Commits on Apr 24, 2006
  1. @gregkh

    Linux 2.6.16.11

    gregkh committed
  2. @gregkh

    [PATCH] Don't allow a backslash in a path component (CVE-2006-1863)

    Steve French committed with gregkh
    Unless Posix paths have been negotiated, the backslash, "\", is not a valid
    character in a path component.
    
    Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
    Signed-off-by: Steve French  <sfrench@us.ibm.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @gregkh

    Linux 2.6.16.10

    gregkh committed
  4. @gregkh

    [PATCH] IPC: access to unmapped vmalloc area in grow_ary()

    Alexey Kuznetsov committed with gregkh
    grow_ary() should not copy struct ipc_id_ary (it copies new->p, not
    new). Due to this, memcpy() src pointer could hit unmapped vmalloc page
    when near page boundary.
    
    Found during OpenVZ stress testing
    
    Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
    Signed-off-by: Kirill Korotaev <dev@openvz.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @OGAWAHirofumi @gregkh

    [PATCH] Add more prevent_tail_call()

    OGAWAHirofumi committed with gregkh
    Those also break userland regs like the following.
    
       00000000 <sys_chown16>:
          0:	0f b7 44 24 0c       	movzwl 0xc(%esp),%eax
          5:	83 ca ff             	or     $0xffffffff,%edx
          8:	0f b7 4c 24 08       	movzwl 0x8(%esp),%ecx
          d:	66 83 f8 ff          	cmp    $0xffffffff,%ax
         11:	0f 44 c2             	cmove  %edx,%eax
         14:	66 83 f9 ff          	cmp    $0xffffffff,%cx
         18:	0f 45 d1             	cmovne %ecx,%edx
         1b:	89 44 24 0c          	mov    %eax,0xc(%esp)
         1f:	89 54 24 08          	mov    %edx,0x8(%esp)
         23:	e9 fc ff ff ff       	jmp    24 <sys_chown16+0x24>
    
    where the tailcall at the end overwrites the incoming stack-frame.
    
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    [PATCH] alim15x3: ULI M-1573 south Bridge support

    KAI.HSU committed with gregkh
    From http://bugzilla.kernel.org/show_bug.cgi?id=6358
    
    The alim15x3.c hasn't been updated for 3 years.  Recently, when we used this
    "ULI M1573" south bridge chip, we found that it couldn't mount a CDROM (VCD)
    smoothly and had to wait for a long time.  After I checked the "ULI M1573"
    south bridge datasheet, I found the reason.  The reason is that the "ULI M1573"
    version in Linux is "0xC7", not "0xC4" anymore, so I modified the source and
    it succeeded.
    
    Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
    Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @sthibaul @gregkh

    [PATCH] apm: fix Armada laptops again

    sthibaul committed with gregkh
    Fix the "apm: set display: Interface not engaged" error on Armada laptops
    again.
    
    Jordan said:
    
      I think this is fine.  It seems to me that this may be the fault of one or
      both of the APM solutions handling this situation in a non-standard way, but
      since APM is used very little on the Geode, and I have direct access to our
      BIOS folks, if this problem comes up with a customer again, we'll solve it
      from the firmware.
    
    Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
    Cc: "Jordan Crouse" <jordan.crouse@amd.com>
    Cc: Zachary Amsden <zach@vmware.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @gregkh

    [PATCH] fbdev: Fix return error of fb_write

    Antonino A. Daplas committed with gregkh
    Fix return code of fb_write():
    
    If at least 1 byte was transferred to the device, return number of bytes,
    otherwise:
    
        - return -EFBIG - if file offset is past the maximum allowable offset or
          size is greater than framebuffer length
        - return -ENOSPC - if size is greater than framebuffer length - offset
    
    Signed-off-by: Antonino Daplas <adaplas@pol.net>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @dipankarsarma @gregkh

    [PATCH] Fix file lookup without ref

    dipankarsarma committed with gregkh
    There are places in the kernel where we look up files in fd tables and
    access the file structure without holding references to the file.  So, we
    need special care to avoid the race between looking up files in the fd
    table and tearing down of the file in another CPU.  Otherwise, one might
    see a NULL f_dentry or such torn down version of the file.  This patch
    fixes those special places where such a race may happen.
    
    Signed-off-by: Dipankar Sarma <dipankar@in.ibm.com>
    Acked-by: "Paul E. McKenney" <paulmck@us.ibm.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  10. @gregkh

    [PATCH] m41t00: fix bitmasks when writing to chip

    David Barksdale committed with gregkh
    Fix the bitmasks used when writing to the M41T00 registers.
    
    The original code used a mask of 0x7f when writing to each register,
    this is incorrect and probably the result of a copy-paste error.  As a
    result years from 1980 to 1999 will be read back as 2000 to 2019.
    
    Signed-off-by: David Barksdale <amatus@ocgnet.org>
    Acked-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @gregkh

    [PATCH] Open IPMI BT overflow

    Heikki Orsila committed with gregkh
    I was looking into random driver code and found a suspicious looking
    memcpy() in drivers/char/ipmi/ipmi_bt_sm.c on 2.6.17-rc1:
    
    	if ((size < 2) || (size > IPMI_MAX_MSG_LENGTH))
    		return -1;
    	...
    	memcpy(bt->write_data + 3, data + 1, size - 1);
    
    where sizeof bt->write_data is IPMI_MAX_MSG_LENGTH.  It looks like the
    memcpy would overflow by 2 bytes if size == IPMI_MAX_MSG_LENGTH.  A patch
    is attached to limit size to (IPMI_MAX_LENGTH - 2).
    
    Cc: Corey Minyard <minyard@acm.org>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @gregkh

    [PATCH] x86: be careful about tailcall breakage for sys_open[at] too

    Linus Torvalds committed with gregkh
    x86: be careful about tailcall breakage for sys_open[at] too
    
    Came up through a quick grep for other cases similar to the ftruncate()
    one in commit 0a489cb.
    
    Also, add a comment, so that people who read the code understand why we
    do what looks like a no-op.
    
    (Again, this won't actually matter to any sane user, since libc will
    save and restore the register gcc stomps on, but it's still wrong to
    stomp on it)
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @gregkh

    [PATCH] x86: don't allow tail-calls in sys_ftruncate[64]()

    Linus Torvalds committed with gregkh
    x86: don't allow tail-calls in sys_ftruncate[64]()
    
    Gcc thinks it owns the incoming argument stack, but that's not true for
    "asmlinkage" functions, and it corrupts the caller-set-up argument stack
    when it pushes the third argument onto the stack.  Which can result in
    %ebx getting corrupted in user space.
    
    Now, normally nobody sane would ever notice, since libc will save and
    restore %ebx anyway over the system call, but it's still wrong.
    
    I'd much rather have "asmlinkage" tell gcc directly that it doesn't own
    the stack, but no such attribute exists, so we're stuck with our hacky
    manual "prevent_tail_call()" macro once more (we've had the same issue
    before with sys_waitpid() and sys_wait4()).
    
    Thanks to Hans-Werner Hilse <hilse@sub.uni-goettingen.de> for reporting
    the issue and testing the fix.
    
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  14. @gregkh

    [PATCH] IPV6: XFRM: Fix decoding session with preceding extension header(s).

    YOSHIFUJI Hideaki / 吉藤英明 committed with gregkh
    
    [IPV6] XFRM: Fix decoding session with preceding extension header(s).
    
    We did not correctly decode session with preceding extension
    header(s).  This was because we had already pulled preceding
    headers, skb->nh.raw + 40 + 1 - skb->data was minus, and
    pskb_may_pull() failed.
    
    We now have IP6CB(skb)->nhoff and skb->h.raw, and we can
    start parsing / decoding upper layer protocol from current
    position.
    
    Tracked down by Noriaki TAKAMIYA <takamiya@po.ntts.co.jp>
    and tested by Kazunori Miyazawa <kazunori@miyazawa.org>.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @gregkh

    [PATCH] IPV6: XFRM: Don't use old copy of pointer after pskb_may_pull().

    YOSHIFUJI Hideaki / 吉藤英明 committed with gregkh
    [IPV6] XFRM: Don't use old copy of pointer after pskb_may_pull().
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @gregkh

    [PATCH] IPV6: Ensure to have hop-by-hop options in our header of &sk_buff.

    YOSHIFUJI Hideaki / 吉藤英明 committed with gregkh
    
    [IPV6]: Ensure to have hop-by-hop options in our header of &sk_buff.
    
    Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  17. @gregkh

    [PATCH] selinux: Fix MLS compatibility off-by-one bug

    Ron Yorston committed with gregkh
    Fix an off-by-one error in the MLS compatibility code that was causing
    contexts with a MLS suffix to be rejected, preventing sharing partitions
    between FC4 and FC5.  Bug reported in
    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=188068
    
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: James Morris <jmorris@redhat.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @agx @gregkh

    [PATCH] PPC: fix oops in alsa powermac driver

    agx committed with gregkh
    This fixes an oops in 2.6.16.X when loading the snd_powermac module. The
    name of the requested module changed during the 2.6.16 development cycle
    from i2c-keylargo to i2c-powermac:
    
    Signed-off-by: Guido Guenther <agx@sigxcpu.org>
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  19. @AdrianBunk @gregkh

    [PATCH] MTD_NAND_SHARPSL and MTD_NAND_NANDSIM should be tristates

    AdrianBunk committed with gregkh
    MTD_NAND=m and MTD_NAND_SHARPSL=y or MTD_NAND_NANDSIM=y are illegal
    combinations that mustn't be allowed.
    
    This patch fixes this bug by making MTD_NAND_SHARPSL and MTD_NAND_NANDSIM
    tristates.
    
    Additionally, it fixes some whitespace damage at these options.
    
    This patch was already included in Linus' tree.
    
    Signed-off-by: Adrian Bunk <bunk@stusta.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @gregkh

    [PATCH] i2c-i801: Fix resume when PEC is used

    Jean Delvare committed with gregkh
    Fix for bug #6395:
    Fail to resume on Tecra M2 with ADM1032 and Intel 82801DBM
    
    The BIOS of the Tecra M2 doesn't like it when it has to reboot or
    resume after the i2c-i801 driver has left the SMBus in PEC mode.
    I have a more complete fix for 2.6.17 but the simple approach of
    leaving the SMBus in non-PEC mode after every transaction should do
    for -stable. That's what the i2c-i801 driver was doing up to 2.6.15
    (inclusive).
    
    Signed-off-by: Jean Delvare <khali@linux-fr.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @gregkh

    [PATCH] Fix hotplug race during device registration

    Thomas de Grenier de Latour committed with gregkh
    On Sun, 9 Apr 2006 21:56:59 +0400,
    Sergey Vlasov <vsu@altlinux.ru> wrote:
    > However, show_address() does not output anything unless
    > dev->reg_state == NETREG_REGISTERED - and this state is set by
    > netdev_run_todo() only after netdev_register_sysfs() returns, so in
    > the meantime (while netdev_register_sysfs() is busy adding the
    > "statistics" attribute group) some process may see an empty "address"
    > attribute.
    
    I've tried the attached patch, suggested by Sergey Vlasov on
    hotplug-devel@, and as far as I can test it works just fine.
    
    Signed-off-by: Alexander Patrakov <patrakov@ums.usu.ru>
    Signed-off-by: David Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @herbertx @gregkh

    [PATCH] Fix truesize underflow

    herbertx committed with gregkh
    [TCP]: Fix truesize underflow
    
    There is a problem with the TSO packet trimming code.  The cause of
    this lies in the tcp_fragment() function.
    
    When we allocate a fragment for a completely non-linear packet the
    truesize is calculated for a payload length of zero.  This means that
    truesize could in fact be less than the real payload length.
    
    When that happens the TSO packet trimming can cause truesize to become
    negative.  This in turn can cause sk_forward_alloc to be -n * PAGE_SIZE
    which would trigger the warning.
    
    I've copied the code DaveM used in tso_fragment which should work here.
    
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    Signed-off-by: David Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @gregkh

    [PATCH] efficeon-agp: Add missing memory mask

    H. Peter Anvin committed with gregkh
    Original patch by Benjamin Herrenschmidt after debugging by Brian Hinz.
    
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Brian Hinz <bphinz@hotmail.com>
    Signed-off-by: H Peter Anvin <hpa@zytor.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @gregkh

    [PATCH] 3ware 9000 disable local irqs during kmap_atomic

    adam radford committed with gregkh
    The attached patch for 2.6.17-rc2 updates the 3ware 9000 driver:
    
    - Disable local interrupts during kmap/unmap_atomic().
    
    Signed-off-by: Adam Radford <linuxraid@amcc.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  25. @gregkh

    [PATCH] 3ware: kmap_atomic() fix

    Andrew Morton committed with gregkh
    We must disable local IRQs while holding KM_IRQ0 or KM_IRQ1.  Otherwise, an
    IRQ handler could use those kmap slots while this code is using them,
    resulting in memory corruption.
    
    Thanks to Nick Orlov <bugfixer@list.ru> for reporting.
    
    Cc: <linuxraid@amcc.com>
    Cc: James Bottomley <James.Bottomley@SteelEye.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Apr 19, 2006
  1. @gregkh

    Linux 2.6.16.9

    gregkh committed
  2. @gregkh

    [PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)

    Andi Kleen committed with gregkh
    
    AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
    when an exception is pending.  This means the values leak through context
    switches and allow processes to observe some x87 instruction state of
    other processes.
    
    This was actually documented by AMD, but nobody recognized it as being
    different from Intel before.
    
    The fix first adds an optimization: instead of unconditionally calling
    FNCLEX after each FXSAVE, test if ES is pending and skip it when not
    needed. Then do an x87 load from a kernel variable to clear FOP/FIP/FDP.
    
    This means other processes always will only see a constant value defined
    by the kernel in their FP state.
    
    I took some pain to make sure to choose a variable that's already in L1
    during context switch to make the overhead of this low.
    
    Also alternative() is used to patch away the new code on CPUs who don't
    need it.
    
    Patch for both i386/x86-64.
    
    The problem was discovered originally by Jan Beulich. Richard Brunner
    provided the basic code for the workarounds, with contribution from Jan.
    
    This is CVE-2006-1056
    
    Cc: richard.brunner@amd.com
    Cc: jbeulich@novell.com
    Signed-off-by: Andi Kleen <ak@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Apr 18, 2006
  1. @gregkh

    Linux 2.6.16.8

    gregkh committed
  2. @gregkh

    [PATCH] ip_route_input panic fix (CVE-2006-1525)

    Stephen Hemminger committed with gregkh
    This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
    The bug is caused by ip_route_input dereferencing skb->nh.protocol of
    the dummy skb passed down from inet_rtm_getroute (Thanks Thomas for seeing
    it). It only happens if the route requested is for a multicast IP
    address.
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Apr 17, 2006
  1. @gregkh

    Linux 2.6.16.7

    gregkh committed
  2. @gregkh

    [PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)

    Hugh Dickins committed with gregkh
    madvise_remove needs to respect file and mmap protections.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @gregkh

    Linux 2.6.16.6

    gregkh committed
  4. @gregkh

    [PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)

    Hugh Dickins committed with gregkh
    
    I found that all of 2.4 and 2.6 have been letting mprotect give write
    permission to a readonly attachment of shared memory, whether or not IPC
    would give the caller that permission.
    
    SUS says "The behaviour of this function [mprotect] is unspecified if the
    mapping was not established by a call to mmap", but I don't think we can
    interpret that as allowing it to subvert IPC permissions.
    
    I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
    the patch below reproduces that behaviour - mprotect cannot be used to add
    write permission to a shared memory segment attached readonly.
    
    This patch is simple, and I'm sure it's what we should have done in 2.4.0:
    if you want to go on to switch write permission on and off with mprotect,
    just don't attach the segment readonly in the first place.
    
    However, we could have accumulated apps which attach readonly (even though
    they would be permitted to attach read/write), and which subsequently use
    mprotect to switch write permission on and off: it's not unreasonable.
    
    I was going to add a second ipcperms check in do_shmat, to check for
    writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
    But security_ipc_permission might do auditing, and it seems wrong to
    report an attempt for write permission when there has been none.  Or we
    could flag the vma as SHM, note the shmid or shp in vm_private_data, and
    then get mprotect to check.
    
    But the patch below is a lot simpler: I'd rather stick with it, if we can
    convince ourselves somehow that it'll be safe.
    
    Signed-off-by: Hugh Dickins <hugh@veritas.com>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @gregkh

    [PATCH] atm: clip causes unregister hang

    Stephen Hemminger committed with gregkh
    If Classical IP over ATM module is loaded, its neighbor table gets
    populated when permanent neighbor entries are created; but these entries
    are not flushed when the device is removed. Since the entry never gets
    flushed the unregister of the network device never completes.
    
    This version of the patch also adds locking around the reference to
    the atm arp daemon to avoid races with events and daemon state changes.
    (Note: barrier() was never really safe)
    
    Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295
    
    Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    [PATCH] fix non-leader exec under ptrace

    Roland McGrath committed with gregkh
    This reverts most of commit 30e0fca.
    It broke the case of non-leader MT exec when ptraced.
    I think the bug it was intended to fix was already addressed by commit
    788e05a.
    
    Signed-off-by: Roland McGrath <roland@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>