Download/kernel/2.6.8/022stab032.1/changes

From OpenVZ Virtuozzo Containers Wiki
< Download‎ | kernel‎ | 2.6.8‎ | 022stab032.1
Revision as of 18:23, 22 October 2009 by Kir (talk | contribs) (Protected "Download/kernel/2.6.8/022stab032.1/changes": Robot: Protecting a list of files. [edit=autoconfirmed:move=autoconfirmed])
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Changes

  • Bunch of mainstream minor security fixes
  • Bug fixes
  • Cleanups

Patches

diff-vzdq-sysctl-20050811

Patch from Pavel:

This patch fixes double free of sysctl_table_header and leak of sysctl_table in quota.

Bug 50169.

diff-venet-veinfo-20050808

Patch from Dmitry:

This patch fixes oops in /proc/vz/veinfo on VPS stop. env->veip clearance moved under veip_hash_lock.

Bug 49977.

diff-fairsched-fixes-20050810

Patch from Kirill:

This patch fixes the following:

  • changing prev_cpu in schedule_vcpu() could lead to hangs, since wrong VCPU could be put.
  • finish_task_switch() on PREEMT enabled kernels could schedule before vcpu_put() and hang forever since CPU is still busy, but fairsched is not aware of it.
  • init_pcpu() use pcpu() macro
  • BUG_ON in vcpu_put() to be sure that current VCPU is not put
  • initialization cleanups
  • pcpu_info changed to be simple array (instead of PERCPU) for better code and correct early initialization for sure.

diff-ve-ip-conntrack-errh-20050808

Patch from Pavel:

This patch fixes conntrack init_of_fini error handling.

diff-vzdq-sysctl-20050806

Patch from Pavel:

VPS's sysctl tables must be kmalloc-ed to be registered, otherwise multiple VPSs use the same sysctl tree and oops.

Bug 49976.

diff-ve-mibs-20050806

Patch from Pavel:

free_percpu() argument must be checket for != NULL before calling free. fixed in init_ve_mibs.

diff-fairsched-plain-20050810

Patch from Kirill:

This patch cleanups plain fairsched

diff-security-isofs-c-20050326

Patch from mainstream:

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

Some more defensive checks to keep corrupt isofs images from corrupting memory or causing Oops.

Signed-off-by: Chris Wright <chrisw@osdl.org>

diff-security-isofs-b-20050326

Patch from mainstream:

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

isofs: more "corrupted iso image" error cases

Signed-off-by: Chris Wright <chrisw@osdl.org>

diff-security-isofs-a-20050326

Patch from mainstream:

Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in iso9660 filesystem.

http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2

CAN-2005-0815 is assigned to this issue.

isofs: Handle corupted rock-ridge info slightly better.

Signed-off-by: Chris Wright <chrisw@osdl.org>

diff-security-bluetooth-20050326

Patch from mainstream:

ilja <ilja@suresec.org> discovered potential local root exploit in bluetooth socket creation.

CAN-2005-0750 is assigned to this issue

This patch fixes a small signedness problem when creating the socket.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Chris Wright <chrisw@osdl.org>

diff-security-rose-20050311

Patch from mainstream:

ROSE wasn't verifying the ndigis argument of a new route resulting in a minor security hole.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@osdl.org>

diff-security-rawioctl-20050514

Patch from mainstream:

Raw character devices are supposed to pass ioctls through to the block devices they are bound to. Unfortunately, they are using the wrong function for this: ioctl_by_bdev(), instead of blkdev_ioctl(). ioctl_by_bdev() performs a set_fs(KERNEL_DS) before calling the ioctl, redirecting the user-space buffer access to the kernel address space.

The patch below fixes both the config and address-space problems.

Kernel-address-space access has been assigned CAN-2005-1264.

Signed-off-by: Stephen Tweedie <sct@redhat.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff-mainstream-ipqueue-20050530

Patch from mainstream:

Fix deadlock with ip_queue and tcp local input path.

When we have ip_queue being used from LOCAL_IN, then we end up with a situation where the verdicts coming back from userspace traverse the TCP input path from syscall context. While this seems to work most of the time, there's an ugly deadlock:

syscall context is interrupted by the timer interrupt. When the timer interrupt leaves, the timer softirq get's scheduled and calls tcp_delack_timer() and alike. They themselves do bh_lock_sock(sk), which is already held from somewhere else -> boom.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff-mainstream-natcorrupt-20050804

Patch from mainstream:

Fix potential memory corruption in NAT code

The portptr pointing to the port in the conntrack tuple is declared static, which could result in memory corruption when two packets of the same protocol are NATed at the same time and one conntrack goes away.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff-security-xfrm-20050804

Patch from mainstream:

Fix possible overflow of sock->sk_policy

Spotted by, and original patch by, Balazs Scheidler.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff-security-getthreadarea-20050804

Patch from mainstream:

sys_get_thread_area does not clear the returned argument

sys_get_thread_area does not memset to 0 its struct user_desc info before copying it to user space... since sizeof(struct user_desc) is 16 while the actual datas which are filled are only 12 bytes + 9 bits (across the bitfields), there is a (small) information leak.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Chris Wright <chrisw@osdl.org>