Merge changes from sid up to 3.9.8-1

svn path=/dists/trunk/linux/; revision=20301
2013-06-30 18:30:22 +00:00 · 2013-06-30 18:30:22 +00:00 · 7e2ba80295
parent 1a53d52cfc 8b6d6f2812
commit 7e2ba80295
6 changed files with 226 additions and 0 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -67,6 +67,68 @@ linux (3.10~rc4-1~exp1) experimental; urgency=low

 -- Ben Hutchings <ben@decadent.org.uk>  Mon, 03 Jun 2013 02:43:51 +0100

+linux (3.9.8-1) unstable; urgency=low
+
+  * New upstream stable update:
+    http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.9.7
+    - b43: stop format string leaking into error msgs (CVE-2013-2852)
+    - ACPI / video: Do not bind to device objects with a scan handler
+    - libceph: must hold mutex for reset_changed_osds()
+    - ceph: ceph_pagelist_append might sleep while atomic
+    - rbd: don't destroy ceph_opts in rbd_add()
+    - Bluetooth: Fix missing length checks for L2CAP signalling PDUs
+    - kmsg: honor dmesg_restrict sysctl on /dev/kmsg
+    - memcg: don't initialize kmem-cache destroying work for root caches
+    - md/raid1: consider WRITE as successful only if at least one non-Faulty
+      and non-rebuilding drive completed it.
+    - md/raid1,5,10: Disable WRITE SAME until a recovery strategy is in place
+    - [x86] Modify UEFI anti-bricking code
+    - powerpc: Fix stack overflow crash in resume_kernel when ftracing
+    - USB: pl2303: fix device initialisation at open
+    - USB: f81232: fix device initialisation at open
+    - USB: spcp8x5: fix device initialisation at open
+  * New upstream stable update:
+    http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.9.8
+    - ARM: 7752/1: errata: LoUIS bit field in CLIDR register is incorrect
+    - clk: remove notifier from list before freeing it
+    - [hppa] make interrupt and interruption stack allocation reentrant
+    - ACPI / dock: Take ACPI scan lock in write_undock()
+    - net: fec: fix kernel oops when plug/unplug cable many times
+    - tcp: fix tcp_md5_hash_skb_data()
+    - net/802/mrp: fix lockdep splat
+    - ipv6: fix possible crashes in ip6_cork_release()
+    - r8169: fix offloaded tx checksum for small packets.
+    - xfrm: properly handle invalid states as an error
+    - ip_tunnel: fix kernel panic with icmp_dest_unreach
+    - net: Block MSG_CMSG_COMPAT in send(m)msg and recv(m)msg
+    - net: force a reload of first item in hlist_nulls_for_each_entry_rcu
+    - vhost_net: clear msg.control for non-zerocopy case during tx
+    - net: sctp: fix NULL pointer dereference in socket destruction
+    - team: check return value of team_get_port_by_index_rcu() for NULL
+    - team: move add to port list before port enablement
+    - l2tp: Fix PPP header erasure and memory leak
+    - sctp: fully initialize sctp_outq in sctp_outq_init
+    - macvtap: set transport header before passing skb to lower device
+    - tuntap: set transport header before passing it to kernel
+    - packet: set transport header before doing xmit
+    - netback: set transport header before passing it to kernel
+    - net_sched: better precise estimation on packet length for untrusted
+      packets
+    - firmware loader: fix use-after-free by double abort
+    - target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer()
+    - rbd: use the correct length for format 2 object names
+    - perf: Fix perf mmap bugs
+    - perf: Fix mmap() accounting hole
+
+  [ Ben Hutchings ]
+  * yama: Disable ptrace restrictions by default, and change boot message
+    to indicate this (Closes: #712740)
+  * fanotify: info leak in copy_event_to_user() (CVE-2013-2148)
+  * drivers/cdrom/cdrom.c: use kzalloc() for failing hardware (CVE-2013-2164)
+  * block: do not pass disk names as format strings (CVE-2013-2851)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sat, 29 Jun 2013 18:44:21 +0100
+
 linux (3.9.6-1) unstable; urgency=low

  * New upstream stable update:
--- a/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
+++ b/debian/patches/bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch
@ -0,0 +1,62 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 19 Jun 2013 10:05:44 +1000
+Subject: block: do not pass disk names as format strings
+
+commit 00a10d269c161c4dc61e4d87d7941082c5b57488 upstream.
+
+Disk names may contain arbitrary strings, so they must not be interpreted
+as format strings. It seems that only md allows arbitrary strings to be
+used for disk names, but this could allow for a local memory corruption
+from uid 0 into ring 0.
+
+CVE-2013-2851
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ block/genhd.c              |    2 +-
+ drivers/block/nbd.c        |    3 ++-
+ drivers/scsi/osd/osd_uld.c |    2 +-
+ 3 files changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/block/genhd.c b/block/genhd.c
+index e9094b3..dadf42b 100644
+--- a/block/genhd.c
+++ b/block/genhd.c
+@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk)
+ 
+ 	ddev->parent = disk->driverfs_dev;
+ 
+-	dev_set_name(ddev, disk->disk_name);
+	dev_set_name(ddev, "%s", disk->disk_name);
+ 
+ 	/* delay uevents, until we scanned partition table */
+ 	dev_set_uevent_suppress(ddev, 1);
+diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
+index 037288e..46b35f7 100644
+--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
+@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
+ 		else
+ 			blk_queue_flush(nbd->disk->queue, 0);
+ 
+-		thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name);
+		thread = kthread_create(nbd_thread, nbd, "%s",
+					nbd->disk->disk_name);
+ 		if (IS_ERR(thread)) {
+ 			mutex_lock(&nbd->tx_lock);
+ 			return PTR_ERR(thread);
+diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c
+index 0fab6b5..9d86947 100644
+--- a/drivers/scsi/osd/osd_uld.c
+++ b/drivers/scsi/osd/osd_uld.c
+@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev)
+ 	oud->class_dev.class = &osd_uld_class;
+ 	oud->class_dev.parent = dev;
+ 	oud->class_dev.release = __remove;
+-	error = dev_set_name(&oud->class_dev, disk->disk_name);
+	error = dev_set_name(&oud->class_dev, "%s", disk->disk_name);
+ 	if (error) {
+ 		OSD_ERR("dev_set_name failed => %d\n", error);
+ 		goto err_put_cdev;
--- a/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
+++ b/debian/patches/bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
@ -0,0 +1,45 @@
+From: Jonathan Salwan <jonathan.salwan@gmail.com>
+Date: Wed, 19 Jun 2013 10:05:44 +1000
+Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware
+
+commit 410b0fa7c0ffe191a0596430e1b414192a111fe0 upstream.
+
+In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory
+area with kmalloc in line 2885.
+
+2885         cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+2886         if (cgc->buffer == NULL)
+2887                 return -ENOMEM;
+
+In line 2908 we can find the copy_to_user function:
+
+2908         if (!ret && copy_to_user(arg, cgc->buffer, blocksize))
+
+The cgc->buffer is never cleaned and initialized before this function.  If
+ret = 0 with the previous basic block, it's possible to display some
+memory bytes in kernel space from userspace.
+
+When we read a block from the disk it normally fills the ->buffer but if
+the drive is malfunctioning there is a chance that it would only be
+partially filled.  The result is an leak information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ drivers/cdrom/cdrom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
+index d620b44..8a3aff7 100644
+--- a/drivers/cdrom/cdrom.c
+++ b/drivers/cdrom/cdrom.c
+@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi,
+ 	if (lba < 0)
+ 		return -EINVAL;
+ 
+-	cgc->buffer = kmalloc(blocksize, GFP_KERNEL);
+	cgc->buffer = kzalloc(blocksize, GFP_KERNEL);
+ 	if (cgc->buffer == NULL)
+ 		return -ENOMEM;
+ 
--- a/debian/patches/bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
+++ b/debian/patches/bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
@ -0,0 +1,27 @@
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 19 Jun 2013 10:05:29 +1000
+Subject: fanotify: info leak in copy_event_to_user()
+
+commit d2e5df23489623877fa0a587570c44fe08be2f8f upstream.
+
+The ->reserverd field isn't cleared so we leak one byte of stack
+information to userspace.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: Eric Paris <eparis@redhat.com>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+---
+ fs/notify/fanotify/fanotify_user.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
+@@ -121,6 +121,7 @@ static int fill_event_metadata(struct fs
+ 	metadata->event_len = FAN_EVENT_METADATA_LEN;
+ 	metadata->metadata_len = FAN_EVENT_METADATA_LEN;
+ 	metadata->vers = FANOTIFY_METADATA_VERSION;
+	metadata->reserved = 0;
+ 	metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS;
+ 	metadata->pid = pid_vnr(event->tgid);
+ 	if (unlikely(event->mask & FAN_Q_OVERFLOW))
--- a/debian/patches/debian/yama-disable-by-default.patch
+++ b/debian/patches/debian/yama-disable-by-default.patch
@ -0,0 +1,26 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Subject: yama: Disable by default
+Date: Wed, 19 Jun 2013 04:35:28 +0100
+Bug-Debian: http://bugs.debian.org/712740
+Forwarded: not-needed
+
+--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
+@@ -24,7 +24,7 @@
+ #define YAMA_SCOPE_CAPABILITY	2
+ #define YAMA_SCOPE_NO_ATTACH	3
+ 
+-static int ptrace_scope = YAMA_SCOPE_RELATIONAL;
+static int ptrace_scope = YAMA_SCOPE_DISABLED;
+ 
+ /* describe a ptrace relationship for potential exception */
+ struct ptrace_relation {
+@@ -425,7 +425,7 @@ static __init int yama_init(void)
+ 		return 0;
+ #endif
+ 
+-	printk(KERN_INFO "Yama: becoming mindful.\n");
+	printk(KERN_INFO "Yama: disabled by default; enable with sysctl kernel.yama.*\n");
+ 
+ #ifndef CONFIG_SECURITY_YAMA_STACKED
+ 	if (register_security(&yama_ops))
--- a/debian/patches/series
+++ b/debian/patches/series
@ -97,3 +97,7 @@ features/arm/sunxi-emac/0008-net-sun4i-emac-remove-erroneous-assignment.patch
 features/arm/sunxi-emac/0009-net-sun4i-emac-Remove-redundant-platform_set_drvdata.patch
 features/arm/sunxi-emac/0010-net-sun4i-emac-Staticize-local-symbols.patch
 bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
+debian/yama-disable-by-default.patch
+bugfix/all/fanotify-info-leak-in-copy_event_to_user.patch
+bugfix/all/drivers-cdrom-cdrom.c-use-kzalloc-for-failing-hardwa.patch
+bugfix/all/block-do-not-pass-disk-names-as-format-strings.patch