authorJosh Boyer <jwboyer@redhat.com>2013-03-15 08:13:33 -0400
committerJosh Boyer <jwboyer@redhat.com>2013-03-15 08:16:05 -0400
commit73964d96a7a08f2de053d783efe97d3dd1a690a5 (patch)
treecc6d9ad14f229b3f2555d914ae1f42e9f5d43e6d
parent930f97403625d26472e5637bc203ac01205cc078 (diff)
Linux v3.9-rc2-292-ga2362d2
- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
-rw-r--r--alps-v2.patch248
-rw-r--r--kernel.spec32
-rw-r--r--keys-fix-race-with-concurrent-install_user_keyrings.patch15
-rw-r--r--mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch37
-rw-r--r--serial-8250-Keep-8250.-xxxx-module-options-functiona.patch63
-rw-r--r--signal-always-clear-sa_restorer-on-execve.patch113
-rw-r--r--sources1
7 files changed, 7 insertions, 502 deletions
diff --git a/alps-v2.patch b/alps-v2.patch
deleted file mode 100644
index bdb57067e..000000000
--- a/alps-v2.patch
+++ /dev/null
@@ -1,248 +0,0 @@
-From db7192fa07fa5c70c9849d8f658a7ff696cff99d Mon Sep 17 00:00:00 2001
-From: Kevin Cernekee <cernekee@gmail.com>
-Date: Sat, 16 Feb 2013 22:40:03 -0800
-Subject: [PATCH 14/15] Input: ALPS - Remove unused argument to
- alps_enter_command_mode()
-
-Now that alps_identify() explicitly issues an EC report using
-alps_rpt_cmd(), we no longer need to look at the magic numbers returned
-by alps_enter_command_mode().
-
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- drivers/input/mouse/alps.c | 18 +++++++-----------
- 1 file changed, 7 insertions(+), 11 deletions(-)
-
-diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
-index 7b99fc7..9c97531 100644
---- a/drivers/input/mouse/alps.c
-+++ b/drivers/input/mouse/alps.c
-@@ -994,8 +994,7 @@ static int alps_rpt_cmd(struct psmouse *psmouse, int init_command,
- return 0;
- }
-
--static int alps_enter_command_mode(struct psmouse *psmouse,
-- unsigned char *resp)
-+static int alps_enter_command_mode(struct psmouse *psmouse)
- {
- unsigned char param[4];
-
-@@ -1009,9 +1008,6 @@ static int alps_enter_command_mode(struct psmouse *psmouse,
- "unknown response while entering command mode\n");
- return -1;
- }
--
-- if (resp)
-- *resp = param[2];
- return 0;
- }
-
-@@ -1176,7 +1172,7 @@ static int alps_passthrough_mode_v3(struct psmouse *psmouse,
- {
- int reg_val, ret = -1;
-
-- if (alps_enter_command_mode(psmouse, NULL))
-+ if (alps_enter_command_mode(psmouse))
- return -1;
-
- reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x0008);
-@@ -1216,7 +1212,7 @@ static int alps_probe_trackstick_v3(struct psmouse *psmouse, int reg_base)
- {
- int ret = -EIO, reg_val;
-
-- if (alps_enter_command_mode(psmouse, NULL))
-+ if (alps_enter_command_mode(psmouse))
- goto error;
-
- reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x08);
-@@ -1279,7 +1275,7 @@ static int alps_setup_trackstick_v3(struct psmouse *psmouse, int reg_base)
- * supported by this driver. If bit 1 isn't set the packet
- * format is different.
- */
-- if (alps_enter_command_mode(psmouse, NULL) ||
-+ if (alps_enter_command_mode(psmouse) ||
- alps_command_mode_write_reg(psmouse,
- reg_base + 0x08, 0x82) ||
- alps_exit_command_mode(psmouse))
-@@ -1306,7 +1302,7 @@ static int alps_hw_init_v3(struct psmouse *psmouse)
- alps_setup_trackstick_v3(psmouse, ALPS_REG_BASE_PINNACLE) == -EIO)
- goto error;
-
-- if (alps_enter_command_mode(psmouse, NULL) ||
-+ if (alps_enter_command_mode(psmouse) ||
- alps_absolute_mode_v3(psmouse)) {
- psmouse_err(psmouse, "Failed to enter absolute mode\n");
- goto error;
-@@ -1381,7 +1377,7 @@ static int alps_hw_init_rushmore_v3(struct psmouse *psmouse)
- priv->flags &= ~ALPS_DUALPOINT;
- }
-
-- if (alps_enter_command_mode(psmouse, NULL) ||
-+ if (alps_enter_command_mode(psmouse) ||
- alps_command_mode_read_reg(psmouse, 0xc2d9) == -1 ||
- alps_command_mode_write_reg(psmouse, 0xc2cb, 0x00))
- goto error;
-@@ -1431,7 +1427,7 @@ static int alps_hw_init_v4(struct psmouse *psmouse)
- struct ps2dev *ps2dev = &psmouse->ps2dev;
- unsigned char param[4];
-
-- if (alps_enter_command_mode(psmouse, NULL))
-+ if (alps_enter_command_mode(psmouse))
- goto error;
-
- if (alps_absolute_mode_v4(psmouse)) {
---
-1.8.1.2
-
-
-From 10740a25bb3b895b5de7773f926a978416b38409 Mon Sep 17 00:00:00 2001
-From: Dave Turvene <dturvene@dahetral.com>
-Date: Sat, 16 Feb 2013 22:40:04 -0800
-Subject: [PATCH 15/15] Input: ALPS - Add "Dolphin V1" touchpad support
-
-These touchpads use a different protocol; they have been seen on Dell
-N5110, Dell 17R SE, and others.
-
-The official ALPS driver identifies them by looking for an exact match
-on the E7 report: 73 03 50. Dolphin V1 returns an EC report of
-73 01 xx (02 and 0d have been seen); Dolphin V2 returns an EC report of
-73 02 xx (02 has been seen).
-
-Dolphin V2 probably needs a different initialization sequence and/or
-report parser, so it is left for a future commit.
-
-Signed-off-by: Dave Turvene <dturvene@dahetral.com>
-Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
----
- drivers/input/mouse/alps.c | 67 ++++++++++++++++++++++++++++++++++++++++++++--
- drivers/input/mouse/alps.h | 1 +
- 2 files changed, 66 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c
-index 9c97531..0238e0e 100644
---- a/drivers/input/mouse/alps.c
-+++ b/drivers/input/mouse/alps.c
-@@ -490,6 +490,29 @@ static void alps_decode_rushmore(struct alps_fields *f, unsigned char *p)
- f->y_map |= (p[5] & 0x20) << 6;
- }
-
-+static void alps_decode_dolphin(struct alps_fields *f, unsigned char *p)
-+{
-+ f->first_mp = !!(p[0] & 0x02);
-+ f->is_mp = !!(p[0] & 0x20);
-+
-+ f->fingers = ((p[0] & 0x6) >> 1 |
-+ (p[0] & 0x10) >> 2);
-+ f->x_map = ((p[2] & 0x60) >> 5) |
-+ ((p[4] & 0x7f) << 2) |
-+ ((p[5] & 0x7f) << 9) |
-+ ((p[3] & 0x07) << 16) |
-+ ((p[3] & 0x70) << 15) |
-+ ((p[0] & 0x01) << 22);
-+ f->y_map = (p[1] & 0x7f) |
-+ ((p[2] & 0x1f) << 7);
-+
-+ f->x = ((p[1] & 0x7f) | ((p[4] & 0x0f) << 7));
-+ f->y = ((p[2] & 0x7f) | ((p[4] & 0xf0) << 3));
-+ f->z = (p[0] & 4) ? 0 : p[5] & 0x7f;
-+
-+ alps_decode_buttons_v3(f, p);
-+}
-+
- static void alps_process_touchpad_packet_v3(struct psmouse *psmouse)
- {
- struct alps_data *priv = psmouse->private;
-@@ -874,7 +897,8 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse)
- }
-
- /* Bytes 2 - pktsize should have 0 in the highest bit */
-- if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
-+ if (priv->proto_version != ALPS_PROTO_V5 &&
-+ psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize &&
- (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) {
- psmouse_dbg(psmouse, "refusing packet[%i] = %x\n",
- psmouse->pktcnt - 1,
-@@ -1003,7 +1027,8 @@ static int alps_enter_command_mode(struct psmouse *psmouse)
- return -1;
- }
-
-- if (param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) {
-+ if ((param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) &&
-+ param[0] != 0x73) {
- psmouse_dbg(psmouse,
- "unknown response while entering command mode\n");
- return -1;
-@@ -1495,6 +1520,23 @@ error:
- return -1;
- }
-
-+static int alps_hw_init_dolphin_v1(struct psmouse *psmouse)
-+{
-+ struct ps2dev *ps2dev = &psmouse->ps2dev;
-+ unsigned char param[2];
-+
-+ /* This is dolphin "v1" as empirically defined by florin9doi */
-+ param[0] = 0x64;
-+ param[1] = 0x28;
-+
-+ if (ps2_command(ps2dev, NULL, PSMOUSE_CMD_SETSTREAM) ||
-+ ps2_command(ps2dev, &param[0], PSMOUSE_CMD_SETRATE) ||
-+ ps2_command(ps2dev, &param[1], PSMOUSE_CMD_SETRATE))
-+ return -1;
-+
-+ return 0;
-+}
-+
- static void alps_set_defaults(struct alps_data *priv)
- {
- priv->byte0 = 0x8f;
-@@ -1528,6 +1570,21 @@ static void alps_set_defaults(struct alps_data *priv)
- priv->nibble_commands = alps_v4_nibble_commands;
- priv->addr_command = PSMOUSE_CMD_DISABLE;
- break;
-+ case ALPS_PROTO_V5:
-+ priv->hw_init = alps_hw_init_dolphin_v1;
-+ priv->process_packet = alps_process_packet_v3;
-+ priv->decode_fields = alps_decode_dolphin;
-+ priv->set_abs_params = alps_set_abs_params_mt;
-+ priv->nibble_commands = alps_v3_nibble_commands;
-+ priv->addr_command = PSMOUSE_CMD_RESET_WRAP;
-+ priv->byte0 = 0xc8;
-+ priv->mask0 = 0xc8;
-+ priv->flags = 0;
-+ priv->x_max = 1360;
-+ priv->y_max = 660;
-+ priv->x_bits = 23;
-+ priv->y_bits = 12;
-+ break;
- }
- }
-
-@@ -1588,6 +1645,12 @@ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv)
-
- if (alps_match_table(psmouse, priv, e7, ec) == 0) {
- return 0;
-+ } else if (e7[0] == 0x73 && e7[1] == 0x03 && e7[2] == 0x50 &&
-+ ec[0] == 0x73 && ec[1] == 0x01) {
-+ priv->proto_version = ALPS_PROTO_V5;
-+ alps_set_defaults(priv);
-+
-+ return 0;
- } else if (ec[0] == 0x88 && ec[1] == 0x08) {
- priv->proto_version = ALPS_PROTO_V3;
- alps_set_defaults(priv);
-diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h
-index 9704805..eee5985 100644
---- a/drivers/input/mouse/alps.h
-+++ b/drivers/input/mouse/alps.h
-@@ -16,6 +16,7 @@
- #define ALPS_PROTO_V2 2
- #define ALPS_PROTO_V3 3
- #define ALPS_PROTO_V4 4
-+#define ALPS_PROTO_V5 5
-
- /**
- * struct alps_model_info - touchpad ID table
---
-1.8.1.2
-
diff --git a/kernel.spec b/kernel.spec
index 99536cea4..bd182bf27 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -62,7 +62,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
-%global baserelease 3
+%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@@ -95,7 +95,7 @@ Summary: The Linux kernel
# The rc snapshot level
%define rcrev 2
# The git snapshot level
-%define gitrev 0
+%define gitrev 1
# Set rpm version accordingly
%define rpmversion 3.%{upstream_sublevel}.0
%endif
@@ -724,27 +724,15 @@ Patch21247: ath9k_rx_dma_stop_check.patch
#rhbz 844750
Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
-#rhbz 812111
-Patch21260: alps-v2.patch
-
#rhbz 903192
Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 914737
Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
-# CVE-2013-1792 rhbz 916646,919021
-Patch21267: keys-fix-race-with-concurrent-install_user_keyrings.patch
-
#rhbz 857954
Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch
-#rhbz 911771
-Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
-
-#CVE-2013-0914 rhbz 920499 920510
-Patch21270: signal-always-clear-sa_restorer-on-execve.patch
-
#CVE-2013-0913 rhbz 920471 920529
Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -1434,27 +1422,15 @@ ApplyPatch ath9k_rx_dma_stop_check.patch
#rhbz 844750
ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch
-#rhbz 812111
-ApplyPatch alps-v2.patch
-
#rhbz 903192
ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch
#rhbz 914737
ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch
-# CVE-2013-1792 rhbz 916646,919021
-ApplyPatch keys-fix-race-with-concurrent-install_user_keyrings.patch
-
#rhbz 857954
ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch
-#rhbz 911771
-ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
-
-#CVE-2013-0914 rhbz 920499 920510
-ApplyPatch signal-always-clear-sa_restorer-on-execve.patch
-
#CVE-2013-0913 rhbz 920471 920529
ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -2303,6 +2279,10 @@ fi
# ||----w |
# || ||
%changelog
+* Fri Mar 15 2013 Josh Boyer <jwboyer@redhat.com> - 3.9.0-0.rc2.git1.1
+- Linux v3.9-rc2-292-ga2362d2
+- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device
+
* Thu Mar 14 2013 Dave Jones <davej@redhat.com>
- Move cpufreq drivers to be modular (rhbz 746372)
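Review bot: The changelog entry added in the `%changelog` hunk records only the CVE-2013-1860 fix carried by the new snapshot, but says nothing about the patches this commit stops applying: the hunks at `@@ -724,27 +724,15 @@` and `@@ -1434,27 +1422,15 @@` drop alps-v2.patch, keys-fix-race-with-concurrent-install_user_keyrings.patch (tagged CVE-2013-1792), serial-8250-Keep-8250.-xxxx-module-options-functiona.patch and signal-always-clear-sa_restorer-on-execve.patch (tagged CVE-2013-0914), and the mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch section below trims its first commit. Presumably these are removed because they are now contained in v3.9-rc2-292-ga2362d2, but a reader of the spec cannot confirm from the changelog that the two CVE fixes are still applied rather than lost. Add a line such as `- Drop patches merged upstream (alps-v2, CVE-2013-1792 keys race, serial-8250 module options, CVE-2013-0914 sa_restorer, mac80211 idle fix)` beneath the CVE-2013-1860 line so the security fixes that remain in the build stay traceable from the package history.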
diff --git a/keys-fix-race-with-concurrent-install_user_keyrings.patch b/keys-fix-race-with-concurrent-install_user_keyrings.patch
deleted file mode 100644
index ba7b30a6d..000000000
--- a/keys-fix-race-with-concurrent-install_user_keyrings.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
-index 58dfe08..c5ec083 100644
---- a/security/keys/process_keys.c
-+++ b/security/keys/process_keys.c
-@@ -57,7 +57,7 @@ int install_user_keyrings(void)
-
- kenter("%p{%u}", user, uid);
-
-- if (user->uid_keyring) {
-+ if (user->uid_keyring && user->session_keyring) {
- kleave(" = 0 [exist]");
- return 0;
- }
-
- \ No newline at end of file
diff --git a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
index 81090e3ec..7d49d9834 100644
--- a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
+++ b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch
@@ -1,40 +1,3 @@
-commit 801d929ca7d935ee199fd61d8ef914f51e892270
-Author: Felix Fietkau <nbd@openwrt.org>
-Date: Sat Mar 2 19:05:47 2013 +0100
-
- mac80211: another fix for idle handling in monitor mode
-
- When setting a monitor interface up or down, the idle state needs to be
- recalculated, otherwise the hardware will just stay in its previous idle
- state.
-
- Signed-off-by: Felix Fietkau <nbd@openwrt.org>
- Signed-off-by: Johannes Berg <johannes.berg@intel.com>
-
-diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
-index 640afab..baaa860 100644
---- a/net/mac80211/iface.c
-+++ b/net/mac80211/iface.c
-@@ -541,6 +541,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
-
- ieee80211_adjust_monitor_flags(sdata, 1);
- ieee80211_configure_filter(local);
-+ mutex_lock(&local->mtx);
-+ ieee80211_recalc_idle(local);
-+ mutex_unlock(&local->mtx);
-
- netif_carrier_on(dev);
- break;
-@@ -812,6 +815,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
-
- ieee80211_adjust_monitor_flags(sdata, -1);
- ieee80211_configure_filter(local);
-+ mutex_lock(&local->mtx);
-+ ieee80211_recalc_idle(local);
-+ mutex_unlock(&local->mtx);
- break;
- case NL80211_IFTYPE_P2P_DEVICE:
- /* relies on synchronize_rcu() below */
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index baaa860..7a3d675 100644
--- a/net/mac80211/iface.c
diff --git a/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch b/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
deleted file mode 100644
index b16be4417..000000000
--- a/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@redhat.com>
-Date: Fri, 8 Mar 2013 21:13:52 -0500
-Subject: [PATCH] serial: 8250: Keep 8250.<xxxx> module options functional
- after driver rename
-
-With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the
-8250 driver was renamed to 8250_core. This means any existing usage of
-the 8259.<xxxx> module parameters or as a kernel command line switch is
-now broken, as the 8250_core driver doesn't parse options belonging to
-something called "8250".
-
-To solve this, we redefine the module options in a dummy function using
-a redefined MODULE_PARAM_PREFX when built into the kernel. In the case
-where we're building as a module, we provide an alias to the old 8250
-name. The dummy function prevents compiler errors due to global variable
-redefinitions that happen as part of the module_param_ macro expansions.
-
-Signed-off-by: Josh Boyer <jwboyer@redhat.com>
----
- drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c
-index 0efc815..f982633 100644
---- a/drivers/tty/serial/8250/8250.c
-+++ b/drivers/tty/serial/8250/8250.c
-@@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444);
- MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA");
- #endif
- MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR);
-+
-+#ifndef MODULE
-+/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name
-+ * working as well for the module options so we don't break people. We
-+ * need to keep the names identical and the convenient macros will happily
-+ * refuse to let us do that by failing the build with redefinition errors
-+ * of global variables. So we stick them inside a dummy function to avoid
-+ * those conflicts. The options still get parsed, and the redefined
-+ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive.
-+ *
-+ * This is hacky. I'm sorry.
-+ */
-+static void __used s8250_options(void)
-+{
-+#undef MODULE_PARAM_PREFIX
-+#define MODULE_PARAM_PREFIX "8250."
-+
-+ module_param_cb(share_irqs, &param_ops_uint, &share_irqs, 0644);
-+ module_param_cb(nr_uarts, &param_ops_uint, &nr_uarts, 0644);
-+ module_param_cb(skip_txen_test, &param_ops_uint, &skip_txen_test, 0644);
-+#ifdef CONFIG_SERIAL_8250_RSA
-+ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa,
-+ &param_array_ops, .arr = &__param_arr_probe_rsa,
-+ 0444, -1);
-+#endif
-+}
-+#else
-+MODULE_ALIAS("8250");
-+#endif
---
-1.8.1.2
-
diff --git a/signal-always-clear-sa_restorer-on-execve.patch b/signal-always-clear-sa_restorer-on-execve.patch
deleted file mode 100644
index feb005c44..000000000
--- a/signal-always-clear-sa_restorer-on-execve.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-
-Delivered-To: jwboyer@gmail.com
-Received: by 10.76.169.233 with SMTP id ah9csp99159oac;
- Mon, 11 Mar 2013 13:14:17 -0700 (PDT)
-X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671;
- Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
-Return-Path: <linux-kernel-owner@vger.kernel.org>
-Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
- by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10;
- Mon, 11 Mar 2013 13:14:16 -0700 (PDT)
-Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
-Authentication-Results: mx.google.com;
- spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S1754069Ab3CKUN4 (ORCPT <rfc822;cpulmkl@gmail.com> + 99 others);
- Mon, 11 Mar 2013 16:13:56 -0400
-Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net"
- rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
- id S1753913Ab3CKUN4 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
- Mon, 11 Mar 2013 16:13:56 -0400
-Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2])
- by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201;
- Mon, 11 Mar 2013 13:13:43 -0700
-Date: Mon, 11 Mar 2013 13:13:42 -0700
-From: Kees Cook <keescook@chromium.org>
-To: linux-kernel@vger.kernel.org
-Cc: Al Viro <viro@zeniv.linux.org.uk>, Oleg Nesterov <oleg@redhat.com>,
- Andrew Morton <akpm@linux-foundation.org>,
- "Eric W. Biederman" <ebiederm@xmission.com>,
- Serge Hallyn <serge.hallyn@canonical.com>,
- Emese Revfy <re.emese@gmail.com>,
- PaX Team <pageexec@freemail.hu>, jln@google.com
-Subject: [PATCH v2] signal: always clear sa_restorer on execve
-Message-ID: <20130311201342.GA19824@www.outflux.net>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=us-ascii
-Content-Disposition: inline
-X-MIMEDefang-Filter: outflux$Revision: 1.316 $
-X-HELO: www.outflux.net
-X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1
-Sender: linux-kernel-owner@vger.kernel.org
-Precedence: bulk
-List-ID: <linux-kernel.vger.kernel.org>
-X-Mailing-List: linux-kernel@vger.kernel.org
-
-When the new signal handlers are set up, the location of sa_restorer
-is not cleared, leaking a parent process's address space location to
-children. This allows for a potential bypass of the parent's ASLR by
-examining the sa_restorer value returned when calling sigaction().
-
-Based on what should be considered "secret" about addresses, it only
-matters across the exec not the fork (since the VMAs haven't changed
-until the exec). But since exec sets SIG_DFL and keeps sa_restorer,
-this is where it should be fixed.
-
-Given the few uses of sa_restorer, a "set" function was not written
-since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER,
-as already done in other places.
-
-Example of the leak before applying this patch:
-
-$ cat /proc/$$/maps
-...
-7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
-...
-$ ./leak
-...
-7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so
-...
-1 0 (nil) 0x7fb9f30b94a0
-2 4000000 (nil) 0x7f278bcaa4a0
-3 4000000 (nil) 0x7f278bcaa4a0
-4 0 (nil) 0x7fb9f30b94a0
-...
-
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Reported-by: Emese Revfy <re.emese@gmail.com>
-Cc: Emese Revfy <re.emese@gmail.com>
-Cc: PaX Team <pageexec@freemail.hu>
-Cc: stable@vger.kernel.org
----
-v2:
- - clarify commit, explain use of #ifdef.
----
- kernel/signal.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/kernel/signal.c b/kernel/signal.c
-index 2ec870a..8c8e3ca 100644
---- a/kernel/signal.c
-+++ b/kernel/signal.c
-@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default)
- if (force_default || ka->sa.sa_handler != SIG_IGN)
- ka->sa.sa_handler = SIG_DFL;
- ka->sa.sa_flags = 0;
-+#ifdef __ARCH_HAS_SA_RESTORER
-+ ka->sa.sa_restorer = NULL;
-+#endif
- sigemptyset(&ka->sa.sa_mask);
- ka++;
- }
---
-1.7.9.5
-
-
---
-Kees Cook
-Chrome OS Security
---
-To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
-the body of a message to majordomo@vger.kernel.org
-More majordomo info at http://vger.kernel.org/majordomo-info.html
-Please read the FAQ at http://www.tux.org/lkml/
diff --git a/sources b/sources
index 64b1211ea..aae0bfacb 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz
519f8799f8cf9aae2f05ba8fadc43bd1 patch-3.9-rc2.xz
+813d50e12eb677a04e4a2743cc54242d patch-3.9-rc2-git1.xz