Difference between revisions of "Download/kernel/2.6.8/022stab078.14/changes"

From OpenVZ Virtuozzo Containers Wiki
Jump to: navigation, search
(Changes: fixed CVEs)
m (Protected "Download/kernel/2.6.8/022stab078.14/changes": Robot: Protecting a list of files. [edit=autoconfirmed:move=autoconfirmed])
 
(No difference)

Latest revision as of 18:25, 22 October 2009

Changes

Patches

diff-scsi-megaraid-dma64-2006062

Patch from Vasily:

this patch prevent enable of 64-bit DMA on the Megaraid SATA 150-4 controller because of it does not support 64-bit DMA.

Bug #52530.

diff-ms-CVE-2006-3626

Patch prepared by Vasily, based on Linux mainstream patches.

Linux Kernel "proc/base.c" Userspace Interaction Local Privilege Escalation Vulnerability:

A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to obtain elevated privileges. This flaw is due to a race condition in the "pid_revalidate()" and "tid_fd_revalidate()" [fs/proc/base.c] functions, which could be exploited by malicious users to execute arbitrary commands with "root" privileges.

Fixed in 2.6.17.5 and and 2.6.17.6 mainstream kernels.

Bug #65414.

diff-ms-group-complete-signal

Patch from mainstream:
[PATCH] __group_complete_signal: remove bogus BUG_ON

[PATCH] RCU signal handling
made this BUG_ON() unsafe. This code runs under ->siglock, while switch_exec_pids() takes tasklist_lock.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

X-Git-URL: http://kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=0945e1a305ef6128c0405f1c5c8b5368d8756224
CVE-2006-1523
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188604
http://marc.theaimsgroup.com/?l=linux-kernel&m=114476543426600&w=2

Bug #64343.

diff-ms-ext3-bitmap-20060628

Patch from Vasily Averin:
found by Andrey Savochkin using tescase created by Dmitry Monakhov:
fixed ext3 block bitmap leakage, cause of following fsck messages: Block bitmap differences: -64159 -73707

Bug #64460.

linux-2.6.18-sky2-1.4.patch, diff-drv-sky2-backport-20060714

Patch prepared by Kostja:
sky driver updated up to 1.4 version.
Many bugs fixed, in particular interface unavailability after "transmit interrupt missed" error.

Sources were taken from mainstream 2.6.18-rc1-git8.

Obsoletes linux-2.6.8.1-sky2-0.13.patch.

Bug #60787.

linux-2.6.8.1-drbd-0.7.19-0.7.20.patch

Patch prepared by Kostja:
drbd driver updated up to 0.7.20 version.
Sources were taken from http://oss.linbit.com/drbd/.
Incremental from linux-2.6.8.1-drbd-0.7.19.patch.

Bug #57086.

diff-ms-exit-signal-fix-20060629

Patch from Pavel:
fixed issue triggered by 'RCU signal handling' exploit:
"Fix of signal_struct->curr_target value after __exit_signal(). When task calls __exit_signal() it moves curr_target pointer on the next thread. If task isn't changed - this pointer must be set to NULL. Otherwise race:

sys_execve()                                        sys_kill()
...                                                 ...
de_thread()
switch_exec_pids()
/* at this point thread and leader
* have shared signal_struct but splitted
* (empty) pids lists
*/
release_task()
sig-&gt;curr_target = next_thread(tsk);
/* at this point curr_target is set to
* tsk since it's PID_TYPE_TGID list is
* empty
*/
...
                                        ___group_complete_signal()
                                        `- t = p-&gt;signal-&gt;curr_target
                                        /* t is the task which tries to
                                         * exit on the 1st cpu so its
                                         * memory may already be freed
                                         */"

Bug #65473.
Bug #64343.
Bug #64479.

diff-ms-dethread-wait-race-20060712

Patch from mainstream, prepared by Pavel:
fixed issue trigered by 'RCU signal handling' exploit:
[PATCH] fix do_wait() vs exec() race

When non-leader thread does exec, de_thread adds old leader to the init's ->children list in EXIT_ZOMBIE state and drops tasklist_lock.

This means that release_task(leader) in de_thread() is racy vs do_wait() from init task.

I think de_thread() should set old leader's state to EXIT_DEAD instead.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: george anzinger <george@mvista.com>
Cc: Roland Dreier <rolandd@cisco.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

Bug #64343.
Bug #64684.
Bug #65473.