<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/security, branch linux-2.6.39.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>KEYS: Fix error handling in construct_key_and_link()</title>
<updated>2011-07-09T06:15:27+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2011-06-21T13:32:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=59ae4caf46efbdae86a3a1d23cee82b8a82d6a0f'/>
<id>59ae4caf46efbdae86a3a1d23cee82b8a82d6a0f</id>
<content type='text'>
commit b1d7dd80aadb9042e83f9778b484a2f92e0b04d4 upstream.

Fix error handling in construct_key_and_link().

If construct_alloc_key() returns an error, it shouldn't pass out through
the normal path as the key_serial() called by the kleave() statement
will oops when it gets an error code in the pointer:

  BUG: unable to handle kernel paging request at ffffffffffffff84
  IP: [&lt;ffffffff8120b401&gt;] request_key_and_link+0x4d7/0x52f
  ..
  Call Trace:
   [&lt;ffffffff8120b52c&gt;] request_key+0x41/0x75
   [&lt;ffffffffa00ed6e8&gt;] cifs_get_spnego_key+0x206/0x226 [cifs]
   [&lt;ffffffffa00eb0c9&gt;] CIFS_SessSetup+0x511/0x1234 [cifs]
   [&lt;ffffffffa00d9799&gt;] cifs_setup_session+0x90/0x1ae [cifs]
   [&lt;ffffffffa00d9c02&gt;] cifs_get_smb_ses+0x34b/0x40f [cifs]
   [&lt;ffffffffa00d9e05&gt;] cifs_mount+0x13f/0x504 [cifs]
   [&lt;ffffffffa00caabb&gt;] cifs_do_mount+0xc4/0x672 [cifs]
   [&lt;ffffffff8113ae8c&gt;] mount_fs+0x69/0x155
   [&lt;ffffffff8114ff0e&gt;] vfs_kern_mount+0x63/0xa0
   [&lt;ffffffff81150be2&gt;] do_kern_mount+0x4d/0xdf
   [&lt;ffffffff81152278&gt;] do_mount+0x63c/0x69f
   [&lt;ffffffff8115255c&gt;] sys_mount+0x88/0xc2
   [&lt;ffffffff814fbdc2&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b1d7dd80aadb9042e83f9778b484a2f92e0b04d4 upstream.

Fix error handling in construct_key_and_link().

If construct_alloc_key() returns an error, it shouldn't pass out through
the normal path as the key_serial() called by the kleave() statement
will oops when it gets an error code in the pointer:

  BUG: unable to handle kernel paging request at ffffffffffffff84
  IP: [&lt;ffffffff8120b401&gt;] request_key_and_link+0x4d7/0x52f
  ..
  Call Trace:
   [&lt;ffffffff8120b52c&gt;] request_key+0x41/0x75
   [&lt;ffffffffa00ed6e8&gt;] cifs_get_spnego_key+0x206/0x226 [cifs]
   [&lt;ffffffffa00eb0c9&gt;] CIFS_SessSetup+0x511/0x1234 [cifs]
   [&lt;ffffffffa00d9799&gt;] cifs_setup_session+0x90/0x1ae [cifs]
   [&lt;ffffffffa00d9c02&gt;] cifs_get_smb_ses+0x34b/0x40f [cifs]
   [&lt;ffffffffa00d9e05&gt;] cifs_mount+0x13f/0x504 [cifs]
   [&lt;ffffffffa00caabb&gt;] cifs_do_mount+0xc4/0x672 [cifs]
   [&lt;ffffffff8113ae8c&gt;] mount_fs+0x69/0x155
   [&lt;ffffffff8114ff0e&gt;] vfs_kern_mount+0x63/0xa0
   [&lt;ffffffff81150be2&gt;] do_kern_mount+0x4d/0xdf
   [&lt;ffffffff81152278&gt;] do_mount+0x63c/0x69f
   [&lt;ffffffff8115255c&gt;] sys_mount+0x88/0xc2
   [&lt;ffffffff814fbdc2&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Jeff Layton &lt;jlayton@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>TOMOYO: Fix oops in tomoyo_mount_acl().</title>
<updated>2011-06-23T22:05:40+00:00</updated>
<author>
<name>Tetsuo Handa</name>
<email>penguin-kernel@I-love.SAKURA.ne.jp</email>
</author>
<published>2011-06-13T04:49:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93b18ca021e7b38d26eb55bcb0d1ca4c9105f643'/>
<id>93b18ca021e7b38d26eb55bcb0d1ca4c9105f643</id>
<content type='text'>
commit 4e78c724d47e2342aa8fde61f6b8536f662f795f upstream.

In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking
dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing
mount(NULL, "/", "ext3", 0, NULL) request.
Fix this by checking dev_name != NULL before calling kern_path(dev_name).

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 4e78c724d47e2342aa8fde61f6b8536f662f795f upstream.

In tomoyo_mount_acl() since 2.6.36, kern_path() was called without checking
dev_name != NULL. As a result, an unprivileged user can trigger oops by issuing
mount(NULL, "/", "ext3", 0, NULL) request.
Fix this by checking dev_name != NULL before calling kern_path(dev_name).

Signed-off-by: Tetsuo Handa &lt;penguin-kernel@I-love.SAKURA.ne.jp&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>AppArmor: Fix sleep in invalid context from task_setrlimit</title>
<updated>2011-06-23T22:05:38+00:00</updated>
<author>
<name>John Johansen</name>
<email>john.johansen@canonical.com</email>
</author>
<published>2011-06-08T22:07:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=83a9a8034ee98ac21804c376ec90af8e4997790e'/>
<id>83a9a8034ee98ac21804c376ec90af8e4997790e</id>
<content type='text'>
commit 1780f2d3839a0d3eb85ee014a708f9e2c8f8ba0e upstream.

Affected kernels 2.6.36 - 3.0

AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk-&gt;group_leader);
held when called from security_task_setrlimit.  This will only occur when the
task's current policy has been replaced, and the task's creds have not been
updated before entering the LSM security_task_setrlimit() hook.

BUG: sleeping function called from invalid context at mm/slub.c:847
 in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
 2 locks held by cupsd/1583:
  #0:  (tasklist_lock){.+.+.+}, at: [&lt;ffffffff8104dafa&gt;] do_prlimit+0x61/0x189
  #1:  (&amp;(&amp;p-&gt;alloc_lock)-&gt;rlock){+.+.+.}, at: [&lt;ffffffff8104db2d&gt;]
do_prlimit+0x94/0x189
 Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
 Call Trace:
  [&lt;ffffffff8102ebf2&gt;] __might_sleep+0x10d/0x112
  [&lt;ffffffff810e6f46&gt;] slab_pre_alloc_hook.isra.49+0x2d/0x33
  [&lt;ffffffff810e7bc4&gt;] kmem_cache_alloc+0x22/0x132
  [&lt;ffffffff8105b6e6&gt;] prepare_creds+0x35/0xe4
  [&lt;ffffffff811c0675&gt;] aa_replace_current_profile+0x35/0xb2
  [&lt;ffffffff811c4d2d&gt;] aa_current_profile+0x45/0x4c
  [&lt;ffffffff811c4d4d&gt;] apparmor_task_setrlimit+0x19/0x3a
  [&lt;ffffffff811beaa5&gt;] security_task_setrlimit+0x11/0x13
  [&lt;ffffffff8104db6b&gt;] do_prlimit+0xd2/0x189
  [&lt;ffffffff8104dea9&gt;] sys_setrlimit+0x3b/0x48
  [&lt;ffffffff814062bb&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reported-by: Miles Lane &lt;miles.lane@gmail.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 1780f2d3839a0d3eb85ee014a708f9e2c8f8ba0e upstream.

Affected kernels 2.6.36 - 3.0

AppArmor may do a GFP_KERNEL memory allocation with task_lock(tsk-&gt;group_leader);
held when called from security_task_setrlimit.  This will only occur when the
task's current policy has been replaced, and the task's creds have not been
updated before entering the LSM security_task_setrlimit() hook.

BUG: sleeping function called from invalid context at mm/slub.c:847
 in_atomic(): 1, irqs_disabled(): 0, pid: 1583, name: cupsd
 2 locks held by cupsd/1583:
  #0:  (tasklist_lock){.+.+.+}, at: [&lt;ffffffff8104dafa&gt;] do_prlimit+0x61/0x189
  #1:  (&amp;(&amp;p-&gt;alloc_lock)-&gt;rlock){+.+.+.}, at: [&lt;ffffffff8104db2d&gt;]
do_prlimit+0x94/0x189
 Pid: 1583, comm: cupsd Not tainted 3.0.0-rc2-git1 #7
 Call Trace:
  [&lt;ffffffff8102ebf2&gt;] __might_sleep+0x10d/0x112
  [&lt;ffffffff810e6f46&gt;] slab_pre_alloc_hook.isra.49+0x2d/0x33
  [&lt;ffffffff810e7bc4&gt;] kmem_cache_alloc+0x22/0x132
  [&lt;ffffffff8105b6e6&gt;] prepare_creds+0x35/0xe4
  [&lt;ffffffff811c0675&gt;] aa_replace_current_profile+0x35/0xb2
  [&lt;ffffffff811c4d2d&gt;] aa_current_profile+0x45/0x4c
  [&lt;ffffffff811c4d4d&gt;] apparmor_task_setrlimit+0x19/0x3a
  [&lt;ffffffff811beaa5&gt;] security_task_setrlimit+0x11/0x13
  [&lt;ffffffff8104db6b&gt;] do_prlimit+0xd2/0x189
  [&lt;ffffffff8104dea9&gt;] sys_setrlimit+0x3b/0x48
  [&lt;ffffffff814062bb&gt;] system_call_fastpath+0x16/0x1b

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Reported-by: Miles Lane &lt;miles.lane@gmail.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>AppArmor: fix oops in apparmor_setprocattr</title>
<updated>2011-06-03T00:32:51+00:00</updated>
<author>
<name>Kees Cook</name>
<email>kees.cook@canonical.com</email>
</author>
<published>2011-05-31T18:31:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b8ccd154b8435ba1f60c6a41d38a53c30d295218'/>
<id>b8ccd154b8435ba1f60c6a41d38a53c30d295218</id>
<content type='text'>
commit a5b2c5b2ad5853591a6cac6134cd0f599a720865 upstream.

When invalid parameters are passed to apparmor_setprocattr a NULL deref
oops occurs when it tries to record an audit message. This is because
it is passing NULL for the profile parameter for aa_audit. But aa_audit
now requires that the profile passed is not NULL.

Fix this by passing the current profile on the task that is trying to
setprocattr.

Signed-off-by: Kees Cook &lt;kees@ubuntu.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a5b2c5b2ad5853591a6cac6134cd0f599a720865 upstream.

When invalid parameters are passed to apparmor_setprocattr a NULL deref
oops occurs when it tries to record an audit message. This is because
it is passing NULL for the profile parameter for aa_audit. But aa_audit
now requires that the profile passed is not NULL.

Fix this by passing the current profile on the task that is trying to
setprocattr.

Signed-off-by: Kees Cook &lt;kees@ubuntu.com&gt;
Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
Signed-off-by: James Morris &lt;jmorris@namei.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Set cred-&gt;user_ns in key_replace_session_keyring</title>
<updated>2011-06-03T00:32:33+00:00</updated>
<author>
<name>Serge E. Hallyn</name>
<email>serge@hallyn.com</email>
</author>
<published>2011-05-26T20:25:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=82ce79999abf4899b10481209db7f0af8057a561'/>
<id>82ce79999abf4899b10481209db7f0af8057a561</id>
<content type='text'>
commit f7285b5d631fd6096b11c6af0058ed3a2b30ef4e upstream.

Since this cred was not created with copy_creds(), it needs to get
initialized.  Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
can lead to a NULL deref.  Thanks to Robert for finding this.

But introduced by commit 47a150edc2a ("Cache user_ns in struct cred").

Signed-off-by: Serge E. Hallyn &lt;serge.hallyn@canonical.com&gt;
Reported-by: Robert Święcki &lt;robert@swiecki.net&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f7285b5d631fd6096b11c6af0058ed3a2b30ef4e upstream.

Since this cred was not created with copy_creds(), it needs to get
initialized.  Otherwise use of syscall(__NR_keyctl, KEYCTL_SESSION_TO_PARENT);
can lead to a NULL deref.  Thanks to Robert for finding this.

But introduced by commit 47a150edc2a ("Cache user_ns in struct cred").

Signed-off-by: Serge E. Hallyn &lt;serge.hallyn@canonical.com&gt;
Reported-by: Robert Święcki &lt;robert@swiecki.net&gt;
Cc: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.infradead.org/users/eparis/selinux into for-linus</title>
<updated>2011-05-12T23:52:16+00:00</updated>
<author>
<name>James Morris</name>
<email>jmorris@namei.org</email>
</author>
<published>2011-05-12T23:52:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ca7d12000895ae5dfef8b8ff2648a0d50abd397c'/>
<id>ca7d12000895ae5dfef8b8ff2648a0d50abd397c</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>SELinux: delete debugging printks from filename_trans rule processing</title>
<updated>2011-05-12T20:02:42+00:00</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2011-04-07T18:46:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=93826c092c385549c04af184fbebd43f36995c69'/>
<id>93826c092c385549c04af184fbebd43f36995c69</id>
<content type='text'>
The filename_trans rule processing has some printk(KERN_ERR ) messages
which were intended as debug aids in creating the code but weren't removed
before it was submitted.  Remove them.

Reported-by: Paul Bolle &lt;pebolle@tiscali.nl&gt;
Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The filename_trans rule processing has some printk(KERN_ERR ) messages
which were intended as debug aids in creating the code but weren't removed
before it was submitted.  Remove them.

Reported-by: Paul Bolle &lt;pebolle@tiscali.nl&gt;
Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge branch 'for-linus' of git://git.infradead.org/users/eparis/selinux into for-linus</title>
<updated>2011-05-04T01:59:34+00:00</updated>
<author>
<name>James Morris</name>
<email>jmorris@namei.org</email>
</author>
<published>2011-05-04T01:59:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6f239284542bae297d27355d06afbb8df23c5db9'/>
<id>6f239284542bae297d27355d06afbb8df23c5db9</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>flex_array: flex_array_prealloc takes a number of elements, not an end</title>
<updated>2011-04-28T20:12:47+00:00</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2011-04-28T19:55:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d30b10bd68df007e7ae21e77d1e0ce184b53040'/>
<id>5d30b10bd68df007e7ae21e77d1e0ce184b53040</id>
<content type='text'>
Change flex_array_prealloc to take the number of elements for which space
should be allocated instead of the last (inclusive) element. Users
and documentation are updated accordingly.  flex_arrays got introduced before
they had users.  When folks started using it, they ended up needing a
different API than was coded up originally.  This swaps over to the API that
folks apparently need.

Based-on-patch-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Tested-by: Chris Richards &lt;gizmo@giz-works.com&gt;
Acked-by: Dave Hansen &lt;dave@linux.vnet.ibm.com&gt;
Cc: stable@kernel.org [2.6.38+]
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Change flex_array_prealloc to take the number of elements for which space
should be allocated instead of the last (inclusive) element. Users
and documentation are updated accordingly.  flex_arrays got introduced before
they had users.  When folks started using it, they ended up needing a
different API than was coded up originally.  This swaps over to the API that
folks apparently need.

Based-on-patch-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
Tested-by: Chris Richards &lt;gizmo@giz-works.com&gt;
Acked-by: Dave Hansen &lt;dave@linux.vnet.ibm.com&gt;
Cc: stable@kernel.org [2.6.38+]
</pre>
</div>
</content>
</entry>
<entry>
<title>SELinux: pass last path component in may_create</title>
<updated>2011-04-28T20:12:41+00:00</updated>
<author>
<name>Eric Paris</name>
<email>eparis@redhat.com</email>
</author>
<published>2011-04-28T19:11:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9'/>
<id>cb1e922fa104bb0bb3aa5fc6ca7f7e070f3b55e9</id>
<content type='text'>
New inodes are created in a two stage process.  We first will compute the
label on a new inode in security_inode_create() and check if the
operation is allowed.  We will then actually re-compute that same label and
apply it in security_inode_init_security().  The change to do new label
calculations based in part on the last component of the path name only
passed the path component information all the way down the
security_inode_init_security hook.  Down the security_inode_create hook the
path information did not make it past may_create.  Thus the two calculations
came up differently and the permissions check might not actually be against
the label that is created.  Pass and use the same information in both places
to harmonize the calculations and checks.

Reported-by: Dominick Grift &lt;domg472@gmail.com&gt;
Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
New inodes are created in a two stage process.  We first will compute the
label on a new inode in security_inode_create() and check if the
operation is allowed.  We will then actually re-compute that same label and
apply it in security_inode_init_security().  The change to do new label
calculations based in part on the last component of the path name only
passed the path component information all the way down the
security_inode_init_security hook.  Down the security_inode_create hook the
path information did not make it past may_create.  Thus the two calculations
came up differently and the permissions check might not actually be against
the label that is created.  Pass and use the same information in both places
to harmonize the calculations and checks.

Reported-by: Dominick Grift &lt;domg472@gmail.com&gt;
Signed-off-by: Eric Paris &lt;eparis@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
