On 32-bit systems, a large args->buffer_count from userspace via ioctl
may overflow the allocation size, leading to out-of-bounds access.
This vulnerability was introduced in commit 8408c282 ("drm/i915:
First try a normal large kmalloc for the temporary exec buffers").
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
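The allocation-size wrap the message above describes, as an added example that is not part of the commit or of the i915 driver: a 32-bit kernel size_t is simulated with uint32_t, the entry struct is a constructed stand-in for the per-buffer object the ioctl copies in, and the bound check is an assumed one written in the usual "count > MAX / sizeof" style.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed stand-in for one per-buffer entry the ioctl copies in
 * (the real i915 struct is larger; only the arithmetic matters here). */
struct exec_entry {
	uint64_t handle;
	uint64_t offset;
	uint64_t flags;
};

/* Simulated 32-bit kernel size_t, so the product wraps the way the
 * commit message describes even when this runs on a 64-bit host. */
typedef uint32_t ksize_t;

/* Unchecked arithmetic: a large buffer_count wraps to a small (even zero)
 * byte count, so the allocation succeeds and later copies run past it. */
ksize_t exec_list_bytes_unchecked(uint32_t buffer_count)
{
	return (ksize_t)buffer_count * (ksize_t)sizeof(struct exec_entry);
}

/* Checked arithmetic (assumed check, not the commit's own code): reject
 * any count whose product cannot be represented in ksize_t. Returns 0
 * to signal rejection, where kernel code would return -EINVAL. */
ksize_t exec_list_bytes_checked(uint32_t buffer_count)
{
	if (buffer_count < 1 ||
	    buffer_count > UINT32_MAX / sizeof(struct exec_entry))
		return 0;
	return (ksize_t)buffer_count * (ksize_t)sizeof(struct exec_entry);
}

/* Largest count the checked path accepts, for callers wanting the bound. */
uint32_t exec_list_max_count(void)
{
	return (uint32_t)(UINT32_MAX / sizeof(struct exec_entry));
}
```

With a 24-byte entry, a count of 0x20000000 multiplies to exactly 3 * 2^32 and wraps to a zero-byte request on the unchecked path, while the checked path rejects it.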
Konrad Rzeszutek Wilk [Wed, 23 May 2012 16:56:59 +0000 (12:56 -0400)]
xen/hvc: Check HVM_PARAM_CONSOLE_[EVTCHN|PFN] for correctness.
We need to make sure that those parameters are setup to be correct.
As such the value of 0 is deemed invalid and we find that we
bail out. The hypervisor sets by default all of them to be zero
and when the hypercall is done does a simple:
a.value = d->arch.hvm_domain.params[a.index];
Which means that if the Xen toolstack forgot to setup the proper
HVM_PARAM_CONSOLE_EVTCHN, we would get the default value of 0
and use that.
CC: stable@kernel.org
Fixes-Oracle-Bug: 14091238
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Joe Jin [Fri, 23 Dec 2011 02:00:27 +0000 (10:00 +0800)]
[dm] do not forward ioctls from logical volumes to the underlying device
CVE-2011-4127.
A logical volume can map to just part of underlying physical volume.
In this case, it must be treated like a partition.
Based on a patch from Alasdair G Kergon.
Cc: Alasdair G Kergon <agk@redhat.com>
Cc: Mike Snitzer <msnitzer@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Joe Jin [Fri, 23 Dec 2011 01:59:41 +0000 (09:59 +0800)]
[block] fail SCSI passthrough ioctls on partition devices
CVE-2011-4127.
Linux allows executing the SG_IO ioctl on a partition or even on an
LVM volume, and will pass the command to the underlying block device.
This is well-known, but it is also a large security problem when (via
Unix permissions, ACLs, SELinux or a combination thereof) a program or
user needs to be granted access to a particular partition or logical
volume but not to the full device.
This patch limits the ioctls that are forwarded to non-SCSI devices to
a few ones that are harmless. This restriction includes programs
running with the CAP_SYS_RAWIO. If for example I let a program access
/dev/sda2 and /dev/sdb, it still should not be able to read/write outside
the boundaries of /dev/sda2 independent of the capabilities.
This patch does not affect the non-libata IDE driver. That driver however
already tests for bd != bd->bd_contains before issuing some ioctls; so,
programs that do not require CAP_SYS_RAWIO are safe. A workaround is
just to use libata.
Encryption on the host is a mitigating factor, but it does not provide
a full solution. In particular it doesn't protect against DoS (write
random data), replay attacks (reinstate old ciphertext sectors), or
writes to unencrypted areas including the MBR, the partition table, or
/boot.
Thanks to Daniel Berrange, Milan Broz, Mike Christie, Alasdair Kergon,
Petr Matousek, Jeff Moyer, Mike Snitzer and others for help discussing
this issue.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Joe Jin [Fri, 23 Dec 2011 01:58:55 +0000 (09:58 +0800)]
[block] add and use scsi_blk_cmd_ioctl
CVE-2011-4127.
Introduce a wrapper around scsi_cmd_ioctl that takes a block device.
The function will then be enhanced to detect partition block devices and,
in that case, subject the ioctls to whitelisting.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Conflicts:
Eric Dumazet [Tue, 30 Aug 2011 22:57:00 +0000 (18:57 -0400)]
net: ipv4: relax AF_INET check in bind()
Orabug: 14054411
commit d0733d2e29b65 (Check for mistakenly passed in non-IPv4 address)
added regression on legacy apps that use bind() with AF_UNSPEC family.
Relax the check, but make sure the bind() is done on INADDR_ANY
addresses, as AF_UNSPEC has probably no sane meaning for other
addresses.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-and-bisected-by: Rene Meier <r_meier@freenet.de>
CC: Marcus Meissner <meissner@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Avi Kivity [Mon, 5 Mar 2012 12:23:29 +0000 (14:23 +0200)]
KVM: Ensure all vcpus are consistent with in-kernel irqchip settings
Bugdb: 13871
This fixes: CVE-2012-1601
Commit 3e515705a1f46beb1c942bb8043c16f8ac7b1e9e upstream.
If some vcpus are created before KVM_CREATE_IRQCHIP, then
irqchip_in_kernel() and vcpu->arch.apic will be inconsistent, leading
to potential NULL pointer dereferences.
Fix by:
- ensuring that no vcpus are installed when KVM_CREATE_IRQCHIP is called
- ensuring that a vcpu has an apic if it is installed after KVM_CREATE_IRQCHIP
This is somewhat long winded because vcpu->arch.apic is created without
kvm->lock held.
Based on earlier patch by Michael Ellerman.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Avi Kivity <avi@redhat.com>
Moger, Babu [Thu, 2 Feb 2012 15:21:54 +0000 (15:21 +0000)]
[SCSI] scsi_dh_rdac: Fix for unbalanced reference count
Orabug: 14059970
This patch fixes an unbalanced refcount issue.
Elevating the lock for both kref_put and also for controller node deletion.
Previously, controller deletion was protected but not the kref_put. This
was causing the other thread to pick up the controller structure which was
already kref'd zero.
This was causing the following WARN_ON and also sometimes panic.
[SCSI] dh_rdac: Associate HBA and storage in rdac_controller to support partitions in storage
Orabug: 14059970
rdac hardware handler assumes that there is a one-to-one relationship
between the host and the controller w.r.t lun. IOW, it does not
support "multiple storage partitions" within a storage.
Example:
HBA1 and HBA2 see lun 0 and 1 in storage A (1)
HBA3 and HBA4 see lun 0 and 1 in storage A (2)
HBA5 and HBA6 see lun 0 and 1 in storage A (3)
luns 0 and 1 in (1), (2) and (3) are totally different.
But, rdac handler treats the lun 0s (and lun 1s) as the same when
sending a mode select to the controller, which is wrong.
This patch makes the rdac hardware handler associate HBA and the
storage w.r.t lun (and not the host itself).
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
[SCSI] dh_rdac: Use WWID from C8 page instead of Subsystem id from C4 page to identify storage
Orabug: 14059970
rdac hardware handler uses "Subsystem Identifier" from C4 inquiry page
to uniquely identify a storage. The problem with that is that if
any of the bytes are non-ascii, subsys_id will all be spaces (hex
0x20). This creates a lot of problems, especially when multiple
rdac storages are connected to the server.
Use "Storage Array Unique Identifier" from C8 inquiry page, which is the
world wide unique identifier for the storage array, to uniquely identify
the storage.
Signed-off-by: Chandra Seetharaman <sekharan@us.ibm.com>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
root [Wed, 2 May 2012 14:25:07 +0000 (19:55 +0530)]
be2iscsi: Check ASYNC PDU Handle corresponds to HDR/DATA Handle
For each ASYNC PDU received there is an HDR and DATA handle for it.
There will be only 1 HDR ASYNC Handle, but DATA Handle can be more
than 1 for each ASYNC PDU received. Checking if the ASYNC Handle
corresponds to HDR or DATA while returning the Handle to the free list.
hwi_free_async_msg just returns the handles to the free list. No return
values are needed so changing the return type to void.
root [Wed, 2 May 2012 14:17:43 +0000 (19:47 +0530)]
be2iscsi: Fix the function return values.
This patch fixes the return value
Signed-off-by: John Soni Jose <sony.john-n@emulex.com>
Signed-off-by: Jayamohan Kallickal <jayamohan.kallickal@emulex.com>
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: root <root@localhost.(none)>
root [Wed, 2 May 2012 14:16:38 +0000 (19:46 +0530)]
be2iscsi: Code cleanup, removing the goto statement
Signed-off-by: John Soni Jose <sony.john-n@emulex.com>
Signed-off-by: Jayamohan Kallickal <jayamohan.kallickal@emulex.com>
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: root <root@localhost.(none)>
root [Wed, 2 May 2012 14:14:51 +0000 (19:44 +0530)]
be2iscsi: Fix double free of MCCQ info memory.
In case of MCC_Q creation failed, the MCCQ info memory is freed
from be_mcc_queues_destroy and be_mcc_queues_create. This caused
kernel to panic because of double free.
Signed-off-by: John Soni Jose <sony.john-n@emulex.com>
Signed-off-by: Jayamohan Kallickal <jayamohan.kallickal@emulex.com>
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: root <root@localhost.(none)>
root [Wed, 2 May 2012 14:13:21 +0000 (19:43 +0530)]
be2iscsi: Set num_cpu = 1 if pci_enable_msix fails
This patch sets the num_cpu to 1 if msix not supported
Signed-off-by: Jayamohan Kallickal <jayamohan.kallickal@emulex.com>
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: root <root@localhost.(none)>
root [Wed, 2 May 2012 14:09:28 +0000 (19:39 +0530)]
be2iscsi: Freeing of WRB and SGL Handle in cleanup task
The WRB and SGL Handle allocated for Login task were not freed
back to the pool after the login process was done. This code
releases the WRB and SGL Handle after the login process.
v2:
- Fix up locking so bh calls are not done when not needed.
- Make beiscsi_cleanup_task static.
root [Wed, 2 May 2012 14:01:03 +0000 (19:31 +0530)]
be2iscsi: Fix in the Asynchronous Code Path
Set the ASYNC PDU Handle pBuffer for Data ring with the VA/PA
of the allocated memory for it.
To get the correct ASYNC PDU Handle iterate the list and compare
the PA set during initialization with the passed PHY Address.
The buffer_size and num_enteries are common for HDR and Data ring
root [Wed, 2 May 2012 13:58:04 +0000 (19:28 +0530)]
be2iscsi: cleanup a min_t() call
"sense_len" was declared as int type but actually it only stores a
u16 value that comes from hardware. The cast to u16 in min_t()
confuses static analysis because it truncates the int to u16 so I've
fixed the declaration to reflect that "sense_len" is just a u16.
Also there was a call to cpu_to_be16() which I've changed to
be16_to_cpu(). The functions are equivalent, but obviously the
hardware is big endian and we're doing the min_t() comparison on CPU
endian values.
This whole patch is just a cleanup and doesn't affect how the code
works.
upstream commit id : 4053a4be525d3441cad6cd1ae207177f03eb9ce7
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: root <root@localhost.(none)>
qla2xxx: Handle device mapping changes due to device logout.
A device logout sent in the delete path of a fcport would clear the
port handle binding inside the firmware. This could lead to queued
work items for the fcport, if any, getting incorrect results. This
patch fixes the issue by checking for device name changes after a
call to get port database.
Chad Dupuis [Fri, 13 Jan 2012 15:08:35 +0000 (09:08 -0600)]
qla2xxx: Hard code the number of loop entries at 128.
Do not use ha->max_fibre_devices in loop topology since the maximum number of
entries will always be 128 and so we don't have to worry about changing
ha->max_fibre_devices back.
Giridhar Malavali [Wed, 14 Dec 2011 01:17:47 +0000 (17:17 -0800)]
qla2xxx: Complete mailbox command timed out to avoid initialization failures during next reset cycle.
Complete the mailbox command timed out before initiating another abort cycle
to recover so that mailbox commands issued during next reset cycle don't fail
due to pending mailbox access timeout.
Andrew Vasquez [Tue, 10 Apr 2012 11:52:14 +0000 (17:22 +0530)]
qla2xxx: Cache swl during fabric discovery.
Rather than continuously allocating and freeing swl within the discovery
process, simply pre-allocate it the first time that it's needed, cache it
through the rest of the lifecycle of the driver and free it at module unload.
Joe Carnuccio [Tue, 10 Apr 2012 11:50:36 +0000 (17:20 +0530)]
qla2xxx: Remove EDC sysfs interface.
Since the new firmware periodically resets the EDC, the EDC is now
not able to be flashed while the firmware is running, so the user
applications must be prevented from flashing the EDC, and this is
achieved by removing the EDC sysfs interface.
Michael Christie [Tue, 10 Apr 2012 11:20:23 +0000 (16:50 +0530)]
qla2xxx: Remove check for null fcport from host reset handler.
Remove the check for a NULL fcport so that the host reset will run
unconditionally to unwedge any commands before the device is offlined and to
prevent a quick runthrough of the SCSI error handling.
Andrew Vasquez [Fri, 28 Oct 2011 21:40:44 +0000 (14:40 -0700)]
qla2xxx: Correct out of bounds read of ISP2200 mailbox registers.
From Olatunji:
A tool that I'm building for finding memory faults in
Linux drivers is reporting that the following loop, in
qla2x00_mbx_completion(), reads outside the allocated io memory
while reading ISP2200 mailbox registers. I would appreciate your
help in confirming this bug.
During isp2200 initialization (qla2x00_probe_one), ha->mbx_count
is set to 32, even though isp2200 has 24 mailbox registers
(mailbox0 ... mailbox23). Therefore the loop runs for
cnt=[1..31], wptr walks off the allocated mailbox register region
at cnt==24, and results in out-of-bounds reads.
Although I observed this problem in linux2.6.17.1, I
confirmed that it also exists in 2.6.37 and 3.1-rc4.
Fortunately, the reads outside the 24 mailbox registers are
benign. For correctness, limit the driver's read to 24.
Andrew Vasquez [Thu, 20 Oct 2011 17:14:16 +0000 (10:14 -0700)]
qla2xxx: Clear options-flags while issuing stop-firmware mbx command.
Not clearing the options flags in mbx1 could lead the firmware
into interpreting old data in mbx1 through mbx8. This could
lead to inadvertent DMA read/write operations to stale memory.
During command failure/non-recognition, the upper-layer
FC-transport expects the drivers to set
job-reply->reply_payload_rcv_len. Do this in a consistent manner
to avoid duplication.
Andrew Vasquez [Fri, 4 Nov 2011 14:31:51 +0000 (09:31 -0500)]
qla2xxx: Perform implicit logout during rport tear-down.
During rport tear-down, make sure we do an implicit LOGO of the fcport in our
firmware to try to clear any residual commands associated with that fcport.
Rework the structures related to SRB processing to minimize the memory
allocations per I/O and manage resources associated with and completions
from common routines.