On 14 April 2014 23:35, Felipe Balbi wrote:
> On Sun, Mar 30, 2014 at 03:34:15PM +0200, Mathias Krause wrote:
>> If we've registered a notifier in pda_power_probe() we must deregister
>> it in pda_power_remove() to not let it work on stale data like, e.g.,
>> the charg
On 30 March 2014 15:34, Mathias Krause wrote:
> The notifier block can and should be initialized statically. Fixed in
> patch 1.
>
> While doing patch 1 I noticed, that the USB notifier that gets registered
> in pda_power_probe() never gets unregistered. Fixed in patch 2.
>
>
On 30 March 2014 23:47, Davidlohr Bueso wrote:
> On Sun, 2014-03-30 at 15:35 +0200, Mathias Krause wrote:
>> There is no need to recreate the very same ipc_ops structure on every
>> kernel entry for msgget/semget/shmget. Just declare it static and be
>> done with it.
>>
Instead of initializing the notifier block in pda_power_probe(),
initialize it statically. This saves us some code.
Found in the PaX patch, written by the PaX Team.
Cc: PaX Team
Cc: Felipe Balbi
Cc: Anton Vorontsov
Signed-off-by: Mathias Krause
---
drivers/power/pda_power.c |6 --
1
Nadia Derbey
Cc: Andrew Morton
Signed-off-by: Mathias Krause
---
ipc/msg.c |9 -
ipc/sem.c | 10 +-
ipc/shm.c | 10 +-
ipc/util.c |8
ipc/util.h |2 +-
5 files changed, 19 insertions(+), 20 deletions(-)
diff --git a/ipc/msg.c b/ipc/msg.c
If we've registered a notifier in pda_power_probe() we must deregister
it in pda_power_remove() to not let it work on stale data like, e.g.,
the charger timer.
Cc: Felipe Balbi
Cc: Anton Vorontsov
Signed-off-by: Mathias Krause
---
drivers/power/pda_power.c |5 +
1 file chang
!
Please apply!
Mathias Krause (2):
pda_power: Statically initialize notifier block
pda_power: Unregister USB notifier in pda_power_remove()
drivers/power/pda_power.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
--
1.7.10.4
--
Instead of initializing the pm notifier block in register_ftrace_graph(),
initialize it statically. This saves us some code.
Found in the PaX patch, written by the PaX Team.
Cc: PaX Team
Signed-off-by: Mathias Krause
---
kernel/trace/ftrace.c |6 --
1 file changed, 4 insertions(+), 2
Commit-ID: 6cce16f99d7be23cec7cabdf32a8166eec6e5393
Gitweb: http://git.kernel.org/tip/6cce16f99d7be23cec7cabdf32a8166eec6e5393
Author: Mathias Krause
AuthorDate: Fri, 7 Mar 2014 08:52:32 +0100
Committer: H. Peter Anvin
CommitDate: Mon, 10 Mar 2014 17:32:01 -0700
x86, threadinfo: Redo
;"
Cc: Steven Rostedt
Cc: Andrew Morton
Cc: Peter Zijlstra
Cc: Brian Gerst
Cc: Andi Kleen
Cc: H. Peter Anvin
Signed-off-by: Mathias Krause
---
If it's not obvious, this patch should be applied to tip.git on top of
tip/x86/threadinfo.
arch/x86/kernel/irq_32.c |6 +-
1 fil
On 29 January 2014 09:11, Ingo Molnar wrote:
>> But you can see that the symbol is perfectly fine:
>>
>> (gdb) list *(schedule+0x45)
>
> Oh, cool. Thanks for that trick - this will save me quite some time in
> the future.
>
> So we can strip absolute addresses just fine from oopses - cool.
>
> I
igned expressions with bigger data types, e.g size_t.
In case a user still wants to have "unlimited" sizes she could just use
INT_MAX instead.
Signed-off-by: Mathias Krause
Cc: Andrew Morton
---
v2:
- handle msgmnb and msgmni, too
- make the underlying variables unsigned, as per Linus
me patch does.
Signed-off-by: Mathias Krause
Cc: Andrew Morton
Cc: Pax Team
Cc: sta...@vger.kernel.org # v2.3.27+ -- yes, that old ;)
---
v2:
- pass size_t to all users instead of checking for the truncation case,
as per Linus
include/linux/msg.h |6 +++---
ipc/msgutil.c |
crash, as it is now for negative values, but in an OOM killer invocation
instead which can be handled gracefully.
Regards,
Mathias
Mathias Krause (2):
ipc, msg: fix message length check for negative values
ipc, msg: forbid negative values for "msg{max,mnb,mni}"
include/linux/
On 3 November 2013 01:35, Linus Torvalds wrote:
> On Sat, Nov 2, 2013 at 2:26 PM, Mathias Krause wrote:
>> On 64 bit systems the test for negative message sizes is bogus as the
>> size, which may be positive when evaluated as a long, will get truncated
>> to an int wh
st is quite randomly chosen as there seems to be no maintainer for
ipc/. :/
Please apply!
Mathias Krause (2):
ipc, msg: fix message length check for negative values
ipc, msg: forbid negative values for "msgmax"
ipc/ipc_sysctl.c |6 +++---
ipc/msg.c|2 +-
2 f
Negative message lengths make no sense, prevent them from being set.
They do more harm than gain.
In case a user wants to have "unlimited" message sizes she should
just use INT_MAX instead.
Signed-off-by: Mathias Krause
Cc: Andrew Morton
---
ipc/ipc_sysctl.c |6 +++---
1 file
-- e.g. checking slab object sizes on user copy operations as
the usercopy feature of the PaX patch does. Or, for that matter, detect
the long vs. int sign change due to truncation, as the size overflow
plugin of the very same patch does.
Signed-off-by: Mathias Krause
Cc: Andrew Morton
Cc: Pax Tea
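The long-vs-int narrowing and the negative msgmax interplay described in the messages above, as an added C model. This is not the kernel's ipc/msg.c: load_msg_int(), load_msg_sizet(), msgsnd_len_old/new() and set_msg_ctlmax_old/new() are hypothetical stand-ins for load_msg(), do_msgsnd() and the msgmax sysctl handler, and the sample size 0x180000000 is constructed to be positive as a long while having bit 31 set.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added model of the msgsnd() length check discussed in the thread; this is
 * not the kernel's ipc/msg.c. The function names are hypothetical stand-ins
 * for load_msg(), do_msgsnd() and the msgmax sysctl handler.
 */

/* Constructed sample: positive as a long, but bit 31 set (0x180000000 on LP64). */
size_t sample_evil_size(void)
{
	size_t half = 0x80000000u;
	return half + (half << 1);
}

/* Old consumer: took the length as an int, so 0x180000000 arrives as INT_MIN. */
static long load_msg_int(int len)
{
	return len;
}

/* Fixed consumer: the length stays a size_t all the way down. */
static long load_msg_sizet(size_t len)
{
	return (long)len;
}

/*
 * Old check. msg_ctlmax is an int; comparing it against a size_t promotes a
 * negative msg_ctlmax to a huge unsigned value, so the upper bound rejects
 * nothing, and (long)msgsz < 0 misses a value that only turns negative once
 * narrowed to int. Returns the length the consumer sees, or -1 for EINVAL.
 */
long msgsnd_len_old(size_t msgsz, int msg_ctlmax)
{
	if (msgsz > (size_t)msg_ctlmax || (long)msgsz < 0)
		return -1;
	return load_msg_int((int)msgsz);	/* the narrowing was implicit in the original */
}

/* Fixed check: same bounds test, but the length is passed on as a size_t. */
long msgsnd_len_new(size_t msgsz, int msg_ctlmax)
{
	if (msgsz > (size_t)msg_ctlmax || (long)msgsz < 0)
		return -1;
	return load_msg_sizet(msgsz);
}

/* Old sysctl handler: any int, negative values included, was accepted. */
int set_msg_ctlmax_old(int *slot, int value)
{
	*slot = value;
	return 0;
}

/* Fixed sysctl handler: bounded to [0, INT_MAX], as the patched msgmax is. */
int set_msg_ctlmax_new(int *slot, int value)
{
	if (value < 0)
		return -1;	/* -EINVAL */
	*slot = value;
	return 0;
}

/* 1 if the fixed handler refuses -1 and leaves the previous value in place. */
int fixed_sysctl_rejects_negative(void)
{
	int slot = 8192;

	return set_msg_ctlmax_new(&slot, -1) == -1 && slot == 8192;
}

int main(void)
{
	size_t evil = sample_evil_size();
	int slot = 8192;

	set_msg_ctlmax_old(&slot, -1);	/* root writes -1 to msgmax on the old kernel */
	printf("old: consumer sees %ld\n", msgsnd_len_old(evil, slot));	/* INT_MIN */
	printf("new: consumer sees %ld\n", msgsnd_len_new(evil, slot));	/* 6442450944 */
	printf("new handler rejects -1: %d\n", fixed_sysctl_rejects_negative());
	return 0;
}
```

With msgmax left at its default of 8192 both versions reject the oversized message; the difference only shows once msgmax has been set to a negative value, which the old handler allowed. Even then the new consumer sees the real, positive size and the allocation simply fails, which is the graceful OOM path the series describes, rather than a negative length reaching kzalloc() and copy_from_user().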
Commit a5463cd3 "ARM: make vectors page inaccessible from userspace"
introduced a typo making arch_vma_name() always return "[vectors]".
Fix up that regression (of the hush-hush security fix).
Signed-off-by: Mathias Krause
---
arch/arm/kernel/process.c |2 +-
1 file
On 16 June 2013 04:35, Rusty Russell wrote:
> Mathias Krause writes:
>> If we pass a pointer to a const string in the form "module:symbol"
>> module_kallsyms_lookup_name() will try to split the string at the colon,
>> i.e., will try to modify r/o data. That
string in module_kallsyms_lookup_name(),
modify find_module_all() instead to pass it the module name length.
Signed-off-by: Mathias Krause
---
v2:
- don't use kstrdup(), pass the string length to find_module_all() as
suggested by Rusty
kernel/module.c | 15 +++
1 file changed, 7 i
gument and operate on a copy
instead in case we need to split the string.
Signed-off-by: Mathias Krause
---
kernel/module.c |9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index cab4bce..5ce0784 100644
--- a/kernel/module.c
++
Fix the typo in MCJ_IRQ_BRAODCAST.
Signed-off-by: Mathias Krause
---
arch/x86/include/asm/mce.h |2 +-
arch/x86/kernel/cpu/mcheck/mce-inject.c |4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/mce.h b/arch/x86/include/asm/mce.h
In case, userland writes an empty string to a bool debugfs file, buf[]
will still be uninitialized when being passed to strtobool() making the
outcome of that function purely random.
Fix this by always zero-terminating the buffer.
Signed-off-by: Mathias Krause
---
fs/debugfs/file.c |1 +
1
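The empty-write case from the debugfs message above, as an added C model that is not the kernel's fs/debugfs/file.c. strtobool_model() accepts the same leading characters as the kernel's strtobool(); write_bool_vuln()/write_bool_fixed() are hypothetical stand-ins for the write handler, and the 'stale' argument is the byte we pretend the uninitialized stack buffer held before the call.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added model of the debugfs bool write path; not kernel code. The 'stale'
 * parameter simulates whatever the stack buffer contained before the write.
 */
static int strtobool_model(const char *s, bool *res)
{
	switch (s[0]) {
	case 'y': case 'Y': case '1':
		*res = true;
		return 0;
	case 'n': case 'N': case '0':
		*res = false;
		return 0;
	default:
		return -1;	/* -EINVAL */
	}
}

/* Shared tail: 1 = true accepted, 0 = false accepted, -1 = input rejected. */
static int outcome(const char *buf)
{
	bool bv;

	if (strtobool_model(buf, &bv) != 0)
		return -1;
	return bv ? 1 : 0;
}

/*
 * Vulnerable shape: min(count, 31) bytes are copied in and nothing terminates
 * the buffer. For count == 0 strtobool() reads buf[0] exactly as the stack
 * left it, so the outcome is whatever 'stale' happens to be.
 */
int write_bool_vuln(const char *user_buf, size_t count, unsigned char stale)
{
	char buf[32];
	size_t n = count < sizeof(buf) - 1 ? count : sizeof(buf) - 1;

	memset(buf, stale, sizeof buf);	/* stands in for leftover stack contents */
	memcpy(buf, user_buf, n);	/* stands in for copy_from_user() */
	return outcome(buf);
}

/* Fixed shape: always terminate after the copied bytes; n <= 31, so buf[n] is in bounds. */
int write_bool_fixed(const char *user_buf, size_t count, unsigned char stale)
{
	char buf[32];
	size_t n = count < sizeof(buf) - 1 ? count : sizeof(buf) - 1;

	memset(buf, stale, sizeof buf);
	memcpy(buf, user_buf, n);
	buf[n] = '\0';			/* the one-line fix */
	return outcome(buf);
}

int main(void)
{
	printf("empty write, stale 'y': vuln=%d fixed=%d\n",
	       write_bool_vuln("", 0, 'y'), write_bool_fixed("", 0, 'y'));
	printf("write \"1\": vuln=%d fixed=%d\n",
	       write_bool_vuln("1", 1, 'n'), write_bool_fixed("1", 1, 'n'));
	return 0;
}
```

For a non-empty write both versions behave identically, because the first byte is user-supplied either way; only the zero-length write exposes the difference, and the fixed version turns it into a deterministic EINVAL instead of a value that depends on the previous contents of the stack.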
andling invalid/empty input as error returning -EINVAL.
Cc: Ananth N Mavinakayanahalli
Cc: Anil S Keshavamurthy
Cc: "David S. Miller"
Cc: Masami Hiramatsu
Cc: Andrew Morton
Signed-off-by: Mathias Krause
---
kernel/kprobes.c |3 +++
1 file changed, 3 insertions(+)
diff --git a/
On Thu, Apr 25, 2013 at 11:54 PM, Kees Cook wrote:
> Select a random location when CONFIG_RANDOMIZE_BASE is used, bounded
> by CONFIG_RANDOMIZE_BASE_MAX_OFFSET. Sources of randomness currently
> include RDRAND and RDTSC.
>
> Signed-off-by: Kees Cook
> ---
> arch/x86/Kconfig| 29
On Sun, Mar 03, 2013 at 09:48:50AM -0800, Kees Cook wrote:
> Several subsystems already have an implicit subsystem restriction
> because they load with aliases. (e.g. binfmt-, net-pf=NNN,
> snd-card-NNN, FOO-iosched, etc). This isn't the case for filesystems
> and a few others, unfortunately:
>
Including " lapic " in the kernel cmdline on an x86-64 kernel makes it
panic while parsing early params -- e.g. with no user visible output.
Fix this bug by ensuring arg is non-NULL before passing it to strncmp().
Signed-off-by: Mathias Krause
Reported-by: PaX Team
Cc: sta...@vger.
Hi Peter,
Am 12.01.2013 um 00:00 schrieb Jesse Barnes :
> On Fri, 11 Jan 2013 14:39:04 -0800
> tip-bot for Jesse Barnes wrote:
>
>> Commit-ID: a9acc5365dbda29f7be2884efb63771dc24bd815
>> Gitweb:
>> http://git.kernel.org/tip/a9acc5365dbda29f7be2884efb63771dc24bd815
>> Author: Jesse Bar
On Thu, Nov 15, 2012 at 07:22:20AM +, Nithin Sujir wrote:
> > On Wed, 14 Nov 2012, Nithin Nayak Sujir wrote:
> >
> > > This was fixed by
> > >
> > > commit de0a41484c47d783dd4d442914815076aa2caac2
> > > Author: Paul Gortmaker
> > > Date: Mon Oct 1 11:43:49 2012 -0400
> > >
> > > tg3: un
On Fri, Sep 21, 2012 at 12:09 AM, David Miller wrote:
> From: Mathias Krause
> Date: Wed, 19 Sep 2012 23:33:37 +0200
>
>> the following series fixes various info leaks in the xfrm netlink
>> interface. As always, a test case can be supplied on request.
>>
>> Pat
s a default replay window size of 64).
Cc: Steffen Klassert
Cc: Martin Willi
Cc: Ben Hutchings
Signed-off-by: Mathias Krause
---
v3:
- revert size_t change to xfrm_replay_state_esn_len() (requested by Steffen)
- switch to int types for lengths (suggested by Ben)
- implement 4096 packets limit for
On Thu, Sep 20, 2012 at 9:05 AM, Steffen Klassert
wrote:
> On Thu, Sep 20, 2012 at 08:12:11AM +0200, Mathias Krause wrote:
>> On Thu, Sep 20, 2012 at 12:38 AM, Ben Hutchings
>> wrote:
>> > On Wed, 2012-09-19 at 23:33 +0200, Mathias Krause wrote:
>>
>>
On Thu, Sep 20, 2012 at 8:12 AM, Mathias Krause wrote:
> What still might happen is the overflow in xfrm_replay_state_esn_len()
> resulting in a too small bitmap allocation for the requested replay
> size. But that gets caught in xfrm_init_replay(). A little late, but
> hey.
Sorry, I m
For state updates the full bitmap must be supplied.
While at it, fix xfrm_replay_state_esn_len() to return size_t instead of
int as it calculates a length and all users expect the return value to
be positive.
Cc: Steffen Klassert
Cc: Martin Willi
Cc: Ben Hutchings
Signed-off-by: Mathias Kra
On Thu, Sep 20, 2012 at 12:38 AM, Ben Hutchings
wrote:
> On Wed, 2012-09-19 at 23:33 +0200, Mathias Krause wrote:
>> The current code fails to ensure that the netlink message actually
>> contains as many bytes as the header indicates. If a user creates a new
>> state or up
The memory reserved to dump the xfrm state includes the padding bytes of
struct xfrm_usersa_info added by the compiler for alignment (7 for
amd64, 3 for i386). Add an explicit memset(0) before filling the buffer
to avoid the info leak.
Signed-off-by: Mathias Krause
---
net/xfrm/xfrm_user.c
copy_to_user_auth() fails to initialize the remainder of alg_name and
therefore discloses up to 54 bytes of heap memory via netlink to
userland.
Use strncpy() instead of strcpy() to fill the trailing bytes of alg_name
with null bytes.
Signed-off-by: Mathias Krause
---
net/xfrm/xfrm_user.c
patch by Brad Spengler.
Cc: Brad Spengler
Signed-off-by: Mathias Krause
---
net/xfrm/xfrm_user.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 7511427..9f1e749 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1423,6
upper limit for the replay window size. But I'll leave
implementing this to someone else. ;)
Mathias Krause (6):
xfrm_user: fix info leak in copy_to_user_auth()
xfrm_user: fix info leak in copy_to_user_state()
xfrm_user: fix info leak in copy_to_user_policy()
xfrm_user: fix in
For state updates the full bitmap must be supplied.
Cc: Steffen Klassert
Cc: Martin Willi
Signed-off-by: Mathias Krause
---
net/xfrm/xfrm_user.c | 27 +--
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
in
The ESN replay window was already fully initialized in
xfrm_alloc_replay_state_esn(). No need to copy it again.
Cc: Steffen Klassert
Signed-off-by: Mathias Krause
---
net/xfrm/xfrm_user.c |9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net
The memory reserved to dump the xfrm policy includes multiple padding
bytes added by the compiler for alignment (padding bytes in struct
xfrm_selector and struct xfrm_userpolicy_info). Add an explicit
memset(0) before filling the buffer to avoid the heap info leak.
Signed-off-by: Mathias Krause
On Mon, Sep 17, 2012 at 9:16 AM, Steffen Klassert
wrote:
> On Thu, Sep 13, 2012 at 11:41:26PM +0200, Mathias Krause wrote:
>> When dump_one_state() returns an error, e.g. because of a too small
>> buffer to dump the whole xfrm state, xfrm_state_netlink() returns NULL
>>
-off-by: Mathias Krause
---
Note, this is a different, but similar issue as my previous patch
with the almost same subject.
I'm not aware of a way to exploit this bug, as the policy *should*
always fit into the netlink buffer, but better safe than sorry, so cc
stable.
net/xfrm/xfrm_u
escalation (execution of user code in
kernel context) if the attacker has CAP_NET_ADMIN and is able to map
address 0.
Cc: sta...@vger.kernel.org
Signed-off-by: Mathias Krause
---
A test case can be provided on request.
net/xfrm/xfrm_user.c |6 --
1 file changed, 4 insertions(+), 2 deletions
On Mon, Sep 10, 2012 at 8:47 AM, David Miller wrote:
> From: Mathias Krause
> Date: Mon, 10 Sep 2012 08:17:06 +0200
>
>> Hi Ben,
>>
>> On Mon, Sep 10, 2012 at 12:42 AM, Ben Hutchings wrote:
>>> 3.2-stable review patch. If anyone has any objections, please l
Hi Ben,
On Mon, Sep 10, 2012 at 12:42 AM, Ben Hutchings wrote:
> 3.2-stable review patch. If anyone has any objections, please let me know.
No objections, but could you please consider including the following
commits, too?
e862f1a atm: fix info leak in getsockopt(SO_ATMPVC)
3c0c5cf atm: f
On Sun, Sep 09, 2012 at 02:00:00PM -0700, Herbert Xu wrote:
> On Sun, Sep 09, 2012 at 10:09:10PM +0200, Mathias Krause wrote:
> >
> > It happens with the C variants of SHA1 and AES, too. You can easily
> > trigger the bug with Steffen's crconf[1]:
> >
> >
On Sun, Sep 09, 2012 at 12:19:58PM -0700, Herbert Xu wrote:
> On Sun, Sep 09, 2012 at 11:13:02AM +0200, Romain Francoise wrote:
> > Still seeing this BUG with -rc5, that I originally reported here:
> > http://marc.info/?l=linux-crypto-vger&m=134653220530264&w=2
> >
> > [ 26.362567] [
On Sun, Sep 2, 2012 at 11:37 PM, Mathias Krause wrote:
> It's redundant and makes sparse complain about it.
>
> Signed-off-by: Mathias Krause
> ---
> include/linux/pci.h |2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/pci.h
Commit-ID: ae13b7b4e041eccf34fa4dd58581fe1441375578
Gitweb: http://git.kernel.org/tip/ae13b7b4e041eccf34fa4dd58581fe1441375578
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:46 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:26 +0200
x86/iommu: Use NULL
Commit-ID: 2b11afd1ab502d959ae8d6d5812923151b5bc505
Gitweb: http://git.kernel.org/tip/2b11afd1ab502d959ae8d6d5812923151b5bc505
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:45 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:26 +0200
x86/iommu: Drop duplicate
Commit-ID: 5c7d03e99cb1ed449328ed9fba0c632944d39e7e
Gitweb: http://git.kernel.org/tip/5c7d03e99cb1ed449328ed9fba0c632944d39e7e
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:44 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:25 +0200
x86/fpu/xsave: Keep __user
Commit-ID: 04d695a6828bca54d53305246545cd1f8a841ac6
Gitweb: http://git.kernel.org/tip/04d695a6828bca54d53305246545cd1f8a841ac6
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:43 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:25 +0200
x86/pci/probe_roms: Add
Commit-ID: 0ff8fef4eaf252ee13a2d0b175a8c876415bd62a
Gitweb: http://git.kernel.org/tip/0ff8fef4eaf252ee13a2d0b175a8c876415bd62a
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:42 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:24 +0200
x86/signals: ia32_signal.c
Commit-ID: 3d1334064fb365ea8f299874c2b4c46de2bee74d
Gitweb: http://git.kernel.org/tip/3d1334064fb365ea8f299874c2b4c46de2bee74d
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:41 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:23 +0200
x86/vdso: Add __user
Commit-ID: f00026276ace77dcad1cdf17f696ae4e56e12ee6
Gitweb: http://git.kernel.org/tip/f00026276ace77dcad1cdf17f696ae4e56e12ee6
Author: Mathias Krause
AuthorDate: Sun, 2 Sep 2012 23:31:40 +0200
Committer: Ingo Molnar
CommitDate: Wed, 5 Sep 2012 10:52:23 +0200
x86: Fix __user
On Tue, Sep 4, 2012 at 2:13 PM, Avi Kivity wrote:
> On 09/04/2012 03:09 PM, Avi Kivity wrote:
>> On 08/30/2012 02:30 AM, Mathias Krause wrote:
>>> As the compiler ensures that the memory operand is always aligned
>>> to a 16 byte memory location,
>>
>>
It's redundant and makes sparse complain about it.
Signed-off-by: Mathias Krause
---
include/linux/pci.h |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 5faa831..aee24a8 100644
--- a/include/linux/pci.h
+++ b/include/
The address calculated by VDSO32_SYMBOL() is a pointer into userland.
Add the __user annotation to fix related sparse warnings in its users.
Signed-off-by: Mathias Krause
---
arch/x86/include/asm/vdso.h |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include
It's redundant and makes sparse complain about it.
Signed-off-by: Mathias Krause
---
arch/x86/include/asm/iommu_table.h |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/iommu_table.h
b/arch/x86/include/asm/iommu_table.h
index f229b13..bbf8fb2 1
ce of expression
xsave.c:135:15: warning: cast removes address space of expression
xsave.c:135:15: warning: cast removes address space of expression
xsave.c:135:15: warning: cast removes address space of expression
Signed-off-by: Mathias Krause
---
arch/x86/kernel/xsave.c |6 +++---
1 file chang
sparse warnings but missed that
one.
Cc: Jaswinder Singh Rajput
Signed-off-by: Mathias Krause
---
arch/x86/ia32/sys_ia32.c|2 +-
arch/x86/include/asm/sys_ia32.h |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
Stay in sync with the declaration and fix the corresponding sparse
warnings.
Cc: Dan Williams
Signed-off-by: Mathias Krause
---
arch/x86/kernel/probe_roms.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/probe_roms.c b/arch/x86/kernel/probe_roms.c
index
IOMMU_INIT_POST and IOMMU_INIT_POST_FINISH pass the plain value 0
instead of NULL to __IOMMU_INIT. Fix this and make sparse happy by
doing so.
Signed-off-by: Mathias Krause
---
arch/x86/include/asm/iommu_table.h |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86
of expression
ia32_signal.c:532:17: warning: cast removes address space of expression
Signed-off-by: Mathias Krause
---
arch/x86/ia32/ia32_signal.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index
,
Mathias Krause (7):
x86: fix __user annotations in asm/sys_ia32.h
x86, vdso: add __user annotation to VDSO32_SYMBOL
x86: ia32_signal.c: add __user casts to fix sparse warnings
x86, probe_roms: add missing __iomem annotation to pci_map_biosrom()
x86, xsave: keep __user annotation in casts
The opcode tables never change at runtime, therefore mark them const.
Signed-off-by: Mathias Krause
---
arch/x86/kvm/emulate.c | 40
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
index
As the compiler ensures that the memory operand is always aligned
to a 16 byte memory location, use the aligned variant of MOVDQ for
read_sse_reg() and write_sse_reg().
Signed-off-by: Mathias Krause
---
arch/x86/kvm/emulate.c | 64
1 file
We never modify direct_access_msrs[], msrpm_ranges[],
svm_exit_handlers[] or x86_intercept_map[] at runtime.
Mark them r/o.
Signed-off-by: Mathias Krause
Cc: Joerg Roedel
---
arch/x86/kvm/svm.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/svm.c b
We use vmcs_field_to_offset_table[], kvm_vmx_segment_fields[] and
kvm_vmx_exit_handlers[] as lookup tables only -- make them r/o.
Signed-off-by: Mathias Krause
---
arch/x86/kvm/vmx.c | 14 +++---
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/arch/x86/kvm/vmx.c b/arch
Signed-off-by: Mathias Krause
---
arch/x86/kvm/lapic.c |2 +-
arch/x86/kvm/x86.c |2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
index 18d149d..07ad628 100644
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
We never change those, make them r/o.
Signed-off-by: Mathias Krause
---
arch/x86/kvm/x86.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index f8b0148..79ac03c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
We never change emulate_ops[] at runtime so it should be r/o.
Signed-off-by: Mathias Krause
---
arch/x86/include/asm/kvm_emulate.h |2 +-
arch/x86/kvm/emulate.c | 22 +++---
arch/x86/kvm/x86.c |2 +-
3 files changed, 13 insertions(+), 13
in
a cache line together with data that gets written to. The latter should
speed up the emulation of SSE register moves as the aligned variant of
MOVDQ has lower latencies and higher throughput than the unaligned one.
Regards,
Mathias Krause (8):
KVM: x86: minor size optimization
KVM: x86
Some fields can be constified and/or made static to reduce code and data
size.
Numbers for a 32 bit build:
           text    data     bss     dec     hex filename
before:    3351      80       0    3431     d67 cpuid.o
after:     3391       0       0    3391     d3f cpuid.o
Signed-off-by: Mathias
The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause
---
net/atm/pvc.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/atm
The ATM code fails to initialize the two padding bytes of struct
sockaddr_atmpvc inserted for alignment. Add an explicit memset(0)
before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause
---
net/atm/common.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net
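The two leak shapes in this series, compiler padding copied out with the struct (sockaddr_atmpvc above, xfrm_usersa_info earlier) and the unfilled tail of a fixed-size name array (copy_to_user_auth()'s strcpy() vs. strncpy()), as one added C example that is not kernel code. STALE stands in for whatever the stack or heap held before the structure was placed there; count_stale() for an observer looking at the bytes copy_to_user() or nla_put() would hand to userland; struct fake_sockaddr and struct fake_auth are constructed stand-ins, not the real UAPI layouts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. STALE models dirty stack/heap memory. */
#define STALE 0xAA

struct fake_sockaddr {		/* constructed, sockaddr_atmpvc-like */
	uint16_t family;	/* offset 0; 2 padding bytes follow */
	uint32_t addr;		/* offset 4 */
	uint8_t  tail;		/* offset 8; 3 trailing padding bytes, sizeof == 12 */
};

#define ALG_NAME_LEN 64
struct fake_auth {		/* constructed, xfrm_algo-like */
	char alg_name[ALG_NAME_LEN];
	uint32_t key_len;
};

union sockaddr_slot { struct fake_sockaddr sa; unsigned char raw[sizeof(struct fake_sockaddr)]; };
union auth_slot { struct fake_auth a; unsigned char raw[sizeof(struct fake_auth)]; };

/* Bytes the observer would see that still carry the STALE marker. */
static int count_stale(const unsigned char *p, size_t n)
{
	int c = 0;
	size_t i;

	for (i = 0; i < n; i++)
		c += (p[i] == STALE);
	return c;
}

/* Assign every named member; compiler-inserted padding is never written. */
static void fill_sockaddr(union sockaddr_slot *u)
{
	volatile struct fake_sockaddr *sa = &u->sa;	/* volatile: one store per member */

	sa->family = 0x0102;
	sa->addr = 0x03040506;
	sa->tail = 0x07;
}

/* Vulnerable shape: fill the members, copy the whole struct out. */
int sockaddr_leak_vuln(void)
{
	union sockaddr_slot u;

	memset(u.raw, STALE, sizeof u.raw);	/* stack as earlier calls left it */
	fill_sockaddr(&u);
	return count_stale(u.raw, sizeof u.raw);	/* 5 on the usual ABIs */
}

/* Fixed shape: an explicit memset(0) of the struct clears the padding too. */
int sockaddr_leak_fixed(void)
{
	union sockaddr_slot u;

	memset(u.raw, STALE, sizeof u.raw);
	memset(&u.sa, 0, sizeof u.sa);		/* the fix from the atm/xfrm patches */
	fill_sockaddr(&u);
	return count_stale(u.raw, sizeof u.raw);	/* 0 */
}

/* Vulnerable shape: strcpy() stops after the NUL and leaves the rest of alg_name. */
int auth_name_leak_vuln(const char *name)
{
	union auth_slot u;

	memset(u.raw, STALE, sizeof u.raw);
	strcpy(u.a.alg_name, name);	/* name is assumed shorter than ALG_NAME_LEN */
	u.a.key_len = 256;
	return count_stale(u.raw, sizeof u.raw);
}

/* Fixed shape: strncpy() pads the remainder of alg_name with NUL bytes. */
int auth_name_leak_fixed(const char *name)
{
	union auth_slot u;

	memset(u.raw, STALE, sizeof u.raw);
	strncpy(u.a.alg_name, name, sizeof u.a.alg_name);
	u.a.key_len = 256;
	return count_stale(u.raw, sizeof u.raw);
}

int main(void)
{
	printf("sockaddr: %d stale bytes before, %d after\n",
	       sockaddr_leak_vuln(), sockaddr_leak_fixed());
	printf("alg_name: %d stale bytes before, %d after\n",
	       auth_name_leak_vuln("hmac(sha256)"), auth_name_leak_fixed("hmac(sha256)"));
	return 0;
}
```

Two caveats a reviewer would attach. Setting every member by hand never touches padding, so the only reliable fix for a struct copied out whole is the memset(0) (or a zeroing allocation such as kzalloc(), as the rfcomm tty patch in this series uses). And strncpy() only pads, it does not guarantee a terminator: it is the right tool here because the destination is a fixed-size array whose full length is copied to userland, and only if the source name is already known to be NUL-terminated within the array, which remains the caller's job.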
uest, test code for all (but one) of the issues can be provided.
Regards,
Mathias
Mathias Krause (14):
atm: fix info leak in getsockopt(SO_ATMPVC)
atm: fix info leak via getsockname()
Bluetooth: HCI - Fix info leak in getsockopt(HCI_FILTER)
Bluetooth: HCI - Fix info leak via g
The RFCOMM code fails to initialize the key_size member of struct
bt_security before copying it to userland, thereby leaking one
byte of kernel stack. Initialize key_size with 0 to avoid the info
leak.
Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
The RFCOMM code fails to initialize the trailing padding byte of struct
sockaddr_rc added for alignment. It thereby leaks one byte of kernel stack
via the getsockname() syscall. Add an explicit memset(0) before filling
the structure to avoid the info leak.
Signed-off-by: Mathias Krause
Cc: Marcel
: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
---
net/bluetooth/l2cap_sock.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a4bb27e..df5ea9e 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth
The HCI code fails to initialize the hci_channel member of struct
sockaddr_hci and thereby leaks two bytes of kernel stack via the
getsockname() syscall. Initialize hci_channel with 0 to avoid the
info leak.
Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
The HCI code fails to initialize the two padding bytes of struct
hci_ufilter before copying it to userland, thereby leaking two
bytes of kernel stack. Add an explicit memset(0) before filling the
structure to avoid the info leak.
Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo
The L2TP code for IPv6 fails to initialize the l2tp_unused member of
struct sockaddr_l2tpip6 and thereby leaks two bytes of kernel stack via
the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the
info leak.
Signed-off-by: Mathias Krause
Cc: James Chapman
---
net/l2tp/l2tp_ip6.c
ccid_hc_rx_getsockopt() and ccid_hc_tx_getsockopt() might be called with
a NULL ccid pointer leading to a NULL pointer dereference. This could
lead to a privilege escalation if the attacker is able to map page 0 and
prepare it with a fake ccid_ops pointer.
Signed-off-by: Mathias Krause
Cc
__ip_vs_get_timeouts() to avoid the info leak.
Signed-off-by: Mathias Krause
Cc: Wensong Zhang
Cc: Simon Horman
Cc: Julian Anastasov
---
net/netfilter/ipvs/ip_vs_ctl.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 8dd..72bf32a
uninitialized kernel heap memory.
Allocate the memory using kzalloc() to fix this issue.
Signed-off-by: Mathias Krause
Cc: Marcel Holtmann
Cc: Gustavo Padovan
Cc: Johan Hedberg
---
net/bluetooth/rfcomm/tty.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth
(0) before filling the structure to avoid the info leak.
Signed-off-by: Mathias Krause
---
net/socket.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/socket.c b/net/socket.c
index dfe5b66..a5471f8 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2657,6 +2657,7 @@ static int dev_ifconf
.
Signed-off-by: Mathias Krause
Cc: Gerrit Renker
---
net/dccp/ccids/ccid3.c |1 +
1 file changed, 1 insertion(+)
diff --git a/net/dccp/ccids/ccid3.c b/net/dccp/ccids/ccid3.c
index d65e987..119c043 100644
--- a/net/dccp/ccids/ccid3.c
+++ b/net/dccp/ccids/ccid3.c
@@ -535,6 +535,7 @@ static int
the socket is zapped to prevent the info
leak. Also remove the unnecessary memset(0). We don't directly write to
the memory pointed by uaddr but memcpy() a local structure at the end of
the function that is properly initialized.
Signed-off-by: Mathias Krause
Cc: Arnaldo Carvalho de Melo
---
n
For type 0x51 the udf.parent_partref member in struct fid gets copied
uninitialized to userland. Fix this by initializing it to 0.
Signed-off-by: Mathias Krause
---
fs/udf/namei.c |1 +
1 file changed, 1 insertion(+)
diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index 1802417..c31deb3
should be fixed.
This info leak can be triggered locally by using the name_to_handle_at()
syscall.
Regards,
Mathias Krause (2):
isofs: avoid info leak on export
udf: avoid info leak on export
fs/isofs/export.c |1 +
fs/udf/namei.c|1 +
2 files changed, 2 insertions
For type 1 the parent_offset member in struct isofs_fid gets copied
uninitialized to userland. Fix this by initializing it to 0.
Signed-off-by: Mathias Krause
---
fs/isofs/export.c |1 +
1 file changed, 1 insertion(+)
diff --git a/fs/isofs/export.c b/fs/isofs/export.c
index aa4356d