[meego-commits] 15295: Changes to MeeGo:1.1:Core:Update:Testing/kernel
jieyang
no_reply at build.meego.com
Mon Mar 28 02:20:00 UTC 2011
Hi,
I have made the following changes to kernel in project MeeGo:1.1:Core:Update:Testing. Please review and accept ASAP.
Thank You,
jieyang
[This message was auto-generated]
---
Request #15295:
submit: home:jieyang:branches:MeeGo:1.1:Core:Update:Testing/kernel(r3)(cleanup) -> MeeGo:1.1:Core:Update:Testing/kernel
Message:
Backport CVE kernel patches to 2.6.35 for #BMC 6474 8378 8392 8393 8377
State: new 2011-03-27T19:19:54 jieyang
Comment: None
changes files:
--------------
--- kernel.changes
+++ kernel.changes
@@ -0,0 +1,3 @@
+* Mon May 28 2011 Jie Yang <yang.jie at intel.com> 2.6.35.3
+- Backport CVE kernel patches to 2.6.35 for #BMC 6474 8378 8392 8393 8377
+
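Review bot: The new changelog entry is dated "Mon May 28 2011", but this request was filed on Mon Mar 28 2011, so the month looks like a typo for Mar and should be corrected before acceptance. The entry also lists only the five BMC bug numbers. Naming the CVE identifier and patch file that closes each bug would let someone auditing the package later confirm which fix covers which issue.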
new:
----
linux-2.6.35-irda-failure-handling.patch
linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
spec files:
-----------
--- kernel-ivi.spec
+++ kernel-ivi.spec
@@ -185,13 +185,19 @@
Patch101: linux-2.6.36-battery.patch
Patch102: linux-2.6.36-battery2.patch
+Patch103: linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+Patch104: linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+Patch105: linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+Patch106: linux-2.6.35-irda-failure-handling.patch
+Patch107: linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
# cherry picking the important security/corruption fixes from
# the stable series
-Patch103: linux-2.6.35-stable-cherry-picks.patch
+Patch108: linux-2.6.35-stable-cherry-picks.patch
#
# End of the Direct Backports section
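Review bot: Patch103 to Patch107 are added above the "Kernel CVE patches - these go last in the backport section" comment, although the request message describes them as CVE backports. Only the renumbered Patch108 remains under that heading. Either move the five new entries below the comment, or reword the comment so the section boundary still tells a maintainer where security fixes live. The same placement is repeated in the other spec files and in the series file.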
@@ -581,6 +587,17 @@
# linux-2.6.36-battery2.patch
%patch102 -p1
+# linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+%patch103 -p1
+# linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+%patch104 -p1
+# linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+%patch105 -p1
+# linux-2.6.35-irda-failure-handling.patch
+%patch106 -p1
+# linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+%patch107 -p1
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
@@ -588,7 +605,7 @@
# the stable series
# linux-2.6.35-stable-cherry-picks.patch
-%patch103 -p1
+%patch108 -p1
#
# End of the Direct Backports section
--- kernel-mrst.spec
+++ kernel-mrst.spec
@@ -186,13 +186,19 @@
Patch101: linux-2.6.36-battery.patch
Patch102: linux-2.6.36-battery2.patch
+Patch103: linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+Patch104: linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+Patch105: linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+Patch106: linux-2.6.35-irda-failure-handling.patch
+Patch107: linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
# cherry picking the important security/corruption fixes from
# the stable series
-Patch103: linux-2.6.35-stable-cherry-picks.patch
+Patch108: linux-2.6.35-stable-cherry-picks.patch
#
# End of the Direct Backports section
@@ -582,6 +588,17 @@
# linux-2.6.36-battery2.patch
%patch102 -p1
+# linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+%patch103 -p1
+# linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+%patch104 -p1
+# linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+%patch105 -p1
+# linux-2.6.35-irda-failure-handling.patch
+%patch106 -p1
+# linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+%patch107 -p1
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
@@ -589,7 +606,7 @@
# the stable series
# linux-2.6.35-stable-cherry-picks.patch
-%patch103 -p1
+%patch108 -p1
#
# End of the Direct Backports section
--- kernel-n900.spec
+++ kernel-n900.spec
@@ -185,13 +185,19 @@
Patch101: linux-2.6.36-battery.patch
Patch102: linux-2.6.36-battery2.patch
+Patch103: linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+Patch104: linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+Patch105: linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+Patch106: linux-2.6.35-irda-failure-handling.patch
+Patch107: linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
# cherry picking the important security/corruption fixes from
# the stable series
-Patch103: linux-2.6.35-stable-cherry-picks.patch
+Patch108: linux-2.6.35-stable-cherry-picks.patch
#
# End of the Direct Backports section
@@ -581,6 +587,17 @@
# linux-2.6.36-battery2.patch
%patch102 -p1
+# linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+%patch103 -p1
+# linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+%patch104 -p1
+# linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+%patch105 -p1
+# linux-2.6.35-irda-failure-handling.patch
+%patch106 -p1
+# linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+%patch107 -p1
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
@@ -588,7 +605,7 @@
# the stable series
# linux-2.6.35-stable-cherry-picks.patch
-%patch103 -p1
+%patch108 -p1
#
# End of the Direct Backports section
--- kernel-netbook.spec
+++ kernel-netbook.spec
@@ -185,13 +185,19 @@
Patch101: linux-2.6.36-battery.patch
Patch102: linux-2.6.36-battery2.patch
+Patch103: linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+Patch104: linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+Patch105: linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+Patch106: linux-2.6.35-irda-failure-handling.patch
+Patch107: linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
# cherry picking the important security/corruption fixes from
# the stable series
-Patch103: linux-2.6.35-stable-cherry-picks.patch
+Patch108: linux-2.6.35-stable-cherry-picks.patch
#
# End of the Direct Backports section
@@ -581,6 +587,17 @@
# linux-2.6.36-battery2.patch
%patch102 -p1
+# linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+%patch103 -p1
+# linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+%patch104 -p1
+# linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+%patch105 -p1
+# linux-2.6.35-irda-failure-handling.patch
+%patch106 -p1
+# linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+%patch107 -p1
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
@@ -588,7 +605,7 @@
# the stable series
# linux-2.6.35-stable-cherry-picks.patch
-%patch103 -p1
+%patch108 -p1
#
# End of the Direct Backports section
--- kernel.spec
+++ kernel.spec
@@ -197,13 +197,19 @@
Patch101: linux-2.6.36-battery.patch
Patch102: linux-2.6.36-battery2.patch
+Patch103: linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+Patch104: linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+Patch105: linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+Patch106: linux-2.6.35-irda-failure-handling.patch
+Patch107: linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
# cherry picking the important security/corruption fixes from
# the stable series
-Patch103: linux-2.6.35-stable-cherry-picks.patch
+Patch108: linux-2.6.35-stable-cherry-picks.patch
#
# End of the Direct Backports section
@@ -623,6 +629,17 @@
# linux-2.6.36-battery2.patch
%patch102 -p1
+# linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+%patch103 -p1
+# linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+%patch104 -p1
+# linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+%patch105 -p1
+# linux-2.6.35-irda-failure-handling.patch
+%patch106 -p1
+# linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+%patch107 -p1
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!
@@ -630,7 +647,7 @@
# the stable series
# linux-2.6.35-stable-cherry-picks.patch
-%patch103 -p1
+%patch108 -p1
#
# End of the Direct Backports section
other changes:
--------------
++++++ linux-2.6.35-irda-failure-handling.patch (new)
--- linux-2.6.35-irda-failure-handling.patch
+++ linux-2.6.35-irda-failure-handling.patch
+diff -urN linux-2.6.33-orig/net/irda/af_irda.c linux-2.6.33/net/irda/af_irda.c
+--- linux-2.6.33-orig/net/irda/af_irda.c 2010-02-25 02:52:17.000000000 +0800
++++ linux-2.6.33/net/irda/af_irda.c 2010-10-26 09:17:42.000000000 +0800
+@@ -823,8 +823,8 @@
+
+ err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
+ if (err < 0) {
+- kfree(self->ias_obj->name);
+- kfree(self->ias_obj);
++ irias_delete_object(self->ias_obj);
++ self->ias_obj = NULL;
+ goto out;
+ }
+
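Review bot: This patch file has no description, author, sign-off or upstream commit reference, and its diff headers name linux-2.6.33 although the file name says 2.6.35. The other backports in this request carry their upstream headers. Please add a header that states the bug being fixed and where the change came from, and confirm that it was generated against the 2.6.35 tree. In the hunk itself, setting self->ias_obj to NULL after irias_delete_object() is the right way to avoid leaving a stale pointer on the error path.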
++++++ linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch (new)
--- linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+++ linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+--- a/drivers/net/niu.c 2010-08-02 06:11:14.000000000 +0800
++++ b/drivers/net/niu.c 2011-03-28 09:51:33.839777587 +0800
+@@ -7270,32 +7270,29 @@
+ struct niu_parent *parent = np->parent;
+ struct niu_tcam_entry *tp;
+ int i, idx, cnt;
+- u16 n_entries;
+ unsigned long flags;
+
++ int ret = 0;
+
+ /* put the tcam size here */
+ nfc->data = tcam_get_size(np);
+
+ niu_lock_parent(np, flags);
+- n_entries = nfc->rule_cnt;
+ for (cnt = 0, i = 0; i < nfc->data; i++) {
+ idx = tcam_get_index(np, i);
+ tp = &parent->tcam[idx];
+ if (!tp->valid)
+ continue;
++ if (cnt == nfc->rule_cnt) {
++ ret = -EMSGSIZE;
++ break;
++ }
+ rule_locs[cnt] = i;
+ cnt++;
+ }
+ niu_unlock_parent(np, flags);
+
+- if (n_entries != cnt) {
+- /* print warning, this should not happen */
+- netdev_info(np->dev, "niu%d: In %s(): n_entries[%d] != cnt[%d]!!!\n",
+- np->parent->index, __func__, n_entries, cnt);
+- }
+-
+- return 0;
++ return ret;
+ }
+
+ static int niu_get_nfc(struct net_device *dev, struct ethtool_rxnfc *cmd,
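Review bot: After the loop, cnt is never reported back to the caller, and the old n_entries mismatch warning is removed. If fewer valid TCAM entries exist than nfc->rule_cnt, the function returns 0 with no indication of how many rule_locs slots were actually filled. Consider writing the final cnt back into nfc->rule_cnt, or confirm that the caller does not rely on the original value. The new "int ret = 0;" also sits after a blank line, apart from the other local declarations, and this patch file lacks the description and upstream commit reference that the other backports carry.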
++++++ linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch (new)
--- linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+++ linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+From 5591bf07225523600450edd9e6ad258bb877b779 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Tue, 28 Sep 2010 14:18:20 -0400
+Subject: [PATCH] ALSA: prevent heap corruption in snd_ctl_new()
+
+The snd_ctl_new() function in sound/core/control.c allocates space for a
+snd_kcontrol struct by performing arithmetic operations on a
+user-provided size without checking for integer overflow. If a user
+provides a large enough size, an overflow will occur, the allocated
+chunk will be too small, and a second user-influenced value will be
+written repeatedly past the bounds of this chunk. This code is
+reachable by unprivileged users who have permission to open
+a /dev/snd/controlC* device (on many distros, this is group "audio") via
+the SNDRV_CTL_IOCTL_ELEM_ADD and SNDRV_CTL_IOCTL_ELEM_REPLACE ioctls.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: <stable at kernel.org>
+Signed-off-by: Takashi Iwai <tiwai at suse.de>
+---
+ sound/core/control.c | 5 +++++
+ 1 files changed, 5 insertions(+), 0 deletions(-)
+
+diff --git a/sound/core/control.c b/sound/core/control.c
+index 070aab4..45a8180 100644
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -31,6 +31,7 @@
+
+ /* max number of user-defined controls */
+ #define MAX_USER_CONTROLS 32
++#define MAX_CONTROL_COUNT 1028
+
+ struct snd_kctl_ioctl {
+ struct list_head list; /* list of all ioctls */
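Review bot: MAX_CONTROL_COUNT is defined as 1028 with no comment, next to MAX_USER_CONTROLS, which has one. Please document what the limit bounds (the per-control element count used to size the allocation in snd_ctl_new()) and why 1028 was chosen, so a later reader does not mistake it for a typo of 1024 or raise it without rechecking the size arithmetic.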
+@@ -195,6 +196,10 @@ static struct snd_kcontrol *snd_ctl_new(struct snd_kcontrol *control,
+
+ if (snd_BUG_ON(!control || !control->count))
+ return NULL;
++
++ if (control->count > MAX_CONTROL_COUNT)
++ return NULL;
++
+ kctl = kzalloc(sizeof(*kctl) + sizeof(struct snd_kcontrol_volatile) * control->count, GFP_KERNEL);
+ if (kctl == NULL) {
+ snd_printk(KERN_ERR "Cannot allocate control instance\n");
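Review bot: The new bound check returns NULL silently, so a caller cannot distinguish an oversized control->count from the kzalloc() failure just below, which at least logs "Cannot allocate control instance". If the callers map NULL to an out-of-memory error, userspace will see a misleading result for what is really an invalid argument. A short comment on the check, saying that it guards the multiplication inside the kzalloc() size expression, would also help.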
+--
+1.7.3.2
+
++++++ linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch (new)
--- linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+++ linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+From 9828e6e6e3f19efcb476c567b9999891d051f52f Mon Sep 17 00:00:00 2001
+From: David S. Miller <davem at davemloft.net>
+Date: Mon, 20 Sep 2010 15:40:35 -0700
+Subject: [PATCH] rose: Fix signedness issues wrt. digi count.
+
+Just use explicit casts, since we really can't change the
+types of structures exported to userspace which have been
+around for 15 years or so.
+
+Reported-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/rose/af_rose.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index 8e45e76..d952e7e 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -679,7 +679,7 @@ static int rose_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
+ if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+ return -EINVAL;
+
+- if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++ if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+ return -EINVAL;
+
+ if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
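Review bot: The "(unsigned int)" cast on addr->srose_ndigis is the whole fix, but nothing in the code says why it is there. A one-line comment stating that srose_ndigis is a signed field in a userspace-visible structure, and that negative values must fail the ROSE_MAX_DIGIS check, would stop a later cleanup from removing the cast as redundant. The identical cast is repeated in rose_connect(), so a small helper for the range check would keep the two sites from drifting apart.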
+@@ -739,7 +739,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le
+ if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
+ return -EINVAL;
+
+- if (addr->srose_ndigis > ROSE_MAX_DIGIS)
++ if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
+ return -EINVAL;
+
+ /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
+--
+1.7.3.2
+
++++++ linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch (new)
--- linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+++ linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+From 252a52aa4fa22a668f019e55b3aac3ff71ec1c29 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon, 27 Sep 2010 12:30:28 -0400
+Subject: [PATCH] Fix pktcdvd ioctl dev_minor range check
+
+The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
+pktcdvd_device from the global pkt_devs array. The index into this
+array is provided directly by the user and is a signed integer, so the
+comparison to ensure that it falls within the bounds of this array will
+fail when provided with a negative index.
+
+This can be used to read arbitrary kernel memory or cause a crash due to
+an invalid pointer dereference. This can be exploited by users with
+permission to open /dev/pktcdvd/control (on many distributions, this is
+readable by group "cdrom").
+
+Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+[ Rather than add a cast, just make the function take the right type -Linus ]
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ drivers/block/pktcdvd.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
+index b1cbeb5..37a2bb5 100644
+--- a/drivers/block/pktcdvd.c
++++ b/drivers/block/pktcdvd.c
+@@ -2369,7 +2369,7 @@ static void pkt_release_dev(struct pktcdvd_device *pd, int flush)
+ pkt_shrink_pktlist(pd);
+ }
+
+-static struct pktcdvd_device *pkt_find_dev_from_minor(int dev_minor)
++static struct pktcdvd_device *pkt_find_dev_from_minor(unsigned int dev_minor)
+ {
+ if (dev_minor >= MAX_WRITERS)
+ return NULL;
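Review bot: Changing the parameter of pkt_find_dev_from_minor() to unsigned int makes the existing "dev_minor >= MAX_WRITERS" test reject negative inputs, but only through implicit conversion at each call site, and no call site is visible in this hunk. Please confirm that every caller, including the PKT_CTRL_CMD_STATUS path named in the description, passes the user-supplied index directly to this function and does not use it as an array index before the call. The From: and Signed-off-by: addresses for the author also differ, which is worth a quick check against the upstream commit.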
+--
+1.7.3.2
+
++++++ series
--- series
+++ series
@@ -30,6 +30,12 @@
linux-2.6.36-battery.patch
linux-2.6.36-battery2.patch
+linux-2.6.36-rc5-fix-signedness-issues-in-af_rose.patch
+linux-2.6.36-rc6-fix-pktcdvd-ioctl-dev_minor-range-check.patch
+linux-2.6.36-rc5-alsa-prevent-heap-corruption.patch
+linux-2.6.35-irda-failure-handling.patch
+linux-2.6.36-rc4-fix-overflow-in-niu_get_ethtool_tcam_all.patch
+
# Kernel CVE patches - these go last in the backport section
# no non-cve patches should go here!