git.pld-linux.org Git - packages/kernel.git/blob - kernel-small_fixes.patch
- security fix from upstream
1 --- linux-2.6.33/scripts/mod/modpost.c~ 2010-02-24 19:52:17.000000000 +0100
2 +++ linux-2.6.33/scripts/mod/modpost.c  2010-03-07 14:26:47.242168558 +0100
3 @@ -15,7 +15,8 @@
4  #include <stdio.h>
5  #include <ctype.h>
6  #include "modpost.h"
7 -#include "../../include/generated/autoconf.h"
8 +// PLD architectures don't use CONFIG_SYMBOL_PREFIX
9 +//#include "../../include/generated/autoconf.h"
10  #include "../../include/linux/license.h"
11  
12  /* Some toolchains use a `_' prefix for all user symbols. */
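Review bot: The added line `//#include "../../include/generated/autoconf.h"` leaves the disabled include behind as commented-out code; deleting it and keeping only the reason reads cleaner, for example `/* PLD: autoconf.h deliberately not included, no PLD architecture sets CONFIG_SYMBOL_PREFIX */`. With the header gone, every CONFIG_* macro is undefined while modpost.c is compiled. Judging by the context comment about `_'-prefixed toolchains, the symbol-prefix code below the hunk presumably falls back to an empty prefix. Any other CONFIG_* test in the file would change silently too, which should be confirmed against the part of the file outside this hunk. The surrounding code uses `/* */` comments, so the new `//` lines are also inconsistent with it.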
13
14 --- linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh~       2011-07-22 04:17:23.000000000 +0200
15 +++ linux-3.0/scripts/kconfig/lxdialog/check-lxdialog.sh        2011-08-25 21:26:04.799150642 +0200
16 @@ -9,6 +9,12 @@
17                         $cc -print-file-name=lib${lib}.${ext} | grep -q /
18                         if [ $? -eq 0 ]; then
19                                 echo "-l${lib}"
20 +                               for libt in tinfow tinfo ; do
21 +                                       $cc -print-file-name=lib${libt}.${ext} | grep -q /
22 +                                       if [ $? -eq 0 ]; then
23 +                                               echo "-l${libt}"
24 +                                       fi
25 +                               done
26                                 exit
27                         fi
28                 done
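Review bot: The added `for libt in tinfow tinfo` loop has no `break`, so when both libraries are found it prints `-ltinfow` and `-ltinfo` together. Adding `break` after `echo "-l${libt}"` would stop at the first match and hand the linker a single terminfo library in the stated preference order. The probe can also test the pipeline directly rather than through `$?`: `if $cc -print-file-name=lib${libt}.${ext} | grep -q /; then`. The loop reuses `${ext}`, presumably set by an enclosing loop that starts outside this hunk, so the tinfo lookup is tied to whichever extension matched the curses library; a one-line comment saying that is intended would help.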
29 From 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7 Mon Sep 17 00:00:00 2001
30 From: Jann Horn <jannh@google.com>
31 Date: Tue, 26 Apr 2016 22:26:26 +0200
32 Subject: bpf: fix double-fdput in replace_map_fd_with_map_ptr()
33
34 When bpf(BPF_PROG_LOAD, ...) was invoked with a BPF program whose bytecode
35 references a non-map file descriptor as a map file descriptor, the error
36 handling code called fdput() twice instead of once (in __bpf_map_get() and
37 in replace_map_fd_with_map_ptr()). If the file descriptor table of the
38 current task is shared, this causes f_count to be decremented too much,
39 allowing the struct file to be freed while it is still in use
40 (use-after-free). This can be exploited to gain root privileges by an
41 unprivileged user.
42
43 This bug was introduced in
44 commit 0246e64d9a5f ("bpf: handle pseudo BPF_LD_IMM64 insn"), but is only
45 exploitable since
46 commit 1be7f75d1668 ("bpf: enable non-root eBPF programs") because
47 previously, CAP_SYS_ADMIN was required to reach the vulnerable code.
48
49 (posted publicly according to request by maintainer)
50
51 Signed-off-by: Jann Horn <jannh@google.com>
52 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
53 Acked-by: Alexei Starovoitov <ast@kernel.org>
54 Acked-by: Daniel Borkmann <daniel@iogearbox.net>
55 Signed-off-by: David S. Miller <davem@davemloft.net>
56 ---
57  kernel/bpf/verifier.c | 1 -
58  1 file changed, 1 deletion(-)
59
60 diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
61 index 618ef77..db2574e 100644
62 --- a/kernel/bpf/verifier.c
63 +++ b/kernel/bpf/verifier.c
64 @@ -2030,7 +2030,6 @@ static int replace_map_fd_with_map_ptr(struct verifier_env *env)
65                         if (IS_ERR(map)) {
66                                 verbose("fd %d is not pointing to valid bpf_map\n",
67                                         insn->imm);
68 -                               fdput(f);
69                                 return PTR_ERR(map);
70                         }
71  
72 -- 
73 cgit v0.12
74