Linux kernel source tree https://git.amat.us/linux/atom/?h=v2.6.34.9 2011-04-17T20:16:27Z 2011-04-17T20:16:27Z Paul Gortmaker paul.gortmaker@windriver.com 2011-04-17T20:16:27Z urn:sha1:4af3051b26124834deea42b25a2543c5034031f1 2011-04-17T20:16:18Z Ben Hutchings bhutchings@solarflare.com 2010-09-07T04:35:19Z urn:sha1:6a6c24b6917692f826525ca5cb550f98982e39e8 commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream. niu_get_ethtool_tcam_all() assumes that its output buffer is the right size, and warns before returning if it is not. However, the output buffer size is under user control and ETHTOOL_GRXCLSRLALL is an unprivileged ethtool command. Therefore this is at least a local denial-of-service vulnerability. Change it to check before writing each entry and to return an error if the buffer is already full. Compile-tested only. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:18Z Roland Dreier roland@purestorage.com 2011-03-28T21:13:35Z urn:sha1:40b77a71b25fd1ec84fdc3abc2f928a872884b10 commit 243b422af9ea9af4ead07a8ad54c90d4f9b6081a upstream. Commit da48524eb206 ("Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code") made the check on si_code too strict. There are several legitimate places where glibc wants to queue a negative si_code different from SI_QUEUE: - This was first noticed with glibc's aio implementation, which wants to queue a signal with si_code SI_ASYNCIO; the current kernel causes glibc's tst-aio4 test to fail because rt_sigqueueinfo() fails with EPERM. - Further examination of the glibc source shows that getaddrinfo_a() wants to use SI_ASYNCNL (which the kernel does not even define). The timer_create() fallback code wants to queue signals with SI_TIMER. As suggested by Oleg Nesterov <oleg@redhat.com>, loosen the check to forbid only the problematic SI_TKILL case. Reported-by: Klaus Dittrich <kladit@arcor.de> Acked-by: Julien Tinnes <jln@google.com> Signed-off-by: Roland Dreier <roland@purestorage.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:17Z Julien Tinnes jln@google.com 2011-03-18T22:05:21Z urn:sha1:9eab773eb3eda5d8336a8f0ac68c5e1faa5f88d5 commit da48524eb20662618854bb3df2db01fc65f3070c upstream. Userland should be able to trust the pid and uid of the sender of a signal if the si_code is SI_TKILL. Unfortunately, the kernel has historically allowed sigqueueinfo() to send any si_code at all (as long as it was negative - to distinguish it from kernel-generated signals like SIGILL etc), so it could spoof a SI_TKILL with incorrect siginfo values. Happily, it looks like glibc has always set si_code to the appropriate SI_QUEUE, so there are probably no actual user code that ever uses anything but the appropriate SI_QUEUE flag. So just tighten the check for si_code (we used to allow any negative value), and add a (one-time) warning in case there are binaries out there that might depend on using other si_code values. Signed-off-by: Julien Tinnes <jln@google.com> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:17Z Takashi Iwai tiwai@suse.de 2011-02-14T21:45:59Z urn:sha1:c95610ef5cf44dcef45434ca6de0832aa9b02708 commit eaae55dac6b64c0616046436b294e69fc5311581 upstream Use strlcpy() to assure not to overflow the string array sizes by too long USB device name string. Reported-by: Rafa <rafa@mwrinfosecurity.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:17Z Xiaotian Feng dfeng@redhat.com 2010-11-29T09:03:55Z urn:sha1:7eab63eb262398e1e3b94dee3cc7f96b9ca92abe commit 5478755616ae2ef1ce144dded589b62b2a50d575 upstream. commit 9284bcf checks for proper length of iov entries in blk_rq_map_user_iov(). But if the map is unaligned, kernel will break out the loop without checking for the proper length. So we need to check the proper length before the unalign check. Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Signed-off-by: Jens Axboe <jaxboe@fusionio.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:17Z Dan Rosenberg drosenberg@vsecurity.com 2010-10-01T11:51:47Z urn:sha1:799c3ec501854be3d6be56c1db5452e2e8371ef4 commit 51e97a12bef19b7e43199fc153cf9bd5f2140362 upstream The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids array and attempts to ensure that only a supported hmac entry is returned. The current code fails to do this properly - if the last id in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the id integer remains set after exiting the loop, and the address of an out-of-bounds entry will be returned and subsequently used in the parent function, causing potentially ugly memory corruption. This patch resets the id integer to 0 on encountering an invalid id so that NULL will be returned after finishing the loop if no valid ids are found. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:17Z Li Zefan lizf@cn.fujitsu.com 2010-03-11T22:08:10Z urn:sha1:eef557db3e67f4897c21423d4f2d41392458aa9c commit a5990ea1254cd186b38744507aeec3136a0c1c95 upstream Don't forget to release the module refcnt if seq_open() returns failure. Signed-off-by: Li Zefan <lizf@cn.fujitsu.com> Cc: J. Bruce Fields <bfields@fieldses.org> Cc: Neil Brown <neilb@suse.de> Cc: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:16Z Guenter Roeck guenter.roeck@ericsson.com 2011-01-21T08:42:17Z urn:sha1:c81ac5970095a62139f4904e638c304b220e76e5 [extraction from commit da2e025590cf7038440132d4bbc967a579b11112 upstream] The value of max_output and step_output registers isn't read from the respective registers. As a result, zero values are returned to the user through the respective sysfs attributes, instead of the actual fan control settings. The problem is fixed by updating the fan max output and fan step output information from data in registers. Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> 2011-04-17T20:16:16Z stephen hemminger shemminger@vyatta.com 2011-03-10T11:43:19Z urn:sha1:595e0399c0ab27188f4067e44274662fbe3aa4ce commit 6dfbd87a20a737641ef228230c77f4262434fa24 upstream. Add necessary alias to autoload ip6ip6 tunnel module. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>