Difference between revisions of "Download/kernel/2.6.8/022stab032.1/changes"

This patch fixes double free of sysctl_table_header and leak of sysctl_table in quota.

Bug 50169.

This patch fixes oops in /proc/vz/veinfo on VPS stop. env->veip clearance moved under veip_hash_lock.

Bug 49977.

This patch fixes the following:

• changing prev_cpu in schedule_vcpu() could lead to hangs, since wrong VCPU could be put.
• finish_task_switch() on PREEMT enabled kernels could schedule before vcpu_put() and hang forever since CPU is still busy, but fairsched is not aware of it.
• init_pcpu() use pcpu() macro
• BUG_ON in vcpu_put() to be sure that current VCPU is not put
• initialization cleanups
• pcpu_info changed to be simple array (instead of PERCPU) for better code and correct early initialization for sure.

This patch fixes conntrack init_of_fini error handling.

VPS's sysctl tables must be kmalloc-ed to be registered, otherwise multiple VPSs use the same sysctl tree and oops.

Bug 49976.

free_percpu() argument must be checket for != NULL before calling free. fixed in init_ve_mibs.

This patch cleanups plain fairsched

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

Some more defensive checks to keep corrupt isofs images from corrupting memory or causing Oops.

Signed-off-by: Chris Wright <chrisw@osdl.org>

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

isofs: more "corrupted iso image" error cases

Signed-off-by: Chris Wright <chrisw@osdl.org>

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

isofs: Handle corupted rock-ridge info slightly better.

Signed-off-by: Chris Wright <chrisw@osdl.org>

ilja <ilja@suresec.org> discovered potential local root exploit in bluetooth socket creation.

CAN-2005-0750 is assigned to this issue

This patch fixes a small signedness problem when creating the socket.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>

ROSE wasn't verifying the ndigis argument of a new route resulting in a minor security hole.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@osdl.org>

Raw character devices are supposed to pass ioctls through to the block devices they are bound to. Unfortunately, they are using the wrong function for this: ioctl_by_bdev(), instead of blkdev_ioctl(). ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl, redirecting the user-space buffer access to the kernel address space.

The patch below fixes both the config and address-space problems.

Kernel-address-space access has been assigned CAN-2005-1264.

Signed-off-by: Stephen Tweedie <sct@redhat.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Fix deadlock with ip_queue and tcp local input path.

When we have ip_queue being used from LOCAL_IN, then we end up with a situation where the verdicts coming back from userspace traverse the TCP input path from syscall context. While this seems to work most of the time, there's an ugly deadlock:

syscall context is interrupted by the timer interrupt. When the timer interrupt leaves, the timer softirq get's scheduled and calls tcp_delack_timer() and alike. They themselves do bh_lock_sock(sk), which is already held from somewhere else -> boom.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Fix potential memory corruption in NAT code

The portptr pointing to the port in the conntrack tuple is declared static, which could result in memory corruption when two packets of the same protocol are NATed at the same time and one conntrack goes away.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Fix possible overflow of sock->sk_policy

Spotted by, and original patch by, Balazs Scheidler.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

sys_get_thread_area does not clear the returned argument

sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual datas which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Chris Wright <chrisw@osdl.org>