Commits on Apr 14, 2011
  1. @gregkh

    Linux 2.6.33.10

    gregkh authored
  2. @gregkh

    xfs: zero proper structure size for geometry calls

    Alex Elder authored gregkh committed
    commit af24ee9 upstream.
    
    Commit 493f335 added this call to
    xfs_fs_geometry() in order to avoid passing kernel stack data back
    to user space:
    
    +       memset(geo, 0, sizeof(*geo));
    
    Unfortunately, one of the callers of that function passes the
    address of a smaller data type, cast to fit the type that
    xfs_fs_geometry() requires.  As a result, this can happen:
    
    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
    in: f87aca93
    
    Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
    Call Trace:
    
    [<c12991ac>] ? panic+0x50/0x150
    [<c102ed71>] ? __stack_chk_fail+0x10/0x18
    [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
    
    Fix this by fixing that one caller to pass the right type and then
    copy out the subset it is interested in.
    
    Note: This patch is an alternative to one originally proposed by
    Eric Sandeen.
    
    Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
    Signed-off-by: Alex Elder <aelder@sgi.com>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
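The wrong-sized-object pattern this fix addresses, shown as an added example that is not XFS code: a full-size struct whose filling routine zeroes sizeof(*geo), a caller that passes a smaller struct cast to the big type, and the corrected caller that uses a full-size local and copies out the prefix. The struct layouts, field names and the probe struct with its canary are constructed for illustration; the canary stands in for the stack-protector canary the real bug overwrote.

```c
#include <stdint.h>
#include <string.h>

/* Constructed layouts standing in for xfs_fsop_geom_v1 and xfs_fsop_geom:
 * the v1 struct is a leading subset of the full one. Field names and sizes
 * are assumptions for illustration, not the XFS definitions. */
struct geom_v1   { uint32_t blocksize, rtextsize, datablocks, sunit; };
struct geom_full { uint32_t blocksize, rtextsize, datablocks, sunit;
                   uint32_t swidth, logsectsize, dirblocksize, version; };

/* Stand-in for xfs_fs_geometry(): zero the whole output first so no stale
 * stack bytes reach user space, then fill in the fields it knows about. */
__attribute__((noinline))
static void fs_geometry(struct geom_full *geo)
{
    memset(geo, 0, sizeof(*geo));      /* the memset added by 493f335 */
    geo->blocksize  = 4096;
    geo->datablocks = 1u << 20;
    geo->version    = 3;
}

/* A v1 struct followed by a canary and slack, so the overrun stays inside
 * one object and can be observed here instead of hitting the stack
 * protector as it did in the xfs_fsr panic above. */
struct v1_probe { struct geom_v1 v1; uint32_t canary; uint32_t slack[8]; };

/* Pre-fix caller pattern: a smaller object cast to the larger type, so
 * memset() writes sizeof(struct geom_full) bytes into a geom_v1.
 * Returns 1 if the bytes after the v1 struct were clobbered. */
int buggy_caller_clobbers_neighbour(void)
{
    struct v1_probe p;
    memset(&p, 0, sizeof(p));
    p.canary = 0xdeadbeef;
    fs_geometry((struct geom_full *)&p.v1);   /* the bug: wrong-sized object */
    return p.canary != 0xdeadbeef;
}

/* Post-fix caller, in the shape the commit describes: a correctly sized
 * local, then copy out only the v1 prefix the caller asked for. */
int fixed_caller_v1(struct geom_v1 *out)
{
    struct geom_full full;
    fs_geometry(&full);
    memcpy(out, &full, sizeof(*out));
    return 0;
}

int fixed_caller_keeps_neighbour(void)
{
    struct v1_probe p;
    memset(&p, 0, sizeof(p));
    p.canary = 0xdeadbeef;
    fixed_caller_v1(&p.v1);
    return p.canary == 0xdeadbeef && p.v1.blocksize == 4096;
}
```

In the real bug the extra bytes ran past the end of the caller's stack frame, which is why the kernel's stack protector fired instead of the corruption going unnoticed; the probe struct here only keeps the overrun observable.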
  3. @torvalds @gregkh

    net: fix rds_iovec page count overflow

    torvalds authored gregkh committed
    commit 1b1f693 upstream.
    
    As reported by Thomas Pollet, the rdma page counting can overflow.  We
    get the rdma sizes in 64-bit unsigned entities, but then limit it to
    UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
    an unaligned address).
    
    So each individual page count fits comfortably in an 'unsigned int' (not
    even close to overflowing into signed), but as they are added up, they
    might end up resulting in a signed return value. Which would be wrong.
    
    Catch the case of tot_pages turning negative, and return the appropriate
    error code.
    
    Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andy Grover <andy.grover@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
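How the page count can overflow even though every individual term is small, as an added example that is not the RDS code: a stand-in page-counting loop with the per-addition check the fix adds, a small ordinary case, and a constructed worst case of maximal vectors that tips the total past INT_MAX. The struct name, PAGE_SHIFT and the 2048-vector input are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

/* Constructed stand-in for struct rds_iovec: user address and byte count,
 * both 64-bit as the commit message describes. */
struct rds_iovec_like { uint64_t addr; uint64_t bytes; };

/* Pages spanned by one vector, counting a partial first and last page,
 * in the spirit of rds_pages_in_vec(). With bytes limited to UINT_MAX the
 * result is at most (UINT_MAX >> PAGE_SHIFT) + 1, so it fits easily. */
static unsigned int pages_in_vec(const struct rds_iovec_like *v)
{
    uint64_t first = v->addr >> PAGE_SHIFT;
    uint64_t last  = (v->addr + v->bytes + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return (unsigned int)(last - first);
}

/* Sum the per-vector page counts. Each term fits, but the running total can
 * cross INT_MAX once a few thousand maximal vectors are added; the fix is to
 * check the total after every addition instead of trusting the final sum.
 * Returns 0 and the total, or a negative errno. */
int count_total_pages(const struct rds_iovec_like *vecs, unsigned int nr,
                      unsigned int *total)
{
    unsigned int tot_pages = 0;

    for (unsigned int i = 0; i < nr; i++) {
        if (vecs[i].bytes > UINT_MAX)
            return -EMSGSIZE;            /* pre-existing per-vector limit */
        tot_pages += pages_in_vec(&vecs[i]);
        if (tot_pages > (unsigned int)INT_MAX)
            return -EINVAL;              /* the fix: would read as negative */
    }
    *total = tot_pages;
    return 0;
}

/* Two ordinary vectors: one starting on the last byte of a page and running
 * into the next, and one page-aligned page. Expected total: 3 pages. */
int small_case_total(void)
{
    struct rds_iovec_like v[2] = {
        { 4095, 4096 },   /* bytes 4095..8190: pages 0 and 1 -> 2 pages */
        { 8192, 4096 },   /* exactly page 2 -> 1 page */
    };
    unsigned int total = 0;
    if (count_total_pages(v, 2, &total) != 0)
        return -1;
    return (int)total;
}

/* Worst case: 2048 vectors of UINT_MAX bytes. Each spans 2^20 pages, so the
 * 2048th addition pushes the total to 2^31, which an int reads as negative
 * and the fixed code rejects. Returns the error code. */
int overflow_is_rejected(void)
{
    const unsigned int n = 2048;
    struct rds_iovec_like *v = calloc(n, sizeof(*v));
    unsigned int total = 0;
    int ret;

    if (!v)
        return -ENOMEM;
    for (unsigned int i = 0; i < n; i++) {
        v[i].addr  = 0;
        v[i].bytes = UINT_MAX;
    }
    ret = count_total_pages(v, n, &total);
    free(v);
    return ret;
}
```

The check here compares the unsigned total against INT_MAX, which is well defined in C; the kernel's version keeps the total unsigned and tests the sign after a cast to int, which amounts to the same bound on every platform Linux runs on.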
  4. @utrace @gregkh

    exec: copy-and-paste the fixes into compat_do_execve() paths

    utrace authored gregkh committed
    commit 114279b upstream.
    
    Note: this patch targets 2.6.37 and tries to be as simple as possible.
    That is why it adds more copy-and-paste horror into fs/compat.c and
    uglifies fs/exec.c; this will be cleaned up later.
    
    compat_copy_strings() plays with bprm->vma/mm directly and thus has
    two problems: it lacks the RLIMIT_STACK check and argv/envp memory
    is not visible to oom killer.
    
    Export acct_arg_size() and get_arg_page(), change compat_copy_strings()
    to use get_arg_page(), change compat_do_execve() to do acct_arg_size(0)
    as do_execve() does.
    
    Add the fatal_signal_pending/cond_resched checks into compat_count() and
    compat_copy_strings(), this matches the code in fs/exec.c and certainly
    makes sense.
    
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andi Kleen <ak@linux.intel.com>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @utrace @gregkh

    exec: make argv/envp memory visible to oom-killer

    utrace authored gregkh committed
    commit 3c77f84 upstream.
    
    Brad Spengler published a local memory-allocation DoS that
    evades the OOM-killer (though not the virtual memory RLIMIT):
    http://www.grsecurity.net/~spender/64bit_dos.c
    
    execve()->copy_strings() can allocate a lot of memory, but
    this is not visible to oom-killer, nobody can see the nascent
    bprm->mm and take it into account.
    
    With this patch get_arg_page() increments current's MM_ANONPAGES
    counter every time we allocate the new page for argv/envp. When
    do_execve() succeeds or fails, we change this counter back.
    
    Technically this is not 100% correct, we can't know if the new
    page is swapped out and turn MM_ANONPAGES into MM_SWAPENTS, but
    I don't think this really matters and everything becomes correct
    once exec changes ->mm or fails.
    
    Reported-by: Brad Spengler <spender@grsecurity.net>
    Reviewed-and-discussed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Signed-off-by: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    CAN: Use inode instead of kernel address for /proc file

    Dan Rosenberg authored gregkh committed
    commit 9f260e0 upstream.
    
    Since the socket address is just being used as a unique identifier, its
    inode number is an alternative that does not leak potentially sensitive
    information.
    
    CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @gregkh

    irda: prevent integer underflow in IRLMP_ENUMDEVICES

    Dan Rosenberg authored gregkh committed
    commit fdac1e0 upstream.
    
    If the user-provided len is less than the expected offset, the
    IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
    size value.  While this isn't a security issue on x86 because it will
    get caught by the access_ok() check, it may leak large amounts of kernel
    heap on other architectures.  In any event, this patch fixes it.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @davem330 @gregkh

    econet: Fix crash in aun_incoming().

    davem330 authored gregkh committed
    commit 4e085e7 upstream.
    
    Unconditional use of skb->dev won't work here,
    try to fetch the econet device via skb_dst()->dev
    instead.
    
    Suggested by Eric Dumazet.
    
    Reported-by: Nelson Elhage <nelhage@ksplice.com>
    Tested-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    [jmm: Slightly adapted for 2.6.32]
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @nelhage @gregkh

    inet_diag: Make sure we actually run the same bytecode we audited.

    nelhage authored gregkh committed
    commit 22e76c8 upstream.
    
    We were using nlmsg_find_attr() to look up the bytecode by attribute when
    auditing, but then just using the first attribute when actually running
    bytecode. So, if we received a message with two attribute elements, where only
    the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
    bytecode strings.
    
    Fix this by consistently using nlmsg_find_attr everywhere.
    
    Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: Thomas Graf <tgraf@infradead.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
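The validate-one-attribute, run-another mismatch described above, as an added example that is not the kernel's inet_diag code: a toy attribute walker with a find-by-type lookup (in the role of nlmsg_find_attr()) beside the first-attribute shortcut the old run path used, and a constructed two-attribute message that makes them disagree. The attribute format, type numbers and payload strings are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal netlink-style attribute: a 4-byte header (total length including
 * the header, then type), payload, padded to a 4-byte boundary. Constructed
 * for this example; not the kernel's struct nlattr helpers. */
struct attr_hdr { uint16_t len; uint16_t type; };
#define ATTR_ALIGN(n) (((n) + 3u) & ~3u)
enum { ATTR_OTHER = 1, ATTR_REQ_BYTECODE = 2 };

static size_t put_attr(uint8_t *dst, uint16_t type, const char *payload, uint16_t plen)
{
    struct attr_hdr h = { (uint16_t)(sizeof(h) + plen), type };
    size_t total = ATTR_ALIGN(h.len);
    memcpy(dst, &h, sizeof(h));
    memcpy(dst + sizeof(h), payload, plen);
    memset(dst + h.len, 0, total - h.len);
    return total;
}

/* What nlmsg_find_attr() does: walk the attributes and return the first one
 * of the requested type, validating each length on the way. */
static const struct attr_hdr *find_attr(const uint8_t *buf, size_t buflen, uint16_t type)
{
    size_t off = 0;
    while (off + sizeof(struct attr_hdr) <= buflen) {
        const struct attr_hdr *a = (const struct attr_hdr *)(buf + off);
        if (a->len < sizeof(*a) || off + a->len > buflen)
            return NULL;                 /* malformed: stop rather than overread */
        if (a->type == type)
            return a;
        off += ATTR_ALIGN(a->len);
    }
    return NULL;
}

/* What the old run path did: take whatever attribute comes first. */
static const struct attr_hdr *first_attr(const uint8_t *buf, size_t buflen)
{
    return buflen >= sizeof(struct attr_hdr) ? (const struct attr_hdr *)buf : NULL;
}

static const char *payload_of(const struct attr_hdr *a) { return (const char *)(a + 1); }

/* Constructed request: an unrelated attribute first, the real bytecode
 * second. Payloads are NUL-terminated strings so they compare easily. */
static size_t build_msg(uint8_t *buf)
{
    size_t off = 0;
    off += put_attr(buf + off, ATTR_OTHER,        "not-audited", 12);
    off += put_attr(buf + off, ATTR_REQ_BYTECODE, "audited",      8);
    return off;
}

/* Old behaviour: audit the attribute found by type, then run the first one.
 * Returns 1 when the bytecode that runs is not the bytecode that was checked. */
int old_paths_run_unaudited_bytecode(void)
{
    _Alignas(4) uint8_t msg[64];
    size_t len = build_msg(msg);
    const struct attr_hdr *audited = find_attr(msg, len, ATTR_REQ_BYTECODE);
    const struct attr_hdr *run     = first_attr(msg, len);
    return audited && run && strcmp(payload_of(audited), payload_of(run)) != 0;
}

/* Fixed behaviour: both the audit and the run look the attribute up by type,
 * so they necessarily see the same bytes. */
int fixed_paths_see_same_bytecode(void)
{
    _Alignas(4) uint8_t msg[64];
    size_t len = build_msg(msg);
    const struct attr_hdr *audited = find_attr(msg, len, ATTR_REQ_BYTECODE);
    const struct attr_hdr *run     = find_attr(msg, len, ATTR_REQ_BYTECODE);
    return audited && run == audited && strcmp(payload_of(run), "audited") == 0;
}
```

The general lesson is the one the commit title states: whatever lookup selected the bytes that were validated must be the same lookup that selects the bytes that execute, otherwise a message with a decoy attribute in front passes the audit and runs something else.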
  10. @segoon @gregkh

    net: tipc: fix information leak to userland

    segoon authored gregkh committed
    commit 88f8a5e upstream.
    
    Structure sockaddr_tipc is copied to userland with padding bytes after
    "id" field in union field "name" uninitialized.  It leads to leaking of
    contents of kernel stack memory.  We have to initialize them to zero.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @gregkh

    nfsd: fix auth_domain reference leak on nlm operations

    J. Bruce Fields authored gregkh committed
    commit 954032d upstream.
    
    This was noticed by users who performed more than 2^32 lock operations
    and hence made this counter overflow (eventually leading to
    use-after-free's).  Setting rq_client to NULL here means that it won't
    later get auth_domain_put() when it should be.
    
    Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
    domain lookup into svcauth" which moved most of the rq_client handling
    to common svcauth code, but left behind this one line.
    
    Cc: Neil Brown <neilb@suse.de>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @YANGYongqiang @gregkh

    ext4: fix credits computing for indirect mapped files

    YANGYongqiang authored gregkh committed
    commit 5b41395 upstream.
    
    When writing a contiguous set of blocks, two indirect blocks could be
    needed depending on how the blocks are aligned, so we need to increase
    the number of credits needed by one.
    
    [ Also fixed another bug which could further underestimate the
      number of journal credits needed by 1; the code was using integer
      division instead of DIV_ROUND_UP() -- tytso]
    
    Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
    Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @segoon @gregkh

    net: packet: fix information leak to userland

    segoon authored gregkh committed
    commit 6728664 upstream.
    
    packet_getname_spkt() doesn't initialize all members of sa_data field of
    sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
    to userland.  It leads to leaking of contents of kernel stack memory.
    We have to fully fill sa_data with strncpy() instead of strlcpy().
    
    The same with packet_getname(): it doesn't initialize sll_pkttype field of
    sockaddr_ll.  Set it to zero.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Moritz Muehlenhoff <jmm@debian.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  14. @segoon @gregkh

    net: ax25: fix information leak to userland

    segoon authored gregkh committed
    commit fe10ae5 upstream.
    
    Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
    field of fsa struct, also the struct has padding bytes between
    sax25_call and sax25_ndigis fields.  This structure is then copied to
    userland.  It leads to leaking of contents of kernel stack memory.
    
    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @pprindeville @gregkh

    atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump

    pprindeville authored gregkh committed
    commit 18b429e upstream.
    
    Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
    we can pull this up because the frame has already been sent, and
    dumping it is the last thing we do with it before freeing it.
    
    Also include the size, vpi, and vci in the debug as is done on
    receive.
    
    Use "port" consistently instead of "device" intermittently.
    
    Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @plougher @gregkh

    Squashfs: handle corruption of directory structure

    plougher authored gregkh committed
    commit 44cff8a upstream.
    
    Handle the rare case where a directory metadata block is uncompressed and
    corrupted, leading to a kernel oops in directory scanning (memcpy).
    Normally corruption is detected at the decompression stage and dealt with
    then, however, this will not happen if:
    
    - metadata isn't compressed (users can optionally request no metadata
      compression), or
    - the compressed metadata block was larger than the original, in which
      case the uncompressed version was used, or
    - the data was corrupt after decompression
    
    This patch fixes this by adding some sanity checks against known maximum
    values.
    
    Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  17. @gregkh

    Revert "x86: Cleanup highmap after brk is concluded"

    gregkh authored
    This reverts upstream commit e5f15b4
    
    It caused problems in the stable tree and should not have been there.
    
    Cc: Yinghai Lu <yinghai@kernel.org>
    Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
    Cc: H. Peter Anvin <hpa@zytor.com>
    Cc: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @bkamalesh @gregkh

    powerpc: Fix default_machine_crash_shutdown #ifdef botch

    bkamalesh authored gregkh committed
    powerpc: Fix default_machine_crash_shutdown #ifdef botch
    
    Commit: c2be054 upstream
    
    crash_kexec_wait_realmode() is defined only if CONFIG_PPC_STD_MMU_64
    and CONFIG_SMP, but is called if CONFIG_PPC_STD_MMU_64 even if !CONFIG_SMP.
    Fix the conditional compilation around the invocation.
    
    Reported-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Acked-by: Michael Neuling <mikey@neuling.org>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
    cc: Anton Blanchard <anton@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  19. @bkamalesh @gregkh

    powerpc/kexec: Add ifdef CONFIG_PPC_STD_MMU_64 to PPC64 code

    bkamalesh authored gregkh committed
    powerpc/kexec: Add ifdef CONFIG_PPC_STD_MMU_64 to PPC64 code
    
    This patch introduces PPC64 specific #ifdef bits from the upstream
    commit: b3df895.
    
    Reported-and-tested-by: dann frazier <dannf@dannf.org>
    Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
    Signed-off-by: Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>
    cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    cc: Anton Blanchard <anton@samba.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @gregkh

    gro: reset skb_iif on reuse

    Andy Gospodarek authored gregkh committed
    commit 6d152e2 upstream.
    
    Like Herbert's change from a few days ago:
    
    66c46d7 gro: Reset dev pointer on reuse
    
    this may not be necessary at this point, but we should still clean up
    the skb->skb_iif.  If not we may end up with an invalid value for
    skb->skb_iif when the skb is reused and the check is done in
    __netif_receive_skb.
    
    Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brandon Philips <bphilips@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @herbertx @gregkh

    gro: Reset dev pointer on reuse

    herbertx authored gregkh committed
    commit 66c46d7 upstream.
    
    On older kernels the VLAN code may zero skb->dev before dropping
    it and causing it to be reused by GRO.
    
    Unfortunately we didn't reset skb->dev in that case which causes
    the next GRO user to get a bogus skb->dev pointer.
    
    This particular problem no longer happens with the current upstream
    kernel due to changes in VLAN processing.
    
    However, for correctness we should still reset the skb->dev pointer
    in the GRO reuse function in case a future user does the same thing.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Brandon Philips <bphilips@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @jwessel @gregkh

    repair gdbstub to match the gdbserial protocol specification

    jwessel authored gregkh committed
    commit fb82c0f upstream.
    
    The gdbserial protocol handler should return an empty packet instead
    of an error string when ever it responds to a command it does not
    implement.
    
    The problem cases come from a debugger client sending
    qTBuffer, qTStatus, qSearch, qSupported.
    
    The incorrect response from the gdbstub leads the debugger clients to
    not function correctly.  Recent versions of gdb will not detach
    correctly as a result of this behavior.
    
    Backport-request-by: Frank Pan <frankpzh@gmail.com>
    Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
    Signed-off-by: Dongdong Deng <dongdong.deng@windriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @segoon @gregkh

    sound: oss: midi_synth: check get_user() return value

    segoon authored gregkh committed
    commit b3390ce upstream.
    
    get_user() may fail, if so return -EFAULT.
    
    Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @gregkh

    sound/oss: remove offset from load_patch callbacks

    Dan Rosenberg authored gregkh committed
    commit b769f49 upstream.
    
    Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
    uninitialized value, and signedness issue
    
    The offset passed to midi_synth_load_patch() can be essentially
    arbitrary.  If it's greater than the header length, this will result in
    a copy_from_user(dst, src, negative_val).  While this will just return
    -EFAULT on x86, on other architectures this may cause memory corruption.
    Additionally, the length field of the sysex_info structure may not be
    initialized prior to its use.  Finally, a signed comparison may result
    in an unintentionally large loop.
    
    On suggestion by Takashi Iwai, version two removes the offset argument
    from the load_patch callbacks entirely, which also resolves similar
    issues in opl3.  Compile tested only.
    
    v3 adjusts comments and hopefully gets copy offsets right.
    
    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
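The unsigned-underflow guard that the IRLMP_ENUMDEVICES fix (entry 7) and this load_patch change both need, as an added example that is neither irda nor OSS code: a constructed device-list reply with a fixed header, the unchecked size arithmetic that wraps when the user length is below the header size, a copy routine that rejects such lengths and clamps to whole records, and the same offset-versus-header-length check in the load_patch shape. Layouts, names and the device data are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed reply layout in the spirit of IRLMP_ENUMDEVICES: a fixed
 * header (the "expected offset") followed by an array of device records.
 * Names and sizes are assumptions, not the irda definitions. */
struct reply_hdr  { uint32_t count; uint32_t reserved; };
struct dev_record { uint32_t saddr, daddr; char name[16]; };

/* Pre-fix size arithmetic: the number of payload bytes is the user-supplied
 * length minus the header size, computed without checking the order. For
 * len < sizeof(header) it wraps, and that is the size the old code handed to
 * copy_to_user(). Returns what the old arithmetic produced. */
size_t payload_len_unchecked(unsigned int user_len)
{
    return (size_t)user_len - sizeof(struct reply_hdr);
}

/* Post-fix: refuse a length that cannot even hold the header, then copy at
 * most as many whole records as the remaining room allows. 'user_buf' is
 * the caller-supplied buffer of user_len bytes (copy_to_user() stand-in).
 * Returns bytes written or a negative errno. */
long enumdevices_copy(const struct dev_record *devs, unsigned int ndevs,
                      void *user_buf, unsigned int user_len)
{
    if (user_len < sizeof(struct reply_hdr))
        return -EINVAL;                         /* the underflow guard */

    size_t room = user_len - sizeof(struct reply_hdr);
    unsigned int n = (unsigned int)(room / sizeof(struct dev_record));
    if (n > ndevs)
        n = ndevs;

    struct reply_hdr h = { n, 0 };
    unsigned char *out = user_buf;
    memcpy(out, &h, sizeof(h));
    memcpy(out + sizeof(h), devs, (size_t)n * sizeof(*devs));
    return (long)(sizeof(h) + (size_t)n * sizeof(*devs));
}

/* The load_patch offset has the same shape: an offset that must not exceed
 * the header length before it is used to size a copy_from_user(). Returns
 * the remaining length or -EINVAL. */
long patch_copy_len_checked(size_t header_len, size_t offset)
{
    if (offset > header_len)
        return -EINVAL;
    return (long)(header_len - offset);
}

/* Driver for the checks: three constructed devices and a buffer that holds
 * the header plus two records. Returns the record count written, or the
 * negative errno. */
long demo_two_of_three(void)
{
    struct dev_record devs[3] = {
        { 0x10, 0x20, "laptop" }, { 0x11, 0x21, "printer" }, { 0x12, 0x22, "phone" },
    };
    unsigned char buf[sizeof(struct reply_hdr) + 2 * sizeof(struct dev_record)];
    long written = enumdevices_copy(devs, 3, buf, sizeof(buf));
    if (written < 0)
        return written;
    struct reply_hdr h;
    memcpy(&h, buf, sizeof(h));
    return h.count;
}
```

Both commit messages note that x86 happened to be saved by access_ok() rejecting the huge size; the guard belongs before the subtraction regardless, because an architecture whose user-copy path does not reject the wrapped size would read or write far outside the intended buffer.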
  25. @gregkh

    netfilter: h323: bug in parsing of ASN1 SEQOF field

    David Sterba authored gregkh committed
    commit b4232a2 upstream.
    
    Static analyzer of clang found a dead store which appears to be a bug in
    reading count of items in SEQOF field, only the lower byte of word is
    stored. This may lead to corrupted read and communication shutdown.
    
    The bug has been in the module since its first inclusion into linux
    kernel.
    
    [Patrick: the bug is real, but without practical consequence since the
     largest amount of sequence-of members we parse is 30.]
    
    Signed-off-by: David Sterba <dsterba@suse.cz>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  26. @gregkh

    econet: 4 byte infoleak to the network

    Vasiliy Kulikov authored gregkh committed
    commit 67c5c6c upstream.
    
    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64.  These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network.  This leads to 4 bytes kernel stack
    infoleak.
    
    This bug was introduced before the git epoch.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
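The padding and tail leak pattern behind this entry and the tipc (10), packet (13) and ax25 (14) fixes above, as an added example that is not taken from any of those commits: a struct shaped like aunhdr with poisoned memory standing in for stale stack contents, the field-by-field fill that leaves the padding untouched, the memset() that clears it, and the sa_data strlcpy()-versus-strncpy() difference from the packet fix. POISON, the layouts and the device name are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct aunhdr (econet): four one-byte fields and
 * then an unsigned long. On LP64 the long needs 8-byte alignment, so the
 * compiler inserts 4 padding bytes between 'pad' and 'handle'. */
struct aunhdr_like {
    unsigned char code, port, cb, pad;
    unsigned long handle;
};

/* Overlay so the padding can be inspected after the fields are assigned. */
union hdr_view {
    struct aunhdr_like h;
    unsigned char raw[sizeof(struct aunhdr_like)];
};

#define POISON 0xAA   /* stands in for whatever the stack held before */

static size_t count_poison(const unsigned char *p, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += (p[i] == POISON);
    return c;
}

/* Field-by-field initialisation as the pre-fix econet code did it: every
 * named field is written, but nothing touches the padding. */
__attribute__((noinline))
static void fill_fields(struct aunhdr_like *h)
{
    h->code = 1; h->port = 2; h->cb = 3; h->pad = 0; h->handle = 42;
}

/* Without a memset() the padding keeps its old contents and goes out on the
 * wire. Returns the number of leaked bytes. */
size_t padding_leaked_without_memset(void)
{
    union hdr_view v;
    memset(v.raw, POISON, sizeof(v.raw));
    fill_fields(&v.h);
    return count_poison(v.raw, sizeof(v.raw));
}

/* The fix: zero the whole object before filling it. A memset() of the
 * sockaddr before copy_to_user() is likewise what the tipc and ax25 fixes add. */
size_t padding_leaked_with_memset(void)
{
    union hdr_view v;
    memset(v.raw, POISON, sizeof(v.raw));
    memset(&v.h, 0, sizeof(v.h));
    fill_fields(&v.h);
    return count_poison(v.raw, sizeof(v.raw));
}

/* The packet_getname_spkt() case: struct sockaddr has 14 bytes of sa_data and
 * the device name is copied into it. A strlcpy()-style copy (snprintf here)
 * stops after the NUL and leaves the tail untouched; strncpy() zero-fills it. */
#define SA_DATA_LEN 14

size_t sa_data_leaked_strlcpy_style(const char *devname)
{
    unsigned char sa_data[SA_DATA_LEN];
    memset(sa_data, POISON, sizeof(sa_data));
    snprintf((char *)sa_data, sizeof(sa_data), "%s", devname);
    return count_poison(sa_data, sizeof(sa_data));
}

size_t sa_data_leaked_strncpy(const char *devname)
{
    unsigned char sa_data[SA_DATA_LEN];
    memset(sa_data, POISON, sizeof(sa_data));
    strncpy((char *)sa_data, devname, sizeof(sa_data));   /* pads with NULs */
    return count_poison(sa_data, sizeof(sa_data));
}
```

The number of leaked padding bytes depends on the ABI (4 on LP64, none where unsigned long is 4 bytes), which is why these bugs tend to be reported on x86_64 and why zeroing the whole object is the portable fix rather than reasoning about the layout.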
  27. @gregkh

    drivers/misc/ep93xx_pwm.c: world-writable sysfs files

    Vasiliy Kulikov authored gregkh committed
    commit deb187e upstream.
    
    Don't allow everybody to change device settings.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
    Cc: Matthieu Crapet <mcrapet@gmail.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  28. @gregkh

    drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

    Vasiliy Kulikov authored gregkh committed
    commit 49d50fb upstream.
    
    Don't allow everybody to write to NVRAM.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Cc: Andy Sharp <andy.sharp@onstor.com>
    Cc: Alessandro Zummo <a.zummo@towertech.it>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  29. @gregkh

    mfd: ab3100: world-writable debugfs *_priv files

    Vasiliy Kulikov authored gregkh committed
    commit f8a0697 upstream.
    
    Don't allow everybody to change device hardware registers.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Linus Walleij <linus.walleij@stericsson.com>
    Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  30. @gregkh

    ipv6: netfilter: ip6_tables: fix infoleak to userspace

    Vasiliy Kulikov authored gregkh committed
    commit 6a8ab06 upstream.
    
    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second was
    introduced in 3bc3fe5 (v2.6.25-rc1);  the third is introduced by
    6b7d31f (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  31. @gregkh

    netfilter: ipt_CLUSTERIP: fix buffer overflow

    Vasiliy Kulikov authored gregkh committed
    commit 961ed18 upstream.
    
    'buffer' string is copied from userspace.  It is not checked whether it is
    zero terminated.  This may lead to overflow inside of simple_strtoul().
    Changli Gao suggested to copy not more than user supplied 'size' bytes.
    
    It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
    root writable only by default, however, on some setups permissions might be
    relaxed to e.g. network admin user.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Changli Gao <xiaosuo@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  32. @gregkh

    netfilter: arp_tables: fix infoleak to userspace

    Vasiliy Kulikov authored gregkh committed
    commit 42eab94 upstream.
    
    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first bug was introduced before the git epoch;  the second is
    introduced by 6b7d31f (v2.6.15-rc1);  the third is introduced by
    6b7d31f (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  33. @gregkh

    netfilter: ip_tables: fix infoleak to userspace

    Vasiliy Kulikov authored gregkh committed
    commit 78b7987 upstream.
    
    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.
    
    The first and the third bugs were introduced before the git epoch; the
    second was introduced in 2722971 (v2.6.17-rc1).  To trigger the bug
    one should have CAP_NET_ADMIN.
    
    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
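The missing-terminator checks behind this entry and entries 30, 31 and 32, as an added example rather than the netfilter code: a fixed-size table name copied from user space and validated for a NUL before it may reach a "%s" format, plus a CLUSTERIP-style proc write that bounds the copy to the user's size and terminates it before strtoul(). The struct shape, TABLE_MAXNAMELEN and the "+N"/"-N" syntax are assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_MAXNAMELEN 32   /* assumed name size, in the role of XT_TABLE_MAXNAMELEN */
#define PROC_WRITELEN    10   /* assumed CLUSTERIP proc write limit */

/* Constructed stand-in for xt_get_revision / ipt_replace: a fixed-size name
 * array copied verbatim from user space, so nothing guarantees a NUL. */
struct user_request {
    char name[TABLE_MAXNAMELEN];
    unsigned char revision;
};

/* A name with no NUL inside its array must not reach
 * request_module("ipt_%s", name): "%s" would keep reading the neighbouring
 * bytes (here 'revision' and whatever follows it on the stack) into the
 * modprobe command line. memchr() is used instead of strlen() so the check
 * itself cannot overread. Returns 0 when the name is safe to format. */
int validate_table_name(const struct user_request *req)
{
    if (memchr(req->name, '\0', sizeof(req->name)) == NULL)
        return -EINVAL;
    return 0;
}

/* Build a request from exactly n user-supplied bytes (at most the array
 * size) and validate it; the rest of the array is left zero, as a well-formed
 * user struct would have it. Returns 0 or -EINVAL. */
int validate_name_bytes(const char *bytes, size_t n)
{
    struct user_request req;
    memset(&req, 0, sizeof(req));
    if (n > sizeof(req.name))
        n = sizeof(req.name);
    memcpy(req.name, bytes, n);
    return validate_table_name(&req);
}

/* The ipt_CLUSTERIP proc write in the shape of the fix: bound the copy to
 * the user's size, terminate, then parse "+N" / "-N". 'op' receives '+' or
 * '-' and 'node' the parsed number. Returns 0, or -EIO on bad size or syntax. */
int clusterip_proc_write(const char *input, size_t size, char *op, unsigned long *node)
{
    char buffer[PROC_WRITELEN + 1];
    char *end;

    if (size > PROC_WRITELEN)
        return -EIO;                 /* too long for the buffer */
    memcpy(buffer, input, size);     /* copy_from_user() stand-in */
    buffer[size] = '\0';             /* the fix: never parse unterminated data */

    if (buffer[0] != '+' && buffer[0] != '-')
        return -EIO;
    *op   = buffer[0];
    *node = strtoul(buffer + 1, &end, 10);
    if (end == buffer + 1)
        return -EIO;                 /* no digits after the sign */
    return 0;
}

/* Returns the parsed node for a "+N"/"-N" input of 'size' bytes, or -1 on
 * error, so the behaviour is easy to check. */
long clusterip_parse_node(const char *input, size_t size)
{
    char op;
    unsigned long node;
    if (clusterip_proc_write(input, size, &op, &node) != 0)
        return -1;
    return (long)node;
}
```

Rejecting an unterminated name and force-terminating it are both valid fixes; what matters is that the decision is made on the bounded array before any routine that walks to a NUL (a "%s" format, simple_strtoul(), strlen()) sees the data. As the commit messages note, CAP_NET_ADMIN is required to reach these paths, which limits the exposure but does not remove it on setups where the proc files have been opened up.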
  34. @gregkh

    char/tpm: Fix uninitialized usage of data buffer

    Peter Huewe authored gregkh committed
    commit 1309d7a upstream.
    
    This patch fixes information leakage to the userspace by initializing
    the data buffer to zero.
    
    Reported-by: Peter Huewe <huewe.external@infineon.com>
    Signed-off-by: Peter Huewe <huewe.external@infineon.com>
    Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com>
    [ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
      deeper problems than a simple multiplication can fix.   - Linus ]
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  35. @goldwynr @gregkh

    Treat writes as new when holes span across page boundaries

    goldwynr authored gregkh committed
    commit 272b62c upstream.
    
    When a hole spans across page boundaries, the next write forces
    a read of the block. This could end up reading existing garbage
    data from the disk in ocfs2_map_page_blocks. This leads to
    non-zero holes. In order to avoid this, mark the writes as new
    when the holes span across page boundaries.
    
    Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.de>
    Signed-off-by: jlbec <jlbec@evilplan.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>