diff --git a/aio-check-for-multiplication-overflow-in-do_io_submit.patch b/aio-check-for-multiplication-overflow-in-do_io_submit.patch
deleted file mode 100644
index 8706792..0000000
--- a/aio-check-for-multiplication-overflow-in-do_io_submit.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From be18992d0630149403bfae5882601cf01a7d4eea Mon Sep 17 00:00:00 2001
-From: Jeff Moyer
-Date: Fri, 10 Sep 2010 14:16:00 -0700
-Subject: [PATCH 4/4] aio: check for multiplication overflow in do_io_submit
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Tavis Ormandy pointed out that do_io_submit does not do proper bounds
-checking on the passed-in iocb array:
-
-       if (unlikely(nr < 0))
-               return -EINVAL;
-
-       if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(iocbpp)))))
-               return -EFAULT;                      ^^^^^^^^^^^^^^^^^^
-
-The attached patch checks for overflow, and if it is detected, the
-number of iocbs submitted is scaled down to a number that will fit in
-the long.  This is an ok thing to do, as sys_io_submit is documented as
-returning the number of iocbs submitted, so callers should handle a
-return value of less than the 'nr' argument passed in.
-
-Reported-by: Tavis Ormandy
-Signed-off-by: Jeff Moyer
-Signed-off-by: Linus Torvalds
----
- fs/aio.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/aio.c b/fs/aio.c
-index 02a2c93..b84a769 100644
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -1639,6 +1639,9 @@ SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
- if (unlikely(nr < 0))
- return -EINVAL;
-
-+ if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
-+ nr = LONG_MAX/sizeof(*iocbpp);
-+
- if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
- return -EFAULT;
-
---
-1.7.2.3
-
diff --git a/inotify-fix-inotify-oneshot-support.patch b/inotify-fix-inotify-oneshot-support.patch
deleted file mode 100644
index ba63e10..0000000
--- a/inotify-fix-inotify-oneshot-support.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-#607327
-
-During the large inotify rewrite to fsnotify I completely dropped support
-for IN_ONESHOT. Reimplement that support.
-
-Signed-off-by: Eric Paris
---
-
- fs/notify/inotify/inotify_fsnotify.c | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_fsnotify.c b/fs/notify/inotify/inotify_fsnotify.c
-index daa666a..388a150 100644
---- a/fs/notify/inotify/inotify_fsnotify.c
-+++ b/fs/notify/inotify/inotify_fsnotify.c
-@@ -126,6 +126,9 @@ static int inotify_handle_event(struct fsnotify_group *group, struct fsnotify_ev
- ret = 0;
- }
-
-+ if (entry->mask & IN_ONESHOT)
-+ fsnotify_destroy_mark_by_entry(entry);
-+
- /*
- * If we hold the entry until after the event is on the queue
- * IN_IGNORED won't be able to pass this event in the queue
diff --git a/inotify-send-IN_UNMOUNT-events.patch b/inotify-send-IN_UNMOUNT-events.patch
deleted file mode 100644
index cf1d4c4..0000000
--- a/inotify-send-IN_UNMOUNT-events.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-#607327 ?
-
-Since the .31 or so notify rewrite inotify has not sent events about
-inodes which are unmounted. This patch restores those events.
-
-Signed-off-by: Eric Paris
---
-
- fs/notify/inotify/inotify_user.c | 7 +++++--
- 1 files changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c
-index 44aeb0f..f381daf 100644
---- a/fs/notify/inotify/inotify_user.c
-+++ b/fs/notify/inotify/inotify_user.c
-@@ -90,8 +90,11 @@ static inline __u32 inotify_arg_to_mask(u32 arg)
- {
- __u32 mask;
-
-- /* everything should accept their own ignored and cares about children */
-- mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD);
-+ /*
-+ * everything should accept their own ignored, cares about children,
-+ * and should receive events when the inode is unmounted
-+ */
-+ mask = (FS_IN_IGNORED | FS_EVENT_ON_CHILD | FS_UNMOUNT);
-
- /* mask off the flags used to open the fd */
- mask |= (arg & (IN_ALL_EVENTS | IN_ONESHOT));
diff --git a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch b/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
deleted file mode 100644
index a36f8af..0000000
--- a/irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From: David S. Miller
-Date: Tue, 31 Aug 2010 01:35:24 +0000 (-0700)
-Subject: irda: Correctly clean up self->ias_obj on irda_bind() failure.
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fdavem%2Fnet-2.6.git;a=commitdiff_plain;h=628e300cccaa628d8fb92aa28cb7530a3d5f2257
-
-irda: Correctly clean up self->ias_obj on irda_bind() failure.
-
-If irda_open_tsap() fails, the irda_bind() code tries to destroy
-the ->ias_obj object by hand, but does so wrongly.
-
-In particular, it fails to a) release the hashbin attached to the
-object and b) reset the self->ias_obj pointer to NULL.
-
-Fix both problems by using irias_delete_object() and explicitly
-setting self->ias_obj to NULL, just as irda_release() does.
-
-Reported-by: Tavis Ormandy
-Signed-off-by: David S. Miller
---
-
-diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
-index 79986a6..fd55b51 100644
---- a/net/irda/af_irda.c
-+++ b/net/irda/af_irda.c
-@@ -824,8 +824,8 @@ static int irda_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
-
- err = irda_open_tsap(self, addr->sir_lsap_sel, addr->sir_name);
- if (err < 0) {
-- kfree(self->ias_obj->name);
-- kfree(self->ias_obj);
-+ irias_delete_object(self->ias_obj);
-+ self->ias_obj = NULL;
- return err;
- }
-
diff --git a/kernel.spec b/kernel.spec
index db75c73..6705021 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -47,7 +47,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 169
+%global baserelease 170
 %global fedora_build %{baserelease}
 # base_sublevel is the kernel version we're starting with and patching
@@ -59,7 +59,7 @@ Summary: The Linux kernel
 %if 0%{?released_kernel}
 # Do we have a -stable update to apply?
-%define stable_update 22
+%define stable_update 23
 # Is it a -stable RC?
 %define stable_rc 0
 # Set rpm version accordingly
@@ -638,8 +638,6 @@ Patch21: linux-2.6-tracehook.patch
 Patch22: linux-2.6-utrace.patch
 Patch23: linux-2.6-utrace-ptrace.patch
-Patch103: aio-check-for-multiplication-overflow-in-do_io_submit.patch
-
 Patch141: linux-2.6-ps3-storage-alias.patch
 Patch143: linux-2.6-g5-therm-shutdown.patch
 Patch144: linux-2.6-vio-modalias.patch
@@ -829,16 +827,11 @@ Patch12923: mac80211-explicitly-disable-enable-QoS.patch
 # l2tp: fix oops in pppol2tp_xmit (#607054)
 Patch13030: l2tp-fix-oops-in-pppol2tp_xmit.patch
-Patch14020: inotify-fix-inotify-oneshot-support.patch
-Patch14030: inotify-send-IN_UNMOUNT-events.patch
-
 Patch14050: crypto-add-async-hash-testing.patch
 # Red Hat Bugzilla #610911
 Patch14130: kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
-Patch14150: irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
-
 Patch14200: net-do-not-check-capable-if-kernel.patch
 # Mitigate DOS with large argument lists
@@ -846,10 +839,6 @@ Patch14210: execve-improve-interactivity-with-large-arguments.patch
 Patch14211: execve-make-responsive-to-sigkill-with-large-arguments.patch
 Patch14212: setup_arg_pages-diagnose-excessive-argument-size.patch
-# CVE-2010-2960
-Patch14230: keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
-Patch14231: keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
-
 # ==============================================================================
 %endif
@@ -1323,8 +1312,6 @@ ApplyPatch linux-2.6-execshield.patch
 #
 # bugfixes to drivers and filesystems
 #
-# CVE-2010-3067
-ApplyPatch aio-check-for-multiplication-overflow-in-do_io_submit.patch
 # ext4
@@ -1546,18 +1533,11 @@ ApplyPatch iwlwifi-manage-QoS-by-mac-stack.patch
 # l2tp: fix oops in pppol2tp_xmit (#607054)
 ApplyPatch l2tp-fix-oops-in-pppol2tp_xmit.patch
-# fix broken oneshot support and missing umount events (F13#607327)
-ApplyPatch inotify-fix-inotify-oneshot-support.patch
-ApplyPatch inotify-send-IN_UNMOUNT-events.patch
-
 # add tests for crypto async hashing (#571577)
 ApplyPatch crypto-add-async-hash-testing.patch
 ApplyPatch kvm-mmu-fix-conflict-access-permissions-in-direct-sp.patch
-# CVE-2010-2954
-ApplyPatch irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
-
 # rhbz #598796
 ApplyPatch net-do-not-check-capable-if-kernel.patch
@@ -1566,10 +1546,6 @@ ApplyPatch execve-improve-interactivity-with-large-arguments.patch
 ApplyPatch execve-make-responsive-to-sigkill-with-large-arguments.patch
 ApplyPatch setup_arg_pages-diagnose-excessive-argument-size.patch
-# CVE-2010-2960
-ApplyPatch keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
-ApplyPatch keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
-
 # END OF PATCH APPLICATIONS ====================================================
 %endif
@@ -2222,7 +2198,17 @@ fi
 %kernel_variant_files -k vmlinux %{with_kdump} kdump
 %changelog
-* Mon Sep 20 2010 Chuck Ebbert 2.6.32.21-169
+* Mon Sep 27 2010 Chuck Ebbert 2.6.32.23-170
+- Linux 2.6.32.22
+- Drop merged patches:
+ aio-check-for-multiplication-overflow-in-do_io_submit.patch
+ inotify-fix-inotify-oneshot-support.patch
+ inotify-send-IN_UNMOUNT-events.patch
+ irda-correctly-clean-up-self-ias_obj-on-irda_bind-failure.patch
+ keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+ keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+
+* Mon Sep 20 2010 Chuck Ebbert 2.6.32.22-169
 - Linux 2.6.32.22
 - Drop merged patches:
 01-compat-make-compat_alloc_user_space-incorporate-the-access_ok-check.patch
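Review bot: The new changelog entry in the last kernel.spec hunk records `- Linux 2.6.32.22`, yet this same commit moves `stable_update` from 22 to 23 and points `sources` at patch-2.6.32.23.bz2, so the line should read `- Linux 2.6.32.23`; as written the rpm changelog claims the same stable release as the corrected Sep 20 entry directly below it. The removed `# CVE-2010-3067`, `# CVE-2010-2954` and `# CVE-2010-2960` comments in the earlier kernel.spec hunks were the only place the spec tied those identifiers to the patches now listed under "Drop merged patches", and that traceability disappears with them. Consider carrying the identifiers into the entry, e.g. `- Drop merged patches (CVE-2010-2954, CVE-2010-2960, CVE-2010-3067):`, so that `rpm -q --changelog` still shows which build carried each fix. That all six patches are actually contained in the 2.6.32.23 stable update is asserted by the entry rather than shown in the diff, so it is worth confirming against the stable changelog before building.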
diff --git a/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch b/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
deleted file mode 100644
index fb62519..0000000
--- a/keys-fix-bug-in-keyctl_session_to_parent-if-parent-has-no-session-keyring.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: David Howells
-Date: Fri, 10 Sep 2010 08:59:51 +0000 (+0100)
-Subject: KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3d96406c7da1ed5811ea52a3b0905f4f0e295376
-
-KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring
-
-Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership
-of the parent process's session keyring whether or not the parent has a session
-keyring [CVE-2010-2960].
-
-This results in the following oops:
-
- BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
- IP: [] keyctl_session_to_parent+0x251/0x443
- ...
- Call Trace:
- [] ? keyctl_session_to_parent+0x67/0x443
- [] ? __do_fault+0x24b/0x3d0
- [] sys_keyctl+0xb4/0xb8
- [] system_call_fastpath+0x16/0x1b
-
-if the parent process has no session keyring.
-
-If the system is using pam_keyinit then it mostly protected against this as all
-processes derived from a login will have inherited the session keyring created
-by pam_keyinit during the log in procedure.
-
-To test this, pam_keyinit calls need to be commented out in /etc/pam.d/.
-
-Reported-by: Tavis Ormandy
-Signed-off-by: David Howells
-Acked-by: Tavis Ormandy
-Signed-off-by: Linus Torvalds
---
-
-[ 2.6.32 backport ]
-
-diff a/security/keys/keyctl.c b/security/keys/keyctl.c
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1291,7 +1291,8 @@ long keyctl_session_to_parent(void)
- goto not_permitted;
-
- /* the keyrings must have the same UID */
-- if (pcred ->tgcred->session_keyring->uid != mycred->euid ||
-+ if ((pcred->tgcred->session_keyring &&
-+ pcred->tgcred->session_keyring->uid != mycred->euid) ||
- mycred->tgcred->session_keyring->uid != mycred->euid)
- goto not_permitted;
-
-
diff --git a/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch b/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
deleted file mode 100644
index 5318f7e..0000000
--- a/keys-fix-rcu-no-lock-warning-in-keyctl_session_to_parent.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From: David Howells
-Date: Fri, 10 Sep 2010 08:59:46 +0000 (+0100)
-Subject: KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9d1ac65a9698513d00e5608d93fca0c53f536c14
-
-KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
-
-There's an protected access to the parent process's credentials in the middle
-of keyctl_session_to_parent(). This results in the following RCU warning:
-
- ===================================================
- [ INFO: suspicious rcu_dereference_check() usage. ]
- ---------------------------------------------------
- security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!
-
- other info that might help us debug this:
-
- rcu_scheduler_active = 1, debug_locks = 0
- 1 lock held by keyctl-session-/2137:
- #0: (tasklist_lock){.+.+..}, at: [] keyctl_session_to_parent+0x60/0x236
-
- stack backtrace:
- Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
- Call Trace:
- [] lockdep_rcu_dereference+0xaa/0xb3
- [] keyctl_session_to_parent+0xed/0x236
- [] sys_keyctl+0xb4/0xb6
- [] system_call_fastpath+0x16/0x1b
-
-The code should take the RCU read lock to make sure the parents credentials
-don't go away, even though it's holding a spinlock and has IRQ disabled.
-
-Signed-off-by: David Howells
-Signed-off-by: Linus Torvalds
---
-
-diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c
-index b2b0998..3868c67 100644
---- a/security/keys/keyctl.c
-+++ b/security/keys/keyctl.c
-@@ -1272,6 +1272,7 @@ long keyctl_session_to_parent(void)
- keyring_r = NULL;
-
- me = current;
-+ rcu_read_lock();
- write_lock_irq(&tasklist_lock);
-
- parent = me->real_parent;
-@@ -1319,6 +1320,7 @@ long keyctl_session_to_parent(void)
- set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME);
-
- write_unlock_irq(&tasklist_lock);
-+ rcu_read_unlock();
- if (oldcred)
- put_cred(oldcred);
- return 0;
-@@ -1327,6 +1329,7 @@ already_same:
- ret = 0;
- not_permitted:
- write_unlock_irq(&tasklist_lock);
-+ rcu_read_unlock();
- put_cred(cred);
- return ret;
-
diff --git a/sources b/sources
index 2f21808..70d5251 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
 260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
-da1431a1d659298c6bd11714416c840f patch-2.6.32.22.bz2
+6eac9aebbf9e74546b7c44c0fb9348a7 patch-2.6.32.23.bz2