
-%patch96 -p1
+%patch103 -p1
# OKI device drivers -- posted upstream already
# linux-2.6.34-pch-gbe.patch
-%patch97 -p1
+%patch104 -p1
# linux-2.6.34-pch-i2c.patch
-%patch98 -p1
+%patch105 -p1
# linux-2.6.34-pch-ieee1588.patch
-%patch99 -p1
+%patch106 -p1
# linux-2.6.34-pch-pcieqos.patch
-%patch100 -p1
+%patch107 -p1
# linux-2.6.34-pch-gpio.patch
-%patch101 -p1
+%patch108 -p1
# linux-2.6.34-pch-spi.patch
-%patch102 -p1
+%patch109 -p1
# linux-2.6.34-pch-usbdev.patch
-%patch103 -p1
+%patch110 -p1
# linux-2.6.34-pch-can.patch
-%patch104 -p1
+%patch111 -p1
# linux-2.6.34-pch-dma.patch
-%patch105 -p1
+%patch112 -p1
# linux-2.6.34-pch-uart.patch
-%patch106 -p1
+%patch113 -p1
# linux-2.6.34-stantum-multitouch-driver.patch
-%patch107 -p1
+%patch114 -p1
# linux-2.6.34-fix-marvell-firmware-path.patch
-%patch108 -p1
+%patch115 -p1
#
# ARM N900 patches
@@ -843,47 +874,47 @@
# Display
# linux-2.6.35-OMAP-DSS2-Add-Kconfig-option-for-DPI-display-type.patch
-%patch109 -p1
+%patch116 -p1
# linux-2.6.35-OMAP-DSS2-Use-vdds_sdi-regulator-supply-in-SDI.patch
-%patch110 -p1
+%patch117 -p1
# linux-2.6.35-OMAP-DSS2-Add-ACX565AKM-Panel-Driver.patch
-%patch111 -p1
+%patch118 -p1
# linux-2.6.35-OMAP-RX51-Add-LCD-Panel-support.patch
-%patch112 -p1
+%patch119 -p1
# linux-2.6.35-OMAP-RX51-Add-vdds_sdi-supply-voltage-for-SDI.patch
-%patch113 -p1
+%patch120 -p1
# linux-2.6.35-OMAP-RX51-Add-Touch-Controller-in-SPI-board-info.patch
-%patch114 -p1
+%patch121 -p1
# Touch screen
# linux-2.6.35-input-touchscreen-introduce-tsc2005-driver.patch
-%patch115 -p1
+%patch122 -p1
# linux-2.6.35-omap-rx-51-enable-tsc2005.patch
-%patch116 -p1
+%patch123 -p1
# USB
# linux-2.6.34-USB-gadget-introduce-g_nokia-gadget-driver.patch
-%patch117 -p1
+%patch124 -p1
# linux-2.6.34-USB-otg-add-notifier-support.patch
-%patch118 -p1
+%patch125 -p1
# MeeGo bug 1268
# linux-2.6.33-sched-ilb-logic.patch
-%patch119 -p1
+%patch126 -p1
# MeeGo bug 1269
# linux-2.6.33-fix-wake-affine.patch
-%patch120 -p1
+%patch127 -p1
# MeeGo bug 1271
# linux-2.6.33-default-slack.patch
-%patch121 -p1
+%patch128 -p1
# MeeGo bug 2168
# linux-2.6.35-drm-i915-Add-CxSR-support-on-Pineview-DDR3.patch
-%patch122 -p1
+%patch129 -p1
# MeeGo bug 1566
# linux-2.6.35-ath9k-led.patch
-%patch123 -p1
+%patch130 -p1
cd ..
other changes:
--------------
++++++ linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch (new)
--- linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch
+++ linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch
+From db048b69037e7fa6a7d9e95a1271a50dc08ae233 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <bhutchings at solarflare.com>
+Date: Mon, 28 Jun 2010 08:44:07 +0000
+Subject: [PATCH 1/1] ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL
+
+On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer
+overflow and the buffer may be smaller than needed. Since
+ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at
+least denial of service.
+
+Signed-off-by: Ben Hutchings <bhutchings at solarflare.com>
+Cc: stable at kernel.org
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/core/ethtool.c | 5 +++--
+ 1 files changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/core/ethtool.c b/net/core/ethtool.c
+index a0f4964..a3a7e9a 100644
+--- a/net/core/ethtool.c
++++ b/net/core/ethtool.c
+@@ -347,8 +347,9 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
+
+ if (info.cmd == ETHTOOL_GRXCLSRLALL) {
+ if (info.rule_cnt > 0) {
+- rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
+- GFP_USER);
++ if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32))
++ rule_buf = kmalloc(info.rule_cnt * sizeof(u32),
++ GFP_USER);
+ if (!rule_buf)
+ return -ENOMEM;
+ }
+--
+1.7.3.2
+
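Review bot: In the ethtool_get_rxnfc() hunk the new bound check skips the kmalloc() when info.rule_cnt exceeds KMALLOC_MAX_SIZE / sizeof(u32), and the rejection then relies on the following `if (!rule_buf) return -ENOMEM;`. That only works if rule_buf is initialised to NULL before this block, which the hunk does not show; please confirm it in the 2.6.33 source this backport is applied to. An oversized count from user space is also reported as -ENOMEM rather than -EINVAL, which is acceptable but worth knowing when testing the fix. kcalloc(info.rule_cnt, sizeof(u32), GFP_USER) would express the same multiplication check in a single call, at the cost of zeroing the buffer.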
++++++ linux-2.6.34-CVE-ext4-consolidate-in-range.patch (new)
--- linux-2.6.34-CVE-ext4-consolidate-in-range.patch
+++ linux-2.6.34-CVE-ext4-consolidate-in-range.patch
+From 731eb1a03a8445cde2cb23ecfb3580c6fa7bb690 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita at gmail.com>
+Date: Wed, 3 Mar 2010 23:55:01 -0500
+Subject: [PATCH] ext4: consolidate in_range() definitions
+
+There are duplicate macro definitions of in_range() in mballoc.h and
+balloc.c. This consolidates these two definitions into ext4.h, and
+changes extents.c to use in_range() as well.
+
+Signed-off-by: Akinobu Mita <akinobu.mita at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Cc: Andreas Dilger <adilger at sun.com>
+---
+ fs/ext4/balloc.c | 3 ---
+ fs/ext4/ext4.h | 2 ++
+ fs/ext4/extents.c | 4 ++--
+ fs/ext4/mballoc.h | 2 --
+ 4 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index fadbc4d..d2f37a5 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -188,9 +188,6 @@ unsigned ext4_init_block_bitmap(struct super_block *sb, struct buffer_head *bh,
+ * when a file system is mounted (see ext4_fill_super).
+ */
+
+-
+-#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ /**
+ * ext4_get_group_desc() -- load group descriptor from disk
+ * @sb: super block
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 3d85bbb..9b17916 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1819,6 +1819,8 @@ static inline void set_bitmap_uptodate(struct buffer_head *bh)
+ set_bit(BH_BITMAP_UPTODATE, &(bh)->b_state);
+ }
+
++#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _EXT4_H */
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 3c0bae1..94c8ee8 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -2051,7 +2051,7 @@ ext4_ext_in_cache(struct inode *inode, ext4_lblk_t block,
+
+ BUG_ON(cex->ec_type != EXT4_EXT_CACHE_GAP &&
+ cex->ec_type != EXT4_EXT_CACHE_EXTENT);
+- if (block >= cex->ec_block && block < cex->ec_block + cex->ec_len) {
++ if (in_range(block, cex->ec_block, cex->ec_len)) {
+ ex->ee_block = cpu_to_le32(cex->ec_block);
+ ext4_ext_store_pblock(ex, cex->ec_start);
+ ex->ee_len = cpu_to_le16(cex->ec_len);
+@@ -3364,7 +3364,7 @@ int ext4_ext_get_blocks(handle_t *handle, struct inode *inode,
+ */
+ ee_len = ext4_ext_get_actual_len(ex);
+ /* if found extent covers block, simply return it */
+- if (iblock >= ee_block && iblock < ee_block + ee_len) {
++ if (in_range(iblock, ee_block, ee_len)) {
+ newblock = iblock - ee_block + ee_start;
+ /* number of remaining blocks in the extent */
+ allocated = ee_len - (iblock - ee_block);
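Review bot: The two fs/ext4/extents.c replacements are not the pure consolidation the commit message describes: `block < cex->ec_block + cex->ec_len` and `(b) <= (first) + (len) - 1` give different answers when first + len wraps around, and, with unsigned operands, when first and len are both 0. That behavioural change is presumably why the patch sits in the CVE block, so the patch header or the spec comment should say so and name the bug number it closes. Also note that in_range() evaluates `b` and `first` twice, so its arguments must stay free of side effects; the two call sites here are.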
+diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
+index 9b2deed..b619322 100644
+--- a/fs/ext4/mballoc.h
++++ b/fs/ext4/mballoc.h
+@@ -220,8 +220,6 @@ struct ext4_buddy {
+ #define EXT4_MB_BITMAP(e4b) ((e4b)->bd_bitmap)
+ #define EXT4_MB_BUDDY(e4b) ((e4b)->bd_buddy)
+
+-#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ static inline ext4_fsblk_t ext4_grp_offs_to_block(struct super_block *sb,
+ struct ext4_free_extent *fex)
+ {
+--
+1.7.3.2
+
++++++ linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch (new)
--- linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch
+++ linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch
+From aca0fa34bdaba39bfddddba8ca70dba4782e8fe6 Mon Sep 17 00:00:00 2001
+From: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+Date: Mon, 9 Aug 2010 15:57:38 -0500
+Subject: [PATCH] jfs: don't allow os2 xattr namespace overlap with others
+
+It's currently possible to bypass xattr namespace access rules by
+prefixing valid xattr names with "os2.", since the os2 namespace stores
+extended attributes in a legacy format with no prefix.
+
+This patch adds checking to deny access to any valid namespace prefix
+following "os2.".
+
+Signed-off-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+Reported-by: Sergey Vlasov <vsu at altlinux.ru>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ fs/jfs/xattr.c | 87 ++++++++++++++++++++++++-------------------------------
+ 1 files changed, 38 insertions(+), 49 deletions(-)
+
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index fa96bbb..2d7f165 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -86,46 +86,25 @@ struct ea_buffer {
+ #define EA_MALLOC 0x0008
+
+
++static int is_known_namespace(const char *name)
++{
++ if (strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) &&
++ strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
++ strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
++ strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
++ return false;
++
++ return true;
++}
++
+ /*
+ * These three routines are used to recognize on-disk extended attributes
+ * that are in a recognized namespace. If the attribute is not recognized,
+ * "os2." is prepended to the name
+ */
+-static inline int is_os2_xattr(struct jfs_ea *ea)
++static int is_os2_xattr(struct jfs_ea *ea)
+ {
+- /*
+- * Check for "system."
+- */
+- if ((ea->namelen >= XATTR_SYSTEM_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+- return false;
+- /*
+- * Check for "user."
+- */
+- if ((ea->namelen >= XATTR_USER_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+- return false;
+- /*
+- * Check for "security."
+- */
+- if ((ea->namelen >= XATTR_SECURITY_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_SECURITY_PREFIX,
+- XATTR_SECURITY_PREFIX_LEN))
+- return false;
+- /*
+- * Check for "trusted."
+- */
+- if ((ea->namelen >= XATTR_TRUSTED_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
+- return false;
+- /*
+- * Add any other valid namespace prefixes here
+- */
+-
+- /*
+- * We assume it's OS/2's flat namespace
+- */
+- return true;
++ return !is_known_namespace(ea->name);
+ }
+
+ static inline int name_size(struct jfs_ea *ea)
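Review bot: is_os2_xattr() now calls is_known_namespace(ea->name) without the ea->namelen >= ..._PREFIX_LEN tests that the removed code ran before each strncmp(), so the on-disk name is compared for up to the prefix length regardless of its recorded length. That is only safe if ea->name is always NUL-terminated inside the EA buffer; either state that invariant in a comment on is_known_namespace() or pass namelen through and keep the bound. Minor: both functions are declared int but return true/false, so bool would be the clearer return type.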
+@@ -764,13 +743,23 @@ static int can_set_xattr(struct inode *inode, const char *name,
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return can_set_system_xattr(inode, name, value, value_len);
+
++ if (!strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)) {
++ /*
++ * This makes sure that we aren't trying to set an
++ * attribute in a different namespace by prefixing it
++ * with "os2."
++ */
++ if (is_known_namespace(name + XATTR_OS2_PREFIX_LEN))
++ return -EOPNOTSUPP;
++ return 0;
++ }
++
+ /*
+ * Don't allow setting an attribute in an unknown namespace.
+ */
+ if (strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) &&
+ strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
+- strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
+- strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN))
++ strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ return -EOPNOTSUPP;
+
+ return 0;
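Review bot: in the new os2 branch of can_set_xattr(), a name of exactly "os2." is accepted: name + XATTR_OS2_PREFIX_LEN is then the empty string, is_known_namespace() returns false for it, and the branch returns 0. Consider rejecting an empty remainder explicitly in this branch so that an attribute with a zero-length OS/2 name cannot be set through it.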
+@@ -952,19 +941,8 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
+ int xattr_size;
+ ssize_t size;
+ int namelen = strlen(name);
+- char *os2name = NULL;
+ char *value;
+
+- if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
+- os2name = kmalloc(namelen - XATTR_OS2_PREFIX_LEN + 1,
+- GFP_KERNEL);
+- if (!os2name)
+- return -ENOMEM;
+- strcpy(os2name, name + XATTR_OS2_PREFIX_LEN);
+- name = os2name;
+- namelen -= XATTR_OS2_PREFIX_LEN;
+- }
+-
+ down_read(&JFS_IP(inode)->xattr_sem);
+
+ xattr_size = ea_get(inode, &ea_buf, 0);
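Review bot: with the prefix stripping removed here, __jfs_getxattr() no longer handles "os2."-prefixed names and depends on its caller to strip and validate them, but nothing at the function says so. Add a comment on __jfs_getxattr() stating that name must already be in its on-disk form, and confirm that any other caller of it passes names that way.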
+@@ -1002,8 +980,6 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
+ out:
+ up_read(&JFS_IP(inode)->xattr_sem);
+
+- kfree(os2name);
+-
+ return size;
+ }
+
+@@ -1012,6 +988,19 @@ ssize_t jfs_getxattr(struct dentry *dentry, const char *name, void *data,
+ {
+ int err;
+
++ if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
++ /*
++ * skip past "os2." prefix
++ */
++ name += XATTR_OS2_PREFIX_LEN;
++ /*
++ * Don't allow retrieving properly prefixed attributes
++ * by prepending them with "os2."
++ */
++ if (is_known_namespace(name))
++ return -EOPNOTSUPP;
++ }
++
+ err = __jfs_getxattr(dentry->d_inode, name, data, buf_size);
+
+ return err;
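Review bot: the strip-then-is_known_namespace() test in jfs_getxattr() repeats the logic added to can_set_xattr() in a slightly different shape (the pointer is advanced here, an offset is passed there). A single helper that takes the full name and yields the stripped name or an error would keep the get and set paths from drifting apart.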
+--
+1.7.3.2
+
++++++ linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch (new)
--- linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch
+++ linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch
+From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Tue, 28 Sep 2010 14:18:20 -0400
+Subject: [PATCH] ALSA: prevent heap corruption in snd_ctl_new()
+
+The snd_ctl_new() function in sound/core/control.c allocates space for a
+snd_kcontrol struct by performing arithmetic operations on a
+user-provided size without checking for integer overflow. If a user
+provides a large enough size, an overflow will occur, the allocated
+chunk will be too small, and a second user-influenced value will be
+written repeatedly past the bounds of this chunk. This code is
+reachable by unprivileged users who have permission to open
+a /dev/snd/controlC* device (on many distros, this is group "audio") via
+the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/control.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 070aab4..45a8180 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
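Review bot: MAX_CONTROL_COUNT is defined as 1028 with no comment, and the value is not a power of two and is not tied to anything visible in this file. Add a one-line comment giving the reason for the limit, as the neighbouring MAX_USER_CONTROLS has, so that a later reader can tell that 1028 is deliberate.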
+@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
+
+ if (snd_BUG_ON(!control || !control->count))
+ return NULL;
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
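Review bot: the new control->count > MAX_CONTROL_COUNT check in snd_ctl_new() returns NULL silently, so callers cannot tell it apart from the kzalloc() failure just below, and unlike that path it logs nothing. Since this check is the only guard on the sizeof(struct snd_kcontrol_volatile) * control->count multiplication, add a comment saying so, and consider a way for the caller to report an invalid count rather than an allocation failure.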
+--
+1.7.3.2
+
++++++ linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch (new)
--- linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+++ linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+--- a/drivers/net/niu.c 2010-02-25 02:52:17.000000000 +0800
++++ b/drivers/net/niu.c 2010-11-29 16:45:24.911674280 +0800
+@@ -7311,33 +7311,29 @@
+ struct niu_parent *parent = np->parent;
+ struct niu_tcam_entry *tp;
+ int i, idx, cnt;
+- u16 n_entries;
+ unsigned long flags;
+
++ int ret = 0;
+
+ /* put the tcam size here */
+ nfc->data = tcam_get_size(np);
+
+ niu_lock_parent(np, flags);
+- n_entries = nfc->rule_cnt;
+ for (cnt = 0, i = 0; i < nfc->data; i++) {
+ idx = tcam_get_index(np, i);
+ tp = &parent->tcam[idx];
+ if (!tp->valid)
+ continue;
++ if (cnt == nfc->rule_cnt) {
++ ret = -EMSGSIZE;
++ break;
++ }
+ rule_locs[cnt] = i;
+ cnt++;
+ }
+ niu_unlock_parent(np, flags);
+
+- if (n_entries != cnt) {
+- /* print warning, this should not happen */
+- pr_info(PFX "niu%d: %s In niu_get_ethtool_tcam_all, "
+- "n_entries[%d] != cnt[%d]!!!\n\n",
+- np->parent->index, np->dev->name, n_entries, cnt);
+- }
+-
+- return 0;
++ return ret;
+ }
+
+ static int niu_get_nfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
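Review bot: when the loop finishes without hitting the new cnt == nfc->rule_cnt bound, cnt can be smaller than nfc->rule_cnt, and with the n_entries comparison removed nothing tells the caller how many rule_locs[] entries were actually written. Setting nfc->rule_cnt = cnt before return ret would report that. This patch file also has no From/Subject/Signed-off-by header, unlike the other backports in this request, so the upstream commit it was taken from should be recorded in it.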
++++++ linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch (new)
--- linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+++ linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+From 252a52aa4fa22a668f019e55b3aac3ff71ec1c29 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon, 27 Sep 2010 12:30:28 -0400
+Subject: [PATCH] Fix pktcdvd ioctl dev_minor range check
+
+The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+pktcdvd_device from the global pkt_devs array. The index into this
+array is provided directly by the user and is a signed integer, so the
+comparison to ensure that it falls within the bounds of this array will
+fail when provided with a negative index.
+
+This can be used to read arbitrary kernel memory or cause a crash due to
+an invalid pointer dereference. This can be exploited by users with
+permission to open /dev/pktcdvd/control (on many distributions, this is
+readable by group "cdrom").
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+[ Rather than add a cast, just make the function take the right type -Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ drivers/block/pktcdvd.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index b1cbeb5..37a2bb5 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2369,7 +2369,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
+ pkt_shrink_pktlist(pd);
+ }
+
+-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
++static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
+ {
+ if (dev_minor >= MAX_WRITERS)
+ return NULL;
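Review bot: the fix in pkt_find_dev_from_minor() depends entirely on the parameter being unsigned, yet the dev_minor >= MAX_WRITERS test itself is unchanged and carries no comment, so a later change of the type back to int would silently reopen the negative-index case the commit message describes. Add a comment at the check noting that negative values from userspace arrive as large unsigned values and are rejected there.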
+--
+1.7.3.2
+
++++++ linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch (new)
--- linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch
+++ linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch
+From 9828e6e6e3f19efcb476c567b9999891d051f52f Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem at davemloft.net>
+Date: Mon, 20 Sep 2010 15:40:35 -0700
+Subject: [PATCH] rose: Fix signedness issues wrt. digi count.
+
+Just use explicit casts, since we really can't change the
+types of structures exported to userspace which have been
+around for 15 years or so.
+
+Reported-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rose/af_rose.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 8e45e76..d952e7e 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -679,7 +679,7 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+ return -EINVAL;
+
+- if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++ if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+ return -EINVAL;
+
+ if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
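Review bot: the (unsigned int) cast on addr->srose_ndigis in rose_bind() looks redundant to anyone who has not read the commit message, and there is no comment at the check explaining that it is what rejects negative counts. A short comment there, noting that the field's type cannot change because the structure is exported to userspace, would keep the cast from being dropped in a later cleanup.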
+@@ -739,7 +739,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+ return -EINVAL;
+
+- if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++ if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+ return -EINVAL;
+
+ /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
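Review bot: rose_connect() now carries the same cast-and-compare line as rose_bind(), so the validation of srose_ndigis is open-coded twice. A small static helper used by both functions would keep the two checks identical.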
+--
+1.7.3.2
+
++++++ series
--- series
+++ series
@@ -57,9 +57,15 @@
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
+
+#MeeGo Bug 8182 - CVE-2010-2478 [kernel] Integer overflow allows local users to cause a DoS or have unspecified other impact
+linux-2.6.33-CVE-fix-ETHTOOL_GRXCLSRLALL-overflow.patch
+
+
linux-2.6.34-CVE-CIFS-Allow-null-nd-as-nfs-server-uses-on-create.patch
linux-2.6.34-CVE-sctp-Fix-skb_over_panic-resulting-from-multiple-inv.patch
linux-2.6.34-CVE-KEYS-find_keyring_by_name.patch
+linux-2.6.34-CVE-ext4-consolidate-in-range.patch
linux-2.6.35-CVE-avoid-buffer-overflow-in-ecrptfs.patch
linux-2.6.35-CVE-avoid_overwrite_appendonly_file.patch
@@ -81,6 +87,12 @@
linux-2.6.35-CVE-prevent-reading-eql-uninitialized-stack-memory.patch
linux-2.6.35-CVE-prevent-reading-hso-uninitialized-stack-memory.patch
linux-2.6.35-CVE-xfs-prevent-reading-uninitialized-stack.patch
+linux-2.6.35-CVE-dont-allow-os2-xattr-ns-overlap.patch
+
+linux-2.6.36-CVE-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+linux-2.6.36-CVE-fix-signedness-issues-in-af_rose.patch
+linux-2.6.36-CVE-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+linux-2.6.36-CVE-alsa-prevent-heap-corruption.patch
# MeeGo Bug #5212: Patch to fix backlight support missing in intel_opregion_init failure path
linux-2.6.33-acpi-video-register.patch
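Review bot: the patch entries added without a comment (the ext4 one in the first hunk and the five in this hunk) do not say which bug or CVE they fix, while the ETHTOOL_GRXCLSRLALL entry has a "#MeeGo Bug 8182 - CVE-2010-2478" line above it. Add the matching bug and CVE line above each new entry so the series file maps every patch to one of the bugs listed in the changelog.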