From: Dan Rosenberg
Date: Wed, 22 Sep 2010 18:32:56 +0000 (-0400)
Subject: Prevent freeing uninitialized pointer in compat_do_readv_writev
X-Git-Tag: v2.6.36-rc6~76
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=767b68e96993e29e3480d7ecdd9c4b84667c5762;p=pandora-kernel.git

Prevent freeing uninitialized pointer in compat_do_readv_writev

In 32-bit compatibility mode, the error handling for
compat_do_readv_writev() may free an uninitialized pointer, potentially
leading to all sorts of ugly memory corruption. This is reliably
triggerable by unprivileged users by invoking the readv()/writev()
syscalls with an invalid iovec pointer. The below patch fixes this to
emulate the non-compat version.

Introduced by commit b83733639a49 ("compat: factor out
compat_rw_copy_check_uvector from compat_do_readv_writev")

Signed-off-by: Dan Rosenberg
Cc: stable@kernel.org (2.6.35)
Cc: Al Viro
Signed-off-by: Linus Torvalds
---
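An added illustration (not the kernel source and not part of the commit): a userspace C model of the error path the message describes, with the unfixed and fixed pointer initialization side by side. The helper name check_uvector, the poison value standing in for leftover stack bytes, the recording mock of kfree(), and the assumption that the fix starts the pointer at the on-stack array are all this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define FAST_IOV 8
struct iovec_model { void *base; size_t len; };
/* Constructed poison value: models whatever bytes an uninitialized pointer holds. */
#define STACK_GARBAGE ((struct iovec_model *)(uintptr_t)0x41414141u)

static int bogus_frees;   /* cleanup calls on a pointer that was never allocated */
static void *last_alloc;  /* the only pointer the cleanup may legitimately free */

/* Mock of kfree(): records a bogus free instead of corrupting the heap. */
static void mock_kfree(void *p) {
    if (p != last_alloc) { bogus_frees++; return; }
    free(p); last_alloc = NULL;
}

/* Hypothetical factored-out helper: it sets *ret only after its first check,
 * so an early failure leaves the caller's pointer exactly as it was. */
static int check_uvector(const void *uvec, size_t n,
                         struct iovec_model *fast, struct iovec_model **ret) {
    if (uvec == NULL)                 /* models the invalid iovec pointer */
        return -EFAULT;               /* early exit: *ret untouched */
    *ret = fast;
    if (n > FAST_IOV) {
        last_alloc = calloc(n, sizeof(*fast));
        if (!last_alloc) return -ENOMEM;
        *ret = last_alloc;
    }
    return 0;
}

/* Caller model. fixed == 0: pointer starts as garbage; fixed == 1: it starts
 * at the stack array. Returns how many bogus frees the cleanup performed. */
int bogus_frees_after(const void *uvec, size_t n, int fixed) {
    struct iovec_model stack[FAST_IOV];
    struct iovec_model *iov = fixed ? stack : STACK_GARBAGE;
    bogus_frees = 0;
    (void)check_uvector(uvec, n, stack, &iov);
    if (iov != stack)                 /* cleanup shared by success and error paths */
        mock_kfree(iov);
    return bogus_frees;
}

int main(void) {
    printf("unfixed: %d bogus free(s), fixed: %d\n",
           bogus_frees_after(NULL, 4, 0), bogus_frees_after(NULL, 4, 1));
    return 0;
}
```

The cleanup test `iov != stack` is only sound when every path into it leaves the pointer either at the stack array or at a real allocation, which is what initializing it at declaration guarantees.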