r4237 - in dists/sid/linux-2.6/debian: . patches-debian patches-debian/series
Simon Horman
horms at costa.debian.org
Tue Sep 20 09:16:39 UTC 2005
Author: horms
Date: 2005-09-20 09:16:38 +0000 (Tue, 20 Sep 2005)
New Revision: 4237
Added:
dists/sid/linux-2.6/debian/patches-debian/aacraid-bad-BUG_ON-fix.patch
dists/sid/linux-2.6/debian/patches-debian/fix-pci-rom-mapping.patch
dists/sid/linux-2.6/debian/patches-debian/fix-socket-filter-regression.patch
dists/sid/linux-2.6/debian/patches-debian/ipv4-fragmentation-csum-handling.patch
dists/sid/linux-2.6/debian/patches-debian/saa7134-dvb-must-select-tda1004x.patch
dists/sid/linux-2.6/debian/patches-debian/sendmsg-DoS.patch
dists/sid/linux-2.6/debian/patches-debian/sendmsg-stackoverflow.patch
dists/sid/linux-2.6/debian/patches-debian/sparc-request_irq-in-RTC-fix.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches-debian/series/2.6.12-7
Log:
* Added 2.6.13.1
- Kconfig: saa7134-dvb must select tda1004x
saa7134-dvb-must-select-tda1004x.patch
- aacraid bad BUG_ON fix
aacraid-bad-BUG_ON-fix.patch
- Fix PCI ROM mapping
fix-pci-rom-mapping.patch
- 2.6.13 breaks libpcap (and tcpdump)
fix-socket-filter-regression.patch
- [SECURITY] Fix boundary check in standard multi-block cipher processors;
Maybe local DoS
ipsec-oops-fix.patch
- Use SA_SHIRQ in sparc specific code
sparc-request_irq-in-RTC-fix.patch
- Reassembly trim not clearing CHECKSUM_HW
ipv4-fragmentation-csum-handling.patch
- [SECURITY] 32bit sendmsg() flaw. See CAN-2005-2490
sendmsg-stackoverflow.patch
- [SECURITY] raw_sendmsg DoS. See CAN-2005-2492
sendmsg-DoS.patch
Modified: dists/sid/linux-2.6/debian/changelog
===================================================================
--- dists/sid/linux-2.6/debian/changelog 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/changelog 2005-09-20 09:16:38 UTC (rev 4237)
@@ -16,8 +16,30 @@
of panics with some Adaptec cards: driver-scsi-dpt_i2o-fixes.patch.
See patch header for details and references. (closes: #328534)
- -- Sven Luther <luther at debian.org> Sat, 17 Sep 2005 21:14:40 +0200
+ [ Simon Horman ]
+ * Added 2.6.13.1
+ - Kconfig: saa7134-dvb must select tda1004x
+ saa7134-dvb-must-select-tda1004x.patch
+ - aacraid bad BUG_ON fix
+ aacraid-bad-BUG_ON-fix.patch
+ - Fix PCI ROM mapping
+ fix-pci-rom-mapping.patch
+ - 2.6.13 breaks libpcap (and tcpdump)
+ fix-socket-filter-regression.patch
+ - [SECURITY] Fix boundary check in standard multi-block cipher processors;
+ Maybe local DoS
+ ipsec-oops-fix.patch
+ - Use SA_SHIRQ in sparc specific code
+ sparc-request_irq-in-RTC-fix.patch
+ - Reassembly trim not clearing CHECKSUM_HW
+ ipv4-fragmentation-csum-handling.patch
+ - [SECURITY] 32bit sendmsg() flaw. See CAN-2005-2490
+ sendmsg-stackoverflow.patch
+ - [SECURITY] raw_sendmsg DoS. See CAN-2005-2492
+ sendmsg-DoS.patch
+ -- Simon Horman <horms at debian.org> Tue, 20 Sep 2005 18:01:11 +0900
+
linux-2.6 (2.6.12-6) unstable; urgency=high
[ Andres Salomon, Bastian Blank ]
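Review bot: the entry "[SECURITY] Fix boundary check in standard multi-block cipher processors; Maybe local DoS / ipsec-oops-fix.patch" names a patch that is neither in this revision's Added list nor in the series/2.6.12-7 hunk, so the changelog claims a fix the package does not actually apply; either add ipsec-oops-fix.patch to patches-debian and the series file in this commit, or drop the entry until it lands. That entry is also the only [SECURITY] item without a CAN id, unlike the two sendmsg entries, which makes it hard to audit later.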
Added: dists/sid/linux-2.6/debian/patches-debian/aacraid-bad-BUG_ON-fix.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/aacraid-bad-BUG_ON-fix.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/aacraid-bad-BUG_ON-fix.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,37 @@
+From linux-kernel-owner+chrisw=40osdl.org-S1030193AbVIAPWg at vger.kernel.org Thu Sep 1 08:23:18 2005
+Subject: [PATCH] aacraid: 2.6.13 aacraid bad BUG_ON fix
+From: Mark Haverkamp <markh at osdl.org>
+To: James Bottomley <James.Bottomley at steeleye.com>,
+ Andrew Morton <akpm at osdl.org>
+Cc: linux-scsi <linux-scsi at vger.kernel.org>,
+ linux-kernel <linux-kernel at vger.kernel.org>,
+ Mark Salyzyn <mark_salyzyn at adaptec.com>
+Date: Thu, 01 Sep 2005 08:19:23 -0700
+
+This was noticed by Doug Bazamic and the fix found by Mark Salyzyn at
+Adaptec.
+
+There was an error in the BUG_ON() statement that validated the
+calculated fib size which can cause the driver to panic.
+
+Signed-off-by: Mark Haverkamp <markh at osdl.org>
+Acked-by: James Bottomley <James.Bottomley at SteelEye.com>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/scsi/aacraid/aachba.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.13.y/drivers/scsi/aacraid/aachba.c
+===================================================================
+--- linux-2.6.13.y.orig/drivers/scsi/aacraid/aachba.c
++++ linux-2.6.13.y/drivers/scsi/aacraid/aachba.c
+@@ -968,7 +968,7 @@ static int aac_read(struct scsi_cmnd * s
+ fibsize = sizeof(struct aac_read64) +
+ ((le32_to_cpu(readcmd->sg.count) - 1) *
+ sizeof (struct sgentry64));
+- BUG_ON (fibsize > (sizeof(struct hw_fib) -
++ BUG_ON (fibsize > (dev->max_fib_size -
+ sizeof(struct aac_fibhdr)));
+ /*
+ * Now send the Fib to the adapter
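Review bot: the corrected bound compares fibsize against the per-device limit in dev->max_fib_size instead of the fixed sizeof(struct hw_fib), which is the right quantity, but a BUG_ON on a size computed from readcmd->sg.count still halts the whole kernel when it trips; if sg.count can ever exceed what the adapter's fib can carry, failing the SCSI command would be the safer response than a panic. Also confirm that Debian's 2.6.12 aacraid already has the max_fib_size member, since this patch was taken from 2.6.13.y without a rediff note.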
Added: dists/sid/linux-2.6/debian/patches-debian/fix-pci-rom-mapping.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/fix-pci-rom-mapping.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/fix-pci-rom-mapping.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,76 @@
+From stable-bounces at linux.kernel.org Sat Sep 3 15:29:40 2005
+From: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+To: stable at kernel.org
+Date: Sun, 04 Sep 2005 08:28:05 +1000
+Subject: [PATCH] Fix PCI ROM mapping
+
+This fixes a problem with pci_map_rom() which doesn't properly
+update the ROM BAR value with the address thas allocated for it by the
+PCI code. This problem, among other, breaks boot on Mac laptops.
+
+It'ss a new version based on Linus latest one with better error
+checking.
+
+Signed-off-by: Benjamin Herrenschmidt <benh at kernel.crashing.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/pci/rom.c | 24 +++++++++++++++++-------
+ 1 files changed, 17 insertions(+), 7 deletions(-)
+
+Index: linux-2.6.13.y/drivers/pci/rom.c
+===================================================================
+--- linux-2.6.13.y.orig/drivers/pci/rom.c
++++ linux-2.6.13.y/drivers/pci/rom.c
+@@ -21,13 +21,21 @@
+ * between the ROM and other resources, so enabling it may disable access
+ * to MMIO registers or other card memory.
+ */
+-static void pci_enable_rom(struct pci_dev *pdev)
++static int pci_enable_rom(struct pci_dev *pdev)
+ {
++ struct resource *res = pdev->resource + PCI_ROM_RESOURCE;
++ struct pci_bus_region region;
+ u32 rom_addr;
+
++ if (!res->flags)
++ return -1;
++
++ pcibios_resource_to_bus(pdev, ®ion, res);
+ pci_read_config_dword(pdev, pdev->rom_base_reg, &rom_addr);
+- rom_addr |= PCI_ROM_ADDRESS_ENABLE;
++ rom_addr &= ~PCI_ROM_ADDRESS_MASK;
++ rom_addr |= region.start | PCI_ROM_ADDRESS_ENABLE;
+ pci_write_config_dword(pdev, pdev->rom_base_reg, rom_addr);
++ return 0;
+ }
+
+ /**
+@@ -71,19 +79,21 @@ void __iomem *pci_map_rom(struct pci_dev
+ } else {
+ if (res->flags & IORESOURCE_ROM_COPY) {
+ *size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
+- return (void __iomem *)pci_resource_start(pdev, PCI_ROM_RESOURCE);
++ return (void __iomem *)pci_resource_start(pdev,
++ PCI_ROM_RESOURCE);
+ } else {
+ /* assign the ROM an address if it doesn't have one */
+- if (res->parent == NULL)
+- pci_assign_resource(pdev, PCI_ROM_RESOURCE);
+-
++ if (res->parent == NULL &&
++ pci_assign_resource(pdev,PCI_ROM_RESOURCE))
++ return NULL;
+ start = pci_resource_start(pdev, PCI_ROM_RESOURCE);
+ *size = pci_resource_len(pdev, PCI_ROM_RESOURCE);
+ if (*size == 0)
+ return NULL;
+
+ /* Enable ROM space decodes */
+- pci_enable_rom(pdev);
++ if (pci_enable_rom(pdev))
++ return NULL;
+ }
+ }
+
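Review bot: `pcibios_resource_to_bus(pdev, ®ion, res);` is `&region` mangled by the list archive's HTML entity handling (`&reg` rendered as ®); confirm the file as committed to patches-debian contains the literal `&region`, otherwise the patch will not compile. Two smaller points: pci_enable_rom() now returns -1 for a resource with no flags where kernel convention is a -errno value such as -ENODEV (callers only test for non-zero, so it works, but it is inconsistent), and `pci_assign_resource(pdev,PCI_ROM_RESOURCE)` is missing the space after the comma. The new failure paths in pci_map_rom() are correct: a failed assignment or enable returns NULL instead of handing back a ROM whose BAR was never programmed.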
Added: dists/sid/linux-2.6/debian/patches-debian/fix-socket-filter-regression.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/fix-socket-filter-regression.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/fix-socket-filter-regression.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,64 @@
+From stable-bounces at linux.kernel.org Mon Sep 5 18:47:45 2005
+Date: Mon, 05 Sep 2005 18:47:10 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Cc: herbert at gondor.apana.org.au, kaber at trash.net
+Subject: [NET]: 2.6.13 breaks libpcap (and tcpdump)
+
+From: Herbert Xu <herbert at gondor.apana.org.au>
+
+[NET]: 2.6.13 breaks libpcap (and tcpdump)
+
+Patrick McHardy says:
+
+ Never mind, I got it, we never fall through to the second switch
+ statement anymore. I think we could simply break when load_pointer
+ returns NULL. The switch statement will fall through to the default
+ case and return 0 for all cases but 0 > k >= SKF_AD_OFF.
+
+Here's a patch to do just that.
+
+I left BPF_MSH alone because it's really a hack to calculate the IP
+header length, which makes no sense when applied to the special data.
+
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/core/filter.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+Rediffed for Debian's 2.6.12 by Horms
+
+Index: linux-2.6.13.y/net/core/filter.c
+===================================================================
+--- a/net/core/filter.c 2005-09-20 18:12:25.000000000 +0900
++++ b/net/core/filter.c 2005-09-20 18:14:02.000000000 +0900
+@@ -190,7 +190,7 @@
+ continue;
+ }
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_H|BPF_ABS:
+ k = fentry->k;
+ load_h:
+@@ -216,7 +216,7 @@
+ continue;
+ }
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_B|BPF_ABS:
+ k = fentry->k;
+ load_b:
+@@ -242,7 +242,7 @@
+ continue;
+ }
+ }
+- return 0;
++ break;
+ case BPF_LD|BPF_W|BPF_LEN:
+ A = len;
+ continue;
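Review bot: the three `return 0;` to `break;` changes depend on the enclosing switch falling through to a default case that returns 0, and on the `0 > k >= SKF_AD_OFF` ancillary-data cases being handled there (Patrick McHardy's description above), but none of that context appears in the hunks; since this was rediffed against Debian's 2.6.12 rather than applied from 2.6.13.y, confirm the 2.6.12 filter loop has the same structure after the switch, or the `break` will fall out into whatever follows. Minor: the Index: line still says linux-2.6.13.y while the ---/+++ lines use a/ and b/ paths, so the header no longer describes what was actually diffed.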
Added: dists/sid/linux-2.6/debian/patches-debian/ipv4-fragmentation-csum-handling.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/ipv4-fragmentation-csum-handling.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/ipv4-fragmentation-csum-handling.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,38 @@
+From stable-bounces at linux.kernel.org Tue Sep 6 15:52:37 2005
+Date: Tue, 06 Sep 2005 15:52:34 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [IPV4]: Reassembly trim not clearing CHECKSUM_HW
+
+From: Stephen Hemminger <shemminger at osdl.org>
+
+[IPV4]: Reassembly trim not clearing CHECKSUM_HW
+
+This was found by inspection while looking for checksum problems
+with the skge driver that sets CHECKSUM_HW. It did not fix the
+problem, but it looks like it is needed.
+
+If IP reassembly is trimming an overlapping fragment, it
+should reset (or adjust) the hardware checksum flag on the skb.
+
+Signed-off-by: Stephen Hemminger <shemminger at osdl.org>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/ip_fragment.c | 2 +-
+ 1 files changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-2.6.13.y/net/ipv4/ip_fragment.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv4/ip_fragment.c
++++ linux-2.6.13.y/net/ipv4/ip_fragment.c
+@@ -457,7 +457,7 @@ static void ip_frag_queue(struct ipq *qp
+
+ if (pskb_pull(skb, ihl) == NULL)
+ goto err;
+- if (pskb_trim(skb, end-offset))
++ if (pskb_trim_rcsum(skb, end-offset))
+ goto err;
+
+ /* Find out which fragments are in front and at the back of us
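Review bot: pskb_trim_rcsum() is used here exactly as in 2.6.13.y, but unlike the socket-filter patch this one carries no "rediffed for 2.6.12" note; verify that helper exists in the 2.6.12 base Debian is patching, since the whole fix is that pskb_trim() alone leaves CHECKSUM_HW set on a trimmed overlapping fragment. The one-line change is correct for that overlap-trim path, and the author's remark that it did not cure the skge problem is worth keeping in the Debian patch header so nobody mistakes it for a complete checksum fix.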
Added: dists/sid/linux-2.6/debian/patches-debian/saa7134-dvb-must-select-tda1004x.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/saa7134-dvb-must-select-tda1004x.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/saa7134-dvb-must-select-tda1004x.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,41 @@
+From stable-bounces at linux.kernel.org Tue Aug 30 12:47:40 2005
+Date: Tue, 30 Aug 2005 15:47:14 -0400
+From: Michael Krufky <mkrufky at m1k.net>
+To: stable at kernel.org
+Cc: Andrew Morton <akpm at osdl.org>,
+ Mauro Carvalho Chehab <mchehab at brturbo.com.br>, torvalds at osdl.org,
+ linux-dvb-maintainer at linuxtv.org,
+ linux-kernel <linux-kernel at vger.kernel.org>
+Subject: [PATCH] Kconfig: saa7134-dvb must select tda1004x
+
+I wish I had seen this before 2.6.13 was released... I guess this only
+goes to show that there haven't been any testers using saa7134-hybrid
+dvb/v4l boards that depend on the tda1004x module, during the 2.6.13-rc
+series :-(
+
+Please apply this to 2.6.14, and also to 2.6.13.1 -stable. Without this
+patch, users will have to EXPLICITLY select tda1004x in Kconfig. This
+SHOULD be done automatically when saa7134-dvb is selected. This patch
+corrects this problem.
+
+saa7134-dvb must select tda1004x
+
+Signed-off-by: Michael Krufky <mkrufky at m1k.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/media/video/Kconfig | 1 +
+ 1 files changed, 1 insertion(+)
+
+Index: linux-2.6.13.y/drivers/media/video/Kconfig
+===================================================================
+--- linux-2.6.13.y.orig/drivers/media/video/Kconfig
++++ linux-2.6.13.y/drivers/media/video/Kconfig
+@@ -254,6 +254,7 @@ config VIDEO_SAA7134_DVB
+ select VIDEO_BUF_DVB
+ select DVB_MT352
+ select DVB_CX22702
++ select DVB_TDA1004X
+ ---help---
+ This adds support for DVB cards based on the
+ Philips saa7134 chip.
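Review bot: `select DVB_TDA1004X` forces the symbol on regardless of its own dependencies, which is the usual Kconfig caveat with select rather than depends on; it matches the existing DVB_MT352 and DVB_CX22702 lines, so it is consistent, but confirm DVB_TDA1004X's dependencies are satisfied whenever VIDEO_SAA7134_DVB can be enabled in Debian's configs, or the build will break rather than the module merely being absent.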
Added: dists/sid/linux-2.6/debian/patches-debian/sendmsg-DoS.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/sendmsg-DoS.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/sendmsg-DoS.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,49 @@
+From security-bounces at linux.kernel.org Wed Aug 31 02:55:24 2005
+Date: Wed, 31 Aug 2005 10:55:12 +0100 (BST)
+From: Mark J Cox <mjc at redhat.com>
+Cc: aviro at redhat.com, davem at redhat.com
+Subject: [PATCH] raw_sendmsg DoS (CAN-2005-2492)
+
+From: Al Viro <aviro at redhat.com>
+
+Fix unchecked __get_user that could be tricked into generating a
+memory read on an arbitrary address. The result of the read is not
+returned directly but you may be able to divine some information about
+it, or use the read to cause a crash on some architectures by reading
+hardware state. CAN-2005-2492.
+
+Fix from Al Viro, ack from Dave Miller.
+
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ net/ipv4/raw.c | 2 +-
+ net/ipv6/raw.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+Index: linux-2.6.13.y/net/ipv4/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv4/raw.c
++++ linux-2.6.13.y/net/ipv4/raw.c
+@@ -358,7 +358,7 @@ static void raw_probe_proto_opt(struct f
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
+Index: linux-2.6.13.y/net/ipv6/raw.c
+===================================================================
+--- linux-2.6.13.y.orig/net/ipv6/raw.c
++++ linux-2.6.13.y/net/ipv6/raw.c
+@@ -619,7 +619,7 @@ static void rawv6_probe_proto_opt(struct
+
+ if (type && code) {
+ get_user(fl->fl_icmp_type, type);
+- __get_user(fl->fl_icmp_code, code);
++ get_user(fl->fl_icmp_code, code);
+ probed = 1;
+ }
+ break;
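Review bot: swapping __get_user() for get_user() adds the access_ok() check on `code`, which is the fix for CAN-2005-2492, but both get_user() return values are still discarded in each hunk, so on a fault the fields are simply zero-filled by the failed get_user() while `probed` is still set to 1 and the caller proceeds as if the ICMP header had been read. Consider `if (get_user(fl->fl_icmp_type, type) || get_user(fl->fl_icmp_code, code)) return;` so a faulting pointer leaves probed clear, in both the ipv4 and ipv6 copies.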
Added: dists/sid/linux-2.6/debian/patches-debian/sendmsg-stackoverflow.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/sendmsg-stackoverflow.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/sendmsg-stackoverflow.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,155 @@
+From security-bounces at linux.kernel.org Tue Sep 6 01:31:17 2005
+From: David Woodhouse <dwmw2 at infradead.org>
+To: Sebastian Krahmer <krahmer at suse.de>
+Date: Tue, 06 Sep 2005 09:30:10 +0100
+Subject: [PATCH] 32bit sendmsg() flaw (CAN-2005-2490)
+Cc: viro at ZenIV.linux.org.uk, "David S. Miller" <davem at davemloft.net>, David Woodhouse <dwmw2 at infradead.org>
+
+When we copy 32bit ->msg_control contents to kernel, we walk the same
+userland data twice without sanity checks on the second pass.
+
+Second version of this patch: the original broke with 64-bit arches
+running 32-bit-compat-mode executables doing sendmsg() syscalls with
+unaligned CMSG data areas
+
+Another thing is that we use kmalloc() to allocate and sock_kfree_s()
+to free afterwards; less serious, but also needs fixing.
+
+Patch by Al Viro, David Miller, David Woodhouse
+(sparc64 clean compile fix from David Miller)
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: David Woodhouse <dwmw2 at infradead.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ include/net/compat.h | 5 +++--
+ net/compat.c | 44 ++++++++++++++++++++++++++------------------
+ net/socket.c | 3 ++-
+ 3 files changed, 31 insertions(+), 21 deletions(-)
+
+Index: linux-2.6.13.y/include/net/compat.h
+===================================================================
+--- linux-2.6.13.y.orig/include/net/compat.h
++++ linux-2.6.13.y/include/net/compat.h
+@@ -33,7 +33,8 @@ extern asmlinkage long compat_sys_sendms
+ extern asmlinkage long compat_sys_recvmsg(int,struct compat_msghdr __user *,unsigned);
+ extern asmlinkage long compat_sys_getsockopt(int, int, int, char __user *, int __user *);
+ extern int put_cmsg_compat(struct msghdr*, int, int, int, void *);
+-extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, unsigned char *,
+- int);
++
++struct sock;
++extern int cmsghdr_from_user_compat_to_kern(struct msghdr *, struct sock *, unsigned char *, int);
+
+ #endif /* NET_COMPAT_H */
+Index: linux-2.6.13.y/net/compat.c
+===================================================================
+--- linux-2.6.13.y.orig/net/compat.c
++++ linux-2.6.13.y/net/compat.c
+@@ -135,13 +135,14 @@ static inline struct compat_cmsghdr __us
+ * thus placement) of cmsg headers and length are different for
+ * 32-bit apps. -DaveM
+ */
+-int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg,
++int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
+ unsigned char *stackbuf, int stackbuf_size)
+ {
+ struct compat_cmsghdr __user *ucmsg;
+ struct cmsghdr *kcmsg, *kcmsg_base;
+ compat_size_t ucmlen;
+ __kernel_size_t kcmlen, tmp;
++ int err = -EFAULT;
+
+ kcmlen = 0;
+ kcmsg_base = kcmsg = (struct cmsghdr *)stackbuf;
+@@ -156,6 +157,7 @@ int cmsghdr_from_user_compat_to_kern(str
+
+ tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ CMSG_ALIGN(sizeof(struct cmsghdr)));
++ tmp = CMSG_ALIGN(tmp);
+ kcmlen += tmp;
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ }
+@@ -167,30 +169,34 @@ int cmsghdr_from_user_compat_to_kern(str
+ * until we have successfully copied over all of the data
+ * from the user.
+ */
+- if(kcmlen > stackbuf_size)
+- kcmsg_base = kcmsg = kmalloc(kcmlen, GFP_KERNEL);
+- if(kcmsg == NULL)
++ if (kcmlen > stackbuf_size)
++ kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
++ if (kcmsg == NULL)
+ return -ENOBUFS;
+
+ /* Now copy them over neatly. */
+ memset(kcmsg, 0, kcmlen);
+ ucmsg = CMSG_COMPAT_FIRSTHDR(kmsg);
+ while(ucmsg != NULL) {
+- __get_user(ucmlen, &ucmsg->cmsg_len);
++ if (__get_user(ucmlen, &ucmsg->cmsg_len))
++ goto Efault;
++ if (!CMSG_COMPAT_OK(ucmlen, ucmsg, kmsg))
++ goto Einval;
+ tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) +
+ CMSG_ALIGN(sizeof(struct cmsghdr)));
++ if ((char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp))
++ goto Einval;
+ kcmsg->cmsg_len = tmp;
+- __get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level);
+- __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type);
+-
+- /* Copy over the data. */
+- if(copy_from_user(CMSG_DATA(kcmsg),
+- CMSG_COMPAT_DATA(ucmsg),
+- (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
+- goto out_free_efault;
++ tmp = CMSG_ALIGN(tmp);
++ if (__get_user(kcmsg->cmsg_level, &ucmsg->cmsg_level) ||
++ __get_user(kcmsg->cmsg_type, &ucmsg->cmsg_type) ||
++ copy_from_user(CMSG_DATA(kcmsg),
++ CMSG_COMPAT_DATA(ucmsg),
++ (ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg)))))
++ goto Efault;
+
+ /* Advance. */
+- kcmsg = (struct cmsghdr *)((char *)kcmsg + CMSG_ALIGN(tmp));
++ kcmsg = (struct cmsghdr *)((char *)kcmsg + tmp);
+ ucmsg = cmsg_compat_nxthdr(kmsg, ucmsg, ucmlen);
+ }
+
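Review bot: the second pass now re-reads cmsg_len and re-validates it with CMSG_COMPAT_OK and against the space remaining in the kernel buffer, which closes the gap the description names (userland can change msg_control between the sizing pass and the copy pass); the `tmp = CMSG_ALIGN(tmp);` added to the first pass above is what makes kcmlen include alignment padding, so the `(char *)kcmsg_base + kcmlen - (char *)kcmsg < CMSG_ALIGN(tmp)` bound is exact. Two things to check: that comparison is a signed pointer difference against an unsigned CMSG_ALIGN() result, so an explicit (size_t) cast or a comment stating that kcmsg never runs past kcmsg_base + kcmlen would make the intent clear; and `tmp = ((ucmlen - CMSG_COMPAT_ALIGN(sizeof(*ucmsg))) + ...)` is unsigned arithmetic that relies on CMSG_COMPAT_OK rejecting a cmsg_len smaller than the header, which this hunk does not show.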
+@@ -199,10 +205,12 @@ int cmsghdr_from_user_compat_to_kern(str
+ kmsg->msg_controllen = kcmlen;
+ return 0;
+
+-out_free_efault:
+- if(kcmsg_base != (struct cmsghdr *)stackbuf)
+- kfree(kcmsg_base);
+- return -EFAULT;
++Einval:
++ err = -EINVAL;
++Efault:
++ if (kcmsg_base != (struct cmsghdr *)stackbuf)
++ sock_kfree_s(sk, kcmsg_base, kcmlen);
++ return err;
+ }
+
+ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
+Index: linux-2.6.13.y/net/socket.c
+===================================================================
+--- linux-2.6.13.y.orig/net/socket.c
++++ linux-2.6.13.y/net/socket.c
+@@ -1739,10 +1739,11 @@ asmlinkage long sys_sendmsg(int fd, stru
+ goto out_freeiov;
+ ctl_len = msg_sys.msg_controllen;
+ if ((MSG_CMSG_COMPAT & flags) && ctl_len) {
+- err = cmsghdr_from_user_compat_to_kern(&msg_sys, ctl, sizeof(ctl));
++ err = cmsghdr_from_user_compat_to_kern(&msg_sys, sock->sk, ctl, sizeof(ctl));
+ if (err)
+ goto out_freeiov;
+ ctl_buf = msg_sys.msg_control;
++ ctl_len = msg_sys.msg_controllen;
+ } else if (ctl_len) {
+ if (ctl_len > sizeof(ctl))
+ {
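Review bot: passing sock->sk and re-reading ctl_len from msg_sys.msg_controllen after the compat conversion is needed because the kernel-side control length (with CMSG_ALIGN padding) differs from the 32-bit one, and because the conversion may now return a buffer from sock_kmalloc() rather than kmalloc(); the matching free at the end of sys_sendmsg() is not in this hunk, so confirm it releases ctl_buf with sock_kfree_s(sock->sk, ctl_buf, ctl_len) using this updated ctl_len, otherwise the kmalloc/sock_kfree_s mismatch the description mentions is only moved, not fixed.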
Modified: dists/sid/linux-2.6/debian/patches-debian/series/2.6.12-7
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/series/2.6.12-7 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/series/2.6.12-7 2005-09-20 09:16:38 UTC (rev 4237)
@@ -1,2 +1,11 @@
+ powerpc-mv643xx-hotplug-support.patch
+ drivers-scsi-dpt_i2o-fixes.patch
++ sendmsg-stackoverflow.patch
++ saa7134-dvb-must-select-tda1004x.patch
++ sendmsg-DoS.patch
++ fix-pci-rom-mapping.patch
++ sparc-request_irq-in-RTC-fix.patch
++ aacraid-bad-BUG_ON-fix.patch
++ ipv4-fragmentation-csum-handling.patch
++ fix-socket-filter-regression.patch
+
Added: dists/sid/linux-2.6/debian/patches-debian/sparc-request_irq-in-RTC-fix.patch
===================================================================
--- dists/sid/linux-2.6/debian/patches-debian/sparc-request_irq-in-RTC-fix.patch 2005-09-18 17:02:47 UTC (rev 4236)
+++ dists/sid/linux-2.6/debian/patches-debian/sparc-request_irq-in-RTC-fix.patch 2005-09-20 09:16:38 UTC (rev 4237)
@@ -0,0 +1,32 @@
+From stable-bounces at linux.kernel.org Tue Sep 6 15:03:44 2005
+Date: Tue, 06 Sep 2005 15:03:39 -0700 (PDT)
+To: stable at kernel.org
+From: "David S. Miller" <davem at davemloft.net>
+Subject: [RTC]: Use SA_SHIRQ in sparc specific code.
+
+Based upon a report from Jason Wever.
+
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+ drivers/char/rtc.c | 5 ++---
+ 1 files changed, 2 insertions(+), 3 deletions(-)
+
+Index: linux-2.6.13.y/drivers/char/rtc.c
+===================================================================
+--- linux-2.6.13.y.orig/drivers/char/rtc.c
++++ linux-2.6.13.y/drivers/char/rtc.c
+@@ -938,10 +938,9 @@ found:
+
+ /*
+ * XXX Interrupt pin #7 in Espresso is shared between RTC and
+- * PCI Slot 2 INTA# (and some INTx# in Slot 1). SA_INTERRUPT here
+- * is asking for trouble with add-on boards. Change to SA_SHIRQ.
++ * PCI Slot 2 INTA# (and some INTx# in Slot 1).
+ */
+- if (request_irq(rtc_irq, rtc_interrupt, SA_INTERRUPT, "rtc", (void *)&rtc_port)) {
++ if (request_irq(rtc_irq, rtc_interrupt, SA_SHIRQ, "rtc", (void *)&rtc_port)) {
+ /*
+ * Standard way for sparc to print irq's is to use
+ * __irq_itoa(). I think for EBus it's ok to use %d.
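Review bot: dropping SA_INTERRUPT for SA_SHIRQ only works if rtc_interrupt() behaves as a shared handler, that is, it checks that the RTC actually raised the line and returns IRQ_NONE otherwise, and if the other users of Espresso's pin 7 (PCI slot 2 INTA#) also request it with SA_SHIRQ; neither is visible in this hunk, so check rtc_interrupt() before taking this into the Debian tree. Removing the "Change to SA_SHIRQ" sentence from the comment is right, since that comment was a to-do this patch carries out.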