Git-Url: http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=commitdiff;h=e4794b43dbadc5ae437c88a6f9690969db1fbb41
commit e4794b43dbadc5ae437c88a6f9690969db1fbb41 Author: Miklos Vajna <vmik...@frugalware.org> Date: Thu Oct 21 11:33:41 2010 +0200 kernel-2.6.35-5-i686 - add fixes for CVE-2010-2963 and CVE-2010-3904 - so that we won't be in a rush to upgrade to 2.6.36 without enough testing
diff --git a/source/base/kernel/CVE-2010-2963.patch b/source/base/kernel/CVE-2010-2963.patch
new file mode 100644
index 0000000..401c741
--- /dev/null
+++ b/source/base/kernel/CVE-2010-2963.patch
@@ -0,0 +1,85 @@
+From: Linus Torvalds <torva...@linux-foundation.org>
+Date: Fri, 15 Oct 2010 18:12:38 +0000 (-0700)
+Subject: v4l1: fix 32-bit compat microcode loading translation
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=3e645d6b485446c54c6745c5e2cf5c528fe4deec
+
+v4l1: fix 32-bit compat microcode loading translation
+
+The compat code for the VIDIOCSMICROCODE ioctl is totally buggered.
+It's only used by the VIDEO_STRADIS driver, and that one is scheduled to
+staging and eventually removed unless somebody steps up to maintain it
+(at which point it should use request_firmware() rather than some magic
+ioctl). So we'll get rid of it eventually.
+
+But in the meantime, the compatibility ioctl code is broken, and this
+tries to get it to at least limp along (even if Mauro suggested just
+deleting it entirely, which may be the right thing to do - I don't think
+the compatibility translation code has ever worked unless you were very
+lucky).
+
+Reported-by: Kees Cook <kees.c...@canonical.com>
+Cc: Mauro Carvalho Chehab <mche...@infradead.org>
+Cc: sta...@kernel.org
+Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
+---
+
+diff --git a/drivers/media/video/v4l2-compat-ioctl32.c b/drivers/media/video/v4l2-compat-ioctl32.c
+index 073f013..86294ed3 100644
+--- a/drivers/media/video/v4l2-compat-ioctl32.c
++++ b/drivers/media/video/v4l2-compat-ioctl32.c
+@@ -193,17 +193,24 @@ static int put_video_window32(struct video_window *kp, struct video_window32 __u
+ struct video_code32 {
+ char loadwhat[16]; /* name or tag of file being passed */
+ compat_int_t datasize;
+- unsigned char *data;
++ compat_uptr_t data;
+ };
+
+-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up)
++static struct video_code __user *get_microcode32(struct video_code32 *kp)
+ {
+- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) ||
+- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) ||
+- get_user(kp->datasize, &up->datasize) ||
+- copy_from_user(kp->data, up->data, up->datasize))
+- return -EFAULT;
+- return 0;
++ struct video_code __user *up;
++
++ up = compat_alloc_user_space(sizeof(*up));
++
++ /*
++ * NOTE! We don't actually care if these fail. If the
++ * user address is invalid, the native ioctl will do
++ * the error handling for us
++ */
++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat));
++ (void) put_user(kp->datasize, &up->datasize);
++ (void) put_user(compat_ptr(kp->data), &up->data);
++ return up;
+ }
+
+ #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32)
+@@ -739,7 +746,7 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ struct video_tuner vt;
+ struct video_buffer vb;
+ struct video_window vw;
+- struct video_code vc;
++ struct video_code32 vc;
+ struct video_audio va;
+ #endif
+ struct v4l2_format v2f;
+@@ -818,8 +825,11 @@ static long do_video_ioctl(struct file *file, unsigned int cmd, unsigned long ar
+ break;
+
+ case VIDIOCSMICROCODE:
+- err = get_microcode32(&karg.vc, up);
+- compatible_arg = 0;
++ /* Copy the 32-bit "video_code32" to kernel space */
++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc)))
++ return -EFAULT;
++ /* Convert the 32-bit version to a 64-bit version in user space */
++ up = get_microcode32(&karg.vc);
+ break;
+
+ case VIDIOCSFREQ:
diff --git a/source/base/kernel/CVE-2010-3904.patch b/source/base/kernel/CVE-2010-3904.patch
new file mode 100644
index 0000000..f6009f9
--- /dev/null
+++ b/source/base/kernel/CVE-2010-3904.patch
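Review bot: In get_microcode32 the `datasize` field is a signed `compat_int_t` that is forwarded to the native `struct video_code` unchanged, and nothing in this translation path range-checks it. Together with the deliberately ignored `copy_to_user`/`put_user` results, that leaves all validation of the microcode length and pointer to the native VIDIOCSMICROCODE handler, which is not visible here; it is worth confirming that the driver rejects negative or oversized lengths before carrying this backport. A short comment above the function, such as `/* returns a user-space pointer from compat_alloc_user_space(); never fails, validation is left to the native ioctl */`, would make that contract explicit. The rest of do_video_ioctl, including where `up` is passed on, lies outside the hunks.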
@@ -0,0 +1,75 @@
+From: Linus Torvalds <torva...@linux-foundation.org>
+Date: Fri, 15 Oct 2010 18:09:28 +0000 (-0700)
+Subject: De-pessimize rds_page_copy_user
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=799c10559d60f159ab2232203f222f18fa3c4a5f
+
+De-pessimize rds_page_copy_user
+
+Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and
+the unsafe atomic user mode accessor functions. It's actually slower
+than the straightforward code on any reasonable modern CPU.
+
+Back when the code was written (although probably not by the time it was
+actually merged, though), 32-bit x86 may have been the dominant
+architecture. And there kmap_atomic() can be a lot faster than kmap()
+(unless you have very good locality, in which case the virtual address
+caching by kmap() can overcome all the downsides).
+
+But these days, x86-64 may not be more populous, but it's getting there
+(and if you care about performance, it's definitely already there -
+you'd have upgraded your CPU's already in the last few years). And on
+x86-64, the non-kmap_atomic() version is faster, simply because the code
+is simpler and doesn't have the "re-try page fault" case.
+
+People with old hardware are not likely to care about RDS anyway, and
+the optimization for the 32-bit case is simply buggy, since it doesn't
+verify the user addresses properly.
+
+Reported-by: Dan Rosenberg <drosenb...@vsecurity.com>
+Acked-by: Andrew Morton <a...@linux-foundation.org>
+Cc: sta...@kernel.org
+Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>
+---
+
+diff --git a/net/rds/page.c b/net/rds/page.c
+index 595a952..1dfbfea 100644
+--- a/net/rds/page.c
++++ b/net/rds/page.c
+@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page, unsigned long offset,
+ unsigned long ret;
+ void *addr;
+
+- if (to_user)
++ addr = kmap(page);
++ if (to_user) {
+ rds_stats_add(s_copy_to_user, bytes);
+- else
++ ret = copy_to_user(ptr, addr + offset, bytes);
++ } else {
+ rds_stats_add(s_copy_from_user, bytes);
+-
+- addr = kmap_atomic(page, KM_USER0);
+- if (to_user)
+- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes);
+- else
+- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes);
+- kunmap_atomic(addr, KM_USER0);
+-
+- if (ret) {
+- addr = kmap(page);
+- if (to_user)
+- ret = copy_to_user(ptr, addr + offset, bytes);
+- else
+- ret = copy_from_user(addr + offset, ptr, bytes);
+- kunmap(page);
+- if (ret)
+- return -EFAULT;
++ ret = copy_from_user(addr + offset, ptr, bytes);
+ }
++ kunmap(page);
+
+- return 0;
++ return ret ? -EFAULT : 0;
+ }
+ EXPORT_SYMBOL_GPL(rds_page_copy_user);
+
diff --git a/source/base/kernel/FrugalBuild b/source/base/kernel/FrugalBuild
index 4046447..6d0c5e3 100644
--- a/source/base/kernel/FrugalBuild
+++ b/source/base/kernel/FrugalBuild
@@ -10,6 +10,8 @@ if Fuse $USE_DEVEL; then
 pkgrel=1
 _F_scm_type="git"
 _F_scm_url="git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6"
+else
+ _F_kernel_patches=(CVE-2010-2963.patch CVE-2010-3904.patch)
 fi

 Finclude kernel
_______________________________________________
Frugalware-git mailing list
Frugalware-git@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-git
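Review bot: The rewritten body of rds_page_copy_user carries no comment saying why the checked `copy_to_user`/`copy_from_user` calls must stay, so a later performance cleanup could reintroduce the `__copy_*_inatomic` fast path that the patch description says did not verify user addresses. I would add above `addr = kmap(page);` something like `/* keep the checked accessors: the _inatomic variants do not validate the user pointer */`. The function's signature and the declaration of `ptr` and `bytes` are outside the hunk, so the callers' context cannot be checked from here.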
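Review bot: The new `else` branch lists the two backports without recording where they come from or when they can be dropped, although the commit message describes them as a stopgap until 2.6.36. A comment above `_F_kernel_patches=`, for example `# backports of upstream 3e645d6b and 799c1055; drop when moving to 2.6.36`, would stop a stale patch from lingering or being removed by accident at the next version bump. The title names the i686 package while the first patch only touches the 32-bit compat ioctl layer, which presumably matters on 64-bit builds, so it is worth confirming that every architecture built from this FrugalBuild is rebuilt with the same list.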