<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux, branch v2.6.33.10</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/?h=v2.6.33.10</id>
<link rel='self' href='https://git.amat.us/linux/atom/?h=v2.6.33.10'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2011-04-14T23:53:30Z</updated>
<entry>
<title>Linux 2.6.33.10</title>
<updated>2011-04-14T23:53:30Z</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@suse.de</email>
</author>
<published>2011-04-14T23:53:30Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7b2f414b87f515b63a0821f6601aea4b8b005691'/>
<id>urn:sha1:7b2f414b87f515b63a0821f6601aea4b8b005691</id>
<content type='text'>
</content>
</entry>
<entry>
<title>xfs: zero proper structure size for geometry calls</title>
<updated>2011-04-14T23:53:16Z</updated>
<author>
<name>Alex Elder</name>
<email>aelder@sgi.com</email>
</author>
<published>2011-03-01T17:50:00Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=277678c4089dc0a9b3235eb58547878dacfe336b'/>
<id>urn:sha1:277678c4089dc0a9b3235eb58547878dacfe336b</id>
<content type='text'>
commit af24ee9ea8d532e16883251a6684dfa1be8eec29 upstream.

Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
xfs_fs_geometry() in order to avoid passing kernel stack data back
to user space:

+       memset(geo, 0, sizeof(*geo));

Unfortunately, one of the callers of that function passes the
address of a smaller data type, cast to fit the type that
xfs_fs_geometry() requires.  As a result, this can happen:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
in: f87aca93

Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
Call Trace:

[&lt;c12991ac&gt;] ? panic+0x50/0x150
[&lt;c102ed71&gt;] ? __stack_chk_fail+0x10/0x18
[&lt;f87aca93&gt;] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]

Fix this by fixing that one caller to pass the right type and then
copy out the subset it is interested in.

Note: This patch is an alternative to one originally proposed by
Eric Sandeen.

Reported-by: Jeffrey Hundstad &lt;jeffrey.hundstad@mnsu.edu&gt;
Signed-off-by: Alex Elder &lt;aelder@sgi.com&gt;
Reviewed-by: Eric Sandeen &lt;sandeen@redhat.com&gt;
Tested-by: Jeffrey Hundstad &lt;jeffrey.hundstad@mnsu.edu&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>net: fix rds_iovec page count overflow</title>
<updated>2011-04-14T23:53:15Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2010-10-28T15:40:55Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b291661643c93044e6d4a228d3268649ccf30a0c'/>
<id>urn:sha1:b291661643c93044e6d4a228d3268649ccf30a0c</id>
<content type='text'>
commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.

As reported by Thomas Pollet, the rdma page counting can overflow.  We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate
error code.

Reported-by: Thomas Pollet &lt;thomas.pollet@gmail.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Andy Grover &lt;andy.grover@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>exec: copy-and-paste the fixes into compat_do_execve() paths</title>
<updated>2011-04-14T23:53:15Z</updated>
<author>
<name>Oleg Nesterov</name>
<email>oleg@redhat.com</email>
</author>
<published>2010-11-30T19:56:02Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=f4cee52eb81b6a8893f6f52e3b9d952ed0dbcbf6'/>
<id>urn:sha1:f4cee52eb81b6a8893f6f52e3b9d952ed0dbcbf6</id>
<content type='text'>
commit 114279be2120a916e8a04feeb2ac976a10016f2f upstream.

Note: this patch targets 2.6.37 and tries to be as simple as possible.
That is why it adds more copy-and-paste horror into fs/compat.c and
uglifies fs/exec.c, this will be cleanuped later.

compat_copy_strings() plays with bprm-&gt;vma/mm directly and thus has
two problems: it lacks the RLIMIT_STACK check and argv/envp memory
is not visible to oom killer.

Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
as do_execve() does.

Add the fatal_signal_pending/cond_resched checks into compat_count() and
compat_copy_strings(), this matches the code in fs/exec.c and certainly
makes sense.

Signed-off-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Cc: KOSAKI Motohiro &lt;kosaki.motohiro@jp.fujitsu.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Andi Kleen &lt;ak@linux.intel.com&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>exec: make argv/envp memory visible to oom-killer</title>
<updated>2011-04-14T23:53:15Z</updated>
<author>
<name>Oleg Nesterov</name>
<email>oleg@redhat.com</email>
</author>
<published>2010-11-30T19:55:34Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=6c0fcffc6c1c8cfe963a252c47c6ac91406b6489'/>
<id>urn:sha1:6c0fcffc6c1c8cfe963a252c47c6ac91406b6489</id>
<content type='text'>
commit 3c77f845722158206a7209c45ccddc264d19319c upstream.

Brad Spengler published a local memory-allocation DoS that
evades the OOM-killer (though not the virtual memory RLIMIT):
http://www.grsecurity.net/~spender/64bit_dos.c

execve()-&gt;copy_strings() can allocate a lot of memory, but
this is not visible to oom-killer, nobody can see the nascent
bprm-&gt;mm and take it into account.

With this patch get_arg_page() increments current's MM_ANONPAGES
counter every time we allocate the new page for argv/envp. When
do_execve() succeds or fails, we change this counter back.

Technically this is not 100% correct, we can't know if the new
page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but
I don't think this really matters and everything becomes correct
once exec changes -&gt;mm or fails.

Reported-by: Brad Spengler &lt;spender@grsecurity.net&gt;
Reviewed-and-discussed-by: KOSAKI Motohiro &lt;kosaki.motohiro@jp.fujitsu.com&gt;
Signed-off-by: Oleg Nesterov &lt;oleg@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>CAN: Use inode instead of kernel address for /proc file</title>
<updated>2011-04-14T23:53:14Z</updated>
<author>
<name>Dan Rosenberg</name>
<email>drosenberg@vsecurity.com</email>
</author>
<published>2010-12-26T06:54:53Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=b5ee7ec47851f8f85c9b96f20abc17b605823edd'/>
<id>urn:sha1:b5ee7ec47851f8f85c9b96f20abc17b605823edd</id>
<content type='text'>
commit 9f260e0efa4766e56d0ac14f1aeea6ee5eb8fe83 upstream.

Since the socket address is just being used as a unique identifier, its
inode number is an alternative that does not leak potentially sensitive
information.

CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Acked-by: Oliver Hartkopp &lt;socketcan@hartkopp.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>irda: prevent integer underflow in IRLMP_ENUMDEVICES</title>
<updated>2011-04-14T23:53:14Z</updated>
<author>
<name>Dan Rosenberg</name>
<email>drosenberg@vsecurity.com</email>
</author>
<published>2010-12-22T13:58:27Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=69273e33a6d22d73dd89e4a68d54a0af3bd0e460'/>
<id>urn:sha1:69273e33a6d22d73dd89e4a68d54a0af3bd0e460</id>
<content type='text'>
commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value.  While this isn't be a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures.  In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg &lt;drosenberg@vsecurity.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;


</content>
</entry>
<entry>
<title>econet: Fix crash in aun_incoming().</title>
<updated>2011-04-14T23:53:13Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2010-12-09T02:42:23Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=de00d49034d47ceaf4d44b6720b77deb40ca1692'/>
<id>urn:sha1:de00d49034d47ceaf4d44b6720b77deb40ca1692</id>
<content type='text'>
commit 4e085e76cbe558b79b54cbab772f61185879bc64 upstream.

Unconditional use of skb-&gt;dev won't work here,
try to fetch the econet device via skb_dst()-&gt;dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage &lt;nelhage@ksplice.com&gt;
Tested-by: Nelson Elhage &lt;nelhage@ksplice.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
[jmm: Slightly adapted for 2.6.32]
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>inet_diag: Make sure we actually run the same bytecode we audited.</title>
<updated>2011-04-14T23:53:13Z</updated>
<author>
<name>Nelson Elhage</name>
<email>nelhage@ksplice.com</email>
</author>
<published>2010-11-03T16:35:41Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=49600c713e0a46e38a6ac1c560cac5561d464adb'/>
<id>urn:sha1:49600c713e0a46e38a6ac1c560cac5561d464adb</id>
<content type='text'>
commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 upstream.

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.

Fix this by consistently using nlmsg_find_attr everywhere.

Signed-off-by: Nelson Elhage &lt;nelhage@ksplice.com&gt;
Signed-off-by: Thomas Graf &lt;tgraf@infradead.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
<entry>
<title>net: tipc: fix information leak to userland</title>
<updated>2011-04-14T23:53:13Z</updated>
<author>
<name>Kulikov Vasiliy</name>
<email>segooon@gmail.com</email>
</author>
<published>2010-10-31T07:10:32Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=51d7a20fca5f8e96646e51bf9645da08f14e7a22'/>
<id>urn:sha1:51d7a20fca5f8e96646e51bf9645da08f14e7a22</id>
<content type='text'>
commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream.

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" unitialized.  It leads to leaking of
contents of kernel stack memory.  We have to initialize them to zero.

Signed-off-by: Vasiliy Kulikov &lt;segooon@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Moritz Muehlenhoff &lt;jmm@debian.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
</entry>
</feed>
