Signed-off-by: Stefan Bader <email address hidden>
546c437... by Matthias Hopf <email address hidden>
Only allow access to DRM_I915_HWS_ADDR ioctl() for Xserver.
CVE-2008-383
The i915_set_status_page() function of the i915 kernel driver calls ioremap
with an address offset that is supplied by userspace via ioctl.
The function zeroes the mapped memory via memset and tells the hardware about
the address. Turns out that access to that ioctl is not restricted to root so
users could probably exploit that to do nasty things. We haven't tried to
write actual exploit code though.
Signed-off-by: Stefan Bader <email address hidden>
bb6c05d... by "J. Bruce Fields" <email address hidden>
Thanks to Johann Dahm and David Richter for bug report and testing.
Signed-off-by: J. Bruce Fields <email address hidden>
Cc: David Richter <email address hidden>
Tested-by: Johann Dahm <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
SuSE's insserve initscript ordering program hits kernel BUG at mm/shmem.c:814
on 2.6.26. It's using posix_fadvise on directories, and the shmem_readpage
method added in 2.6.23 is letting POSIX_FADV_WILLNEED allocate useless pages
to a tmpfs directory, incrementing i_blocks count but never decrementing it.
Fix this by assigning shmem_aops (pointing to readpage and writepage and
set_page_dirty) only when it's needed, on a regular file or a long symlink.
Many thanks to Kel for the outstanding bug report and steps to reproduce it.
There are missing capability checks in the following code:
1300 static int
1301 sbni_ioctl( struct net_device *dev, struct ifreq *ifr, int cmd)
1302 {
[...]
1319 case SIOCDEVRESINSTATS :
1320 if( current->euid != 0 ) /* root only */
1321 return -EPERM;
[...]
1336 case SIOCDEVSHWSTATE :
1337 if( current->euid != 0 ) /* root only */
1338 return -EPERM;
[...]
1357 case SIOCDEVENSLAVE :
1358 if( current->euid != 0 ) /* root only */
1359 return -EPERM;
[...]
1372 case SIOCDEVEMANSIPATE :
1373 if( current->euid != 0 ) /* root only */
1374 return -EPERM;
Here's my proposed fix:
Missing capability checks.
Signed-off-by: Eugene Teo <email address hidden>
Signed-off-by: David S. Miller <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
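The two privilege-gating commits above (the i915 HWS_ADDR restriction and the sbni euid-to-capability change) make the same point from different angles: an ioctl that can hand user-controlled values to hardware must be gated on the right privilege, and "euid == 0" is not the same predicate as "holds the relevant capability". The following userspace C model is an added example and is not code from either commit or from the kernel; `struct task`, `capable()`, the `drm_master` flag and the handler names are stand-ins chosen for illustration. The CAP_NET_ADMIN bit number follows linux/capability.h.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace model of the calling task (assumption: not the kernel's struct
 * task_struct, just the fields the two checks care about). */
#define CAP_NET_ADMIN (1ULL << 12)   /* bit number as in linux/capability.h */

struct task {
    uint32_t euid;          /* effective uid */
    uint64_t cap_effective; /* effective capability set as a bitmask */
    int drm_master;         /* stands in for the DRM master flag (the X server) */
};

/* Stand-in for the kernel's capable(): consult the effective set, not the uid. */
static int capable(const struct task *t, uint64_t cap)
{
    return (t->cap_effective & cap) != 0;
}

/* Before the sbni fix: privileged commands were gated on euid == 0. */
static int sbni_priv_ioctl_old(const struct task *t)
{
    if (t->euid != 0)       /* "root only" */
        return -EPERM;
    return 0;               /* would reset stats / enslave / etc. */
}

/* After the fix: gate on CAP_NET_ADMIN, the capability that actually covers
 * reconfiguring a network device. */
static int sbni_priv_ioctl_new(const struct task *t)
{
    if (!capable(t, CAP_NET_ADMIN))
        return -EPERM;
    return 0;
}

/* Model of restricting DRM_I915_HWS_ADDR to the DRM master: refuse before the
 * user-supplied address is used for anything (ioremap/memset are out of scope
 * here and represented by the comment only). */
static int i915_hws_addr_ioctl(const struct task *t, uint32_t user_addr)
{
    if (!t->drm_master)
        return -EPERM;
    (void)user_addr;        /* ... ioremap(base + user_addr), memset, program HW */
    return 0;
}

int main(void)
{
    /* Constructed callers (assumptions for the demo, not captured data). */
    struct task root_no_caps = { .euid = 0, .cap_effective = 0, .drm_master = 0 };
    struct task user_netadmin = { .euid = 1000, .cap_effective = CAP_NET_ADMIN, .drm_master = 0 };
    struct task xserver = { .euid = 0, .cap_effective = CAP_NET_ADMIN, .drm_master = 1 };

    printf("root without CAP_NET_ADMIN: old=%d new=%d\n",
           sbni_priv_ioctl_old(&root_no_caps), sbni_priv_ioctl_new(&root_no_caps));
    printf("uid 1000 with CAP_NET_ADMIN: old=%d new=%d\n",
           sbni_priv_ioctl_old(&user_netadmin), sbni_priv_ioctl_new(&user_netadmin));
    printf("HWS_ADDR from non-master: %d, from master: %d\n",
           i915_hws_addr_ioctl(&user_netadmin, 0x1000), i915_hws_addr_ioctl(&xserver, 0x1000));
    return 0;
}
```

The first two callers are the cases the euid test gets wrong in both directions: a uid-0 task whose capability set has been bounded (a container or a capability-dropping daemon) passes the old check but not the new one, while a non-root task granted CAP_NET_ADMIN through file capabilities is wrongly refused by the old check. The DRM handler shows the order that matters for the i915 bug: the privilege check sits before any use of the caller-supplied offset.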
This patch uses kzalloc to zero all of struct dio rather than manually
trying to track which fields we rely on being zero. It passed aio+dio
stress testing and some bug regression testing on ext3.
This patch was introduced by Linus in the conversation that led up to
Badari's minimal fix to manually zero .map_bh.b_state in commit:
6a648fa72161d1f6468dabd96c5d3c0db04f598a
It makes the code a bit smaller. Maybe a couple fewer cachelines to
load, if we're lucky:
text data bss dec hex filename
3285925 568506 1304616 5159047 4eb887 vmlinux
3285797 568506 1304616 5158919 4eb807 vmlinux.patched
I was unable to measure a stable difference in the number of cpu cycles
spent in blockdev_direct_IO() when pushing aio+dio 256K reads at
~340MB/s.
So the resulting intent of the patch isn't a performance gain but to
avoid exposing ourselves to the risk of finding another field like
.map_bh.b_state where we rely on zeroing but don't enforce it in the
code.
Signed-off-by: Zach Brown <email address hidden>
Signed-off-by: Linus Torvalds <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
Need to initialize map_bh.b_state to zero. Otherwise, in case of a faulty
user-buffer it's possible to go into dio_zero_block() and submit a page by
mistake - since it checks for buffer_new().