6,534
edits
Changes
created
== Changes ==
* Bunch of mainstream minor security fixes
* Bug fixes
* Cleanups
<includeonly>[[{{PAGENAME}}/changes#Patches|{{Long changelog message}}]]</includeonly><noinclude>
=== Patches ===
==== diff-vzdq-sysctl-20050811 ====
<div class="change">Patch from Pavel:
This patch fixes double free of sysctl_table_header and leak of sysctl_table in quota.
Bug 50169.
</div>
==== diff-venet-veinfo-20050808 ====
<div class="change">Patch from Dmitry:
This patch fixes oops in /proc/vz/veinfo on VPS stop.
env->veip clearance moved under veip_hash_lock.
Bug 49977.
</div>
==== diff-fairsched-fixes-20050810 ====
<div class="change">Patch from Kirill:
This patch fixes the following:
* changing prev_cpu in schedule_vcpu() could lead to hangs, since wrong VCPU could be put.
* finish_task_switch() on PREEMT enabled kernels could schedule before vcpu_put() and hang forever since CPU is still busy, but fairsched is not aware of it.
* init_pcpu() use pcpu() macro
* BUG_ON in vcpu_put() to be sure that current VCPU is not put
* initialization cleanups
* pcpu_info changed to be simple array (instead of PERCPU) for better code and correct early initialization for sure.
</div>
==== diff-ve-ip-conntrack-errh-20050808 ====
<div class="change">Patch from Pavel:<br/>
This patch fixes conntrack init_of_fini error handling.
</div>
==== diff-vzdq-sysctl-20050806 ====
<div class="change">Patch from Pavel:
VPS's sysctl tables must be kmalloc-ed to be registered,
otherwise multiple VPSs use the same sysctl tree and oops.
Bug 49976.
</div>
==== diff-ve-mibs-20050806 ====
<div class="change">Patch from Pavel:
free_percpu() argument must be checket for != NULL before
calling free. fixed in init_ve_mibs.
</div>
==== diff-fairsched-plain-20050810 ====
<div class="change">Patch from Kirill:<br/>
This patch cleanups plain fairsched
</div>
==== diff-security-isofs-c-20050326 ====
<div class="change">Patch from mainstream:<br/>
Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
{{CAN|2005-0815}} is assigned to this issue.
Some more defensive checks to keep corrupt isofs images from corrupting
memory or causing Oops.
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-isofs-b-20050326 ====
<div class="change">Patch from mainstream:
Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
{{CAN|2005-0815}} is assigned to this issue.
isofs: more "corrupted iso image" error cases
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-isofs-a-20050326 ====
<div class="change">Patch from mainstream:<br/>
Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
{{CAN|2005-0815}} is assigned to this issue.
isofs: Handle corupted rock-ridge info slightly better.
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-bluetooth-20050326 ====
<div class="change">Patch from mainstream:
ilja <ilja@suresec.org> discovered potential local root exploit in
bluetooth socket creation.
{{CAN|2005-0750}} is assigned to this issue
This patch fixes a small signedness problem when creating the
socket.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-rose-20050311 ====
<div class="change">Patch from mainstream:
ROSE wasn't verifying the ndigis argument of a new route resulting in a
minor security hole.
Signed-off-by: David S. Miller <davem@davemloft.net><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-rawioctl-20050514 ====
<div class="change">Patch from mainstream:
Raw character devices are supposed to pass ioctls through to the block
devices they are bound to. Unfortunately, they are using the wrong
function for this: ioctl_by_bdev(), instead of blkdev_ioctl().
ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl,
redirecting the user-space buffer access to the kernel address space.
The patch below fixes both the config and address-space problems.
Kernel-address-space access has been assigned {{CAN|2005-1264}}.
Signed-off-by: Stephen Tweedie <sct@redhat.com><br/>
Signed-off-by: Dave Jones <davej@redhat.com><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-mainstream-ipqueue-20050530 ====
<div class="change">Patch from mainstream:
Fix deadlock with ip_queue and tcp local input path.
When we have ip_queue being used from LOCAL_IN, then we end up with a
situation where the verdicts coming back from userspace traverse the TCP
input path from syscall context. While this seems to work most of the
time, there's an ugly deadlock:
syscall context is interrupted by the timer interrupt. When the timer
interrupt leaves, the timer softirq get's scheduled and calls
tcp_delack_timer() and alike. They themselves do bh_lock_sock(sk),
which is already held from somewhere else -> boom.
Signed-off-by: Harald Welte <laforge@netfilter.org><br/>
Signed-off-by: David S. Miller <davem@davemloft.net><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-mainstream-natcorrupt-20050804 ====
<div class="change">Patch from mainstream:<br/>
Fix potential memory corruption in NAT code
The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.
Signed-off-by: Patrick McHardy <kaber@trash.net><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-security-xfrm-20050804 ====
<div class="change">Patch from mainstream:<br/>
Fix possible overflow of sock->sk_policy
Spotted by, and original patch by, Balazs Scheidler.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au><br/>
Signed-off-by: David S. Miller <davem@davemloft.net><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-security-getthreadarea-20050804 ====
<div class="change">Patch from mainstream:<br/>
sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space... since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
</noinclude>
* Bunch of mainstream minor security fixes
* Bug fixes
* Cleanups
<includeonly>[[{{PAGENAME}}/changes#Patches|{{Long changelog message}}]]</includeonly><noinclude>
=== Patches ===
==== diff-vzdq-sysctl-20050811 ====
<div class="change">Patch from Pavel:
This patch fixes double free of sysctl_table_header and leak of sysctl_table in quota.
Bug 50169.
</div>
==== diff-venet-veinfo-20050808 ====
<div class="change">Patch from Dmitry:
This patch fixes oops in /proc/vz/veinfo on VPS stop.
env->veip clearance moved under veip_hash_lock.
Bug 49977.
</div>
==== diff-fairsched-fixes-20050810 ====
<div class="change">Patch from Kirill:
This patch fixes the following:
* changing prev_cpu in schedule_vcpu() could lead to hangs, since wrong VCPU could be put.
* finish_task_switch() on PREEMT enabled kernels could schedule before vcpu_put() and hang forever since CPU is still busy, but fairsched is not aware of it.
* init_pcpu() use pcpu() macro
* BUG_ON in vcpu_put() to be sure that current VCPU is not put
* initialization cleanups
* pcpu_info changed to be simple array (instead of PERCPU) for better code and correct early initialization for sure.
</div>
==== diff-ve-ip-conntrack-errh-20050808 ====
<div class="change">Patch from Pavel:<br/>
This patch fixes conntrack init_of_fini error handling.
</div>
==== diff-vzdq-sysctl-20050806 ====
<div class="change">Patch from Pavel:
VPS's sysctl tables must be kmalloc-ed to be registered,
otherwise multiple VPSs use the same sysctl tree and oops.
Bug 49976.
</div>
==== diff-ve-mibs-20050806 ====
<div class="change">Patch from Pavel:
free_percpu() argument must be checket for != NULL before
calling free. fixed in init_ve_mibs.
</div>
==== diff-fairsched-plain-20050810 ====
<div class="change">Patch from Kirill:<br/>
This patch cleanups plain fairsched
</div>
==== diff-security-isofs-c-20050326 ====
<div class="change">Patch from mainstream:<br/>
Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
{{CAN|2005-0815}} is assigned to this issue.
Some more defensive checks to keep corrupt isofs images from corrupting
memory or causing Oops.
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-isofs-b-20050326 ====
<div class="change">Patch from mainstream:
Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
{{CAN|2005-0815}} is assigned to this issue.
isofs: more "corrupted iso image" error cases
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-isofs-a-20050326 ====
<div class="change">Patch from mainstream:<br/>
Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
{{CAN|2005-0815}} is assigned to this issue.
isofs: Handle corupted rock-ridge info slightly better.
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-bluetooth-20050326 ====
<div class="change">Patch from mainstream:
ilja <ilja@suresec.org> discovered potential local root exploit in
bluetooth socket creation.
{{CAN|2005-0750}} is assigned to this issue
This patch fixes a small signedness problem when creating the
socket.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-rose-20050311 ====
<div class="change">Patch from mainstream:
ROSE wasn't verifying the ndigis argument of a new route resulting in a
minor security hole.
Signed-off-by: David S. Miller <davem@davemloft.net><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
==== diff-security-rawioctl-20050514 ====
<div class="change">Patch from mainstream:
Raw character devices are supposed to pass ioctls through to the block
devices they are bound to. Unfortunately, they are using the wrong
function for this: ioctl_by_bdev(), instead of blkdev_ioctl().
ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl,
redirecting the user-space buffer access to the kernel address space.
The patch below fixes both the config and address-space problems.
Kernel-address-space access has been assigned {{CAN|2005-1264}}.
Signed-off-by: Stephen Tweedie <sct@redhat.com><br/>
Signed-off-by: Dave Jones <davej@redhat.com><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-mainstream-ipqueue-20050530 ====
<div class="change">Patch from mainstream:
Fix deadlock with ip_queue and tcp local input path.
When we have ip_queue being used from LOCAL_IN, then we end up with a
situation where the verdicts coming back from userspace traverse the TCP
input path from syscall context. While this seems to work most of the
time, there's an ugly deadlock:
syscall context is interrupted by the timer interrupt. When the timer
interrupt leaves, the timer softirq get's scheduled and calls
tcp_delack_timer() and alike. They themselves do bh_lock_sock(sk),
which is already held from somewhere else -> boom.
Signed-off-by: Harald Welte <laforge@netfilter.org><br/>
Signed-off-by: David S. Miller <davem@davemloft.net><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-mainstream-natcorrupt-20050804 ====
<div class="change">Patch from mainstream:<br/>
Fix potential memory corruption in NAT code
The portptr pointing to the port in the conntrack tuple is declared static,
which could result in memory corruption when two packets of the same
protocol are NATed at the same time and one conntrack goes away.
Signed-off-by: Patrick McHardy <kaber@trash.net><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-security-xfrm-20050804 ====
<div class="change">Patch from mainstream:<br/>
Fix possible overflow of sock->sk_policy
Spotted by, and original patch by, Balazs Scheidler.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au><br/>
Signed-off-by: David S. Miller <davem@davemloft.net><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org><br/>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
</div>
==== diff-security-getthreadarea-20050804 ====
<div class="change">Patch from mainstream:<br/>
sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before
copying it to user space... since sizeof(struct user_desc) is 16 while the
actual datas which are filled are only 12 bytes + 9 bits (across the
bitfields), there is a (small) information leak.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it><br/>
Signed-off-by: Chris Wright <chrisw@osdl.org>
</div>
</noinclude>
