Contents
Changes
- A batch of minor security fixes from mainstream
- Bug fixes
- Cleanups
Patches
diff-vzdq-sysctl-20050811
This patch fixes double free of sysctl_table_header and leak of sysctl_table in quota.
Bug 50169.
diff-venet-veinfo-20050808
This patch fixes an oops in /proc/vz/veinfo on VPS stop. Clearing of env->veip is moved under veip_hash_lock.
Bug 49977.
diff-fairsched-fixes-20050810
This patch fixes the following:
- changing prev_cpu in schedule_vcpu() could lead to hangs, since the wrong VCPU could be put.
- finish_task_switch() on PREEMPT-enabled kernels could schedule before vcpu_put() and hang forever, since the CPU is still busy but fairsched is not aware of it.
- init_pcpu() uses the pcpu() macro
- BUG_ON in vcpu_put() to be sure that the current VCPU is not put
- initialization cleanups
- pcpu_info changed to a simple array (instead of PERCPU) for better code and guaranteed correct early initialization.
diff-ve-ip-conntrack-errh-20050808
This patch fixes conntrack init_of_fini error handling.
diff-vzdq-sysctl-20050806
VPS sysctl tables must be kmalloc-ed to be registered; otherwise multiple VPSs use the same sysctl tree and oops.
Bug 49976.
diff-ve-mibs-20050806
The free_percpu() argument must be checked for != NULL before calling free. Fixed in init_ve_mibs.
diff-fairsched-plain-20050810
This patch cleans up plain fairsched.
diff-security-isofs-c-20050326
Michal Zalewski <lcamtuf@dione.ids.pl> discovered range checking flaws in the iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
CAN-2005-0815 is assigned to this issue.
Some more defensive checks to keep corrupt isofs images from corrupting memory or causing Oops.
Signed-off-by: Chris Wright <chrisw@osdl.org>
diff-security-isofs-b-20050326
Michal Zalewski <lcamtuf@dione.ids.pl> discovered range checking flaws in the iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
CAN-2005-0815 is assigned to this issue.
isofs: more "corrupted iso image" error cases
Signed-off-by: Chris Wright <chrisw@osdl.org>
diff-security-isofs-a-20050326
Michal Zalewski <lcamtuf@dione.ids.pl> discovered range checking flaws in the iso9660 filesystem.
http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
CAN-2005-0815 is assigned to this issue.
isofs: Handle corrupted rock-ridge info slightly better.
Signed-off-by: Chris Wright <chrisw@osdl.org>
diff-security-bluetooth-20050326
ilja <ilja@suresec.org> discovered potential local root exploit in bluetooth socket creation.
CAN-2005-0750 is assigned to this issue.
This patch fixes a small signedness problem when creating the socket.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>
diff-security-rose-20050311
ROSE wasn't verifying the ndigis argument of a new route resulting in a minor security hole.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@osdl.org>
diff-security-rawioctl-20050514
Raw character devices are supposed to pass ioctls through to the block devices they are bound to. Unfortunately, they are using the wrong function for this: ioctl_by_bdev(), instead of blkdev_ioctl(). ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl, redirecting the user-space buffer access to the kernel address space.
The patch below fixes both the config and address-space problems.
Kernel-address-space access has been assigned CAN-2005-1264.
Signed-off-by: Stephen Tweedie <sct@redhat.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
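The address-limit mechanism behind CAN-2005-1264, as an added illustration that is not part of this changelog or of the kernel patch: a toy model (constructed for this example) of set_fs(), access_ok() and copy_to_user() over one flat simulated address space, with a raw-device pass-through written both the pre-fix way (via an ioctl_by_bdev() stand-in that raises the limit to KERNEL_DS) and the fixed way (calling the block ioctl stand-in directly under the caller's USER_DS). All names ending in _model, the address constants and the "get size" request are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the kernel's address-limit check; not kernel code.
 * One flat "address space": addresses below USER_LIMIT are user memory,
 * everything above it is kernel memory. */
#define SPACE_SIZE   0x200u
#define USER_LIMIT   0x100u        /* USER_DS: user pointers must stay below this */
#define KERNEL_LIMIT SPACE_SIZE    /* KERNEL_DS: no restriction at all */
#define EFAULT       14

static unsigned char space[SPACE_SIZE];    /* simulated memory */
static unsigned addr_limit = USER_LIMIT;   /* models current->addr_limit */

static void     set_fs(unsigned limit) { addr_limit = limit; }
static unsigned get_fs(void)           { return addr_limit; }

/* access_ok(): the only thing standing between a user pointer and kernel memory. */
static int access_ok(unsigned addr, unsigned len)
{
    return addr <= addr_limit && len <= addr_limit - addr;
}

static int copy_to_user(unsigned dst, const void *src, unsigned len)
{
    if (!access_ok(dst, len))
        return -EFAULT;
    memcpy(&space[dst], src, len);
    return 0;
}

/* Stand-in for blkdev_ioctl(): answers an assumed "get size" request by
 * copying a 32-bit value to the caller-supplied buffer address. */
static int blkdev_ioctl_model(unsigned arg)
{
    uint32_t size = 0x1234u;   /* constructed device size */
    return copy_to_user(arg, &size, sizeof size);
}

/* ioctl_by_bdev() pattern: switch to KERNEL_DS around the call. Correct for
 * in-kernel callers passing kernel buffers; wrong when arg came from user space. */
static int ioctl_by_bdev_model(unsigned arg)
{
    unsigned old_fs = get_fs();
    int ret;

    set_fs(KERNEL_LIMIT);
    ret = blkdev_ioctl_model(arg);
    set_fs(old_fs);
    return ret;
}

/* Pre-fix raw pass-through: forwards the user's pointer via ioctl_by_bdev(). */
static int raw_ioctl_buggy(unsigned user_arg) { return ioctl_by_bdev_model(user_arg); }

/* Fixed pass-through: calls the block ioctl directly, so the user pointer is
 * still checked against USER_DS. */
static int raw_ioctl_fixed(unsigned user_arg) { return blkdev_ioctl_model(user_arg); }

/* Runs one ioctl from a fresh user context with `arg` as the buffer address.
 * Returns 1 if any kernel memory was written, 0 otherwise; *ret_out gets the
 * ioctl's return value. */
static int kernel_memory_written(int (*raw_ioctl)(unsigned), unsigned arg, int *ret_out)
{
    unsigned i;

    memset(space, 0, sizeof space);
    set_fs(USER_LIMIT);             /* syscall entry: user context */
    *ret_out = raw_ioctl(arg);
    for (i = USER_LIMIT; i < SPACE_SIZE; i++)
        if (space[i])
            return 1;
    return 0;
}

int main(void)
{
    unsigned kaddr = USER_LIMIT + 0x10;   /* a pointer into "kernel" memory */
    int ret;

    printf("buggy: kernel written=%d ret=%d\n",
           kernel_memory_written(raw_ioctl_buggy, kaddr, &ret), ret);
    printf("fixed: kernel written=%d ret=%d\n",
           kernel_memory_written(raw_ioctl_fixed, kaddr, &ret), ret);
    return 0;
}
```

The model reduces the bug to its essence: under KERNEL_DS the same copy_to_user() that would normally return -EFAULT for a kernel address silently writes there, which is why an ioctl that takes a user-controlled buffer pointer must never run under a raised address limit.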
diff-mainstream-ipqueue-20050530
Fix deadlock with ip_queue and tcp local input path.
When we have ip_queue being used from LOCAL_IN, then we end up with a situation where the verdicts coming back from userspace traverse the TCP input path from syscall context. While this seems to work most of the time, there's an ugly deadlock:
syscall context is interrupted by the timer interrupt. When the timer interrupt leaves, the timer softirq gets scheduled and calls tcp_delack_timer() and the like. They themselves do bh_lock_sock(sk), which is already held from somewhere else -> boom.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff-mainstream-natcorrupt-20050804
Fix potential memory corruption in NAT code
The portptr pointing to the port in the conntrack tuple is declared static, which could result in memory corruption when two packets of the same protocol are NATed at the same time and one conntrack goes away.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff-security-xfrm-20050804
Fix possible overflow of sock->sk_policy
Spotted by, and original patch by, Balazs Scheidler.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff-security-getthreadarea-20050804
sys_get_thread_area does not clear the returned argument
sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual data which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak.
Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Chris Wright <chrisw@osdl.org>
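How the uninitialised bits of struct user_desc leak, shown as an added user-space example that is not part of this changelog or of the kernel fix. The struct below is a local mirror of the 32-bit x86 user_desc layout as assumed here (three unsigned ints plus seven one- and two-bit fields, 16 bytes in total, so the leftover is 25 bits rather than the "9 bits filled" arithmetic in the message); the descriptor values and the 0xff "stale stack" image are constructed. The function fills the struct the way the syscall did (no memset) and the way the fix does (memset first) and counts how many bits of the 16-byte copy still carry the stale content.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed mirror of the 32-bit x86 struct user_desc layout; not the kernel's header. */
struct user_desc_mirror {
    unsigned int entry_number;
    unsigned int base_addr;
    unsigned int limit;
    unsigned int seg_32bit:1;
    unsigned int contents:2;
    unsigned int read_exec_only:1;
    unsigned int limit_in_pages:1;
    unsigned int seg_not_present:1;
    unsigned int useable:1;
};

/* What the syscall does with the GDT entry: assign the named fields one by
 * one. Nothing here ever touches the 25 unnamed bits of the last word.
 * Descriptor values are constructed. */
static void fill_from_descriptor(struct user_desc_mirror *info)
{
    info->entry_number    = 6;
    info->base_addr       = 0xb7f00000u;
    info->limit           = 0xfffffu;
    info->seg_32bit       = 1;
    info->contents        = 0;
    info->read_exec_only  = 0;
    info->limit_in_pages  = 1;
    info->seg_not_present = 0;
    info->useable         = 1;
}

/* Builds the struct on a stack image full of stale 0xff bytes, either the
 * pre-fix way (zero_first = 0) or the fixed way (zero_first = 1), and returns
 * how many bits of the 16-byte object that would be copied to user space
 * still show the stale content. */
static int stale_bits_leaked(int zero_first)
{
    union {
        struct user_desc_mirror info;
        unsigned char raw[sizeof(struct user_desc_mirror)];
    } stale, clean;
    int leaked = 0;
    size_t i;

    memset(stale.raw, 0xff, sizeof stale.raw);       /* stale kernel stack (constructed) */
    if (zero_first)
        memset(&stale.info, 0, sizeof stale.info);    /* the fix: clear before filling */
    fill_from_descriptor(&stale.info);

    memset(clean.raw, 0x00, sizeof clean.raw);       /* reference: what user space should see */
    fill_from_descriptor(&clean.info);

    for (i = 0; i < sizeof stale.raw; i++) {
        unsigned char diff = stale.raw[i] ^ clean.raw[i];
        while (diff) {
            leaked += diff & 1;
            diff >>= 1;
        }
    }
    return leaked;
}

int main(void)
{
    printf("sizeof(struct user_desc_mirror) = %zu\n", sizeof(struct user_desc_mirror));
    printf("bits leaked without memset: %d\n", stale_bits_leaked(0));
    printf("bits leaked with memset:    %d\n", stale_bits_leaked(1));
    return 0;
}
```

The same pattern applies to any kernel structure copied out with copy_to_user(): member-by-member assignment leaves padding and unused bitfield storage holding whatever was on the stack before, so the object must be zeroed first (or built with a full initialiser that the compiler is guaranteed to zero).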