++ Hot Fix 3 for Linux Kernel 2.4.29 - 2005/02/16 (rev@sync:1.1554) ++
Willy Tarreau - EXOSEC < wtarreau at exosec.net >

Please read the "README" file first. Then, simply run "make" in the
directory containing this file to rebuild the patches referenced in
this file.

1) Security fixes
=================

+ flash_erase-checks-cap_sys_admin-1 (James Nelson)
  This patch adds CAP_SYS_ADMIN checks to the potentially dangerous
  ioctls FLASH_Erase and FLASH_Burn in the Cobalt LCD interface driver.

+ rw_verify_area-against-file-offset-overflow-2 (Linus Torvalds)
  Backport 2.6 rw_verify_area() to check against file offset overflows:
  - Make generic rw_verify_area check against file offset overflows.
  - Add 'f_maxcount' to allow filesystems to set a per-file maximum IO
    size.
  - Rename "locks_verify_area()" to "rw_verify_area()" and clean up the
    arguments.

+ rw_verify_area-missing-f_maxcount-1 (Solar Designer)

+ wireless-data-leak-1 (Chris Wright)
  There is a potential leak of kernel data to user space in private
  handler handling. Few drivers use that feature, there is no risk of
  crash or direct attack, so I would not worry about it.

2) Critical fixes
=================

+ panic-when-backing-up-lvm-snapshots-1 (Heinz J. Mauelshagen)
  This patch fixes lvm-snap.c in order to avoid a list update on the
  snapshot exception hash happening while only holding a read lock, as
  documented in Red Hat bugzilla #135266.

3) Major bug fixes
==================

+ oops-ata_to_sense_error-1 (Jeff Garzik)
  Fix an oops in ata_to_sense_error.

+ lcd_ioctl-memory-leak-1 (James Nelson)
  This patch fixes a memory leak in the FLASH_Burn ioctl for the Cobalt
  LCD interface driver.

+ pkt_sched-netem-leaks-memory-1 (Stephen Hemminger)
  Good catch.. netem needs to free skb's that are dropped due to loss
  simulation.

+ netlink-fix-nlmsg_goodsize-calculation-1 (Thomas Graf)
  NLMSG_GOODSIZE specifies a good default size for the skb tailroom used
  in netlink messages when the size is unknown at the time of the
  allocation. The current value doesn't make much sense anymore because
  skb_shared_info isn't taken into account, which means that depending
  on the architecture NLMSG_GOODSIZE can exceed PAGE_SIZE, resulting in
  a waste of almost a complete page. Using SKB_MAXORDER solves this
  potential leak at the cost of slightly smaller but safer sizes for
  some architectures.

+ proc-kcore-memory-corruption-1 (Ernie Petrides)
  A fairly nasty memory corruption potential exists when /proc/kcore is
  accessed and there are at least 62 vmalloc'd areas. (...) The fix is
  already in 2.6.

+ net-oops-base_reachable_time-zero-1 (Hideaki Yoshifuji)
  [NET]: Fix kernel oops if base_reachable_time is set to 0.

4) Minor bug fixes
==================

+ ppc32-tlb-miss-handler-1 (Tom Rini / Joakim Tjernlund)
  There is a problem in the TLB Miss (and Error, as they jump to the
  Miss handler) handlers. The problem is that when an app spans more
  than one L1 entry, we don't have all of the correct information, and
  do_page_fault() thinks a protection fault happened, when it didn't
  really. The fix for this is to modify the handlers slightly to force a
  TLB Error in this case.

+ rtnetlink-set-multi-flags-1 (Thomas Graf)
  Set NLM_F_MULTI for neighbour rtnetlink messages to userspace.

+ hiddev-busy-loop-1 (David Micon)
  In the loop, schedule() returns with the current state TASK_RUNNING,
  so at the next revolution it returns immediately, and the task sits
  there burning CPU.

+ msf-overflow-multisession-dvd-1 (Luca Tettamanti)
  This is a backport of my patch that went into 2.6.10. cdrom_read_toc
  (ide-cd.c) always reads the TOC using MSF format. If the last session
  of the disk starts beyond block 1152000 (LBA) there's an overflow in
  the MSF format and the kernel complains: "Unable to identify CD-ROM
  format". So read the multi-session TOC in LBA format in order to avoid
  an overflow in MSF format with multisession DVDs.

+ sparc64-signed-atomic-values-1 (David S. Miller / Hugh Daniels)
  Even though we declare these functions as returning a 32-bit signed
  integer, the sparc64 ABI states that such functions must properly
  sign-extend the return value to the full 64 bits.

+ kfree_skb-missing-memory-barrier-1 (Herbert Xu)
  The bug is that in the case where we do the atomic_read()
  optimization, we need to make sure that reads of skb state later in
  __kfree_skb() processing (particularly the skb->list BUG check) are
  not reordered to occur before the counter read by the cpu.

+ net-put-barriers-around-dst-refcnt-1 (Herbert Xu)
  In light of the recent discussion about sk_buff, I think we need the
  following patch for dst_entry. This adds a memory barrier before
  dst_release drops the refcnt, and a read memory barrier before
  dst_destroy starts destroying the entry.

+ sparc64-atomic-and-bitops-fixes-1 (David S. Miller)
  1) Correct memory barriers. Routines not returning a value need no
     memory barriers, however routines returning values do need them.
  2) Actually implement non-atomic ext2 bitops.

+ sparc64-xchg-use-membars-1 (David S. Miller)
  [SPARC64]: Add missing membars for xchg() and cmpxchg().

+ sparc64-locks-use-membars-1 (David S. Miller)
  [SPARC64]: Add missing membars for xchg() and cmpxchg(). read_unlock
  should order all previous memory operations before the atomic counter
  update to drop the lock. The debugging version of write_unlock had a
  similar error.

+ ipconfig-use-memmove-not-strcpy-1 (Matthew Wilcox)
  strcpy is undefined if src and dest overlap. That's clearly possible
  here with a sufficiently deep path on the server. Use memmove instead.

+ sparc64-mask-32bits-stack-ptr-1 (David S. Miller)
  [SPARC64]: Mask off stack ptr in alloc_user_space() for 32-bit.

+ i386-pci-irq-displays-wrong-pin-1 (Mark Haigh)
  [PATCH] arch/i386/kernel/pci-irq.c: Wrong message output
  I'd submitted a patch earlier for this file, fixing a warning. When I
  looked at it further, I noticed it can output an incorrect warning
  message under certain circumstances. I've confirmed that this can and
  does happen in the wild: (...) This patch also fixes the original
  warning.

+ lp_write-race-can-corrupt-data-1 (Kenneth Sumrall)
  In lp_write(), copy_from_user() is called to copy data into a
  statically allocated kernel buffer before down_interruptible() is
  called. If a second thread of execution comes in between the
  copy_from_user() and the down_interruptible() calls, silent data
  corruption could result.

+ tunsetiff-needs-copy-back-after-ioctl-1 (David S. Miller)
  [COMPAT]: TUNSETIFF needs to copy back data after ioctl. It is defined
  as a _IOW() which is erroneous, it should have been defined as
  _IORW() but that cannot be changed now without breaking all existing
  applications using this ioctl.

+ sparc32-smp-clear-psr_ef-on-fork-1 (David S. Miller)
  [SPARC32]: Need to clear PSR_EF in psr of childregs on fork() on SMP.

+ netlink_remove-unhash-leaks-sockets-1 (Patrick McHardy)
  netlink_remove() only unhashes sockets contained in the first hash
  bucket. This leads to leaking sockets and, over time, to bind
  conflicts which confuse iproute.

+ brlock-causes-deadlock-1 (David S. Miller)
  There were two versions of the big-reader lock implementation.
  1) One using per-cpu reader locks, and a singular write lock.
     Predominantly enabled on x86 and its brothers.
  2) One using non-atomic per-cpu counter, and a single write lock.
     This is what all other platforms were using.
  #1 is unfortunately buggy. brlocks were meant to provide a high
  performance implementation of rwlock_t locks when it is known that the
  lock is taken 99% of the time by readers and that writers are thus
  rare. (...)

+ 32bit-sys_recvmsg-corruption-1 (Stephen Rothwell)
  In the presence of threads, there is a possibility of the kernel being
  fooled by the 32 bit sys_recvmsg control data into copying more than
  it should into the kernel and corrupting kernel data structures. (...)
  This patch just does some more length checking. This bug was actually
  being hit by BIND running at a customer site. It is very hard to hit,
  but (obviously) possible.

+ sparc64-32bit-compat-bugs-1 (David S. Miller)
  Fix 32bit compat layer bugs in sys_ipc() and sys_rt_sigtimedwait().
  1) sys_ipc() compat wrappers need to verify length before allocating
     kernel data and performing copies.
  2) sys_rt_sigtimedwait() had one schedule_timeout() too many.

5) Build fixes
==============

+ configure-mangles-hex-values-1 (Nick Pollitt)
  When doing a make oldconfig, the hex function strips the leading '0x'
  from hex values. The '0x' is needed in the final autoconf.h, and its
  absence causes the following problem.

+ sparc-smb_macros-extra-semicolons-1 (David S. Miller)
  [SPARC]: Fix bogus trailing semicolon in smb_*() macros. Backported
  from 2.6.x

+ sparc-nop-extra-semicolons-1 (David S. Miller)
  [SPARC]: nop() macro has bogus trailing semicolon. Noticed by Bob
  Breuer.

+ sparc64-membar-extra-semicolons-2 (David S. Miller)
  [SPARC64]: Fix trailing semicolon in membar macros.

6) Documentation fixes
======================

none yet.

END.
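The rw_verify_area-against-file-offset-overflow-2 entry above describes the class of check the backported rw_verify_area() performs: reject an IO whose offset plus length would wrap or run past the file-size limit, and honour a per-file maximum IO size. The following is an added, user-space illustration of that check, not the kernel's code and not part of this changelog; the struct file_limits type, the verify_area() function and the two size constants are constructed for the example, and the f_maxcount and large-file-limit fields are assumptions that only mirror the idea of the kernel's fields.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed limits, mirroring the idea of the kernel's per-file limits
 * (assumption for this example, not the real struct file). */
#define MAX_NON_LFS      ((int64_t)0x7fffffff)          /* 2 GiB - 1 */
#define MAX_LFS_FILESIZE ((int64_t)0x7fffffffffffffffLL)

struct file_limits {
    uint64_t f_maxcount;   /* per-file maximum IO size, like f_maxcount */
    int      large_file;   /* non-zero if offsets beyond 2 GiB are allowed */
};

/* Returns 0 if an IO of 'count' bytes starting at 'pos' is acceptable,
 * -EINVAL otherwise. All comparisons are arranged so that no addition
 * can wrap: the remaining room (max - pos) is computed only after pos
 * has been shown to lie inside [0, max]. */
int verify_area(const struct file_limits *f, int64_t pos, uint64_t count)
{
    int64_t max = f->large_file ? MAX_LFS_FILESIZE : MAX_NON_LFS;

    if (count == 0)
        return 0;                       /* zero-length IO is always fine */
    if (pos < 0 || pos > max)
        return -EINVAL;                 /* negative or already past the end */
    if (count > f->f_maxcount)
        return -EINVAL;                 /* exceeds the per-file IO limit */
    /* max - pos cannot be negative here, so the cast is safe; this is the
     * overflow check: the IO must fit entirely below the limit. */
    if (count > (uint64_t)(max - pos))
        return -EINVAL;
    return 0;
}
```

A naive `pos + count > max` test is exactly what this avoids: with a large count the sum can wrap to a small value and pass the check, which is the overflow the backport closes.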
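The 32bit-sys_recvmsg-corruption-1 entry above says only that the fix "does some more length checking" on the 32-bit control data. The added example below, which is not kernel code and not part of this changelog, shows the shape such a check takes: walk the user-supplied control buffer and refuse any cmsg header whose length is smaller than the header itself or larger than what remains in the buffer, before anything is copied. The struct cmsghdr32 layout (u32 len, s32 level, s32 type), the CMSG32_ALIGN macro and the compat_cmsg_payload_len() function are constructed for this example and are assumptions about the 32-bit layout, not the kernel's definitions; the sample buffers in the test are likewise constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit cmsghdr layout (assumption: u32 len, s32 level, s32 type). */
struct cmsghdr32 {
    uint32_t cmsg_len;
    int32_t  cmsg_level;
    int32_t  cmsg_type;
};

/* 32-bit control messages are padded to 4-byte boundaries (assumption). */
#define CMSG32_ALIGN(len) (((len) + sizeof(uint32_t) - 1) & ~(sizeof(uint32_t) - 1))

/* Walks a 32-bit control buffer of 'buflen' bytes. Returns the total number
 * of payload bytes that would need to be copied, or -EINVAL if any header
 * claims a length that does not fit: that is the case the kernel must catch
 * before trusting cmsg_len, since a racing thread can rewrite the buffer. */
long compat_cmsg_payload_len(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    long total = 0;

    while (buflen - off >= sizeof(struct cmsghdr32)) {
        struct cmsghdr32 h;
        /* Read the header once into a local copy; every later decision uses
         * this snapshot, never the user buffer again. */
        memcpy(&h, buf + off, sizeof h);

        if (h.cmsg_len < sizeof(struct cmsghdr32))
            return -EINVAL;             /* header shorter than itself */
        if (h.cmsg_len > buflen - off)
            return -EINVAL;             /* claims more than the buffer holds */

        total += (long)(h.cmsg_len - sizeof(struct cmsghdr32));

        size_t next = CMSG32_ALIGN(h.cmsg_len);
        if (next >= buflen - off)
            break;                      /* this was the last message */
        off += next;
    }
    return total;
}
```

The snapshot-then-check pattern matters as much as the bounds test itself: if the length were re-read from user memory after validation, the threads-based race the entry describes would still be open.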