== Changes ==
* Mainstream security updates ({{CVE|CVE-2006-1523}}, others)
* Drivers updates
* Other fixes
<includeonly>[[{{PAGENAME}}/changes#Patches|{{Long changelog message}}]]</includeonly><noinclude>
=== Patches ===
==== diff-scsi-megaraid-dma64-2006062 ====
<div class="change">
Patch from Vasily:
this patch prevents enabling 64-bit DMA on the Megaraid SATA 150-4 controller
because it does not support 64-bit DMA.
Bug #52530.
</div>
==== diff-ms-CVE-2006-3626 ====
<div class="change">
Patch prepared by Vasily, based on Linux mainstream patches.
Linux Kernel "proc/base.c" Userspace Interaction Local Privilege Escalation
Vulnerability:
A vulnerability has been identified in Linux Kernel, which could be exploited by
local attackers to obtain elevated privileges. This flaw is due to a race
condition in the "pid_revalidate()" and "tid_fd_revalidate()" [fs/proc/base.c]
functions, which could be exploited by malicious users to execute arbitrary
commands with "root" privileges.
Fixed in 2.6.17.5 and 2.6.17.6 mainstream kernels.
Bug #65414.
</div>
==== diff-ms-group-complete-signal ====
<div class="change">
Patch from mainstream:<br/>
[PATCH] __group_complete_signal: remove bogus BUG_ON
[PATCH] RCU signal handling<br/>
made this BUG_ON() unsafe. This code runs under ->siglock,
while switch_exec_pids() takes tasklist_lock.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru><br/>
Signed-off-by: Linus Torvalds <torvalds@osdl.org><br/>
X-Git-URL: http://kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=0945e1a305ef6128c0405f1c5c8b5368d8756224<br/>
{{CVE|CVE-2006-1523}}<br/>
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188604<br/>
http://marc.theaimsgroup.com/?l=linux-kernel&m=114476543426600&w=2
Bug #64343.
</div>
==== diff-ms-ext3-bitmap-20060628 ====
<div class="change">
Patch from Vasily Averin:<br/>
found by Andrey Savochkin using testcase
created by Dmitry Monakhov:<br/>
fixed ext3 block bitmap leakage, cause of following fsck messages:
Block bitmap differences: -64159 -73707
Bug #64460.
</div>
==== linux-2.6.18-sky2-1.4.patch, diff-drv-sky2-backport-20060714 ====
<div class="change">
Patch prepared by Kostja:<br/>
sky driver updated up to 1.4 version.<br/>
Many bugs fixed, in particular interface unavailability after
"transmit interrupt missed" error.<br/>
Sources were taken from mainstream 2.6.18-rc1-git8.<br/>
Obsoletes linux-2.6.8.1-sky2-0.13.patch.
Bug #60787.
</div>
==== linux-2.6.8.1-drbd-0.7.19-0.7.20.patch ====
<div class="change">
Patch prepared by Kostja:<br/>
drbd driver updated up to 0.7.20 version.<br/>
Sources were taken from http://oss.linbit.com/drbd/.<br/>
Incremental from linux-2.6.8.1-drbd-0.7.19.patch.
Bug #57086.
</div>
==== diff-ms-exit-signal-fix-20060629 ====
<div class="change">
Patch from Pavel:<br/>
fixed issue triggered by 'RCU signal handling' exploit:<br/>
"Fix of signal_struct->curr_target value after __exit_signal().
When task calls __exit_signal() it moves curr_target pointer
on the next thread. If task isn't changed - this pointer must be
set to NULL. Otherwise race:
<source lang="c">
sys_execve()                                sys_kill()
...                                         ...
de_thread()
switch_exec_pids()
/* at this point thread and leader
 * have shared signal_struct but split
 * (empty) pids lists
 */
release_task()
  sig->curr_target = next_thread(tsk);
  /* at this point curr_target is set to
   * tsk since its PID_TYPE_TGID list is
   * empty
   */
                                            ...
                                            ___group_complete_signal()
                                            `- t = p->signal->curr_target
                                               /* t is the task which tries to
                                                * exit on the 1st cpu so its
                                                * memory may already be freed
                                                */"
</source>
Bug #65473.<br/>
Bug #64343.<br/>
Bug #64479.
</div>
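The race described in diff-ms-exit-signal-fix-20060629 can be replayed deterministically in a userspace model. This is an added example, not code from the patch or the kernel: the struct and function names are hypothetical stand-ins, and a <code>released</code> flag replaces actual freeing of the task.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace model; these are not the kernel's structures. */
struct task {
    struct task *next;  /* thread ring; an unlinked task points at itself */
    bool released;      /* stands in for "memory may already be freed" */
};
struct signal_model { struct task *curr_target; };

/* Exit path: move curr_target off the exiting task.
 * with_fix=false: pre-patch behaviour as described in the changelog entry.
 * with_fix=true:  NULL when the "next" thread is the exiting task itself. */
static void exit_signal_model(struct signal_model *sig, struct task *tsk,
                              bool with_fix)
{
    if (sig->curr_target == tsk) {
        struct task *n = tsk->next;  /* next_thread(tsk) analogue */
        sig->curr_target = (with_fix && n == tsk) ? NULL : n;
    }
    tsk->released = true;
}

/* Signal side: true if delivery would start from a released task. */
static bool picks_stale_target(const struct signal_model *sig)
{
    return sig->curr_target != NULL && sig->curr_target->released;
}

/* Replays the interleaving in the diagram, one step at a time. */
static bool replay(bool with_fix)
{
    struct task exiting = { .next = NULL, .released = false };
    struct signal_model sig = { .curr_target = &exiting };

    exiting.next = &exiting;  /* pid lists already split: ring is empty */
    exit_signal_model(&sig, &exiting, with_fix);  /* release_task() step */
    return picks_stale_target(&sig);              /* sys_kill() step */
}

int main(void)
{
    printf("pre-patch: stale target = %d\n", replay(false));
    printf("patched:   stale target = %d\n", replay(true));
    return 0;
}
```
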
==== diff-ms-dethread-wait-race-20060712 ====
<div class="change">
Patch from mainstream, prepared by Pavel:<br/>
fixed issue triggered by 'RCU signal handling' exploit:<br/>
[PATCH] fix do_wait() vs exec() race<br/>
When non-leader thread does exec, de_thread adds old leader to the init's
->children list in EXIT_ZOMBIE state and drops tasklist_lock.
This means that release_task(leader) in de_thread() is racy vs do_wait()
from init task.
I think de_thread() should set old leader's state to EXIT_DEAD instead.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru><br/>
Cc: george anzinger <george@mvista.com><br/>
Cc: Roland Dreier <rolandd@cisco.com><br/>
Cc: Ingo Molnar <mingo@elte.hu><br/>
Cc: Linus Torvalds <torvalds@osdl.org><br/>
Signed-off-by: Andrew Morton <akpm@osdl.org><br/>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Bug #64343.<br/>
Bug #64684.<br/>
Bug #65473.
</div>
</noinclude>