Linux v3.9-rc2-292-ga2362d2
- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
parent
930f974036
commit
73964d96a7
248
alps-v2.patch
248
alps-v2.patch
@ -1,248 +0,0 @@
|
||||
From db7192fa07fa5c70c9849d8f658a7ff696cff99d Mon Sep 17 00:00:00 2001
|
||||
From: Kevin Cernekee <cernekee@gmail.com>
|
||||
Date: Sat, 16 Feb 2013 22:40:03 -0800
|
||||
Subject: [PATCH 14/15] Input: ALPS - Remove unused argument to
|
||||
alps_enter_command_mode()
|
||||
|
||||
Now that alps_identify() explicitly issues an EC report using
|
||||
alps_rpt_cmd(), we no longer need to look at the magic numbers returned
|
||||
by alps_enter_command_mode().
|
||||
|
||||
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
|
||||
---
|
||||
drivers/input/mouse/alps.c | 18 +++++++-----------
|
||||
1 file changed, 7 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
|
||||
index 7b99fc7..9c97531 100644
|
||||
--- a/drivers/input/mouse/alps.c
|
||||
+++ b/drivers/input/mouse/alps.c
|
||||
@@ -994,8 +994,7 @@ static int alps_rpt_cmd(struct psmouse *psmouse, int init_command,
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static int alps_enter_command_mode(struct psmouse *psmouse,
|
||||
- unsigned char *resp)
|
||||
+static int alps_enter_command_mode(struct psmouse *psmouse)
|
||||
{
|
||||
unsigned char param[4];
|
||||
|
||||
@@ -1009,9 +1008,6 @@ static int alps_enter_command_mode(struct psmouse *psmouse,
|
||||
"unknown response while entering command mode\n");
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
- if (resp)
|
||||
- *resp = param[2];
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1176,7 +1172,7 @@ static int alps_passthrough_mode_v3(struct psmouse *psmouse,
|
||||
{
|
||||
int reg_val, ret = -1;
|
||||
|
||||
- if (alps_enter_command_mode(psmouse, NULL))
|
||||
+ if (alps_enter_command_mode(psmouse))
|
||||
return -1;
|
||||
|
||||
reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x0008);
|
||||
@@ -1216,7 +1212,7 @@ static int alps_probe_trackstick_v3(struct psmouse *psmouse, int reg_base)
|
||||
{
|
||||
int ret = -EIO, reg_val;
|
||||
|
||||
- if (alps_enter_command_mode(psmouse, NULL))
|
||||
+ if (alps_enter_command_mode(psmouse))
|
||||
goto error;
|
||||
|
||||
reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x08);
|
||||
@@ -1279,7 +1275,7 @@ static int alps_setup_trackstick_v3(struct psmouse *psmouse, int reg_base)
|
||||
* supported by this driver. If bit 1 isn't set the packet
|
||||
* format is different.
|
||||
*/
|
||||
- if (alps_enter_command_mode(psmouse, NULL) ||
|
||||
+ if (alps_enter_command_mode(psmouse) ||
|
||||
alps_command_mode_write_reg(psmouse,
|
||||
reg_base + 0x08, 0x82) ||
|
||||
alps_exit_command_mode(psmouse))
|
||||
@@ -1306,7 +1302,7 @@ static int alps_hw_init_v3(struct psmouse *psmouse)
|
||||
alps_setup_trackstick_v3(psmouse, ALPS_REG_BASE_PINNACLE) == -EIO)
|
||||
goto error;
|
||||
|
||||
- if (alps_enter_command_mode(psmouse, NULL) ||
|
||||
+ if (alps_enter_command_mode(psmouse) ||
|
||||
alps_absolute_mode_v3(psmouse)) {
|
||||
psmouse_err(psmouse, "Failed to enter absolute mode\n");
|
||||
goto error;
|
||||
@@ -1381,7 +1377,7 @@ static int alps_hw_init_rushmore_v3(struct psmouse *psmouse)
|
||||
priv->flags &= ~ALPS_DUALPOINT;
|
||||
}
|
||||
|
||||
- if (alps_enter_command_mode(psmouse, NULL) ||
|
||||
+ if (alps_enter_command_mode(psmouse) ||
|
||||
alps_command_mode_read_reg(psmouse, 0xc2d9) == -1 ||
|
||||
alps_command_mode_write_reg(psmouse, 0xc2cb, 0x00))
|
||||
goto error;
|
||||
@@ -1431,7 +1427,7 @@ static int alps_hw_init_v4(struct psmouse *psmouse)
|
||||
struct ps2dev *ps2dev = &psmouse->ps2dev;
|
||||
unsigned char param[4];
|
||||
|
||||
- if (alps_enter_command_mode(psmouse, NULL))
|
||||
+ if (alps_enter_command_mode(psmouse))
|
||||
goto error;
|
||||
|
||||
if (alps_absolute_mode_v4(psmouse)) {
|
||||
--
|
||||
1.8.1.2
|
||||
|
||||
|
||||
From 10740a25bb3b895b5de7773f926a978416b38409 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Turvene <dturvene@dahetral.com>
|
||||
Date: Sat, 16 Feb 2013 22:40:04 -0800
|
||||
Subject: [PATCH 15/15] Input: ALPS - Add "Dolphin V1" touchpad support
|
||||
|
||||
These touchpads use a different protocol; they have been seen on Dell
|
||||
N5110, Dell 17R SE, and others.
|
||||
|
||||
The official ALPS driver identifies them by looking for an exact match
|
||||
on the E7 report: 73 03 50. Dolphin V1 returns an EC report of
|
||||
73 01 xx (02 and 0d have been seen); Dolphin V2 returns an EC report of
|
||||
73 02 xx (02 has been seen).
|
||||
|
||||
Dolphin V2 probably needs a different initialization sequence and/or
|
||||
report parser, so it is left for a future commit.
|
||||
|
||||
Signed-off-by: Dave Turvene <dturvene@dahetral.com>
|
||||
Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
|
||||
---
|
||||
drivers/input/mouse/alps.c | 67 ++++++++++++++++++++++++++++++++++++++++++++--
|
||||
drivers/input/mouse/alps.h | 1 +
|
||||
2 files changed, 66 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
|
||||
index 9c97531..0238e0e 100644
|
||||
--- a/drivers/input/mouse/alps.c
|
||||
+++ b/drivers/input/mouse/alps.c
|
||||
@@ -490,6 +490,29 @@ static void alps_decode_rushmore(struct alps_fields *f, unsigned char *p)
|
||||
f->y_map |= (p[5] & 0x20) << 6;
|
||||
}
|
||||
|
||||
+static void alps_decode_dolphin(struct alps_fields *f, unsigned char *p)
|
||||
+{
|
||||
+ f->first_mp = !!(p[0] & 0x02);
|
||||
+ f->is_mp = !!(p[0] & 0x20);
|
||||
+
|
||||
+ f->fingers = ((p[0] & 0x6) >> 1 |
|
||||
+ (p[0] & 0x10) >> 2);
|
||||
+ f->x_map = ((p[2] & 0x60) >> 5) |
|
||||
+ ((p[4] & 0x7f) << 2) |
|
||||
+ ((p[5] & 0x7f) << 9) |
|
||||
+ ((p[3] & 0x07) << 16) |
|
||||
+ ((p[3] & 0x70) << 15) |
|
||||
+ ((p[0] & 0x01) << 22);
|
||||
+ f->y_map = (p[1] & 0x7f) |
|
||||
+ ((p[2] & 0x1f) << 7);
|
||||
+
|
||||
+ f->x = ((p[1] & 0x7f) | ((p[4] & 0x0f) << 7));
|
||||
+ f->y = ((p[2] & 0x7f) | ((p[4] & 0xf0) << 3));
|
||||
+ f->z = (p[0] & 4) ? 0 : p[5] & 0x7f;
|
||||
+
|
||||
+ alps_decode_buttons_v3(f, p);
|
||||
+}
|
||||
+
|
||||
static void alps_process_touchpad_packet_v3(struct psmouse *psmouse)
|
||||
{
|
||||
struct alps_data *priv = psmouse->private;
|
||||
@@ -874,7 +897,8 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
|
||||
}
|
||||
|
||||
/* Bytes 2 - pktsize should have 0 in the highest bit */
|
||||
- if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
|
||||
+ if (priv->proto_version != ALPS_PROTO_V5 &&
|
||||
+ psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
|
||||
(psmouse->packet[psmouse->pktcnt - 1] & 0x80)) {
|
||||
psmouse_dbg(psmouse, "refusing packet[%i] = %x\n",
|
||||
psmouse->pktcnt - 1,
|
||||
@@ -1003,7 +1027,8 @@ static int alps_enter_command_mode(struct psmouse *psmouse)
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) {
|
||||
+ if ((param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) &&
|
||||
+ param[0] != 0x73) {
|
||||
psmouse_dbg(psmouse,
|
||||
"unknown response while entering command mode\n");
|
||||
return -1;
|
||||
@@ -1495,6 +1520,23 @@ error:
|
||||
return -1;
|
||||
}
|
||||
|
||||
+static int alps_hw_init_dolphin_v1(struct psmouse *psmouse)
|
||||
+{
|
||||
+ struct ps2dev *ps2dev = &psmouse->ps2dev;
|
||||
+ unsigned char param[2];
|
||||
+
|
||||
+ /* This is dolphin "v1" as empirically defined by florin9doi */
|
||||
+ param[0] = 0x64;
|
||||
+ param[1] = 0x28;
|
||||
+
|
||||
+ if (ps2_command(ps2dev, NULL, PSMOUSE_CMD_SETSTREAM) ||
|
||||
+ ps2_command(ps2dev, ¶m[0], PSMOUSE_CMD_SETRATE) ||
|
||||
+ ps2_command(ps2dev, ¶m[1], PSMOUSE_CMD_SETRATE))
|
||||
+ return -1;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static void alps_set_defaults(struct alps_data *priv)
|
||||
{
|
||||
priv->byte0 = 0x8f;
|
||||
@@ -1528,6 +1570,21 @@ static void alps_set_defaults(struct alps_data *priv)
|
||||
priv->nibble_commands = alps_v4_nibble_commands;
|
||||
priv->addr_command = PSMOUSE_CMD_DISABLE;
|
||||
break;
|
||||
+ case ALPS_PROTO_V5:
|
||||
+ priv->hw_init = alps_hw_init_dolphin_v1;
|
||||
+ priv->process_packet = alps_process_packet_v3;
|
||||
+ priv->decode_fields = alps_decode_dolphin;
|
||||
+ priv->set_abs_params = alps_set_abs_params_mt;
|
||||
+ priv->nibble_commands = alps_v3_nibble_commands;
|
||||
+ priv->addr_command = PSMOUSE_CMD_RESET_WRAP;
|
||||
+ priv->byte0 = 0xc8;
|
||||
+ priv->mask0 = 0xc8;
|
||||
+ priv->flags = 0;
|
||||
+ priv->x_max = 1360;
|
||||
+ priv->y_max = 660;
|
||||
+ priv->x_bits = 23;
|
||||
+ priv->y_bits = 12;
|
||||
+ break;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1588,6 +1645,12 @@ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
|
||||
|
||||
if (alps_match_table(psmouse, priv, e7, ec) == 0) {
|
||||
return 0;
|
||||
+ } else if (e7[0] == 0x73 && e7[1] == 0x03 && e7[2] == 0x50 &&
|
||||
+ ec[0] == 0x73 && ec[1] == 0x01) {
|
||||
+ priv->proto_version = ALPS_PROTO_V5;
|
||||
+ alps_set_defaults(priv);
|
||||
+
|
||||
+ return 0;
|
||||
} else if (ec[0] == 0x88 && ec[1] == 0x08) {
|
||||
priv->proto_version = ALPS_PROTO_V3;
|
||||
alps_set_defaults(priv);
|
||||
diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h
|
||||
index 9704805..eee5985 100644
|
||||
--- a/drivers/input/mouse/alps.h
|
||||
+++ b/drivers/input/mouse/alps.h
|
||||
@@ -16,6 +16,7 @@
|
||||
#define ALPS_PROTO_V2 2
|
||||
#define ALPS_PROTO_V3 3
|
||||
#define ALPS_PROTO_V4 4
|
||||
+#define ALPS_PROTO_V5 5
|
||||
|
||||
/**
|
||||
* struct alps_model_info - touchpad ID table
|
||||
--
|
||||
1.8.1.2
|
||||
|
32
kernel.spec
32
kernel.spec
@ -62,7 +62,7 @@ Summary: The Linux kernel
|
||||
# For non-released -rc kernels, this will be appended after the rcX and
|
||||
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
|
||||
#
|
||||
%global baserelease 3
|
||||
%global baserelease 1
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
@ -95,7 +95,7 @@ Summary: The Linux kernel
|
||||
# The rc snapshot level
|
||||
%define rcrev 2
|
||||
# The git snapshot level
|
||||
%define gitrev 0
|
||||
%define gitrev 1
|
||||
# Set rpm version accordingly
|
||||
%define rpmversion 3.%{upstream_sublevel}.0
|
||||
%endif
|
||||
@ -724,27 +724,15 @@ Patch21247: ath9k_rx_dma_stop_check.patch
|
||||
#rhbz 844750
|
||||
Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
|
||||
|
||||
#rhbz 812111
|
||||
Patch21260: alps-v2.patch
|
||||
|
||||
#rhbz 903192
|
||||
Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
|
||||
#rhbz 914737
|
||||
Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
|
||||
|
||||
# CVE-2013-1792 rhbz 916646,919021
|
||||
Patch21267: keys-fix-race-with-concurrent-install_user_keyrings.patch
|
||||
|
||||
#rhbz 857954
|
||||
Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch
|
||||
|
||||
#rhbz 911771
|
||||
Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
|
||||
|
||||
#CVE-2013-0914 rhbz 920499 920510
|
||||
Patch21270: signal-always-clear-sa_restorer-on-execve.patch
|
||||
|
||||
#CVE-2013-0913 rhbz 920471 920529
|
||||
Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
@ -1434,27 +1422,15 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
|
||||
#rhbz 844750
|
||||
ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
|
||||
|
||||
#rhbz 812111
|
||||
ApplyPatch alps-v2.patch
|
||||
|
||||
#rhbz 903192
|
||||
ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
|
||||
|
||||
#rhbz 914737
|
||||
ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
|
||||
|
||||
# CVE-2013-1792 rhbz 916646,919021
|
||||
ApplyPatch keys-fix-race-with-concurrent-install_user_keyrings.patch
|
||||
|
||||
#rhbz 857954
|
||||
ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch
|
||||
|
||||
#rhbz 911771
|
||||
ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
|
||||
|
||||
#CVE-2013-0914 rhbz 920499 920510
|
||||
ApplyPatch signal-always-clear-sa_restorer-on-execve.patch
|
||||
|
||||
#CVE-2013-0913 rhbz 920471 920529
|
||||
ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
|
||||
|
||||
@ -2303,6 +2279,10 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Fri Mar 15 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc2.git1.1
|
||||
- Linux v3.9-rc2-292-ga2362d2
|
||||
- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
|
||||
|
||||
* Thu Mar 14 2013 Dave Jones <davej@redhat.com>
|
||||
- Move cpufreq drivers to be modular (rhbz 746372)
|
||||
|
||||
|
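Review bot: The changelog entry added at `@ -2303,6 +2279,10 @@` records only the CVE-2013-1860 fix, while the hunk at `@ -724,27 +724,15 @@` drops twelve Patch lines (and the matching ApplyPatch lines at `@ -1434,27 +1422,15 @@`) that, judging by the patch files deleted in this same commit, appear to include the CVE-2013-1792 and CVE-2013-0914 backports. Nothing on the page states that those fixes are now carried by the v3.9-rc2-292-ga2362d2 snapshot rather than lost, so someone auditing the package's CVE coverage cannot tell from the spec alone. I would add a line to the new changelog entry such as `- Drop patches merged upstream (CVE-2013-1792, CVE-2013-0914, alps, 8250 module options)`, or at least name the dropped patches in the commit message. The rendered diff lost its +/- markers, so which four Patch entries were removed is inferred from the deleted files, not from the hunk itself.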
@ -1,15 +0,0 @@
|
||||
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
|
||||
index 58dfe08..c5ec083 100644
|
||||
--- a/security/keys/process_keys.c
|
||||
+++ b/security/keys/process_keys.c
|
||||
@@ -57,7 +57,7 @@ int install_user_keyrings(void)
|
||||
|
||||
kenter("%p{%u}", user, uid);
|
||||
|
||||
- if (user->uid_keyring) {
|
||||
+ if (user->uid_keyring && user->session_keyring) {
|
||||
kleave(" = 0 [exist]");
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -1,40 +1,3 @@
|
||||
commit 801d929ca7d935ee199fd61d8ef914f51e892270
|
||||
Author: Felix Fietkau <nbd@openwrt.org>
|
||||
Date: Sat Mar 2 19:05:47 2013 +0100
|
||||
|
||||
mac80211: another fix for idle handling in monitor mode
|
||||
|
||||
When setting a monitor interface up or down, the idle state needs to be
|
||||
recalculated, otherwise the hardware will just stay in its previous idle
|
||||
state.
|
||||
|
||||
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
|
||||
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
|
||||
index 640afab..baaa860 100644
|
||||
--- a/net/mac80211/iface.c
|
||||
+++ b/net/mac80211/iface.c
|
||||
@@ -541,6 +541,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
|
||||
|
||||
ieee80211_adjust_monitor_flags(sdata, 1);
|
||||
ieee80211_configure_filter(local);
|
||||
+ mutex_lock(&local->mtx);
|
||||
+ ieee80211_recalc_idle(local);
|
||||
+ mutex_unlock(&local->mtx);
|
||||
|
||||
netif_carrier_on(dev);
|
||||
break;
|
||||
@@ -812,6 +815,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
|
||||
|
||||
ieee80211_adjust_monitor_flags(sdata, -1);
|
||||
ieee80211_configure_filter(local);
|
||||
+ mutex_lock(&local->mtx);
|
||||
+ ieee80211_recalc_idle(local);
|
||||
+ mutex_unlock(&local->mtx);
|
||||
break;
|
||||
case NL80211_IFTYPE_P2P_DEVICE:
|
||||
/* relies on synchronize_rcu() below */
|
||||
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
|
||||
index baaa860..7a3d675 100644
|
||||
--- a/net/mac80211/iface.c
|
||||
|
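Review bot: The hunk header `@ -1,40 +1,3 @@` leaves this patch file with only three lines, which the print order suggests are the trailing `diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c`, `index baaa860..7a3d675 100644` and `--- a/net/mac80211/iface.c` lines; a file of that shape has no `+++` line and no hunk, so it is not a valid unified diff and ApplyPatch would either fail or apply nothing. The file's name is not visible on this page (its header is missing) and its ApplyPatch line does not appear in the kernel.spec hunks shown, so I cannot confirm whether it is still applied. If the mac80211 idle-handling fix is now upstream in this snapshot the file should be deleted outright like the other dropped patches; if not, the full hunk body needs restoring. Either way the commit message should say which.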
@ -1,63 +0,0 @@
|
||||
From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@redhat.com>
|
||||
Date: Fri, 8 Mar 2013 21:13:52 -0500
|
||||
Subject: [PATCH] serial: 8250: Keep 8250.<xxxx> module options functional
|
||||
after driver rename
|
||||
|
||||
With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the
|
||||
8250 driver was renamed to 8250_core. This means any existing usage of
|
||||
the 8259.<xxxx> module parameters or as a kernel command line switch is
|
||||
now broken, as the 8250_core driver doesn't parse options belonging to
|
||||
something called "8250".
|
||||
|
||||
To solve this, we redefine the module options in a dummy function using
|
||||
a redefined MODULE_PARAM_PREFX when built into the kernel. In the case
|
||||
where we're building as a module, we provide an alias to the old 8250
|
||||
name. The dummy function prevents compiler errors due to global variable
|
||||
redefinitions that happen as part of the module_param_ macro expansions.
|
||||
|
||||
Signed-off-by: Josh Boyer <jwboyer@redhat.com>
|
||||
---
|
||||
drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++
|
||||
1 file changed, 29 insertions(+)
|
||||
|
||||
diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c
|
||||
index 0efc815..f982633 100644
|
||||
--- a/drivers/tty/serial/8250/8250.c
|
||||
+++ b/drivers/tty/serial/8250/8250.c
|
||||
@@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
|
||||
MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
|
||||
#endif
|
||||
MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR);
|
||||
+
|
||||
+#ifndef MODULE
|
||||
+/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name
|
||||
+ * working as well for the module options so we don't break people. We
|
||||
+ * need to keep the names identical and the convenient macros will happily
|
||||
+ * refuse to let us do that by failing the build with redefinition errors
|
||||
+ * of global variables. So we stick them inside a dummy function to avoid
|
||||
+ * those conflicts. The options still get parsed, and the redefined
|
||||
+ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive.
|
||||
+ *
|
||||
+ * This is hacky. I'm sorry.
|
||||
+ */
|
||||
+static void __used s8250_options(void)
|
||||
+{
|
||||
+#undef MODULE_PARAM_PREFIX
|
||||
+#define MODULE_PARAM_PREFIX "8250."
|
||||
+
|
||||
+ module_param_cb(share_irqs, ¶m_ops_uint, &share_irqs, 0644);
|
||||
+ module_param_cb(nr_uarts, ¶m_ops_uint, &nr_uarts, 0644);
|
||||
+ module_param_cb(skip_txen_test, ¶m_ops_uint, &skip_txen_test, 0644);
|
||||
+#ifdef CONFIG_SERIAL_8250_RSA
|
||||
+ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa,
|
||||
+ ¶m_array_ops, .arr = &__param_arr_probe_rsa,
|
||||
+ 0444, -1);
|
||||
+#endif
|
||||
+}
|
||||
+#else
|
||||
+MODULE_ALIAS("8250");
|
||||
+#endif
|
||||
--
|
||||
1.8.1.2
|
||||
|
@ -1,113 +0,0 @@
|
||||
|
||||
Delivered-To: jwboyer@gmail.com
|
||||
Received: by 10.76.169.233 with SMTP id ah9csp99159oac;
|
||||
Mon, 11 Mar 2013 13:14:17 -0700 (PDT)
|
||||
X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671;
|
||||
Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
|
||||
Return-Path: <linux-kernel-owner@vger.kernel.org>
|
||||
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
|
||||
by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10;
|
||||
Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
|
||||
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
|
||||
Authentication-Results: mx.google.com;
|
||||
spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
|
||||
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
|
||||
id S1754069Ab3CKUN4 (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
|
||||
Mon, 11 Mar 2013 16:13:56 -0400
|
||||
Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net"
|
||||
rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
|
||||
id S1753913Ab3CKUN4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
|
||||
Mon, 11 Mar 2013 16:13:56 -0400
|
||||
Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
|
||||
by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201;
|
||||
Mon, 11 Mar 2013 13:13:43 -0700
|
||||
Date: Mon, 11 Mar 2013 13:13:42 -0700
|
||||
From: Kees Cook <keescook@chromium.org>
|
||||
To: linux-kernel@vger.kernel.org
|
||||
Cc: Al Viro <viro@zeniv.linux.org.uk>, Oleg Nesterov <oleg@redhat.com>,
|
||||
Andrew Morton <akpm@linux-foundation.org>,
|
||||
"Eric W. Biederman" <ebiederm@xmission.com>,
|
||||
Serge Hallyn <serge.hallyn@canonical.com>,
|
||||
Emese Revfy <re.emese@gmail.com>,
|
||||
PaX Team <pageexec@freemail.hu>, jln@google.com
|
||||
Subject: [PATCH v2] signal: always clear sa_restorer on execve
|
||||
Message-ID: <20130311201342.GA19824@www.outflux.net>
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=us-ascii
|
||||
Content-Disposition: inline
|
||||
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
|
||||
X-HELO: www.outflux.net
|
||||
X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
|
||||
Sender: linux-kernel-owner@vger.kernel.org
|
||||
Precedence: bulk
|
||||
List-ID: <linux-kernel.vger.kernel.org>
|
||||
X-Mailing-List: linux-kernel@vger.kernel.org
|
||||
|
||||
When the new signal handlers are set up, the location of sa_restorer
|
||||
is not cleared, leaking a parent process's address space location to
|
||||
children. This allows for a potential bypass of the parent's ASLR by
|
||||
examining the sa_restorer value returned when calling sigaction().
|
||||
|
||||
Based on what should be considered "secret" about addresses, it only
|
||||
matters across the exec not the fork (since the VMAs haven't changed
|
||||
until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
|
||||
this is where it should be fixed.
|
||||
|
||||
Given the few uses of sa_restorer, a "set" function was not written
|
||||
since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER,
|
||||
as already done in other places.
|
||||
|
||||
Example of the leak before applying this patch:
|
||||
|
||||
$ cat /proc/$$/maps
|
||||
...
|
||||
7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
|
||||
...
|
||||
$ ./leak
|
||||
...
|
||||
7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
|
||||
...
|
||||
1 0 (nil) 0x7fb9f30b94a0
|
||||
2 4000000 (nil) 0x7f278bcaa4a0
|
||||
3 4000000 (nil) 0x7f278bcaa4a0
|
||||
4 0 (nil) 0x7fb9f30b94a0
|
||||
...
|
||||
|
||||
Signed-off-by: Kees Cook <keescook@chromium.org>
|
||||
Reported-by: Emese Revfy <re.emese@gmail.com>
|
||||
Cc: Emese Revfy <re.emese@gmail.com>
|
||||
Cc: PaX Team <pageexec@freemail.hu>
|
||||
Cc: stable@vger.kernel.org
|
||||
---
|
||||
v2:
|
||||
- clarify commit, explain use of #ifdef.
|
||||
---
|
||||
kernel/signal.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/kernel/signal.c b/kernel/signal.c
|
||||
index 2ec870a..8c8e3ca 100644
|
||||
--- a/kernel/signal.c
|
||||
+++ b/kernel/signal.c
|
||||
@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
|
||||
if (force_default || ka->sa.sa_handler != SIG_IGN)
|
||||
ka->sa.sa_handler = SIG_DFL;
|
||||
ka->sa.sa_flags = 0;
|
||||
+#ifdef __ARCH_HAS_SA_RESTORER
|
||||
+ ka->sa.sa_restorer = NULL;
|
||||
+#endif
|
||||
sigemptyset(&ka->sa.sa_mask);
|
||||
ka++;
|
||||
}
|
||||
--
|
||||
1.7.9.5
|
||||
|
||||
|
||||
--
|
||||
Kees Cook
|
||||
Chrome OS Security
|
||||
--
|
||||
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
|
||||
the body of a message to majordomo@vger.kernel.org
|
||||
More majordomo info at http://vger.kernel.org/majordomo-info.html
|
||||
Please read the FAQ at http://www.tux.org/lkml/
|