1 files changed, 78 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch
new file mode 100644
index 00000000..e6d6ac03
--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch
@@ -0,0 +1,78 @@
+From 636e8de47aae86650672a0065eb401e918544d34 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <levinsasha928@gmail.com>
+Date: Thu, 5 Apr 2012 12:07:45 +0000
+Subject: [PATCH 064/165] phonet: Check input from user before allocating
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+[ Upstream commit bcf1b70ac6eb0ed8286c66e6bf37cb747cbaa04c ]
+A phonet packet is limited to USHRT_MAX bytes, this is never checked during
+tx which means that the user can specify any size he wishes, and the kernel
+will attempt to allocate that size.
+In the good case, it'll lead to the following warning, but it may also cause
+the kernel to kick in the OOM and kill a random task on the server.
+[ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
+[ 8921.749770] Pid: 5081, comm: trinity Tainted: G        W    3.4.0-rc1-next-20120402-sasha #46
+[ 8921.756672] Call Trace:
+[ 8921.758185]  [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
+[ 8921.762868]  [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
+[ 8921.765399]  [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
+[ 8921.769226]  [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
+[ 8921.771686]  [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
+[ 8921.773919]  [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
+[ 8921.776248]  [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
+[ 8921.778294]  [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
+[ 8921.780847]  [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
+[ 8921.783179]  [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
+[ 8921.784971]  [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
+[ 8921.787111]  [<ffffffff821b002e>] ? release_sock+0x7e/0x90
+[ 8921.788973]  [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
+[ 8921.791052]  [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
+[ 8921.792931]  [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
+[ 8921.794917]  [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
+[ 8921.797053]  [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
+[ 8921.798992]  [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
+[ 8921.801395]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
+[ 8921.803501]  [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
+[ 8921.805505]  [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
+[ 8921.807860]  [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
+[ 8921.809986]  [<ffffffff811958e7>] ? might_fault+0x97/0xa0
+[ 8921.811998]  [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
+[ 8921.814595]  [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
+[ 8921.816702]  [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
+[ 8921.818819]  [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
+[ 8921.820863]  [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
+[ 8921.823318]  [<ffffffff811e1926>] vfs_writev+0x46/0x60
+[ 8921.825219]  [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
+[ 8921.827127]  [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
+[ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---
+Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
+Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ net/phonet/pep.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 2ba6e9f..007546d 100644
+--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
+@@ -1046,6 +1046,9 @@ static int pep_sendmsg(struct kiocb *iocb, struct sock *sk,
+        int flags = msg->msg_flags;
+        int err, done;
+ 
+       if (len > USHRT_MAX)
+               return -EMSGSIZE;
+
+        if ((msg->msg_flags & ~(MSG_DONTWAIT|MSG_EOR|MSG_NOSIGNAL|
+                                MSG_CMSG_COMPAT)) ||
+                        !(msg->msg_flags & MSG_EOR))
+-- 
+1.7.7.6

diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch new file mode 100644 index 00000000..e6d6ac03 --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.17/0064-phonet-Check-input-from-user-before-allocating.patch
@@ -0,0 +1,78 @@
	1	From 636e8de47aae86650672a0065eb401e918544d34 Mon Sep 17 00:00:00 2001
	2	From: Sasha Levin <levinsasha928@gmail.com>
	3	Date: Thu, 5 Apr 2012 12:07:45 +0000
	4	Subject: [PATCH 064/165] phonet: Check input from user before allocating
	5	MIME-Version: 1.0
	6	Content-Type: text/plain; charset=UTF-8
	7	Content-Transfer-Encoding: 8bit
	8
	9	[ Upstream commit bcf1b70ac6eb0ed8286c66e6bf37cb747cbaa04c ]
	10
	11	A phonet packet is limited to USHRT_MAX bytes, this is never checked during
	12	tx which means that the user can specify any size he wishes, and the kernel
	13	will attempt to allocate that size.
	14
	15	In the good case, it'll lead to the following warning, but it may also cause
	16	the kernel to kick in the OOM and kill a random task on the server.
	17
	18	[ 8921.744094] WARNING: at mm/page_alloc.c:2255 __alloc_pages_slowpath+0x65/0x730()
	19	[ 8921.749770] Pid: 5081, comm: trinity Tainted: G W 3.4.0-rc1-next-20120402-sasha #46
	20	[ 8921.756672] Call Trace:
	21	[ 8921.758185] [<ffffffff810b2ba7>] warn_slowpath_common+0x87/0xb0
	22	[ 8921.762868] [<ffffffff810b2be5>] warn_slowpath_null+0x15/0x20
	23	[ 8921.765399] [<ffffffff8117eae5>] __alloc_pages_slowpath+0x65/0x730
	24	[ 8921.769226] [<ffffffff81179c8a>] ? zone_watermark_ok+0x1a/0x20
	25	[ 8921.771686] [<ffffffff8117d045>] ? get_page_from_freelist+0x625/0x660
	26	[ 8921.773919] [<ffffffff8117f3a8>] __alloc_pages_nodemask+0x1f8/0x240
	27	[ 8921.776248] [<ffffffff811c03e0>] kmalloc_large_node+0x70/0xc0
	28	[ 8921.778294] [<ffffffff811c4bd4>] __kmalloc_node_track_caller+0x34/0x1c0
	29	[ 8921.780847] [<ffffffff821b0e3c>] ? sock_alloc_send_pskb+0xbc/0x260
	30	[ 8921.783179] [<ffffffff821b3c65>] __alloc_skb+0x75/0x170
	31	[ 8921.784971] [<ffffffff821b0e3c>] sock_alloc_send_pskb+0xbc/0x260
	32	[ 8921.787111] [<ffffffff821b002e>] ? release_sock+0x7e/0x90
	33	[ 8921.788973] [<ffffffff821b0ff0>] sock_alloc_send_skb+0x10/0x20
	34	[ 8921.791052] [<ffffffff824cfc20>] pep_sendmsg+0x60/0x380
	35	[ 8921.792931] [<ffffffff824cb4a6>] ? pn_socket_bind+0x156/0x180
	36	[ 8921.794917] [<ffffffff824cb50f>] ? pn_socket_autobind+0x3f/0x90
	37	[ 8921.797053] [<ffffffff824cb63f>] pn_socket_sendmsg+0x4f/0x70
	38	[ 8921.798992] [<ffffffff821ab8e7>] sock_aio_write+0x187/0x1b0
	39	[ 8921.801395] [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
	40	[ 8921.803501] [<ffffffff8111842c>] ? __lock_acquire+0x42c/0x4b0
	41	[ 8921.805505] [<ffffffff821ab760>] ? __sock_recv_ts_and_drops+0x140/0x140
	42	[ 8921.807860] [<ffffffff811e07cc>] do_sync_readv_writev+0xbc/0x110
	43	[ 8921.809986] [<ffffffff811958e7>] ? might_fault+0x97/0xa0
	44	[ 8921.811998] [<ffffffff817bd99e>] ? security_file_permission+0x1e/0x90
	45	[ 8921.814595] [<ffffffff811e17e2>] do_readv_writev+0xe2/0x1e0
	46	[ 8921.816702] [<ffffffff810b8dac>] ? do_setitimer+0x1ac/0x200
	47	[ 8921.818819] [<ffffffff810e2ec1>] ? get_parent_ip+0x11/0x50
	48	[ 8921.820863] [<ffffffff810e325e>] ? sub_preempt_count+0xae/0xf0
	49	[ 8921.823318] [<ffffffff811e1926>] vfs_writev+0x46/0x60
	50	[ 8921.825219] [<ffffffff811e1a3f>] sys_writev+0x4f/0xb0
	51	[ 8921.827127] [<ffffffff82658039>] system_call_fastpath+0x16/0x1b
	52	[ 8921.829384] ---[ end trace dffe390f30db9eb7 ]---
	53
	54	Signed-off-by: Sasha Levin <levinsasha928@gmail.com>
	55	Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
	56	Signed-off-by: David S. Miller <davem@davemloft.net>
	57	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	58	---
	59	net/phonet/pep.c \| 3 +++
	60	1 files changed, 3 insertions(+), 0 deletions(-)
	61
	62	diff --git a/net/phonet/pep.c b/net/phonet/pep.c
	63	index 2ba6e9f..007546d 100644
	64	--- a/net/phonet/pep.c
	65	+++ b/net/phonet/pep.c
	66	@@ -1046,6 +1046,9 @@ static int pep_sendmsg(struct kiocb iocb, struct sock sk,
	67	int flags = msg->msg_flags;
	68	int err, done;
	69
	70	+ if (len > USHRT_MAX)
	71	+ return -EMSGSIZE;
	72	+
	73	if ((msg->msg_flags & ~(MSG_DONTWAIT\|MSG_EOR\|MSG_NOSIGNAL\|
	74	MSG_CMSG_COMPAT)) \|\|
	75	!(msg->msg_flags & MSG_EOR))
	76	--
	77	1.7.7.6
	78