author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-01-04 14:23:56 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-01-04 14:23:56 -0800 |
commit | 678be3a28f949d971c46584e6ab4755ed1ae003e (patch) | |
tree | b71ff410ede575c2439dc1f0e64557ba3456a9d7 | |
parent | 649ea1aaa9cce74d70acbee80f5df99d8b8bb1d2 (diff) | |
download | longterm-queue-2.6.33-678be3a28f949d971c46584e6ab4755ed1ae003e.tar.gz |
.33 patches
-rw-r--r-- | queue-2.6.33/ima-fix-add-lsm-rule-bug.patch | 64 | ||||
-rw-r--r-- | queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch | 31 | ||||
-rw-r--r-- | queue-2.6.33/series | 3 | ||||
-rw-r--r-- | queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch | 47 |
4 files changed, 145 insertions, 0 deletions
diff --git a/queue-2.6.33/ima-fix-add-lsm-rule-bug.patch b/queue-2.6.33/ima-fix-add-lsm-rule-bug.patch
new file mode 100644
index 0000000..e42079c
--- /dev/null
+++ b/queue-2.6.33/ima-fix-add-lsm-rule-bug.patch
@@ -0,0 +1,64 @@
+From 867c20265459d30a01b021a9c1e81fb4c5832aa9 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Mon, 3 Jan 2011 14:59:10 -0800
+Subject: ima: fix add LSM rule bug
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 867c20265459d30a01b021a9c1e81fb4c5832aa9 upstream.
+
+If security_filter_rule_init() doesn't return a rule, then not everything
+is as fine as the return code implies.
+
+This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
+
+Adding an empty LSM rule causes ima_match_rules() to always succeed,
+ignoring any remaining rules.
+
+ default IMA TCB policy:
+ # PROC_SUPER_MAGIC
+ dont_measure fsmagic=0x9fa0
+ # SYSFS_MAGIC
+ dont_measure fsmagic=0x62656572
+ # DEBUGFS_MAGIC
+ dont_measure fsmagic=0x64626720
+ # TMPFS_MAGIC
+ dont_measure fsmagic=0x01021994
+ # SECURITYFS_MAGIC
+ dont_measure fsmagic=0x73636673
+
+ < LSM specific rule >
+ dont_measure obj_type=var_log_t
+
+ measure func=BPRM_CHECK
+ measure func=FILE_MMAP mask=MAY_EXEC
+ measure func=FILE_CHECK mask=MAY_READ uid=0
+
+Thus without the patch, with the boot parameters 'tcb selinux=0', adding
+the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
+measurement policy, would result in nothing being measured. The patch
+prevents the default TCB policy from being replaced.
+
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Cc: James Morris <jmorris@namei.org>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Cc: David Safford <safford@watson.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/integrity/ima/ima_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -249,6 +249,8 @@ static int ima_lsm_rule_init(struct ima_
+ result = security_filter_rule_init(entry->lsm[lsm_rule].type,
+ Audit_equal, args,
+ &entry->lsm[lsm_rule].rule);
++ if (!entry->lsm[lsm_rule].rule)
++ return -EINVAL;
+ return result;
+ }
+
diff --git a/queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch b/queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch
new file mode 100644
index 0000000..37ed75f
--- /dev/null
+++ b/queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch
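Review bot: In the security/integrity/ima/ima_policy.c hunk carried by ima-fix-add-lsm-rule-bug.patch, the added `if (!entry->lsm[lsm_rule].rule) return -EINVAL;` runs regardless of `result`, so a specific error already returned by security_filter_rule_init() is replaced by -EINVAL whenever no rule was produced. Testing `if (!result && !entry->lsm[lsm_rule].rule)` would keep the original error code for callers and logs. The check also deserves a comment such as `/* LSM disabled at runtime: init reports success but yields no rule */`, because the reason a NULL rule must be rejected (it would make ima_match_rules() match everything) is recorded only in the commit message. ima_lsm_rule_init() starts outside the hunk.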
@@ -0,0 +1,31 @@
+From 8333f65ef094e47020cd01452b4637e7daf5a77f Mon Sep 17 00:00:00 2001
+From: Saeed Bishara <saeed@marvell.com>
+Date: Tue, 21 Dec 2010 16:53:39 +0200
+Subject: mv_xor: fix race in tasklet function
+
+From: Saeed Bishara <saeed@marvell.com>
+
+commit 8333f65ef094e47020cd01452b4637e7daf5a77f upstream.
+
+use mv_xor_slot_cleanup() instead of __mv_xor_slot_cleanup() as the former function
+aquires the spin lock that needed to protect the drivers data.
+
+Signed-off-by: Saeed Bishara <saeed@marvell.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/mv_xor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -448,7 +448,7 @@ mv_xor_slot_cleanup(struct mv_xor_chan *
+ static void mv_xor_tasklet(unsigned long data)
+ {
+ struct mv_xor_chan *chan = (struct mv_xor_chan *) data;
+- __mv_xor_slot_cleanup(chan);
++ mv_xor_slot_cleanup(chan);
+ }
+
+ static struct mv_xor_desc_slot *
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 23c45b3..bf6a238 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -243,3 +243,6 @@ usb-misc-uss720.c-add-another-vendor-product-id.patch
 usb-usb-storage-unusual_devs-entry-for-the-samsung-yp-cp3.patch
 p54usb-add-5-more-usbids.patch
 p54usb-new-usb-id-for-gemtek-wubi-100gw.patch
+sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
+mv_xor-fix-race-in-tasklet-function.patch
+ima-fix-add-lsm-rule-bug.patch
diff --git a/queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch b/queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
new file mode 100644
index 0000000..d39f058
--- /dev/null
+++ b/queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
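Review bot: In the drivers/dma/mv_xor.c hunk carried by mv_xor-fix-race-in-tasklet-function.patch, nothing on mv_xor_tasklet() records that it must call the locking wrapper, and the two function names differ only by the `__` prefix, so the race is easy to reintroduce in a later cleanup. A one-line comment above the call, e.g. `/* tasklet holds no lock: use mv_xor_slot_cleanup(), not the __ variant */`, would document the requirement. The lock primitive taken inside mv_xor_slot_cleanup() is not visible in this hunk, so it is worth confirming that it is the right variant for tasklet context relative to the driver's other lock holders.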
@@ -0,0 +1,47 @@
+From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb upstream.
+
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow. Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels(). In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/oss/soundcard.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int
+ int i, n;
+
+ for (i = 0; i < num_mixer_volumes; i++) {
+- if (strcmp(name, mixer_vols[i].name) == 0) {
++ if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ if (present)
+ mixer_vols[i].num = i;
+ return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int
+ }
+ n = num_mixer_volumes++;
+
+- strcpy(mixer_vols[n].name, name);
++ strncpy(mixer_vols[n].name, name, 32);
+
+ if (present)
+ mixer_vols[n].num = n; |
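Review bot: In the second sound/oss/soundcard.c hunk, `strncpy(mixer_vols[n].name, name, 32);` writes no terminating NUL when `name` holds 32 non-NUL bytes, so the stored name can be left unterminated. The bounded `strncmp(name, mixer_vols[i].name, 32)` in the first hunk tolerates that, but any other code that reads `mixer_vols[n].name` as a C string would run past the field into whatever follows it; the field's declaration is not visible here and its size is taken from the commit message. Forcing termination of `name` where the ioctl argument is copied in (outside these hunks) would close that gap without changing how entries match. Both literals would also be safer written as `sizeof(mixer_vols[n].name)` so the bound follows the declaration. load_mixer_volumes() starts and ends outside both hunks.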