[kernel] r20124 - in dists/squeeze-backports/linux: . debian debian/config debian/patches debian/patches/bugfix/all debian/patches/bugfix/x86
Ben Hutchings
benh at alioth.debian.org
Thu May 16 17:02:17 UTC 2013
Author: benh
Date: Thu May 16 17:02:17 2013
New Revision: 20124
Log:
Merge changes from wheezy-security up to 3.2.41-2+deb7u2
Added:
dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
dists/squeeze-backports/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
dists/squeeze-backports/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
- copied unchanged from r20117, dists/wheezy-security/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
Modified:
dists/squeeze-backports/linux/ (props changed)
dists/squeeze-backports/linux/debian/changelog
dists/squeeze-backports/linux/debian/config/defines
dists/squeeze-backports/linux/debian/patches/series
Modified: dists/squeeze-backports/linux/debian/changelog
==============================================================================
--- dists/squeeze-backports/linux/debian/changelog Thu May 16 04:53:15 2013 (r20123)
+++ dists/squeeze-backports/linux/debian/changelog Thu May 16 17:02:17 2013 (r20124)
@@ -1,4 +1,4 @@
-linux (3.2.41-2~bpo60+1) squeeze-backports; urgency=low
+linux (3.2.41-2+deb7u2~bpo60+1) squeeze-backports; urgency=high
* Rebuild for squeeze:
- Use gcc-4.4 for all architectures
@@ -11,7 +11,45 @@
- Make build target depend on build-arch only, so we don't redundantly
build documentation on each architecture
- -- Ben Hutchings <ben at decadent.org.uk> Mon, 08 Apr 2013 00:04:06 +0100
+ -- Ben Hutchings <ben at decadent.org.uk> Thu, 16 May 2013 13:38:45 +0100
+
+linux (3.2.41-2+deb7u2) wheezy-security; urgency=high
+
+ * s390/kvm: Ignore ABI changes, it should not be used OOT
+
+ -- dann frazier <dannf at debian.org> Wed, 15 May 2013 12:07:33 -0600
+
+linux (3.2.41-2+deb7u1) wheezy-security; urgency=high
+
+ [ dann frazier ]
+ * perf: Treat attr.config as u64 in perf_swevent_init() (CVE-2013-2094)
+ * TTY: fix timing leak with /dev/ptmx (CVE-2013-0160)
+ * ext4: avoid hang when mounting non-journal filesystems with orphan list
+ (CVE-2013-2015)
+ * crypto: algif - suppress sending source address information in recvmsg
+ (CVE-2013-3076)
+ * atm: update msg_namelen in vcc_recvmsg() (CVE-2013-3222)
+ * ax25: fix info leak via msg_name in ax25_recvmsg() (CVE-2013-3223)
+ * Bluetooth: fix possible info leak in bt_sock_recvmsg() (CVE-2013-3224)
+ * Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()
+ (CVE-2013-3225)
+ * caif: Fix missing msg_namelen update in caif_seqpkt_recvmsg()
+ (CVE-2013-3227)
+ * irda: Fix missing msg_namelen update in irda_recvmsg_dgram() (CVE-2013-3228)
+ * iucv: Fix missing msg_namelen update in iucv_sock_recvmsg() (CVE-2013-3229)
+ * llc: Fix missing msg_namelen update in llc_ui_recvmsg() (CVE-2013-3231)
+ * rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
+ * tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE-2013-3235)
+ * tracing: Fix possible NULL pointer dereferences (CVE-2013-3301)
+
+ [ Ben Hutchings ]
+ * [x86] KVM: Allow cross page reads and writes from cached translations.
+ (fixes regression in fix for CVE-2013-1796)
+ * net: fix incorrect credentials passing (CVE-2013-1979)
+ * tg3: fix length overflow in VPD firmware parsing (CVE-2013-1929)
+ * kernel/signal.c: stop info leak via the tkill and the tgkill syscalls
+
+ -- dann frazier <dannf at debian.org> Tue, 14 May 2013 22:17:43 -0600
linux (3.2.41-2) unstable; urgency=low
Modified: dists/squeeze-backports/linux/debian/config/defines
==============================================================================
--- dists/squeeze-backports/linux/debian/config/defines Thu May 16 04:53:15 2013 (r20123)
+++ dists/squeeze-backports/linux/debian/config/defines Thu May 16 17:02:17 2013 (r20124)
@@ -47,6 +47,8 @@
# Only used by Google firmware module
register_efivars
unregister_efivars
+# Should not be used from OOT
+ module:arch/s390/kvm/kvm
[base]
arches:
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch)
@@ -0,0 +1,40 @@
+From bbad6f725f1d1b92e5eb3a7c6a8875eeec955747 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:50 +0000
+Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in
+ rfcomm_sock_recvmsg()
+
+[ Upstream commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691 ]
+
+If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
+early with 0 without updating the possibly set msg_namelen member. This,
+in turn, leads to a 128 byte kernel stack leak in net/socket.c.
+
+Fix this by updating msg_namelen in this case. For all other cases it
+will be handled in bt_sock_stream_recvmsg().
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/bluetooth/rfcomm/sock.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
+index 14c4864..82ce164 100644
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -627,6 +627,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+
+ if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+ rfcomm_dlc_accept(d);
++ msg->msg_namelen = 0;
+ return 0;
+ }
+
+--
+1.7.10.4
+
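Review bot: The patch header carries no CVE reference, although the changelog in this same commit ties the fix to CVE-2013-3225 and the TTY patch added alongside it records its identifier in the header with a `References: CVE-2013-0160` line; adding `References: CVE-2013-3225` above the Signed-off-by trailers would let the identifier be found from the patch file itself. The same gap applies to the other msg_namelen/info-leak patches added here (Bluetooth af_bluetooth, atm, ax25, caif, crypto algif, irda), whose identifiers are likewise only in the changelog. The hunk covers only the RFCOMM_DEFER_SETUP early return; rfcomm_sock_recvmsg() begins and ends outside it, and the commit message delegates the remaining paths to bt_sock_stream_recvmsg(), which is not visible here.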
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch)
@@ -0,0 +1,50 @@
+From 95ee0fb7a014cdf80be37b329fa462ff3847f7c0 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:49 +0000
+Subject: [PATCH] Bluetooth: fix possible info leak in bt_sock_recvmsg()
+
+[ Upstream commit 4683f42fde3977bdb4e8a09622788cc8b5313778 ]
+
+In case the socket is already shutting down, bt_sock_recvmsg() returns
+with 0 without updating msg_namelen leading to net/socket.c leaking the
+local, uninitialized sockaddr_storage variable to userland -- 128 bytes
+of kernel stack memory.
+
+Fix this by moving the msg_namelen assignment in front of the shutdown
+test.
+
+Cc: Marcel Holtmann <marcel at holtmann.org>
+Cc: Gustavo Padovan <gustavo at padovan.org>
+Cc: Johan Hedberg <johan.hedberg at gmail.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/bluetooth/af_bluetooth.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c
+index 062124c..838f113 100644
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -245,6 +245,8 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (flags & (MSG_OOB))
+ return -EOPNOTSUPP;
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, noblock, &err);
+ if (!skb) {
+ if (sk->sk_shutdown & RCV_SHUTDOWN)
+@@ -252,8 +254,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ return err;
+ }
+
+- msg->msg_namelen = 0;
+-
+ copied = skb->len;
+ if (len < copied) {
+ msg->msg_flags |= MSG_TRUNC;
+--
+1.7.10.4
+
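Review bot: The `return -EOPNOTSUPP;` for MSG_OOB at the top of the hunk still precedes the relocated `msg->msg_namelen = 0;`, so an OOB request leaves msg_namelen untouched on return. The commit message describes the leak only for the 0-return shutdown path, and the caller in net/socket.c is not visible here; presumably it does not copy the address back on a negative return, which would make this ordering harmless, but that is worth confirming rather than assuming. If the intent is that no exit from bt_sock_recvmsg() leaves msg_namelen unset, moving the assignment above the MSG_OOB check costs nothing. bt_sock_recvmsg() starts before the hunk.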
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch)
@@ -0,0 +1,57 @@
+From c29ad805df8c54a9f5d74c66bf5d4a2d449bd99a Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Fri, 15 Feb 2013 15:25:05 +0100
+Subject: [PATCH] TTY: do not update atime/mtime on read/write
+
+commit b0de59b5733d18b0d1974a060860a8b5c1b36a2e upstream.
+
+On http://vladz.devzero.fr/013_ptmx-timing.php, we can see how to find
+out length of a password using timestamps of /dev/ptmx. It is
+documented in "Timing Analysis of Keystrokes and Timing Attacks on
+SSH". To avoid that problem, do not update time when reading
+from/writing to a TTY.
+
+I am afraid of regressions as this is a behavior we have since 0.97
+and apps may expect the time to be current, e.g. for monitoring
+whether there was a change on the TTY. Now, there is no change. So
+this would better have a lot of testing before it goes upstream.
+
+References: CVE-2013-0160
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/tty_io.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index 05085be..f3ad3ec 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -976,8 +976,7 @@ static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
+ else
+ i = -EIO;
+ tty_ldisc_deref(ld);
+- if (i > 0)
+- inode->i_atime = current_fs_time(inode->i_sb);
++
+ return i;
+ }
+
+@@ -1078,11 +1077,8 @@ static inline ssize_t do_tty_write(
+ break;
+ cond_resched();
+ }
+- if (written) {
+- struct inode *inode = file->f_path.dentry->d_inode;
+- inode->i_mtime = current_fs_time(inode->i_sb);
++ if (written)
+ ret = written;
+- }
+ out:
+ tty_write_unlock(tty);
+ return ret;
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/TTY-fix-atime-mtime-regression.patch)
@@ -0,0 +1,71 @@
+From 0b28f5865ef23d2bcee122d75b4aea1e2f052624 Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby at suse.cz>
+Date: Fri, 26 Apr 2013 13:48:53 +0200
+Subject: [PATCH] TTY: fix atime/mtime regression
+
+commit 37b7f3c76595e23257f61bd80b223de8658617ee upstream.
+
+In commit b0de59b5733d ("TTY: do not update atime/mtime on read/write")
+we removed timestamps from tty inodes to fix a security issue and waited
+if something breaks. Well, 'w', the utility to find out logged users
+and their inactivity time broke. It shows that users are inactive since
+the time they logged in.
+
+To revert to the old behaviour while still preventing attackers to
+guess the password length, we update the timestamps in one-minute
+intervals by this patch.
+
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: For 3.2, use Greg's backported version]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/tty_io.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index f3ad3ec..c7131a9 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -940,6 +940,14 @@ void start_tty(struct tty_struct *tty)
+
+ EXPORT_SYMBOL(start_tty);
+
++static void tty_update_time(struct timespec *time)
++{
++ unsigned long sec = get_seconds();
++ sec -= sec % 60;
++ if ((long)(sec - time->tv_sec) > 0)
++ time->tv_sec = sec;
++}
++
+ /**
+ * tty_read - read method for tty device files
+ * @file: pointer to tty file
+@@ -977,6 +985,9 @@ static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
+ i = -EIO;
+ tty_ldisc_deref(ld);
+
++ if (i > 0)
++ tty_update_time(&inode->i_atime);
++
+ return i;
+ }
+
+@@ -1077,8 +1088,11 @@ static inline ssize_t do_tty_write(
+ break;
+ cond_resched();
+ }
+- if (written)
++ if (written) {
++ struct inode *inode = file->f_path.dentry->d_inode;
++ tty_update_time(&inode->i_mtime);
+ ret = written;
++ }
+ out:
+ tty_write_unlock(tty);
+ return ret;
+--
+1.7.10.4
+
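Review bot: `tty_update_time()` is added without a comment saying why the timestamp is truncated to a minute boundary, which is the whole purpose of the helper and is otherwise only recoverable from the commit message. A header such as `/* Advance the timestamp at most once per minute, so read/write times cannot be recovered from the inode (see CVE-2013-0160 and the revert of b0de59b5733d). */` would keep that rationale next to the code. The `(long)(sec - time->tv_sec) > 0` test also deserves a one-line note that it only ever moves the timestamp forward; it looks like the usual wrap-tolerant time comparison idiom, which a comment could confirm. tty_read() and do_tty_write() both begin before their hunks.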
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch)
@@ -0,0 +1,38 @@
+From 2a8c07b253bac436358adb9eb96a37dd223ef120 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:47 +0000
+Subject: [PATCH] atm: update msg_namelen in vcc_recvmsg()
+
+[ Upstream commit 9b3e617f3df53822345a8573b6d358f6b9e5ed87 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about vcc_recvmsg() not filling the msg_name in case it was set.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/atm/common.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/atm/common.c b/net/atm/common.c
+index 0ca06e8..43b6bfe 100644
+--- a/net/atm/common.c
++++ b/net/atm/common.c
+@@ -500,6 +500,8 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
+ struct sk_buff *skb;
+ int copied, error = -EINVAL;
+
++ msg->msg_namelen = 0;
++
+ if (sock->state != SS_CONNECTED)
+ return -ENOTCONN;
+ if (flags & ~MSG_DONTWAIT) /* only handle MSG_DONTWAIT */
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch)
@@ -0,0 +1,41 @@
+From e72f86d5b6602c86efb08443c58086c40228b81b Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:48 +0000
+Subject: [PATCH] ax25: fix info leak via msg_name in ax25_recvmsg()
+
+[ Upstream commit ef3313e84acbf349caecae942ab3ab731471f1a1 ]
+
+When msg_namelen is non-zero the sockaddr info gets filled out, as
+requested, but the code fails to initialize the padding bytes of struct
+sockaddr_ax25 inserted by the compiler for alignment. Additionally the
+msg_namelen value is updated to sizeof(struct full_sockaddr_ax25) but is
+not always filled up to this size.
+
+Both issues lead to the fact that the code will leak uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix both issues by initializing the memory with memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/ax25/af_ax25.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
+index b04a6ef..86ac37f 100644
+--- a/net/ax25/af_ax25.c
++++ b/net/ax25/af_ax25.c
+@@ -1641,6 +1641,7 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock,
+ ax25_address src;
+ const unsigned char *mac = skb_mac_header(skb);
+
++ memset(sax, 0, sizeof(struct full_sockaddr_ax25));
+ ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL,
+ &digi, NULL, NULL);
+ sax->sax25_family = AF_AX25;
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch)
@@ -0,0 +1,38 @@
+From 2d6fbfe733f35c6b355c216644e08e149c61b271 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:52 +0000
+Subject: [PATCH] caif: Fix missing msg_namelen update in
+ caif_seqpkt_recvmsg()
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about caif_seqpkt_recvmsg() not filling the msg_name in case it was
+set.
+
+Cc: Sjur Braendeland <sjur.brandeland at stericsson.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ net/caif/caif_socket.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
+index 095259f..ff2ff3c 100644
+--- a/net/caif/caif_socket.c
++++ b/net/caif/caif_socket.c
+@@ -286,6 +286,8 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock,
+ if (m->msg_flags&MSG_OOB)
+ goto read_error;
+
++ m->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags, 0 , &ret);
+ if (!skb)
+ goto read_error;
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch)
@@ -0,0 +1,48 @@
+From 419f4ba0f032c8d906153d24e017f4bee6df26f5 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 14:05:39 +0200
+Subject: [PATCH] crypto: algif - suppress sending source address information
+ in recvmsg
+
+commit 72a763d805a48ac8c0bf48fdb510e84c12de51fe upstream.
+
+The current code does not set the msg_namelen member to 0 and therefore
+makes net/socket.c leak the local sockaddr_storage variable to userland
+-- 128 bytes of kernel stack memory. Fix that.
+
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: Herbert Xu <herbert at gondor.apana.org.au>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ crypto/algif_hash.c | 2 ++
+ crypto/algif_skcipher.c | 1 +
+ 2 files changed, 3 insertions(+)
+
+diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c
+index ef5356c..0262210 100644
+--- a/crypto/algif_hash.c
++++ b/crypto/algif_hash.c
+@@ -161,6 +161,8 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock,
+ else if (len < ds)
+ msg->msg_flags |= MSG_TRUNC;
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+ if (ctx->more) {
+ ctx->more = 0;
+diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c
+index 6a6dfc0..a1c4f0a 100644
+--- a/crypto/algif_skcipher.c
++++ b/crypto/algif_skcipher.c
+@@ -432,6 +432,7 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock,
+ long copied = 0;
+
+ lock_sock(sk);
++ msg->msg_namelen = 0;
+ for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0;
+ iovlen--, iov++) {
+ unsigned long seglen = iov->iov_len;
+--
+1.7.10.4
+
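Review bot: The two hunks place the new assignment differently: hash_recvmsg() sets `msg->msg_namelen = 0;` before lock_sock(sk), skcipher_recvmsg() sets it after. Both are presumably fine, since msg is the caller's msghdr rather than socket state, but clearing it at function entry in both, ahead of any early return, would match the other recvmsg fixes in this commit (atm, caif, irda) and be easier to audit. hash_recvmsg() and skcipher_recvmsg() both start before their hunks, so any earlier return paths are not visible here.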
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch)
@@ -0,0 +1,46 @@
+From 0e9a9a1ad619e7e987815d20262d36a2f95717ca Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso at mit.edu>
+Date: Thu, 27 Dec 2012 01:42:50 -0500
+Subject: [PATCH] ext4: avoid hang when mounting non-journal filesystems with
+ orphan list
+
+When trying to mount a file system which does not contain a journal,
+but which does have a orphan list containing an inode which needs to
+be truncated, the mount call with hang forever in
+ext4_orphan_cleanup() because ext4_orphan_del() will return
+immediately without removing the inode from the orphan list, leading
+to an uninterruptible loop in kernel code which will busy out one of
+the CPU's on the system.
+
+This can be trivially reproduced by trying to mount the file system
+found in tests/f_orphan_extents_inode/image.gz from the e2fsprogs
+source tree. If a malicious user were to put this on a USB stick, and
+mount it on a Linux desktop which has automatic mounts enabled, this
+could be considered a potential denial of service attack. (Not a big
+deal in practice, but professional paranoids worry about such things,
+and have even been known to allocate CVE numbers for such problems.)
+
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Reviewed-by: Zheng Liu <wenqing.lz at taobao.com>
+Cc: stable at vger.kernel.org
+---
+ fs/ext4/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index cac4482..8990165 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2648,7 +2648,8 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ struct ext4_iloc iloc;
+ int err = 0;
+
+- if (!EXT4_SB(inode->i_sb)->s_journal)
++ if ((!EXT4_SB(inode->i_sb)->s_journal) &&
++ !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
+ return 0;
+
+ mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
+--
+1.7.10.4
+
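Review bot: The context line `if (!EXT4_SB(inode->i_sb)->s_journal)` that this hunk rewrites is itself introduced by ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch, added in this same commit, so the two patches must appear in that order in debian/patches/series; the series file is listed as modified but its diff is not in this chunk, so the ordering could not be checked here. The new condition also evaluates EXT4_SB(inode->i_sb) twice; the companion patch's hunk suggests ext4_orphan_del() already has an `sbi` local, so assigning `sbi = EXT4_SB(inode->i_sb);` before this check could shorten both lines, though where it is currently assigned is not visible. ext4_orphan_del() begins and ends outside the hunk.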
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch)
@@ -0,0 +1,50 @@
+From c9b92530a723ac5ef8e352885a1862b18f31b2f5 Mon Sep 17 00:00:00 2001
+From: Anatol Pomozov <anatol.pomozov at gmail.com>
+Date: Tue, 18 Sep 2012 13:38:59 -0400
+Subject: [PATCH] ext4: make orphan functions be no-op in no-journal mode
+
+Instead of checking whether the handle is valid, we check if journal
+is enabled. This avoids taking the s_orphan_lock mutex in all cases
+when there is no journal in use, including the error paths where
+ext4_orphan_del() is called with a handle set to NULL.
+
+Signed-off-by: Anatol Pomozov <anatol.pomozov at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+---
+ fs/ext4/namei.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 37c03b3..8f4bda7 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2369,7 +2369,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
+ struct ext4_iloc iloc;
+ int err = 0, rc;
+
+- if (!ext4_handle_valid(handle))
++ if (!EXT4_SB(sb)->s_journal)
+ return 0;
+
+ mutex_lock(&EXT4_SB(sb)->s_orphan_lock);
+@@ -2443,8 +2443,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ struct ext4_iloc iloc;
+ int err = 0;
+
+- /* ext4_handle_valid() assumes a valid handle_t pointer */
+- if (handle && !ext4_handle_valid(handle))
++ if (!EXT4_SB(inode->i_sb)->s_journal)
+ return 0;
+
+ mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
+@@ -2463,7 +2462,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ * transaction handle with which to update the orphan list on
+ * disk, but we still need to remove the inode from the linked
+ * list in memory. */
+- if (sbi->s_journal && !handle)
++ if (!handle)
+ goto out;
+
+ err = ext4_reserve_inode_write(handle, inode, &iloc);
+--
+1.7.10.4
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch)
@@ -0,0 +1,41 @@
+From 402fb9f974f158d747e6c6944336cd9af7f349b2 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:53 +0000
+Subject: [PATCH] irda: Fix missing msg_namelen update in
+ irda_recvmsg_dgram()
+
+[ Upstream commit 5ae94c0d2f0bed41d6718be743985d61b7f5c47d ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about irda_recvmsg_dgram() not filling the msg_name in case it was
+set.
+
+Cc: Samuel Ortiz <samuel at sortiz.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/irda/af_irda.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
+index f4b49c5..91821e9 100644
+--- a/net/irda/af_irda.c
++++ b/net/irda/af_irda.c
+@@ -1386,6 +1386,8 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock,
+
+ IRDA_DEBUG(4, "%s()\n", __func__);
+
++ msg->msg_namelen = 0;
++
+ skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT,
+ flags & MSG_DONTWAIT, &err);
+ if (!skb)
+--
+1.7.10.4
+
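Review bot: The added `msg->msg_namelen = 0;` has no comment saying why it is there, and the reason is not visible from the surrounding lines: as the description explains, net/socket.c copies msg_namelen bytes of its own stack sockaddr_storage back to userland, so a handler that returns without touching msg_namelen hands that stack memory out. Suggest `/* msg_name is never filled here; net/socket.c copies msg_namelen bytes of its stack sockaddr back to userland */` above the assignment. The identical inserts in the iucv and llc patches below would benefit from the same comment. irda_recvmsg_dgram() continues outside the hunk.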
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch)
@@ -0,0 +1,39 @@
+From 40c157ba78681c45cc62dabde406b44ca3c76c2b Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:54 +0000
+Subject: [PATCH] iucv: Fix missing msg_namelen update in iucv_sock_recvmsg()
+
+[ Upstream commit a5598bd9c087dc0efc250a5221e5d0e6f584ee88 ]
+
+The current code does not fill the msg_name member in case it is set.
+It also does not set the msg_namelen member to 0 and therefore makes
+net/socket.c leak the local, uninitialized sockaddr_storage variable
+to userland -- 128 bytes of kernel stack memory.
+
+Fix that by simply setting msg_namelen to 0 as obviously nobody cared
+about iucv_sock_recvmsg() not filling the msg_name in case it was set.
+
+Cc: Ursula Braun <ursula.braun at de.ibm.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/iucv/af_iucv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
+index cf98d62..e836140 100644
+--- a/net/iucv/af_iucv.c
++++ b/net/iucv/af_iucv.c
+@@ -1356,6 +1356,8 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
+ int blen;
+ int err = 0;
+
++ msg->msg_namelen = 0;
++
+ if ((sk->sk_state == IUCV_DISCONN || sk->sk_state == IUCV_SEVERED) &&
+ skb_queue_empty(&iucv->backlog_skb_q) &&
+ skb_queue_empty(&sk->sk_receive_queue) &&
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch)
@@ -0,0 +1,53 @@
+From ffe1341edbe2878134f3083625d5c916670d0fca Mon Sep 17 00:00:00 2001
+From: Emese Revfy <re.emese at gmail.com>
+Date: Wed, 17 Apr 2013 15:58:36 -0700
+Subject: [PATCH] kernel/signal.c: stop info leak via the tkill and the tgkill
+ syscalls
+
+commit b9e146d8eb3b9ecae5086d373b50fa0c1f3e7f0f upstream.
+
+This fixes a kernel memory contents leak via the tkill and tgkill syscalls
+for compat processes.
+
+This is visible in the siginfo_t->_sifields._rt.si_sigval.sival_ptr field
+when handling signals delivered from tkill.
+
+The place of the infoleak:
+
+int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from)
+{
+ ...
+ put_user_ex(ptr_to_compat(from->si_ptr), &to->si_ptr);
+ ...
+}
+
+Signed-off-by: Emese Revfy <re.emese at gmail.com>
+Reviewed-by: PaX Team <pageexec at freemail.hu>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Cc: Al Viro <viro at zeniv.linux.org.uk>
+Cc: Oleg Nesterov <oleg at redhat.com>
+Cc: "Eric W. Biederman" <ebiederm at xmission.com>
+Cc: Serge Hallyn <serge.hallyn at canonical.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/signal.c b/kernel/signal.c
+index ea76d30..3ecf574 100644
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2790,7 +2790,7 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
+
+ static int do_tkill(pid_t tgid, pid_t pid, int sig)
+ {
+- struct siginfo info;
++ struct siginfo info = {};
+
+ info.si_signo = sig;
+ info.si_errno = 0;
+--
+1.7.10.4
+
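Review bot: `struct siginfo info = {};` zeroes the named members, which is sufficient for the field-by-field copy in copy_siginfo_to_user32() quoted in the description, but C does not promise that padding bytes are cleared by an initializer; if any path copies the struct wholesale, `memset(&info, 0, sizeof(info));` is the form that guarantees every byte. A one-line comment would also help the next reader, e.g. `/* zero the whole struct: the compat path copies si_ptr, which this function never sets */`. The rest of do_tkill() is outside the hunk.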
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch)
@@ -0,0 +1,40 @@
+From d0dd0a3d5d31807eea0d54bd561cf178c45a24ca Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:56 +0000
+Subject: [PATCH] llc: Fix missing msg_namelen update in llc_ui_recvmsg()
+
+[ Upstream commit c77a4b9cffb6215a15196ec499490d116dfad181 ]
+
+For stream sockets the code misses to update the msg_namelen member
+to 0 and therefore makes net/socket.c leak the local, uninitialized
+sockaddr_storage variable to userland -- 128 bytes of kernel stack
+memory. The msg_namelen update is also missing for datagram sockets
+in case the socket is shutting down during receive.
+
+Fix both issues by setting msg_namelen to 0 early. It will be
+updated later if we're going to fill the msg_name member.
+
+Cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/llc/af_llc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
+index 99a60d5..e5565c7 100644
+--- a/net/llc/af_llc.c
++++ b/net/llc/af_llc.c
+@@ -720,6 +720,8 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock,
+ int target; /* Read at least this many bytes */
+ long timeo;
+
++ msg->msg_namelen = 0;
++
+ lock_sock(sk);
+ copied = -ENOTCONN;
+ if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN))
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/net-fix-incorrect-credentials-passing.patch)
@@ -0,0 +1,87 @@
+From 5428146ebea24b916eb9e3684449699cb6a5c8c0 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Fri, 19 Apr 2013 15:32:32 +0000
+Subject: [PATCH] net: fix incorrect credentials passing
+
+commit 83f1b4ba917db5dc5a061a44b3403ddb6e783494 upstream.
+
+Commit 257b5358b32f ("scm: Capture the full credentials of the scm
+sender") changed the credentials passing code to pass in the effective
+uid/gid instead of the real uid/gid.
+
+Obviously this doesn't matter most of the time (since normally they are
+the same), but it results in differences for suid binaries when the wrong
+uid/gid ends up being used.
+
+This just undoes that (presumably unintentional) part of the commit.
+
+Reported-by: Andy Lutomirski <luto at amacapital.net>
+Cc: Eric W. Biederman <ebiederm at xmission.com>
+Cc: Serge E. Hallyn <serge at hallyn.com>
+Cc: David S. Miller <davem at davemloft.net>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Acked-by: "Eric W. Biederman" <ebiederm at xmission.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+[bwh: Backported to 3.2: scm_set_cred() does user namespace conversion
+ of euid/egid using cred_to_ucred(). Add and use cred_real_to_ucred() to
+ do the same thing for real uid/gid.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ include/linux/socket.h | 1 +
+ include/net/scm.h | 2 +-
+ net/core/sock.c | 14 ++++++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/include/linux/socket.h b/include/linux/socket.h
+index ad919e0..2acd2e2 100644
+--- a/include/linux/socket.h
++++ b/include/linux/socket.h
+@@ -317,6 +317,7 @@ struct ucred {
+ #define IPX_TYPE 1
+
+ extern void cred_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
++extern void cred_real_to_ucred(struct pid *pid, const struct cred *cred, struct ucred *ucred);
+
+ extern int memcpy_fromiovec(unsigned char *kdata, struct iovec *iov, int len);
+ extern int memcpy_fromiovecend(unsigned char *kdata, const struct iovec *iov,
+diff --git a/include/net/scm.h b/include/net/scm.h
+index 0c0017c..5da0a7b 100644
+--- a/include/net/scm.h
++++ b/include/net/scm.h
+@@ -50,7 +50,7 @@ static __inline__ void scm_set_cred(struct scm_cookie *scm,
+ {
+ scm->pid = get_pid(pid);
+ scm->cred = cred ? get_cred(cred) : NULL;
+- cred_to_ucred(pid, cred, &scm->creds);
++ cred_real_to_ucred(pid, cred, &scm->creds);
+ }
+
+ static __inline__ void scm_destroy_cred(struct scm_cookie *scm)
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 1e8a882..2c73adf 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -761,6 +761,20 @@ void cred_to_ucred(struct pid *pid, const struct cred *cred,
+ }
+ EXPORT_SYMBOL_GPL(cred_to_ucred);
+
++void cred_real_to_ucred(struct pid *pid, const struct cred *cred,
++ struct ucred *ucred)
++{
++ ucred->pid = pid_vnr(pid);
++ ucred->uid = ucred->gid = -1;
++ if (cred) {
++ struct user_namespace *current_ns = current_user_ns();
++
++ ucred->uid = user_ns_map_uid(current_ns, cred, cred->uid);
++ ucred->gid = user_ns_map_gid(current_ns, cred, cred->gid);
++ }
++}
++EXPORT_SYMBOL_GPL(cred_real_to_ucred);
++
+ int sock_getsockopt(struct socket *sock, int level, int optname,
+ char __user *optval, int __user *optlen)
+ {
+--
+1.7.10.4
+
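Review bot: cred_real_to_ucred() appears to repeat the body of cred_to_ucred() with only `cred->uid`/`cred->gid` in place of the effective ids (the original function sits just above the hunk, so this is inferred from the backport note and the diffstat). A static helper taking the uid/gid to map, called from both exported functions, would keep the two from drifting apart. At minimum a line such as `/* Like cred_to_ucred(), but reports the real uid/gid, as SCM_CREDENTIALS did before 257b5358b32f */` on the new function would record why two near-identical exports exist. The `ucred->uid = ucred->gid = -1;` sentinel presumably matches the existing function's style, so that is fine.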
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch)
@@ -0,0 +1,39 @@
+From 3fc8fc1cc2d585c1f695f7de914063258aafe50e Mon Sep 17 00:00:00 2001
+From: Tommi Rantala <tt.rantala at gmail.com>
+Date: Sat, 13 Apr 2013 19:49:14 +0000
+Subject: perf: Treat attr.config as u64 in perf_swevent_init()
+
+commit 8176cced706b5e5d15887584150764894e94e02f upstream.
+
+Trinity discovered that we fail to check all 64 bits of
+attr.config passed by user space, resulting to out-of-bounds
+access of the perf_swevent_enabled array in
+sw_perf_event_destroy().
+
+Introduced in commit b0a873ebb ("perf: Register PMU
+implementations").
+
+Signed-off-by: Tommi Rantala <tt.rantala at gmail.com>
+Cc: Peter Zijlstra <a.p.zijlstra at chello.nl>
+Cc: davej at redhat.com
+Cc: Paul Mackerras <paulus at samba.org>
+Cc: Arnaldo Carvalho de Melo <acme at ghostprotocols.net>
+Link: http://lkml.kernel.org/r/1365882554-30259-1-git-send-email-tt.rantala@gmail.com
+Signed-off-by: Ingo Molnar <mingo at kernel.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+diff --git a/kernel/events/core.c b/kernel/events/core.c
+index d23dfa7..9f21915 100644
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5164,7 +5164,7 @@ static void sw_perf_event_destroy(struct perf_event *event)
+
+ static int perf_swevent_init(struct perf_event *event)
+ {
+- int event_id = event->attr.config;
++ u64 event_id = event->attr.config;
+
+ if (event->attr.type != PERF_TYPE_SOFTWARE)
+ return -ENOENT;
+--
+cgit v0.9.1
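Review bot: The widening of event_id to u64 has no comment, and the check it protects is outside the hunk (the range test against the software-event table presumably follows the type check). Suggest `/* attr.config is u64: keep the full width so the bounds check below sees the high bits */` above the declaration. Separately, this patch file has no diffstat between `---` and the first `diff` line and ends in `cgit v0.9.1` rather than a git version, so it was evidently exported from cgit; harmless for quilt, but inconsistent with the sibling patches. perf_swevent_init() continues beyond the hunk.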
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch)
@@ -0,0 +1,39 @@
+From f05503a9ef115c505b36fcd75f77b341811e9169 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:51:59 +0000
+Subject: [PATCH] rose: fix info leak via msg_name in rose_recvmsg()
+
+[ Upstream commit 4a184233f21645cf0b719366210ed445d1024d72 ]
+
+The code in rose_recvmsg() does not initialize all of the members of
+struct sockaddr_rose/full_sockaddr_rose when filling the sockaddr info.
+Nor does it initialize the padding bytes of the structure inserted by
+the compiler for alignment. This will lead to leaking uninitialized
+kernel stack bytes in net/socket.c.
+
+Fix the issue by initializing the memory used for sockaddr info with
+memset(0).
+
+Cc: Ralf Baechle <ralf at linux-mips.org>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/rose/af_rose.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
+index f9ea925..1f96fb9 100644
+--- a/net/rose/af_rose.c
++++ b/net/rose/af_rose.c
+@@ -1258,6 +1258,7 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock,
+ skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
+
+ if (srose != NULL) {
++ memset(srose, 0, msg->msg_namelen);
+ srose->srose_family = AF_ROSE;
+ srose->srose_addr = rose->dest_addr;
+ srose->srose_call = rose->dest_call;
+--
+1.7.10.4
+
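Review bot: `memset(srose, 0, msg->msg_namelen);` sizes the clear by the length the caller passed in rather than by the structure this function fills; nothing in the hunk sets msg_namelen before this point, and the lines that do (after the dest fields are written) are outside it. Whether that length is bounded by the time it reaches here depends on net/socket.c, which this patch does not change, so a size fixed by the type is the more robust form: `memset(srose, 0, sizeof(struct full_sockaddr_rose));`. The description mentions both struct sockaddr_rose and full_sockaddr_rose, and full_sockaddr_rose is the larger, so zeroing that size covers either layout the function may fill.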
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch)
@@ -0,0 +1,49 @@
+From 2b79fa8fddde2d070ca28a2d94394c39bfd8d741 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook at chromium.org>
+Date: Wed, 27 Mar 2013 06:40:50 +0000
+Subject: [PATCH] tg3: fix length overflow in VPD firmware parsing
+
+commit 715230a44310a8cf66fbfb5a46f9a62a9b2de424 upstream.
+
+Commit 184b89044fb6e2a74611dafa69b1dce0d98612c6 ("tg3: Use VPD fw version
+when present") introduced VPD parsing that contained a potential length
+overflow.
+
+Limit the hardware's reported firmware string length (max 255 bytes) to
+stay inside the driver's firmware string length (32 bytes). On overflow,
+truncate the formatted firmware string instead of potentially overwriting
+portions of the tg3 struct.
+
+http://cansecwest.com/slides/2013/PrivateCore%20CSW%202013.pdf
+
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Reported-by: Oded Horovitz <oded at privatecore.com>
+Reported-by: Brad Spengler <spender at grsecurity.net>
+Cc: Matt Carlson <mcarlson at broadcom.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/net/ethernet/broadcom/tg3.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c
+index c86fa50..c6b9903 100644
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -13433,8 +13433,11 @@ static void __devinit tg3_read_vpd(struct tg3 *tp)
+ if (j + len > block_end)
+ goto partno;
+
+- memcpy(tp->fw_ver, &vpd_data[j], len);
+- strncat(tp->fw_ver, " bc ", vpdlen - len - 1);
++ if (len >= sizeof(tp->fw_ver))
++ len = sizeof(tp->fw_ver) - 1;
++ memset(tp->fw_ver, 0, sizeof(tp->fw_ver));
++ snprintf(tp->fw_ver, sizeof(tp->fw_ver), "%.*s bc ", len,
++ &vpd_data[j]);
+ }
+
+ partno:
+--
+1.7.10.4
+
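Review bot: The clamp of `len` and the `%.*s` format carry no explanation of the size mismatch they guard against; suggest `/* VPD field length is a byte (up to 255); fw_ver is only sizeof(tp->fw_ver) */` above the `if`. With snprintf() bounding and NUL-terminating the output, the preceding `memset(tp->fw_ver, 0, sizeof(tp->fw_ver));` is not needed for correctness, though it does keep the tail of the buffer zeroed; worth stating which of the two is the intent. `%.*s` takes an int precision, so it is worth checking that `len` is declared as int (its declaration is outside the hunk). tg3_read_vpd() continues outside the hunk.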
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch)
@@ -0,0 +1,66 @@
+From 1ae38900523eaf11a77c73827c096d7e7eade3a4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli at googlemail.com>
+Date: Sun, 7 Apr 2013 01:52:00 +0000
+Subject: [PATCH] tipc: fix info leaks via msg_name in recv_msg/recv_stream
+
+[ Upstream commit 60085c3d009b0df252547adb336d1ccca5ce52ec ]
+
+The code in set_orig_addr() does not initialize all of the members of
+struct sockaddr_tipc when filling the sockaddr info -- namely the union
+is only partly filled. This will make recv_msg() and recv_stream() --
+the only users of this function -- leak kernel stack memory as the
+msg_name member is a local variable in net/socket.c.
+
+Additionally to that both recv_msg() and recv_stream() fail to update
+the msg_namelen member to 0 while otherwise returning with 0, i.e.
+"success". This is the case for, e.g., non-blocking sockets. This will
+lead to a 128 byte kernel stack leak in net/socket.c.
+
+Fix the first issue by initializing the memory of the union with
+memset(0). Fix the second one by setting msg_namelen to 0 early as it
+will be updated later if we're going to fill the msg_name member.
+
+Cc: Jon Maloy <jon.maloy at ericsson.com>
+Cc: Allan Stephens <allan.stephens at windriver.com>
+Signed-off-by: Mathias Krause <minipli at googlemail.com>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ net/tipc/socket.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/tipc/socket.c b/net/tipc/socket.c
+index 42b8324..fdf34af 100644
+--- a/net/tipc/socket.c
++++ b/net/tipc/socket.c
+@@ -829,6 +829,7 @@ static void set_orig_addr(struct msghdr *m, struct tipc_msg *msg)
+ if (addr) {
+ addr->family = AF_TIPC;
+ addr->addrtype = TIPC_ADDR_ID;
++ memset(&addr->addr, 0, sizeof(addr->addr));
+ addr->addr.id.ref = msg_origport(msg);
+ addr->addr.id.node = msg_orignode(msg);
+ addr->addr.name.domain = 0; /* could leave uninitialized */
+@@ -948,6 +949,9 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+
+@@ -1074,6 +1078,9 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock,
+ goto exit;
+ }
+
++ /* will be updated in set_orig_addr() if needed */
++ m->msg_namelen = 0;
++
+ target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len);
+ timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
+ restart:
+--
+1.7.10.4
+
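Review bot: After the new `memset(&addr->addr, 0, sizeof(addr->addr));`, the existing line `addr->addr.name.domain = 0; /* could leave uninitialized */` is both redundant and misleading, since the comment now describes the very thing the memset forbids. Either drop that line or change the comment to `/* already zeroed by the memset above */`. The recv_msg()/recv_stream() hunks already record the reason with `/* will be updated in set_orig_addr() if needed */`, so no change is needed there.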
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch)
@@ -0,0 +1,86 @@
+From ee3c9aabb636fcfc21d53c506362620b55fdd8c6 Mon Sep 17 00:00:00 2001
+From: Namhyung Kim <namhyung.kim at lge.com>
+Date: Thu, 11 Apr 2013 15:55:01 +0900
+Subject: [PATCH] tracing: Fix possible NULL pointer dereferences
+
+commit 6a76f8c0ab19f215af2a3442870eeb5f0e81998d upstream.
+
+Currently set_ftrace_pid and set_graph_function files use seq_lseek
+for their fops. However seq_open() is called only for FMODE_READ in
+the fops->open() so that if an user tries to seek one of those file
+when she open it for writing, it sees NULL seq_file and then panic.
+
+It can be easily reproduced with following command:
+
+ $ cd /sys/kernel/debug/tracing
+ $ echo 1234 | sudo tee -a set_ftrace_pid
+
+In this example, GNU coreutils' tee opens the file with fopen(, "a")
+and then the fopen() internally calls lseek().
+
+Link: http://lkml.kernel.org/r/1365663302-2170-1-git-send-email-namhyung@kernel.org
+
+Cc: Frederic Weisbecker <fweisbec at gmail.com>
+Cc: Ingo Molnar <mingo at kernel.org>
+Cc: Namhyung Kim <namhyung.kim at lge.com>
+Signed-off-by: Namhyung Kim <namhyung at kernel.org>
+Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
+[bwh: Backported to 3.2: ftrace_regex_lseek() is static]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ kernel/trace/ftrace.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
+index bed7991..5527211 100644
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -2316,7 +2316,7 @@ ftrace_notrace_open(struct inode *inode, struct file *file)
+ }
+
+ static loff_t
+-ftrace_regex_lseek(struct file *file, loff_t offset, int origin)
++ftrace_filter_lseek(struct file *file, loff_t offset, int origin)
+ {
+ loff_t ret;
+
+@@ -3134,7 +3134,7 @@ static const struct file_operations ftrace_filter_fops = {
+ .open = ftrace_filter_open,
+ .read = seq_read,
+ .write = ftrace_filter_write,
+- .llseek = ftrace_regex_lseek,
++ .llseek = ftrace_filter_lseek,
+ .release = ftrace_regex_release,
+ };
+
+@@ -3142,7 +3142,7 @@ static const struct file_operations ftrace_notrace_fops = {
+ .open = ftrace_notrace_open,
+ .read = seq_read,
+ .write = ftrace_notrace_write,
+- .llseek = ftrace_regex_lseek,
++ .llseek = ftrace_filter_lseek,
+ .release = ftrace_regex_release,
+ };
+
+@@ -3350,8 +3350,8 @@ static const struct file_operations ftrace_graph_fops = {
+ .open = ftrace_graph_open,
+ .read = seq_read,
+ .write = ftrace_graph_write,
++ .llseek = ftrace_filter_lseek,
+ .release = ftrace_graph_release,
+- .llseek = seq_lseek,
+ };
+ #endif /* CONFIG_FUNCTION_GRAPH_TRACER */
+
+@@ -3843,7 +3843,7 @@ static const struct file_operations ftrace_pid_fops = {
+ .open = ftrace_pid_open,
+ .write = ftrace_pid_write,
+ .read = seq_read,
+- .llseek = seq_lseek,
++ .llseek = ftrace_filter_lseek,
+ .release = ftrace_pid_release,
+ };
+
+--
+1.7.10.4
+
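Review bot: ftrace_filter_lseek() is now the seek handler for four file_operations, but nothing at its definition says why seq_lseek() cannot be used directly; suggest a comment above the `static loff_t` line such as `/* seq_lseek() needs the seq_file that the open handlers only create for FMODE_READ; write-only opens must not reach it */`, adjusted to what the body actually does, since the body is outside the hunk and the intent is only recoverable from the description. The rename from ftrace_regex_lseek is reasonable given the function no longer serves regex files only.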
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch)
@@ -0,0 +1,68 @@
+From cd945654552d978b84c0825c7206b2d0667a1272 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed, 1 May 2013 07:32:21 -0700
+Subject: [PATCH] tty: fix up atime/mtime mess, take three
+
+commit b0b885657b6c8ef63a46bc9299b2a7715d19acde upstream.
+
+We first tried to avoid updating atime/mtime entirely (commit
+b0de59b5733d: "TTY: do not update atime/mtime on read/write"), and then
+limited it to only update it occasionally (commit 37b7f3c76595: "TTY:
+fix atime/mtime regression"), but it turns out that this was both
+insufficient and overkill.
+
+It was insufficient because we let people attach to the shared ptmx node
+to see activity without even reading atime/mtime, and it was overkill
+because the "only once a minute" means that you can't really tell an
+idle person from an active one with 'w'.
+
+So this tries to fix the problem properly. It marks the shared ptmx
+node as un-notifiable, and it lowers the "only once a minute" to a few
+seconds instead - still long enough that you can't time individual
+keystrokes, but short enough that you can tell whether somebody is
+active or not.
+
+Reported-by: Simon Kirby <sim at hostway.ca>
+Acked-by: Jiri Slaby <jslaby at suse.cz>
+Cc: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ drivers/tty/pty.c | 3 +++
+ drivers/tty/tty_io.c | 4 ++--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
+index d19b879..4735928 100644
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -669,6 +669,9 @@ static int ptmx_open(struct inode *inode, struct file *filp)
+
+ nonseekable_open(inode, filp);
+
++ /* We refuse fsnotify events on ptmx, since it's a shared resource */
++ filp->f_mode |= FMODE_NONOTIFY;
++
+ retval = tty_alloc_file(filp);
+ if (retval)
+ return retval;
+diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
+index c7131a9..3f35e42 100644
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -940,10 +940,10 @@ void start_tty(struct tty_struct *tty)
+
+ EXPORT_SYMBOL(start_tty);
+
++/* We limit tty time update visibility to every 8 seconds or so. */
+ static void tty_update_time(struct timespec *time)
+ {
+- unsigned long sec = get_seconds();
+- sec -= sec % 60;
++ unsigned long sec = get_seconds() & ~7;
+ if ((long)(sec - time->tv_sec) > 0)
+ time->tv_sec = sec;
+ }
+--
+1.7.10.4
+
Copied: dists/squeeze-backports/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch (from r20117, dists/wheezy-security/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-backports/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch Thu May 16 17:02:17 2013 (r20124, copy of r20117, dists/wheezy-security/linux/debian/patches/bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch)
@@ -0,0 +1,177 @@
+From c471da1e3f5c6e43397dccf47cefd8edc86aa9f0 Mon Sep 17 00:00:00 2001
+From: Andrew Honig <ahonig at google.com>
+Date: Fri, 29 Mar 2013 09:35:21 -0700
+Subject: [PATCH] KVM: Allow cross page reads and writes from cached
+ translations.
+
+commit 8f964525a121f2ff2df948dac908dcc65be21b5b upstream.
+
+This patch adds support for kvm_gfn_to_hva_cache_init functions for
+reads and writes that will cross a page. If the range falls within
+the same memslot, then this will be a fast operation. If the range
+is split between two memslots, then the slower kvm_read_guest and
+kvm_write_guest are used.
+
+Tested: Test against kvm_clock unit tests.
+
+Signed-off-by: Andrew Honig <ahonig at google.com>
+Signed-off-by: Gleb Natapov <gleb at redhat.com>
+[bwh: Backported to 3.2:
+ - Drop change in lapic.c
+ - Keep using __gfn_to_memslot() in kvm_gfn_to_hva_cache_init()]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ arch/x86/kvm/x86.c | 13 ++++++-------
+ include/linux/kvm_host.h | 2 +-
+ include/linux/kvm_types.h | 1 +
+ virt/kvm/kvm_main.c | 47 +++++++++++++++++++++++++++++++++++----------
+ 4 files changed, 45 insertions(+), 18 deletions(-)
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index 2dd2e4e..e82a53a 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1480,7 +1480,8 @@ static int kvm_pv_enable_async_pf(struct kvm_vcpu *vcpu, u64 data)
+ return 0;
+ }
+
+- if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa))
++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.apf.data, gpa,
++ sizeof(u32)))
+ return 1;
+
+ vcpu->arch.apf.send_user_only = !(data & KVM_ASYNC_PF_SEND_ALWAYS);
+@@ -1594,12 +1595,9 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+
+ gpa_offset = data & ~(PAGE_MASK | 1);
+
+- /* Check that the address is 32-byte aligned. */
+- if (gpa_offset & (sizeof(struct pvclock_vcpu_time_info) - 1))
+- break;
+-
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm,
+- &vcpu->arch.pv_time, data & ~1ULL))
++ &vcpu->arch.pv_time, data & ~1ULL,
++ sizeof(struct pvclock_vcpu_time_info)))
+ vcpu->arch.pv_time_enabled = false;
+ else
+ vcpu->arch.pv_time_enabled = true;
+@@ -1618,7 +1616,8 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+ return 1;
+
+ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, &vcpu->arch.st.stime,
+- data & KVM_STEAL_VALID_BITS))
++ data & KVM_STEAL_VALID_BITS,
++ sizeof(struct kvm_steal_time)))
+ return 1;
+
+ vcpu->arch.st.msr_val = data;
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index 6136821..e6796c1 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -396,7 +396,7 @@ int kvm_write_guest(struct kvm *kvm, gpa_t gpa, const void *data,
+ int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ void *data, unsigned long len);
+ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+- gpa_t gpa);
++ gpa_t gpa, unsigned long len);
+ int kvm_clear_guest_page(struct kvm *kvm, gfn_t gfn, int offset, int len);
+ int kvm_clear_guest(struct kvm *kvm, gpa_t gpa, unsigned long len);
+ struct kvm_memory_slot *gfn_to_memslot(struct kvm *kvm, gfn_t gfn);
+diff --git a/include/linux/kvm_types.h b/include/linux/kvm_types.h
+index fa7cc72..b0bcce0 100644
+--- a/include/linux/kvm_types.h
++++ b/include/linux/kvm_types.h
+@@ -71,6 +71,7 @@ struct gfn_to_hva_cache {
+ u64 generation;
+ gpa_t gpa;
+ unsigned long hva;
++ unsigned long len;
+ struct kvm_memory_slot *memslot;
+ };
+
+diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
+index ec747dc..8bf05f0 100644
+--- a/virt/kvm/kvm_main.c
++++ b/virt/kvm/kvm_main.c
+@@ -1401,21 +1401,38 @@ int kvm_write_guest(struct kvm *kvm, gpa_t gpa, const void *data,
+ }
+
+ int kvm_gfn_to_hva_cache_init(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+- gpa_t gpa)
++ gpa_t gpa, unsigned long len)
+ {
+ struct kvm_memslots *slots = kvm_memslots(kvm);
+ int offset = offset_in_page(gpa);
+- gfn_t gfn = gpa >> PAGE_SHIFT;
++ gfn_t start_gfn = gpa >> PAGE_SHIFT;
++ gfn_t end_gfn = (gpa + len - 1) >> PAGE_SHIFT;
++ gfn_t nr_pages_needed = end_gfn - start_gfn + 1;
++ gfn_t nr_pages_avail;
+
+ ghc->gpa = gpa;
+ ghc->generation = slots->generation;
+- ghc->memslot = __gfn_to_memslot(slots, gfn);
+- ghc->hva = gfn_to_hva_many(ghc->memslot, gfn, NULL);
+- if (!kvm_is_error_hva(ghc->hva))
++ ghc->len = len;
++ ghc->memslot = __gfn_to_memslot(slots, start_gfn);
++ ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn, &nr_pages_avail);
++ if (!kvm_is_error_hva(ghc->hva) && nr_pages_avail >= nr_pages_needed) {
+ ghc->hva += offset;
+- else
+- return -EFAULT;
+-
++ } else {
++ /*
++ * If the requested region crosses two memslots, we still
++ * verify that the entire region is valid here.
++ */
++ while (start_gfn <= end_gfn) {
++ ghc->memslot = __gfn_to_memslot(slots, start_gfn);
++ ghc->hva = gfn_to_hva_many(ghc->memslot, start_gfn,
++ &nr_pages_avail);
++ if (kvm_is_error_hva(ghc->hva))
++ return -EFAULT;
++ start_gfn += nr_pages_avail;
++ }
++ /* Use the slow path for cross page reads and writes. */
++ ghc->memslot = NULL;
++ }
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(kvm_gfn_to_hva_cache_init);
+@@ -1426,8 +1443,13 @@ int kvm_write_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ struct kvm_memslots *slots = kvm_memslots(kvm);
+ int r;
+
++ BUG_ON(len > ghc->len);
++
+ if (slots->generation != ghc->generation)
+- kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa);
++ kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
++
++ if (unlikely(!ghc->memslot))
++ return kvm_write_guest(kvm, ghc->gpa, data, len);
+
+ if (kvm_is_error_hva(ghc->hva))
+ return -EFAULT;
+@@ -1447,8 +1469,13 @@ int kvm_read_guest_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
+ struct kvm_memslots *slots = kvm_memslots(kvm);
+ int r;
+
++ BUG_ON(len > ghc->len);
++
+ if (slots->generation != ghc->generation)
+- kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa);
++ kvm_gfn_to_hva_cache_init(kvm, ghc, ghc->gpa, ghc->len);
++
++ if (unlikely(!ghc->memslot))
++ return kvm_read_guest(kvm, ghc->gpa, data, len);
+
+ if (kvm_is_error_hva(ghc->hva))
+ return -EFAULT;
+--
+1.7.10.4
+
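Review bot: `kvm_gfn_to_hva_cache_init` in the virt/kvm/kvm_main.c hunk computes `end_gfn = (gpa + len - 1) >> PAGE_SHIFT` with no guard against `len == 0` or `gpa + len` wrapping; the arch/x86/kvm/x86.c callers in this hunk derive `gpa` from the MSR `data` value written in `kvm_set_msr_common`, so if a value near the top of the address space can reach this path, `start_gfn > end_gfn`, the slow-path `while` loop never executes, and the function stores `ghc->memslot = NULL` and returns 0 although nothing was verified. The `kvm_read_guest`/`kvm_write_guest` fallback in the cached accessors then has to fail on its own, so this looks like a gap in the function's stated contract ("we still verify that the entire region is valid here") rather than a reachable memory-safety issue, but an explicit check placed after `ghc->generation = slots->generation;` (so a stale cache is not kept), `if (start_gfn > end_gfn) return -EINVAL;`, makes the guarantee real at negligible cost. The new `len` parameter on the `kvm_gfn_to_hva_cache_init` prototype in include/linux/kvm_host.h and the new `len` field in `struct gfn_to_hva_cache` would also benefit from a one-line comment stating that `len` is the largest length later `kvm_read_guest_cached`/`kvm_write_guest_cached` calls may pass, which the new `BUG_ON(len > ghc->len)` enforces.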
Modified: dists/squeeze-backports/linux/debian/patches/series
==============================================================================
--- dists/squeeze-backports/linux/debian/patches/series Thu May 16 04:53:15 2013 (r20123)
+++ dists/squeeze-backports/linux/debian/patches/series Thu May 16 17:02:17 2013 (r20124)
@@ -639,3 +639,25 @@
bugfix/x86/KVM-x86-fix-for-buffer-overflow-in-handling-of-MSR_K.patch
bugfix/x86/KVM-x86-Convert-MSR_KVM_SYSTEM_TIME-to-use-gfn_to_hv.patch
bugfix/all/KVM-Fix-bounds-checking-in-ioapic-indirect-register-.patch
+bugfix/all/perf-Treat-attr.config-as-u64-in-perf_swevent_init.patch
+bugfix/all/TTY-do-not-update-atime-mtime-on-read-write.patch
+bugfix/all/TTY-fix-atime-mtime-regression.patch
+bugfix/all/tty-fix-up-atime-mtime-mess-take-three.patch
+bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
+bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
+bugfix/all/crypto-algif-suppress-sending-source-address-informa.patch
+bugfix/all/atm-update-msg_namelen-in-vcc_recvmsg.patch
+bugfix/all/ax25-fix-info-leak-via-msg_name-in-ax25_recvmsg.patch
+bugfix/all/Bluetooth-fix-possible-info-leak-in-bt_sock_recvmsg.patch
+bugfix/all/Bluetooth-RFCOMM-Fix-missing-msg_namelen-update-in-r.patch
+bugfix/all/caif-Fix-missing-msg_namelen-update-in-caif_seqpkt_r.patch
+bugfix/all/irda-Fix-missing-msg_namelen-update-in-irda_recvmsg_.patch
+bugfix/all/iucv-Fix-missing-msg_namelen-update-in-iucv_sock_rec.patch
+bugfix/all/llc-Fix-missing-msg_namelen-update-in-llc_ui_recvmsg.patch
+bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
+bugfix/all/tracing-Fix-possible-NULL-pointer-dereferences.patch
+bugfix/x86/KVM-Allow-cross-page-reads-and-writes-from-cached-tr.patch
+bugfix/all/net-fix-incorrect-credentials-passing.patch
+bugfix/all/tg3-fix-length-overflow-in-VPD-firmware-parsing.patch
+bugfix/all/kernel-signal.c-stop-info-leak-via-the-tkill-and-the.patch