Contents
Changes
- Mainstream security updates (CVE-2006-1523, CVE-2006-3626)
- Drivers updates
- Other fixes
Patches
diff-scsi-megaraid-dma64-2006062
Patch from Vasily:
this patch prevent enable of 64-bit DMA on the Megaraid SATA 150-4 controller because of it does not support 64-bit DMA.
Bug #52530.
diff-ms-CVE-2006-3626
Patch prepared by Vasily, based on Linux mainstream patches.
Linux Kernel "proc/base.c" Userspace Interaction Local Privilege Escalation Vulnerability:
A vulnerability has been identified in Linux Kernel, which could be exploited by local attackers to obtain elevated privileges. This flaw is due to a race condition in the "pid_revalidate()" and "tid_fd_revalidate()" [fs/proc/base.c] functions, which could be exploited by malicious users to execute arbitrary commands with "root" privileges.
Fixed in 2.6.17.5 and and 2.6.17.6 mainstream kernels.
Bug #65414.
diff-ms-group-complete-signal
Patch from mainstream:
[PATCH] __group_complete_signal: remove bogus BUG_ON
[PATCH] RCU signal handling
made this BUG_ON() unsafe. This code runs under ->siglock,
while switch_exec_pids() takes tasklist_lock.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
X-Git-URL: http://kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=0945e1a305ef6128c0405f1c5c8b5368d8756224
CVE-2006-1523
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188604
http://marc.theaimsgroup.com/?l=linux-kernel&m=114476543426600&w=2
Bug #64343.
diff-ms-ext3-bitmap-20060628
Patch from Vasily Averin:
found by Andrey Savochkin using tescase
created by Dmitry Monakhov:
fixed ext3 block bitmap leakage, cause of following fsck messages:
Block bitmap differences: -64159 -73707
Bug #64460.
linux-2.6.18-sky2-1.4.patch, diff-drv-sky2-backport-20060714
Patch prepared by Kostja:
sky driver updated up to 1.4 version.
Many bugs fixed, in particular interface unavailability after
"transmit interrupt missed" error.
Sources were taken from mainstream 2.6.18-rc1-git8.
Obsoletes linux-2.6.8.1-sky2-0.13.patch.
Bug #60787.
linux-2.6.8.1-drbd-0.7.19-0.7.20.patch
Patch prepared by Kostja:
drbd driver updated up to 0.7.20 version.
Sources were taken from http://oss.linbit.com/drbd/.
Incremental from linux-2.6.8.1-drbd-0.7.19.patch.
Bug #57086.
diff-ms-exit-signal-fix-20060629
Patch from Pavel:
fixed issue triggered by 'RCU signal handling' exploit:
"Fix of signal_struct->curr_target value after __exit_signal().
When task calls __exit_signal() it moves curr_target pointer
on the next thread. If task isn't changed - this pointer must be
set to NULL. Otherwise race:
sys_execve() sys_kill()
... ...
de_thread()
switch_exec_pids()
/* at this point thread and leader
* have shared signal_struct but splitted
* (empty) pids lists
*/
release_task()
sig->curr_target = next_thread(tsk);
/* at this point curr_target is set to
* tsk since it's PID_TYPE_TGID list is
* empty
*/
...
___group_complete_signal()
`- t = p->signal->curr_target
/* t is the task which tries to
* exit on the 1st cpu so its
* memory may already be freed
*/"
Bug #65473.
Bug #64343.
Bug #64479.
diff-ms-dethread-wait-race-20060712
Patch from mainstream, prepared by Pavel:
fixed issue trigered by 'RCU signal handling' exploit:
[PATCH] fix do_wait() vs exec() race
When non-leader thread does exec, de_thread adds old leader to the init's ->children list in EXIT_ZOMBIE state and drops tasklist_lock.
This means that release_task(leader) in de_thread() is racy vs do_wait() from init task.
I think de_thread() should set old leader's state to EXIT_DEAD instead.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: george anzinger <george@mvista.com>
Cc: Roland Dreier <rolandd@cisco.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Bug #64343.
Bug #64684.
Bug #65473.