Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v2.6.38 2011-03-03T23:48:01Z 2011-03-03T23:48:01Z Linus Torvalds torvalds@linux-foundation.org 2011-03-03T23:48:01Z urn:sha1:b65a0e0c84cf489bfa00d6aa6c48abc5a237100f * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-03T23:43:15Z Linus Torvalds torvalds@linux-foundation.org 2011-03-03T23:43:15Z urn:sha1:4438a02fc4956f5f61918095708f183f5c63a9d3 * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits) MAINTAINERS: Add Andy Gospodarek as co-maintainer. r8169: disable ASPM RxRPC: Fix v1 keys AF_RXRPC: Handle receiving ACKALL packets cnic: Fix lost interrupt on bnx2x cnic: Prevent status block race conditions with hardware net: dcbnl: check correct ops in dcbnl_ieee_set() e1000e: disable broken PHY wakeup for ICH10 LOMs, use MAC wakeup instead igb: fix sparse warning e1000: fix sparse warning netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values dccp: fix oops on Reset after close ipvs: fix dst_lock locking on dest update davinci_emac: Add Carrier Link OK check in Davinci RX Handler bnx2x: update driver version to 1.62.00-6 bnx2x: properly calculate lro_mss bnx2x: perform statistics "action" before state transition. bnx2x: properly configure coefficients for MinBW algorithm (NPAR mode). bnx2x: Fix ethtool -t link test for MF (non-pmf) devices. bnx2x: Fix nvram test for single port devices. ... 2011-03-03T22:56:19Z David Howells dhowells@redhat.com 2011-03-03T11:28:58Z urn:sha1:1362fa078dae16776cd439791c6605b224ea6171 When a DNS resolver key is instantiated with an error indication, attempts to read that key will result in an oops because user_read() is expecting there to be a payload - and there isn't one [CVE-2011-1076]. Give the DNS resolver key its own read handler that returns the error cached in key->type_data.x[0] as an error rather than crashing. Also make the kenter() at the beginning of dns_resolver_instantiate() limit the amount of data it prints, since the data is not necessarily NUL-terminated. The buggy code was added in: commit 4a2d789267e00b5a1175ecd2ddefcc78b83fbf09 Author: Wang Lei <wang840925@gmail.com> Date: Wed Aug 11 09:37:58 2010 +0100 Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2] This can trivially be reproduced by any user with the following program compiled with -lkeyutils: #include <stdlib.h> #include <keyutils.h> #include <err.h> static char payload[] = "#dnserror=6"; int main() { key_serial_t key; key = add_key("dns_resolver", "a", payload, sizeof(payload), KEY_SPEC_SESSION_KEYRING); if (key == -1) err(1, "add_key"); if (keyctl_read(key, NULL, 0) == -1) err(1, "read_key"); return 0; } What should happen is that keyctl_read() reports error 6 (ENXIO) to the user: dns-break: read_key: No such device or address but instead the kernel oopses. This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands as both of those cut the data down below the NUL termination that must be included in the data. Without this dns_resolver_instantiate() will return -EINVAL and the key will not be instantiated such that it can be read. The oops looks like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f PGD 3bdf8067 PUD 385b9067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq CPU 0 Modules linked in: Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468 /DG965RY RIP: 0010:[<ffffffff811b99f7>] [<ffffffff811b99f7>] user_read+0x4f/0x8f RSP: 0018:ffff88003bf47f08 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378 RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000 R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1 FS: 00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090) Stack: ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000 Call Trace: [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6 [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48 RIP [<ffffffff811b99f7>] user_read+0x4f/0x8f RSP <ffff88003bf47f08> CR2: 0000000000000010 Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Jeff Layton <jlayton@redhat.com> cc: Wang Lei <wang840925@gmail.com> Signed-off-by: James Morris <jmorris@namei.org> 2011-02-28T20:33:19Z Randy Dunlap randy.dunlap@oracle.com 2011-02-22T12:23:43Z urn:sha1:a90e81579de79e1e94b9af6216e4ef54e468ef4a Clean up entries in 00-INDEX: drop files that have been removed. Reported-by: Rob Landley <rlandley@parallels.com> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Rob Landley <rlandley@parallels.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-02-21T23:07:04Z Randy Dunlap randy.dunlap@oracle.com 2011-02-21T04:08:35Z urn:sha1:361821854b71fc3a53c9e17701538247bddbd4ba Add fs/eventfd.c to filesystems docbook. Make typo corrections in fs/eventfd.c. Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Cc: Davide Libenzi <davidel@xmailserver.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-02-21T23:07:04Z Randy Dunlap randy.dunlap@oracle.com 2011-02-21T04:08:35Z urn:sha1:c756d08a00a2f151363d95ad27e12ca6b27cb3f6 Update the "log_buf_len" description to use [KMG] syntax for the buffer size. Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-02-21T23:07:04Z Ahmed S. Darwish darwish.07@gmail.com 2011-02-21T04:08:35Z urn:sha1:7a19a237d54e3f209d543b69b27f24a23b335c40 The '[KMG]' suffix is commonly described after a number of kernel parameter values documentation. Explicitly state its semantics. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-02-21T23:07:04Z Ahmed S. Darwish darwish.07@gmail.com 2011-02-21T04:08:35Z urn:sha1:6f21e64630d8378b64f2ad25c0b291725a00a40c Complete the crashkernel= kernel parameter documentation. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: Simon Horman <horms@verge.net.au> Acked-by: Vivek Goyal <vgoyal@redhat.com> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2011-02-20T18:15:22Z Linus Torvalds torvalds@linux-foundation.org 2011-02-20T18:15:22Z urn:sha1:a0c85e96d3b5609c918edd5a534a7cde9845b3fa * 'hwmon-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/staging: hwmon: (lm85) extend to support EMC6D103 chips MAINTAINERS: Remove stale hwmon quilt tree hwmon: (k10temp) add support for AMD Family 12h/14h CPUs hwmon: (jc42) do not allow writing to locked registers hwmon: (jc42) more helpful documentation hwmon: (jc42) fix type mismatch 2011-02-18T22:15:05Z Linus Torvalds torvalds@linux-foundation.org 2011-02-18T22:15:05Z urn:sha1:4c3021da451fe0ea1deaba8fa3805d8d065ec84e * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (37 commits) net: deinit automatic LIST_HEAD net: dont leave active on stack LIST_HEAD net: provide default_advmss() methods to blackhole dst_ops tg3: Restrict phy ioctl access drivers/net: Call netif_carrier_off at the end of the probe ixgbe: work around for DDP last buffer size ixgbe: fix panic due to uninitialised pointer e1000e: flush all writebacks before unload e1000e: check down flag in tasks isdn: hisax: Use l2headersize() instead of dup (and buggy) func. arp_notify: unconditionally send gratuitous ARP for NETDEV_NOTIFY_PEERS. cxgb4vf: Use defined Mailbox Timeout cxgb4vf: Quiesce Virtual Interfaces on shutdown ... cxgb4vf: Behave properly when CONFIG_DEBUG_FS isn't defined ... cxgb4vf: Check driver parameters in the right place ... pch_gbe: Fix the MAC Address load issue. iwlwifi: Delete iwl3945_good_plcp_health. net/can/softing: make CAN_SOFTING_CS depend on CAN_SOFTING netfilter: nf_iterate: fix incorrect RCU usage pch_gbe: Fix the issue that the receiving data is not normal. ...