Update to 3.10.1
svn path=/dists/sid/linux/; revision=20347
This commit is contained in:
parent
b1e43bc985
commit
4351c3dd80
|
@ -1,8 +1,28 @@
|
||||||
linux (3.10-1~exp1) UNRELEASED; urgency=low
|
linux (3.10.1-1) UNRELEASED; urgency=low
|
||||||
|
|
||||||
* New upstream release: http://kernelnewbies.org/Linux_3.10
|
* New upstream release: http://kernelnewbies.org/Linux_3.10
|
||||||
- netfilter: nf_nat_sip: fix mangling (Closes: #715822)
|
- netfilter: nf_nat_sip: fix mangling (Closes: #715822)
|
||||||
- Interrupt storm detection in intel driver (Closes: #572537)
|
- Interrupt storm detection in intel driver (Closes: #572537)
|
||||||
|
* New upstream stable update:
|
||||||
|
http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.10.1
|
||||||
|
- libceph: Fix NULL pointer dereference in auth client code (CVE-2013-1059)
|
||||||
|
- ceph: fix sleeping function called from invalid context.
|
||||||
|
- libceph: fix invalid unsigned->signed conversion for timespec encoding
|
||||||
|
- module: do percpu allocation after uniqueness check. No, really!
|
||||||
|
- charger-manager: Ensure event is not used as format string
|
||||||
|
- hpfs: better test for errors
|
||||||
|
- crypto: sanitize argument for format string
|
||||||
|
- MAINTAINERS: add stable_kernel_rules.txt to stable maintainer information
|
||||||
|
- futex: Take hugepages into account when generating futex_key
|
||||||
|
- tty: Reset itty for other pty
|
||||||
|
- Revert "serial: 8250_pci: add support for another kind of NetMos
|
||||||
|
Technology PCI 9835 Multi-I/O Controller"
|
||||||
|
- NFSv4.1 end back channel session draining
|
||||||
|
- nfsd4: fix decoding of compounds across page boundaries
|
||||||
|
- KVM: VMX: mark unusable segment as nonpresent
|
||||||
|
- SCSI: sd: Fix parsing of 'temporary ' cache mode prefix
|
||||||
|
- cpufreq: Fix cpufreq regression after suspend/resume
|
||||||
|
- Revert "memcg: avoid dangling reference count in creation failure"
|
||||||
|
|
||||||
[ Ben Hutchings ]
|
[ Ben Hutchings ]
|
||||||
* cassini: Make missing firmware non-fatal (Closes: #714128)
|
* cassini: Make missing firmware non-fatal (Closes: #714128)
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
From: Kees Cook <keescook@chromium.org>
|
|
||||||
Date: Wed, 19 Jun 2013 10:05:44 +1000
|
|
||||||
Subject: block: do not pass disk names as format strings
|
|
||||||
Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/block-do-not-pass-disk-names-as-format-strings.patch
|
|
||||||
|
|
||||||
Disk names may contain arbitrary strings, so they must not be interpreted
|
|
||||||
as format strings. It seems that only md allows arbitrary strings to be
|
|
||||||
used for disk names, but this could allow for a local memory corruption
|
|
||||||
from uid 0 into ring 0.
|
|
||||||
|
|
||||||
CVE-2013-2851
|
|
||||||
|
|
||||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
||||||
Cc: Jens Axboe <axboe@kernel.dk>
|
|
||||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
|
||||||
---
|
|
||||||
block/genhd.c | 2 +-
|
|
||||||
drivers/block/nbd.c | 3 ++-
|
|
||||||
drivers/scsi/osd/osd_uld.c | 2 +-
|
|
||||||
3 files changed, 4 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/block/genhd.c b/block/genhd.c
|
|
||||||
index e9094b3..dadf42b 100644
|
|
||||||
--- a/block/genhd.c
|
|
||||||
+++ b/block/genhd.c
|
|
||||||
@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
|
|
||||||
|
|
||||||
ddev->parent = disk->driverfs_dev;
|
|
||||||
|
|
||||||
- dev_set_name(ddev, disk->disk_name);
|
|
||||||
+ dev_set_name(ddev, "%s", disk->disk_name);
|
|
||||||
|
|
||||||
/* delay uevents, until we scanned partition table */
|
|
||||||
dev_set_uevent_suppress(ddev, 1);
|
|
||||||
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
|
|
||||||
index 037288e..46b35f7 100644
|
|
||||||
--- a/drivers/block/nbd.c
|
|
||||||
+++ b/drivers/block/nbd.c
|
|
||||||
@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
|
|
||||||
else
|
|
||||||
blk_queue_flush(nbd->disk->queue, 0);
|
|
||||||
|
|
||||||
- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
|
|
||||||
+ thread = kthread_create(nbd_thread, nbd, "%s",
|
|
||||||
+ nbd->disk->disk_name);
|
|
||||||
if (IS_ERR(thread)) {
|
|
||||||
mutex_lock(&nbd->tx_lock);
|
|
||||||
return PTR_ERR(thread);
|
|
||||||
diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
|
|
||||||
index 0fab6b5..9d86947 100644
|
|
||||||
--- a/drivers/scsi/osd/osd_uld.c
|
|
||||||
+++ b/drivers/scsi/osd/osd_uld.c
|
|
||||||
@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
|
|
||||||
oud->class_dev.class = &osd_uld_class;
|
|
||||||
oud->class_dev.parent = dev;
|
|
||||||
oud->class_dev.release = __remove;
|
|
||||||
- error = dev_set_name(&oud->class_dev, disk->disk_name);
|
|
||||||
+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
|
|
||||||
if (error) {
|
|
||||||
OSD_ERR("dev_set_name failed => %d\n", error);
|
|
||||||
goto err_put_cdev;
|
|
|
@ -1,44 +0,0 @@
|
||||||
From: Jonathan Salwan <jonathan.salwan@gmail.com>
|
|
||||||
Date: Wed, 19 Jun 2013 10:05:44 +1000
|
|
||||||
Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
|
|
||||||
Origin: http://www.ozlabs.org/~akpm/mmotm/broken-out/drivers-cdrom-cdromc-use-kzalloc-for-failing-hardware.patch
|
|
||||||
|
|
||||||
In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
|
|
||||||
area with kmalloc in line 2885.
|
|
||||||
|
|
||||||
2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
|
||||||
2886 if (cgc->buffer == NULL)
|
|
||||||
2887 return -ENOMEM;
|
|
||||||
|
|
||||||
In line 2908 we can find the copy_to_user function:
|
|
||||||
|
|
||||||
2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
|
|
||||||
|
|
||||||
The cgc->buffer is never cleaned and initialized before this function. If
|
|
||||||
ret = 0 with the previous basic block, it's possible to display some
|
|
||||||
memory bytes in kernel space from userspace.
|
|
||||||
|
|
||||||
When we read a block from the disk it normally fills the ->buffer but if
|
|
||||||
the drive is malfunctioning there is a chance that it would only be
|
|
||||||
partially filled. The result is an leak information to userspace.
|
|
||||||
|
|
||||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
|
||||||
Cc: Jens Axboe <axboe@kernel.dk>
|
|
||||||
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
|
|
||||||
---
|
|
||||||
drivers/cdrom/cdrom.c | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
|
|
||||||
index d620b44..8a3aff7 100644
|
|
||||||
--- a/drivers/cdrom/cdrom.c
|
|
||||||
+++ b/drivers/cdrom/cdrom.c
|
|
||||||
@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
|
|
||||||
if (lba < 0)
|
|
||||||
return -EINVAL;
|
|
||||||
|
|
||||||
- cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
|
|
||||||
+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
|
|
||||||
if (cgc->buffer == NULL)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
|
@ -72,8 +72,6 @@ features/all/cpu-devices/Partially-revert-cpufreq-Add-support-for-x86-cpuinfo.pa
|
||||||
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
|
bugfix/x86/viafb-autoload-on-olpc-xo1.5-only.patch
|
||||||
bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
|
bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
|
||||||
bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
|
bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
|
||||||
bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
|
|
||||||
bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
|
|
||||||
|
|
||||||
# ARM hardware support
|
# ARM hardware support
|
||||||
features/arm/ARM-dts-imx-add-imx5x-usbmisc-entries.patch
|
features/arm/ARM-dts-imx-add-imx5x-usbmisc-entries.patch
|
||||||
|
|
Loading…
Reference in New Issue