From patchwork Wed Jun  1 10:23:54 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [lucid/fsl-imx51,pull,request] First round of CVE fixes
Date: Wed, 01 Jun 2011 00:23:54 -0000
From: Paolo Pisati <paolo.pisati@canonical.com>
X-Patchwork-Id: 98165
Message-Id: <4DE6133A.9070000@canonical.com>
To: kernel-team@lists.ubuntu.com

The following changes since commit 50173a10506485bd731f62bcbd7c9410a1fb5b43:

  UBUNTU: Ubuntu-2.6.31-608.25 (2011-05-27 18:41:05 +0200)

are available in the git repository at:
  git://kernel.ubuntu.com/ppisati/ubuntu-lucid.git fsl-imx51

Andy Whitcroft (1):
      net: packet: fix information leak to userland, CVE-2010-3876

Dan Carpenter (1):
      gdth: integer overflow in ioctl

Dan Rosenberg (4):
      ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
      drivers/video/via/ioctl.c: prevent reading uninitialized stack memory
      sys_semctl: fix kernel stack leakage
      mpt2sas: prevent heap overflows and unchecked reads

John Hughes (1):
      x25: Patch to fix bug 15678 - x25 accesses fields beyond end of
packet.

Julien Tinnes (1):
      Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the
signal code

Kees Cook (2):
      net: ax25: fix information leak to userland harder, CVE-2010-3875
      net: clear heap allocations for privileged ethtool actions

Kulikov Vasiliy (1):
      net: tipc: fix information leak to userland, CVE-2010-3877

Linus Torvalds (4):
      net: fix rds_iovec page count overflow, CVE-2010-3865
      net: Truncate recvfrom and sendto length to INT_MAX.
      next_pidmap: fix overflow condition
      proc: do proper range check on readdir offset

Nelson Elhage (1):
      inet_diag: Make sure we actually run the same bytecode we audited,
CVE-2010-3880

Oleg Nesterov (2):
      posix-cpu-timers: workaround to suppress the problems with mt exec
      exec: make argv/envp memory visible to oom-killer

Oliver Hartkopp (2):
      can-bcm: fix minor heap overflow
      can: add missing socket check in can/raw release

Paolo Pisati (1):
      UBUNTU: Start new release

Roland Dreier (1):
      Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo

Timo Warns (1):
      fs/partitions/ldm.c: fix oops caused by corrupted partition table,
CVE-2011-1017

Vasiliy Kulikov (3):
      net: ax25: fix information leak to userland, CVE-2010-3875
      agp: fix arbitrary kernel memory writes
      agp: fix OOM and buffer overflow

andrew hendry (1):
      memory corruption in X.25 facilities parsing

 .../abi/{2.6.31-608.24 => 2.6.31-608.25}/abiname   |    0
 .../{2.6.31-608.24 => 2.6.31-608.25}/armel/imx51   |    0
 .../armel/imx51.modules                            |    0
 debian.fsl-imx51/changelog                         |    8 +++
 drivers/char/agp/generic.c                         |   19 ++++++--
 drivers/scsi/gdth.c                                |    8 +++
 drivers/scsi/mpt2sas/mpt2sas_ctl.c                 |   23 +++++++++-
 drivers/video/via/ioctl.c                          |    2 +
 fs/exec.c                                          |   28 +++++++++++-
 fs/partitions/ldm.c                                |   16 +++++--
 fs/proc/base.c                                     |    9 +++-
 include/linux/binfmts.h                            |    1 +
 include/linux/pid.h                                |    2 +-
 include/net/netlink.h                              |    2 +-
 include/net/x25.h                                  |    4 ++
 ipc/sem.c                                          |    2 +
 kernel/exit.c                                      |    8 +++
 kernel/pid.c                                       |    5 ++-
 kernel/signal.c                                    |   16 +++++--
 net/ax25/af_ax25.c                                 |    2 +-
 net/can/bcm.c                                      |    2 +-
 net/can/raw.c                                      |    7 +++-
 net/core/ethtool.c                                 |    2 +-
 net/ipv4/inet_diag.c                               |   27 +++++++-----
 net/packet/af_packet.c                             |    3 +-
 net/rds/rdma.c                                     |   11 +++++
 net/socket.c                                       |    4 ++
 net/tipc/socket.c                                  |    1 +
 net/x25/af_x25.c                                   |   47
+++++++++++++++++++-
 net/x25/x25_facilities.c                           |   20 ++++++--
 net/x25/x25_in.c                                   |   17 +++++--
 sound/pci/rme9652/hdsp.c                           |    1 +
 sound/pci/rme9652/hdspm.c                          |    1 +
 33 files changed, 251 insertions(+), 47 deletions(-)
 rename debian.fsl-imx51/abi/{2.6.31-608.24 => 2.6.31-608.25}/abiname (100%)
 rename debian.fsl-imx51/abi/{2.6.31-608.24 =>
2.6.31-608.25}/armel/imx51 (100%)
 rename debian.fsl-imx51/abi/{2.6.31-608.24 =>
2.6.31-608.25}/armel/imx51.modules (100%)


(sort-of) top down list of CVE closed in this pull:

CVE-2010-3876, CVE-2010-4157, CVE-2010-4080, CVE-2010-4081,
CVE-2010-4082, CVE-2010-4083, CVE-2011-1494, CVE-2011-1182,
CVE-2010-3875, CVE-2010-4655, CVE-2010-3877, CVE-2010-3865,
CVE-2010-3859, CVE-2011-1593, CVE-2010-3880, CVE-2010-4248,
CVE-2010-4243, CVE-2010-3874, CVE-2011-1748, CVE-2011-1017,
CVE-2010-3875, CVE-1011-2022, CVE-2011-1747, CVE-2010-3873

this one is not a CVE fix:

John Hughes (1):
x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.

but is needed for:

andrew hendry (1):
      memory corruption in X.25 facilities parsing

All the commits where cherry-picked from lucid, have the upstream sha,
contain the buglink and were previously acked by some of the kteam.

The release is still open since i'm going to push CVE fixes till the
next kernel cut.
Acked-by: Andy Whitcroft <apw@canonical.com>
Acked-by: by team members already.  In the main they are already released