- 09 Jan, 2016 4 commits
-
-
Al Viro authored
-
Jann Horn authored
This replaces all code in fs/compat_ioctl.c that translated ioctl arguments into a in-kernel structure, then performed do_ioctl under set_fs(KERNEL_DS), with code that allocates data on the user stack and can call the VFS ioctl handler under USER_DS. This is done as a hardening measure because the caller does not know what kind of ioctl handler will be invoked, only that no corresponding compat_ioctl handler exists and what the ioctl command number is. The accidental invocation of an unlocked_ioctl handler that unexpectedly calls copy_to_user could be a severe security issue. Signed-off-by:
Jann Horn <jann@thejh.net> Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk>
-
Al Viro authored
Signed-off-by: -
Jann Horn authored
In code in fs/compat_ioctl.c that translates ioctl arguments into a in-kernel structure, then performs sys_ioctl, possibly under set_fs(KERNEL_DS), this commit changes the sys_ioctl calls to do_ioctl calls. do_ioctl is a new function that does the same thing as sys_ioctl, but doesn't look up the fd again. This change is made to avoid (potential) security issues because of ioctl handlers that accept one of the ioctl commands I2C_FUNCS, VIDEO_GET_EVENT, MTIOCPOS, MTIOCGET, TIOCGSERIAL, TIOCSSERIAL, RTC_IRQP_READ, RTC_EPOCH_READ. This can happen for multiple reasons: - The ioctl command number could be reused. - The ioctl handler might not check the full ioctl command. This is e.g. true for drm_ioctl. - The ioctl handler is very special, e.g. cuse_file_ioctl The real issue is that set_fs(KERNEL_DS) is used here, but that's fixed in a separate commit "compat_ioctl: don't call do_ioctl under set_fs(KERNEL_DS)". This change mitigates potential security issues by preventing a race that permits invocation of unlocked_ioctl handlers under KERNEL_DS through compat code even if a corresponding compat_ioctl handler exists. So far, no way has been identified to use this to damage kernel memory without having CAP_SYS_ADMIN in the init ns (with the capability, doing reads/writes at arbitrary kernel addresses should be easy through CUSE's ioctl handler with FUSE_IOCTL_UNRESTRICTED set). [AV: two missed sys_ioctl() taken care of] Signed-off-by:
-
- 06 Jan, 2016 8 commits
-
-
Dmitry Monakhov authored
Signed-off-by:
Dmitry Monakhov <dmonakhov@openvz.org> Signed-off-by:
-
Dmitry Monakhov authored
This allow to directly print block_device name. Currently one should use bdevname() with temporal char buffer. This is very ineffective because bloat stack usage for deep IO call-traces Example: %pg -> sda, sda1 or loop0p1 [AV: fixed a minor braino - position updates should not be dependent upon having reached the of buffer] Signed-off-by:
-
Dmitry Monakhov authored
gendisk with part==0 is obviously gendisk->disk_name. Signed-off-by:
-
Mateusz Guzik authored
Number of fds is already known based on passed list. No functional changes. Signed-off-by:
Mateusz Guzik <mguzik@redhat.com> Signed-off-by:
-
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
[folded a fix by Dan Carpenter] Signed-off-by:
-
- 04 Jan, 2016 22 commits
-
-
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
... rather than play with __get_free_pages() (and figuring out the allocation order, etc.) Signed-off-by: -
Al Viro authored
get_zeroed_page does alloc_page and returns page_address of the result; subsequent virt_to_page will recover the page, but since the caller needs both page and its page_address() anyway, why bother going through that wrapper at all? Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
... so virt_to_phys(p) & (PAGE_SIZE - 1) is a very odd way to spell offset_in_page(p). Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
let it just return NULL, pointer to kernel copy or ERR_PTR(). Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
When __get_user64() had been removed, its helper (__get_user64_nocheck) got missed. Signed-off-by: -
Al Viro authored
they hadn't been used in last 15 years... Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
Signed-off-by: -
Al Viro authored
all we do to buffer is strncmp()... Signed-off-by: -
Al Viro authored
again, it only parses the contents of the copied buffer, so get_zeroed_page() might as well had been kmalloc(), which makes it open-coded memdup_user_nul() Signed-off-by: -
Al Viro authored
Nothing in there gives a damn about the buffer alignment - it just parses its contents. So the use of get_zeroed_page() doesn't buy us anything - might as well had been kmalloc(), which makes that code equivalent to open-coded memdup_user_nul() Signed-off-by: -
Al Viro authored
A _lot_ of ->write() instances were open-coding it; some are converted to memdup_user_nul(), a lot more remain... Signed-off-by: -
Al Viro authored
-
Al Viro authored
Similar to memdup_user(), except that allocated buffer is one byte longer and '\0' is stored after the copied data. Signed-off-by:
-
- 03 Jan, 2016 3 commits
-
-
Linus Torvalds authored
-
git://git.linux-mips.org/pub/scm/ralf/upstream-linusLinus Torvalds authored
Pull MIPS build fix from Ralf Baechle: "Fix a makefile issue resulting in build breakage with older binutils. This has sat in -next for a few days, testers and buildbot are happy with it, too though if you are going for another -rc that'd certainly help ironing out a few more issues" * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: VDSO: Fix build error with binutils 2.24 and earlier
-
git://anongit.freedesktop.org/drm-intelLinus Torvalds authored
Pull i915 drm fixes from Jani Nikula: "Two display fixes still for v4.4. The new year's resolution is to start using signed tags per Linus' request. This one is still unsigned; I want to fix this up in our maintainer scripts instead of doing it one-off" * tag 'drm-intel-fixes-2016-01-02' of git://anongit.freedesktop.org/drm-intel: drm/i915: increase the tries for HDMI hotplug live status checking drm/i915: Unbreak check_digital_port_conflicts()
-
- 31 Dec, 2015 3 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pciLinus Torvalds authored
Pull PCI bugfix from Bjorn Helgaas: "Here's another fix for v4.4. This fixes 32-bit config reads for the HiSilicon driver. Obviously the driver is completely broken without this fix (apparently it actually was tested internally, but got broken somehow in the process of upstreaming it). Summary: HiSilicon host bridge driver Fix 32-bit config reads (Dongdong Liu)" * tag 'pci-v4.4-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI: hisi: Fix hisi_pcie_cfg_read() 32-bit reads -
git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparcLinus Torvalds authored
Pull sparc fixes from David Miller: "Just some missing syscall wire ups" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc: Wire up mlock2 system call. sparc: Add all necessary direct socket system calls.
-
git://git.kernel.org/pub/scm/linux/kernel/git/davem/netLinus Torvalds authored
Pull networking fixes from David Miller: 1) Prevent XFRM per-cpu counter updates for one namespace from being applied to another namespace. Fix from DanS treetman. 2) Fix RCU de-reference in iwl_mvm_get_key_sta_id(), from Johannes Berg. 3) Remove ethernet header assumption in nft_do_chain_netdev(), from Pablo Neira Ayuso. 4) Fix cpsw PHY ident with multiple slaves and fixed-phy, from Pascal Speck. 5) Fix use after free in sixpack_close and mkiss_close. 6) Fix VXLAN fw assertion on bnx2x, from Yuval Mintz. 7) natsemi doesn't check for DMA mapping errors, from Alexey Khoroshilov. 8) Fix inverted test in ip6addrlbl_get(), from ANdrey Ryabinin. 9) Missing initialization of needed_headroom in geneve tunnel driver, from Paolo Abeni. 10) Fix conntrack template leak in openvswitch, from Joe Stringer. 11) Mission initialization of wq->flags in sock_alloc_inode(), from Nicolai Stange. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (35 commits) sctp: sctp should release assoc when sctp_make_abort_user return NULL in sctp_close net, socket, socket_wq: fix missing initialization of flags drivers: net: cpsw: fix error return code openvswitch: Fix template leak in error cases. sctp: label accepted/peeled off sockets sctp: use GFP_USER for user-controlled kmalloc qlcnic: fix a loop exit condition better net: cdc_ncm: avoid changing RX/TX buffers on MTU changes geneve: initialize needed_headroom ipv6: honor ifindex in case we receive ll addresses in router advertisements addrconf: always initialize sysctl table data ipv6/addrlabel: fix ip6addrlbl_get() switchdev: bridge: Pass ageing time as clock_t instead of jiffies sh_eth: fix 16-bit descriptor field access endianness too veth: don’t modify ip_summed; doing so treats packets with bad checksums as good. net: usb: cdc_ncm: Adding Dell DW5813 LTE AT&T Mobile Broadband Card net: usb: cdc_ncm: Adding Dell DW5812 LTE Verizon Mobile Broadband Card natsemi: add checks for dma mapping errors rhashtable: Kill harmless RCU warning in rhashtable_walk_init openvswitch: correct encoding of set tunnel action attributes ...
-
