		
	Linux v3.9-rc2-292-ga2362d2
- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
		
							parent
							
								
									930f974036
								
							
						
					
					
						commit
						73964d96a7
					
				
							
								
								
									
										248
									
								
								alps-v2.patch
									
									
									
									
									
								
							
							
						
						
									
										248
									
								
								alps-v2.patch
									
									
									
									
									
								
							| @ -1,248 +0,0 @@ | ||||
| From db7192fa07fa5c70c9849d8f658a7ff696cff99d Mon Sep 17 00:00:00 2001 | ||||
| From: Kevin Cernekee <cernekee@gmail.com> | ||||
| Date: Sat, 16 Feb 2013 22:40:03 -0800 | ||||
| Subject: [PATCH 14/15] Input: ALPS - Remove unused argument to | ||||
|  alps_enter_command_mode() | ||||
| 
 | ||||
| Now that alps_identify() explicitly issues an EC report using | ||||
| alps_rpt_cmd(), we no longer need to look at the magic numbers returned | ||||
| by alps_enter_command_mode(). | ||||
| 
 | ||||
| Signed-off-by: Kevin Cernekee <cernekee@gmail.com> | ||||
| ---
 | ||||
|  drivers/input/mouse/alps.c | 18 +++++++----------- | ||||
|  1 file changed, 7 insertions(+), 11 deletions(-) | ||||
| 
 | ||||
| diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
 | ||||
| index 7b99fc7..9c97531 100644
 | ||||
| --- a/drivers/input/mouse/alps.c
 | ||||
| +++ b/drivers/input/mouse/alps.c
 | ||||
| @@ -994,8 +994,7 @@ static int alps_rpt_cmd(struct psmouse *psmouse, int init_command,
 | ||||
|  	return 0; | ||||
|  } | ||||
|   | ||||
| -static int alps_enter_command_mode(struct psmouse *psmouse,
 | ||||
| -				   unsigned char *resp)
 | ||||
| +static int alps_enter_command_mode(struct psmouse *psmouse)
 | ||||
|  { | ||||
|  	unsigned char param[4]; | ||||
|   | ||||
| @@ -1009,9 +1008,6 @@ static int alps_enter_command_mode(struct psmouse *psmouse,
 | ||||
|  			    "unknown response while entering command mode\n"); | ||||
|  		return -1; | ||||
|  	} | ||||
| -
 | ||||
| -	if (resp)
 | ||||
| -		*resp = param[2];
 | ||||
|  	return 0; | ||||
|  } | ||||
|   | ||||
| @@ -1176,7 +1172,7 @@ static int alps_passthrough_mode_v3(struct psmouse *psmouse,
 | ||||
|  { | ||||
|  	int reg_val, ret = -1; | ||||
|   | ||||
| -	if (alps_enter_command_mode(psmouse, NULL))
 | ||||
| +	if (alps_enter_command_mode(psmouse))
 | ||||
|  		return -1; | ||||
|   | ||||
|  	reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x0008); | ||||
| @@ -1216,7 +1212,7 @@ static int alps_probe_trackstick_v3(struct psmouse *psmouse, int reg_base)
 | ||||
|  { | ||||
|  	int ret = -EIO, reg_val; | ||||
|   | ||||
| -	if (alps_enter_command_mode(psmouse, NULL))
 | ||||
| +	if (alps_enter_command_mode(psmouse))
 | ||||
|  		goto error; | ||||
|   | ||||
|  	reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x08); | ||||
| @@ -1279,7 +1275,7 @@ static int alps_setup_trackstick_v3(struct psmouse *psmouse, int reg_base)
 | ||||
|  		 * supported by this driver. If bit 1 isn't set the packet | ||||
|  		 * format is different. | ||||
|  		 */ | ||||
| -		if (alps_enter_command_mode(psmouse, NULL) ||
 | ||||
| +		if (alps_enter_command_mode(psmouse) ||
 | ||||
|  		    alps_command_mode_write_reg(psmouse, | ||||
|  						reg_base + 0x08, 0x82) || | ||||
|  		    alps_exit_command_mode(psmouse)) | ||||
| @@ -1306,7 +1302,7 @@ static int alps_hw_init_v3(struct psmouse *psmouse)
 | ||||
|  	    alps_setup_trackstick_v3(psmouse, ALPS_REG_BASE_PINNACLE) == -EIO) | ||||
|  		goto error; | ||||
|   | ||||
| -	if (alps_enter_command_mode(psmouse, NULL) ||
 | ||||
| +	if (alps_enter_command_mode(psmouse) ||
 | ||||
|  	    alps_absolute_mode_v3(psmouse)) { | ||||
|  		psmouse_err(psmouse, "Failed to enter absolute mode\n"); | ||||
|  		goto error; | ||||
| @@ -1381,7 +1377,7 @@ static int alps_hw_init_rushmore_v3(struct psmouse *psmouse)
 | ||||
|  			priv->flags &= ~ALPS_DUALPOINT; | ||||
|  	} | ||||
|   | ||||
| -	if (alps_enter_command_mode(psmouse, NULL) ||
 | ||||
| +	if (alps_enter_command_mode(psmouse) ||
 | ||||
|  	    alps_command_mode_read_reg(psmouse, 0xc2d9) == -1 || | ||||
|  	    alps_command_mode_write_reg(psmouse, 0xc2cb, 0x00)) | ||||
|  		goto error; | ||||
| @@ -1431,7 +1427,7 @@ static int alps_hw_init_v4(struct psmouse *psmouse)
 | ||||
|  	struct ps2dev *ps2dev = &psmouse->ps2dev; | ||||
|  	unsigned char param[4]; | ||||
|   | ||||
| -	if (alps_enter_command_mode(psmouse, NULL))
 | ||||
| +	if (alps_enter_command_mode(psmouse))
 | ||||
|  		goto error; | ||||
|   | ||||
|  	if (alps_absolute_mode_v4(psmouse)) { | ||||
| -- 
 | ||||
| 1.8.1.2 | ||||
| 
 | ||||
| 
 | ||||
| From 10740a25bb3b895b5de7773f926a978416b38409 Mon Sep 17 00:00:00 2001 | ||||
| From: Dave Turvene <dturvene@dahetral.com> | ||||
| Date: Sat, 16 Feb 2013 22:40:04 -0800 | ||||
| Subject: [PATCH 15/15] Input: ALPS - Add "Dolphin V1" touchpad support | ||||
| 
 | ||||
| These touchpads use a different protocol; they have been seen on Dell | ||||
| N5110, Dell 17R SE, and others. | ||||
| 
 | ||||
| The official ALPS driver identifies them by looking for an exact match | ||||
| on the E7 report: 73 03 50.  Dolphin V1 returns an EC report of | ||||
| 73 01 xx (02 and 0d have been seen); Dolphin V2 returns an EC report of | ||||
| 73 02 xx (02 has been seen). | ||||
| 
 | ||||
| Dolphin V2 probably needs a different initialization sequence and/or | ||||
| report parser, so it is left for a future commit. | ||||
| 
 | ||||
| Signed-off-by: Dave Turvene <dturvene@dahetral.com> | ||||
| Signed-off-by: Kevin Cernekee <cernekee@gmail.com> | ||||
| ---
 | ||||
|  drivers/input/mouse/alps.c | 67 ++++++++++++++++++++++++++++++++++++++++++++-- | ||||
|  drivers/input/mouse/alps.h |  1 + | ||||
|  2 files changed, 66 insertions(+), 2 deletions(-) | ||||
| 
 | ||||
| diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
 | ||||
| index 9c97531..0238e0e 100644
 | ||||
| --- a/drivers/input/mouse/alps.c
 | ||||
| +++ b/drivers/input/mouse/alps.c
 | ||||
| @@ -490,6 +490,29 @@ static void alps_decode_rushmore(struct alps_fields *f, unsigned char *p)
 | ||||
|  	f->y_map |= (p[5] & 0x20) << 6; | ||||
|  } | ||||
|   | ||||
| +static void alps_decode_dolphin(struct alps_fields *f, unsigned char *p)
 | ||||
| +{
 | ||||
| +	f->first_mp = !!(p[0] & 0x02);
 | ||||
| +	f->is_mp = !!(p[0] & 0x20);
 | ||||
| +
 | ||||
| +	f->fingers = ((p[0] & 0x6) >> 1 |
 | ||||
| +		     (p[0] & 0x10) >> 2);
 | ||||
| +	f->x_map = ((p[2] & 0x60) >> 5) |
 | ||||
| +		   ((p[4] & 0x7f) << 2) |
 | ||||
| +		   ((p[5] & 0x7f) << 9) |
 | ||||
| +		   ((p[3] & 0x07) << 16) |
 | ||||
| +		   ((p[3] & 0x70) << 15) |
 | ||||
| +		   ((p[0] & 0x01) << 22);
 | ||||
| +	f->y_map = (p[1] & 0x7f) |
 | ||||
| +		   ((p[2] & 0x1f) << 7);
 | ||||
| +
 | ||||
| +	f->x = ((p[1] & 0x7f) | ((p[4] & 0x0f) << 7));
 | ||||
| +	f->y = ((p[2] & 0x7f) | ((p[4] & 0xf0) << 3));
 | ||||
| +	f->z = (p[0] & 4) ? 0 : p[5] & 0x7f;
 | ||||
| +
 | ||||
| +	alps_decode_buttons_v3(f, p);
 | ||||
| +}
 | ||||
| +
 | ||||
|  static void alps_process_touchpad_packet_v3(struct psmouse *psmouse) | ||||
|  { | ||||
|  	struct alps_data *priv = psmouse->private; | ||||
| @@ -874,7 +897,8 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
 | ||||
|  	} | ||||
|   | ||||
|  	/* Bytes 2 - pktsize should have 0 in the highest bit */ | ||||
| -	if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
 | ||||
| +	if (priv->proto_version != ALPS_PROTO_V5 &&
 | ||||
| +	    psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
 | ||||
|  	    (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) { | ||||
|  		psmouse_dbg(psmouse, "refusing packet[%i] = %x\n", | ||||
|  			    psmouse->pktcnt - 1, | ||||
| @@ -1003,7 +1027,8 @@ static int alps_enter_command_mode(struct psmouse *psmouse)
 | ||||
|  		return -1; | ||||
|  	} | ||||
|   | ||||
| -	if (param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) {
 | ||||
| +	if ((param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) &&
 | ||||
| +	    param[0] != 0x73) {
 | ||||
|  		psmouse_dbg(psmouse, | ||||
|  			    "unknown response while entering command mode\n"); | ||||
|  		return -1; | ||||
| @@ -1495,6 +1520,23 @@ error:
 | ||||
|  	return -1; | ||||
|  } | ||||
|   | ||||
| +static int alps_hw_init_dolphin_v1(struct psmouse *psmouse)
 | ||||
| +{
 | ||||
| +	struct ps2dev *ps2dev = &psmouse->ps2dev;
 | ||||
| +	unsigned char param[2];
 | ||||
| +
 | ||||
| +	/* This is dolphin "v1" as empirically defined by florin9doi */
 | ||||
| +	param[0] = 0x64;
 | ||||
| +	param[1] = 0x28;
 | ||||
| +
 | ||||
| +	if (ps2_command(ps2dev, NULL, PSMOUSE_CMD_SETSTREAM) ||
 | ||||
| +	    ps2_command(ps2dev, ¶m[0], PSMOUSE_CMD_SETRATE) ||
 | ||||
| +	    ps2_command(ps2dev, ¶m[1], PSMOUSE_CMD_SETRATE))
 | ||||
| +		return -1;
 | ||||
| +
 | ||||
| +	return 0;
 | ||||
| +}
 | ||||
| +
 | ||||
|  static void alps_set_defaults(struct alps_data *priv) | ||||
|  { | ||||
|  	priv->byte0 = 0x8f; | ||||
| @@ -1528,6 +1570,21 @@ static void alps_set_defaults(struct alps_data *priv)
 | ||||
|  		priv->nibble_commands = alps_v4_nibble_commands; | ||||
|  		priv->addr_command = PSMOUSE_CMD_DISABLE; | ||||
|  		break; | ||||
| +	case ALPS_PROTO_V5:
 | ||||
| +		priv->hw_init = alps_hw_init_dolphin_v1;
 | ||||
| +		priv->process_packet = alps_process_packet_v3;
 | ||||
| +		priv->decode_fields = alps_decode_dolphin;
 | ||||
| +		priv->set_abs_params = alps_set_abs_params_mt;
 | ||||
| +		priv->nibble_commands = alps_v3_nibble_commands;
 | ||||
| +		priv->addr_command = PSMOUSE_CMD_RESET_WRAP;
 | ||||
| +		priv->byte0 = 0xc8;
 | ||||
| +		priv->mask0 = 0xc8;
 | ||||
| +		priv->flags = 0;
 | ||||
| +		priv->x_max = 1360;
 | ||||
| +		priv->y_max = 660;
 | ||||
| +		priv->x_bits = 23;
 | ||||
| +		priv->y_bits = 12;
 | ||||
| +		break;
 | ||||
|  	} | ||||
|  } | ||||
|   | ||||
| @@ -1588,6 +1645,12 @@ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
 | ||||
|   | ||||
|  	if (alps_match_table(psmouse, priv, e7, ec) == 0) { | ||||
|  		return 0; | ||||
| +	} else if (e7[0] == 0x73 && e7[1] == 0x03 && e7[2] == 0x50 &&
 | ||||
| +		   ec[0] == 0x73 && ec[1] == 0x01) {
 | ||||
| +		priv->proto_version = ALPS_PROTO_V5;
 | ||||
| +		alps_set_defaults(priv);
 | ||||
| +
 | ||||
| +		return 0;
 | ||||
|  	} else if (ec[0] == 0x88 && ec[1] == 0x08) { | ||||
|  		priv->proto_version = ALPS_PROTO_V3; | ||||
|  		alps_set_defaults(priv); | ||||
| diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h
 | ||||
| index 9704805..eee5985 100644
 | ||||
| --- a/drivers/input/mouse/alps.h
 | ||||
| +++ b/drivers/input/mouse/alps.h
 | ||||
| @@ -16,6 +16,7 @@
 | ||||
|  #define ALPS_PROTO_V2	2 | ||||
|  #define ALPS_PROTO_V3	3 | ||||
|  #define ALPS_PROTO_V4	4 | ||||
| +#define ALPS_PROTO_V5	5
 | ||||
|   | ||||
|  /** | ||||
|   * struct alps_model_info - touchpad ID table | ||||
| -- 
 | ||||
| 1.8.1.2 | ||||
| 
 | ||||
							
								
								
									
										32
									
								
								kernel.spec
									
									
									
									
									
								
							
							
						
						
									
										32
									
								
								kernel.spec
									
									
									
									
									
								
							| @ -62,7 +62,7 @@ Summary: The Linux kernel | ||||
| # For non-released -rc kernels, this will be appended after the rcX and | ||||
| # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" | ||||
| # | ||||
| %global baserelease 3 | ||||
| %global baserelease 1 | ||||
| %global fedora_build %{baserelease} | ||||
| 
 | ||||
| # base_sublevel is the kernel version we're starting with and patching | ||||
| @ -95,7 +95,7 @@ Summary: The Linux kernel | ||||
| # The rc snapshot level | ||||
| %define rcrev 2 | ||||
| # The git snapshot level | ||||
| %define gitrev 0 | ||||
| %define gitrev 1 | ||||
| # Set rpm version accordingly | ||||
| %define rpmversion 3.%{upstream_sublevel}.0 | ||||
| %endif | ||||
| @ -724,27 +724,15 @@ Patch21247: ath9k_rx_dma_stop_check.patch | ||||
| #rhbz 844750 | ||||
| Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch | ||||
| 
 | ||||
| #rhbz 812111 | ||||
| Patch21260: alps-v2.patch | ||||
| 
 | ||||
| #rhbz 903192 | ||||
| Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch | ||||
| 
 | ||||
| #rhbz 914737 | ||||
| Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch | ||||
| 
 | ||||
| # CVE-2013-1792 rhbz 916646,919021 | ||||
| Patch21267: keys-fix-race-with-concurrent-install_user_keyrings.patch | ||||
| 
 | ||||
| #rhbz 857954 | ||||
| Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch | ||||
| 
 | ||||
| #rhbz 911771 | ||||
| Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch | ||||
| 
 | ||||
| #CVE-2013-0914 rhbz 920499 920510 | ||||
| Patch21270: signal-always-clear-sa_restorer-on-execve.patch | ||||
| 
 | ||||
| #CVE-2013-0913 rhbz 920471 920529 | ||||
| Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch | ||||
| 
 | ||||
| @ -1434,27 +1422,15 @@ ApplyPatch ath9k_rx_dma_stop_check.patch | ||||
| #rhbz 844750 | ||||
| ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch | ||||
| 
 | ||||
| #rhbz 812111 | ||||
| ApplyPatch alps-v2.patch | ||||
| 
 | ||||
| #rhbz 903192 | ||||
| ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch | ||||
| 
 | ||||
| #rhbz 914737 | ||||
| ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch | ||||
| 
 | ||||
| # CVE-2013-1792 rhbz 916646,919021 | ||||
| ApplyPatch keys-fix-race-with-concurrent-install_user_keyrings.patch | ||||
| 
 | ||||
| #rhbz 857954 | ||||
| ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch | ||||
| 
 | ||||
| #rhbz 911771 | ||||
| ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch | ||||
| 
 | ||||
| #CVE-2013-0914 rhbz 920499 920510 | ||||
| ApplyPatch signal-always-clear-sa_restorer-on-execve.patch | ||||
| 
 | ||||
| #CVE-2013-0913 rhbz 920471 920529 | ||||
| ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch | ||||
| 
 | ||||
| @ -2303,6 +2279,10 @@ fi | ||||
| #                 ||----w | | ||||
| #                 ||     || | ||||
| %changelog | ||||
| * Fri Mar 15 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc2.git1.1 | ||||
| - Linux v3.9-rc2-292-ga2362d2 | ||||
| - Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device | ||||
| 
 | ||||
| * Thu Mar 14 2013 Dave Jones <davej@redhat.com> | ||||
| - Move cpufreq drivers to be modular (rhbz 746372) | ||||
| 
 | ||||
|  | ||||
| @ -1,15 +0,0 @@ | ||||
| diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
 | ||||
| index 58dfe08..c5ec083 100644
 | ||||
| --- a/security/keys/process_keys.c
 | ||||
| +++ b/security/keys/process_keys.c
 | ||||
| @@ -57,7 +57,7 @@ int install_user_keyrings(void)
 | ||||
|   | ||||
|  	kenter("%p{%u}", user, uid); | ||||
|   | ||||
| -	if (user->uid_keyring) {
 | ||||
| +	if (user->uid_keyring && user->session_keyring) {
 | ||||
|  		kleave(" = 0 [exist]"); | ||||
|  		return 0; | ||||
|  	} | ||||
| 
 | ||||
|    | ||||
| @ -1,40 +1,3 @@ | ||||
| commit 801d929ca7d935ee199fd61d8ef914f51e892270 | ||||
| Author: Felix Fietkau <nbd@openwrt.org> | ||||
| Date:   Sat Mar 2 19:05:47 2013 +0100 | ||||
| 
 | ||||
|     mac80211: another fix for idle handling in monitor mode | ||||
|      | ||||
|     When setting a monitor interface up or down, the idle state needs to be | ||||
|     recalculated, otherwise the hardware will just stay in its previous idle | ||||
|     state. | ||||
|      | ||||
|     Signed-off-by: Felix Fietkau <nbd@openwrt.org> | ||||
|     Signed-off-by: Johannes Berg <johannes.berg@intel.com> | ||||
| 
 | ||||
| diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
 | ||||
| index 640afab..baaa860 100644
 | ||||
| --- a/net/mac80211/iface.c
 | ||||
| +++ b/net/mac80211/iface.c
 | ||||
| @@ -541,6 +541,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
 | ||||
|   | ||||
|  		ieee80211_adjust_monitor_flags(sdata, 1); | ||||
|  		ieee80211_configure_filter(local); | ||||
| +		mutex_lock(&local->mtx);
 | ||||
| +		ieee80211_recalc_idle(local);
 | ||||
| +		mutex_unlock(&local->mtx);
 | ||||
|   | ||||
|  		netif_carrier_on(dev); | ||||
|  		break; | ||||
| @@ -812,6 +815,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
 | ||||
|   | ||||
|  		ieee80211_adjust_monitor_flags(sdata, -1); | ||||
|  		ieee80211_configure_filter(local); | ||||
| +		mutex_lock(&local->mtx);
 | ||||
| +		ieee80211_recalc_idle(local);
 | ||||
| +		mutex_unlock(&local->mtx);
 | ||||
|  		break; | ||||
|  	case NL80211_IFTYPE_P2P_DEVICE: | ||||
|  		/* relies on synchronize_rcu() below */ | ||||
| diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
 | ||||
| index baaa860..7a3d675 100644
 | ||||
| --- a/net/mac80211/iface.c
 | ||||
|  | ||||
| @ -1,63 +0,0 @@ | ||||
| From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001 | ||||
| From: Josh Boyer <jwboyer@redhat.com> | ||||
| Date: Fri, 8 Mar 2013 21:13:52 -0500 | ||||
| Subject: [PATCH] serial: 8250: Keep 8250.<xxxx> module options functional | ||||
|  after driver rename | ||||
| 
 | ||||
| With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the | ||||
| 8250 driver was renamed to 8250_core.  This means any existing usage of | ||||
| the 8259.<xxxx> module parameters or as a kernel command line switch is | ||||
| now broken, as the 8250_core driver doesn't parse options belonging to | ||||
| something called "8250". | ||||
| 
 | ||||
| To solve this, we redefine the module options in a dummy function using | ||||
| a redefined MODULE_PARAM_PREFX when built into the kernel.  In the case | ||||
| where we're building as a module, we provide an alias to the old 8250 | ||||
| name.  The dummy function prevents compiler errors due to global variable | ||||
| redefinitions that happen as part of the module_param_ macro expansions. | ||||
| 
 | ||||
| Signed-off-by: Josh Boyer <jwboyer@redhat.com> | ||||
| ---
 | ||||
|  drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++ | ||||
|  1 file changed, 29 insertions(+) | ||||
| 
 | ||||
| diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c
 | ||||
| index 0efc815..f982633 100644
 | ||||
| --- a/drivers/tty/serial/8250/8250.c
 | ||||
| +++ b/drivers/tty/serial/8250/8250.c
 | ||||
| @@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
 | ||||
|  MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA"); | ||||
|  #endif | ||||
|  MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR); | ||||
| +
 | ||||
| +#ifndef MODULE
 | ||||
| +/* This module was renamed to 8250_core in 3.7.  Keep the old "8250" name
 | ||||
| + * working as well for the module options so we don't break people.  We
 | ||||
| + * need to keep the names identical and the convenient macros will happily
 | ||||
| + * refuse to let us do that by failing the build with redefinition errors
 | ||||
| + * of global variables.  So we stick them inside a dummy function to avoid
 | ||||
| + * those conflicts.  The options still get parsed, and the redefined
 | ||||
| + * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive.
 | ||||
| + *
 | ||||
| + * This is hacky.  I'm sorry.
 | ||||
| + */
 | ||||
| +static void __used s8250_options(void)
 | ||||
| +{
 | ||||
| +#undef MODULE_PARAM_PREFIX
 | ||||
| +#define MODULE_PARAM_PREFIX "8250."
 | ||||
| +
 | ||||
| +	module_param_cb(share_irqs, ¶m_ops_uint, &share_irqs, 0644);
 | ||||
| +	module_param_cb(nr_uarts, ¶m_ops_uint, &nr_uarts, 0644);
 | ||||
| +	module_param_cb(skip_txen_test, ¶m_ops_uint, &skip_txen_test, 0644);
 | ||||
| +#ifdef CONFIG_SERIAL_8250_RSA
 | ||||
| +	__module_param_call(MODULE_PARAM_PREFIX, probe_rsa,
 | ||||
| +		¶m_array_ops, .arr = &__param_arr_probe_rsa,
 | ||||
| +		0444, -1);
 | ||||
| +#endif
 | ||||
| +}
 | ||||
| +#else
 | ||||
| +MODULE_ALIAS("8250");
 | ||||
| +#endif
 | ||||
| -- 
 | ||||
| 1.8.1.2 | ||||
| 
 | ||||
| @ -1,113 +0,0 @@ | ||||
|                                                                                                                                                                                                                                                                 | ||||
| Delivered-To: jwboyer@gmail.com | ||||
| Received: by 10.76.169.233 with SMTP id ah9csp99159oac; | ||||
|         Mon, 11 Mar 2013 13:14:17 -0700 (PDT) | ||||
| X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671; | ||||
|         Mon, 11 Mar 2013 13:14:16 -0700 (PDT) | ||||
| Return-Path: <linux-kernel-owner@vger.kernel.org> | ||||
| Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) | ||||
|         by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10; | ||||
|         Mon, 11 Mar 2013 13:14:16 -0700 (PDT) | ||||
| Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; | ||||
| Authentication-Results: mx.google.com; | ||||
|        spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org | ||||
| Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand | ||||
| 	id S1754069Ab3CKUN4 (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others); | ||||
| 	Mon, 11 Mar 2013 16:13:56 -0400 | ||||
| Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net" | ||||
| 	rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP | ||||
| 	id S1753913Ab3CKUN4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); | ||||
| 	Mon, 11 Mar 2013 16:13:56 -0400 | ||||
| Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) | ||||
| 	by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201; | ||||
| 	Mon, 11 Mar 2013 13:13:43 -0700 | ||||
| Date:	Mon, 11 Mar 2013 13:13:42 -0700 | ||||
| From:	Kees Cook <keescook@chromium.org> | ||||
| To:	linux-kernel@vger.kernel.org | ||||
| Cc:	Al Viro <viro@zeniv.linux.org.uk>, Oleg Nesterov <oleg@redhat.com>, | ||||
| 	Andrew Morton <akpm@linux-foundation.org>, | ||||
| 	"Eric W. Biederman" <ebiederm@xmission.com>, | ||||
| 	Serge Hallyn <serge.hallyn@canonical.com>, | ||||
| 	Emese Revfy <re.emese@gmail.com>, | ||||
| 	PaX Team <pageexec@freemail.hu>, jln@google.com | ||||
| Subject: [PATCH v2] signal: always clear sa_restorer on execve | ||||
| Message-ID: <20130311201342.GA19824@www.outflux.net> | ||||
| MIME-Version: 1.0 | ||||
| Content-Type: text/plain; charset=us-ascii | ||||
| Content-Disposition: inline | ||||
| X-MIMEDefang-Filter: outflux$Revision: 1.316 $ | ||||
| X-HELO:	www.outflux.net | ||||
| X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 | ||||
| Sender:	linux-kernel-owner@vger.kernel.org | ||||
| Precedence: bulk | ||||
| List-ID: <linux-kernel.vger.kernel.org> | ||||
| X-Mailing-List:	linux-kernel@vger.kernel.org | ||||
| 
 | ||||
| When the new signal handlers are set up, the location of sa_restorer | ||||
| is not cleared, leaking a parent process's address space location to | ||||
| children. This allows for a potential bypass of the parent's ASLR by | ||||
| examining the sa_restorer value returned when calling sigaction(). | ||||
| 
 | ||||
| Based on what should be considered "secret" about addresses, it only | ||||
| matters across the exec not the fork (since the VMAs haven't changed | ||||
| until the exec). But since exec sets SIG_DFL and keeps sa_restorer, | ||||
| this is where it should be fixed. | ||||
| 
 | ||||
| Given the few uses of sa_restorer, a "set" function was not written | ||||
| since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, | ||||
| as already done in other places. | ||||
| 
 | ||||
| Example of the leak before applying this patch: | ||||
| 
 | ||||
| $ cat /proc/$$/maps | ||||
| ... | ||||
| 7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so | ||||
| ... | ||||
| $ ./leak | ||||
| ... | ||||
| 7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so | ||||
| ... | ||||
| 1 0 (nil) 0x7fb9f30b94a0 | ||||
| 2 4000000 (nil) 0x7f278bcaa4a0 | ||||
| 3 4000000 (nil) 0x7f278bcaa4a0 | ||||
| 4 0 (nil) 0x7fb9f30b94a0 | ||||
| ... | ||||
| 
 | ||||
| Signed-off-by: Kees Cook <keescook@chromium.org> | ||||
| Reported-by: Emese Revfy <re.emese@gmail.com> | ||||
| Cc: Emese Revfy <re.emese@gmail.com> | ||||
| Cc: PaX Team <pageexec@freemail.hu> | ||||
| Cc: stable@vger.kernel.org | ||||
| ---
 | ||||
| v2: | ||||
|  - clarify commit, explain use of #ifdef. | ||||
| ---
 | ||||
|  kernel/signal.c |    3 +++ | ||||
|  1 file changed, 3 insertions(+) | ||||
| 
 | ||||
| diff --git a/kernel/signal.c b/kernel/signal.c
 | ||||
| index 2ec870a..8c8e3ca 100644
 | ||||
| --- a/kernel/signal.c
 | ||||
| +++ b/kernel/signal.c
 | ||||
| @@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
 | ||||
|  		if (force_default || ka->sa.sa_handler != SIG_IGN) | ||||
|  			ka->sa.sa_handler = SIG_DFL; | ||||
|  		ka->sa.sa_flags = 0; | ||||
| +#ifdef __ARCH_HAS_SA_RESTORER
 | ||||
| +		ka->sa.sa_restorer = NULL;
 | ||||
| +#endif
 | ||||
|  		sigemptyset(&ka->sa.sa_mask); | ||||
|  		ka++; | ||||
|  	} | ||||
| -- 
 | ||||
| 1.7.9.5 | ||||
| 
 | ||||
| 
 | ||||
| -- 
 | ||||
| Kees Cook | ||||
| Chrome OS Security | ||||
| --
 | ||||
| To unsubscribe from this list: send the line "unsubscribe linux-kernel" in | ||||
| the body of a message to majordomo@vger.kernel.org | ||||
| More majordomo info at  http://vger.kernel.org/majordomo-info.html | ||||
| Please read the FAQ at  http://www.tux.org/lkml/ | ||||