authorGreg Kroah-Hartman <gregkh@suse.de>2011-01-04 14:23:56 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2011-01-04 14:23:56 -0800
commit678be3a28f949d971c46584e6ab4755ed1ae003e (patch)
treeb71ff410ede575c2439dc1f0e64557ba3456a9d7
parent649ea1aaa9cce74d70acbee80f5df99d8b8bb1d2 (diff)
.33 patches
-rw-r--r--queue-2.6.33/ima-fix-add-lsm-rule-bug.patch64
-rw-r--r--queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch31
-rw-r--r--queue-2.6.33/series3
-rw-r--r--queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch47
4 files changed, 145 insertions, 0 deletions
diff --git a/queue-2.6.33/ima-fix-add-lsm-rule-bug.patch b/queue-2.6.33/ima-fix-add-lsm-rule-bug.patch
new file mode 100644
index 0000000..e42079c
--- /dev/null
+++ b/queue-2.6.33/ima-fix-add-lsm-rule-bug.patch
@@ -0,0 +1,64 @@
+From 867c20265459d30a01b021a9c1e81fb4c5832aa9 Mon Sep 17 00:00:00 2001
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Date: Mon, 3 Jan 2011 14:59:10 -0800
+Subject: ima: fix add LSM rule bug
+
+From: Mimi Zohar <zohar@linux.vnet.ibm.com>
+
+commit 867c20265459d30a01b021a9c1e81fb4c5832aa9 upstream.
+
+If security_filter_rule_init() doesn't return a rule, then not everything
+is as fine as the return code implies.
+
+This bug only occurs when the LSM (eg. SELinux) is disabled at runtime.
+
+Adding an empty LSM rule causes ima_match_rules() to always succeed,
+ignoring any remaining rules.
+
+ default IMA TCB policy:
+ # PROC_SUPER_MAGIC
+ dont_measure fsmagic=0x9fa0
+ # SYSFS_MAGIC
+ dont_measure fsmagic=0x62656572
+ # DEBUGFS_MAGIC
+ dont_measure fsmagic=0x64626720
+ # TMPFS_MAGIC
+ dont_measure fsmagic=0x01021994
+ # SECURITYFS_MAGIC
+ dont_measure fsmagic=0x73636673
+
+ < LSM specific rule >
+ dont_measure obj_type=var_log_t
+
+ measure func=BPRM_CHECK
+ measure func=FILE_MMAP mask=MAY_EXEC
+ measure func=FILE_CHECK mask=MAY_READ uid=0
+
+Thus without the patch, with the boot parameters 'tcb selinux=0', adding
+the above 'dont_measure obj_type=var_log_t' rule to the default IMA TCB
+measurement policy, would result in nothing being measured. The patch
+prevents the default TCB policy from being replaced.
+
+Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
+Cc: James Morris <jmorris@namei.org>
+Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
+Cc: David Safford <safford@watson.ibm.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/integrity/ima/ima_policy.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/integrity/ima/ima_policy.c
++++ b/security/integrity/ima/ima_policy.c
+@@ -249,6 +249,8 @@ static int ima_lsm_rule_init(struct ima_
+ result = security_filter_rule_init(entry->lsm[lsm_rule].type,
+ Audit_equal, args,
+ &entry->lsm[lsm_rule].rule);
++ if (!entry->lsm[lsm_rule].rule)
++ return -EINVAL;
+ return result;
+ }
+
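Review bot: The added `if (!entry->lsm[lsm_rule].rule) return -EINVAL;` is evaluated whatever `result` holds, so when security_filter_rule_init() fails with its own error code and leaves the rule NULL, that code is replaced by -EINVAL; `if (!result && !entry->lsm[lsm_rule].rule)` would preserve the original error. The check also needs a comment, because the reason is not visible in the code: `/* LSM disabled at runtime: init reports success but yields no rule; reject it so an empty rule cannot match every file */`. ima_lsm_rule_init() begins outside the hunk, so whether its callers distinguish the error codes cannot be confirmed from here.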
diff --git a/queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch b/queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch
new file mode 100644
index 0000000..37ed75f
--- /dev/null
+++ b/queue-2.6.33/mv_xor-fix-race-in-tasklet-function.patch
@@ -0,0 +1,31 @@
+From 8333f65ef094e47020cd01452b4637e7daf5a77f Mon Sep 17 00:00:00 2001
+From: Saeed Bishara <saeed@marvell.com>
+Date: Tue, 21 Dec 2010 16:53:39 +0200
+Subject: mv_xor: fix race in tasklet function
+
+From: Saeed Bishara <saeed@marvell.com>
+
+commit 8333f65ef094e47020cd01452b4637e7daf5a77f upstream.
+
+use mv_xor_slot_cleanup() instead of __mv_xor_slot_cleanup() as the former function
+aquires the spin lock that needed to protect the drivers data.
+
+Signed-off-by: Saeed Bishara <saeed@marvell.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/dma/mv_xor.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/mv_xor.c
++++ b/drivers/dma/mv_xor.c
+@@ -448,7 +448,7 @@ mv_xor_slot_cleanup(struct mv_xor_chan *
+ static void mv_xor_tasklet(unsigned long data)
+ {
+ struct mv_xor_chan *chan = (struct mv_xor_chan *) data;
+- __mv_xor_slot_cleanup(chan);
++ mv_xor_slot_cleanup(chan);
+ }
+
+ static struct mv_xor_desc_slot *
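Review bot: mv_xor_tasklet() now relies on mv_xor_slot_cleanup() taking the lock itself, but nothing at the call site records that, and the two function names differ only by the `__` prefix. A one-line comment above the call, for example `/* tasklet runs without the channel lock held; use the locking variant */`, would keep a later cleanup from switching back to the unlocked helper. The locking primitive used inside mv_xor_slot_cleanup() is outside the hunk, so it should be confirmed that it is safe against the other contexts that take the same lock.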
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 23c45b3..bf6a238 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -243,3 +243,6 @@ usb-misc-uss720.c-add-another-vendor-product-id.patch
usb-usb-storage-unusual_devs-entry-for-the-samsung-yp-cp3.patch
p54usb-add-5-more-usbids.patch
p54usb-new-usb-id-for-gemtek-wubi-100gw.patch
+sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
+mv_xor-fix-race-in-tasklet-function.patch
+ima-fix-add-lsm-rule-bug.patch
diff --git a/queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch b/queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
new file mode 100644
index 0000000..d39f058
--- /dev/null
+++ b/queue-2.6.33/sound-prevent-buffer-overflow-in-oss-load_mixer_volumes.patch
@@ -0,0 +1,47 @@
+From d81a12bc29ae4038770e05dce4ab7f26fd5880fb Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Sat, 25 Dec 2010 16:23:40 -0500
+Subject: sound: Prevent buffer overflow in OSS load_mixer_volumes
+
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+
+commit d81a12bc29ae4038770e05dce4ab7f26fd5880fb upstream.
+
+The load_mixer_volumes() function, which can be triggered by
+unprivileged users via the SOUND_MIXER_SETLEVELS ioctl, is vulnerable to
+a buffer overflow. Because the provided "name" argument isn't
+guaranteed to be NULL terminated at the expected 32 bytes, it's possible
+to overflow past the end of the last element in the mixer_vols array.
+Further exploitation can result in an arbitrary kernel write (via
+subsequent calls to load_mixer_volumes()) leading to privilege
+escalation, or arbitrary kernel reads via get_mixer_levels(). In
+addition, the strcmp() may leak bytes beyond the mixer_vols array.
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ sound/oss/soundcard.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -87,7 +87,7 @@ int *load_mixer_volumes(char *name, int
+ int i, n;
+
+ for (i = 0; i < num_mixer_volumes; i++) {
+- if (strcmp(name, mixer_vols[i].name) == 0) {
++ if (strncmp(name, mixer_vols[i].name, 32) == 0) {
+ if (present)
+ mixer_vols[i].num = i;
+ return mixer_vols[i].levels;
+@@ -99,7 +99,7 @@ int *load_mixer_volumes(char *name, int
+ }
+ n = num_mixer_volumes++;
+
+- strcpy(mixer_vols[n].name, name);
++ strncpy(mixer_vols[n].name, name, 32);
+
+ if (present)
+ mixer_vols[n].num = n;
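Review bot: `strncpy(mixer_vols[n].name, name, 32)` writes no terminator when `name` holds 32 non-NUL bytes, so the stored name can be left unterminated, and any reader that is not length-bounded like the new `strncmp(..., 32)` would run past the field. Both calls also hard-code 32; `sizeof(mixer_vols[n].name)` would tie the bound to the array, assuming `name` is an array member, which the hunk does not show. Either document that the field is fixed-width and may be unterminated, or terminate it explicitly and make the comparison agree with the shortened length. The bounds check on `num_mixer_volumes` that should precede `n = num_mixer_volumes++` is outside the hunk and needs confirming as well.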