++      Hot Fix 5 for Linux Kernel 2.4.29 - 2005/03/19 (rev@sync:1.1583)     ++
              Willy Tarreau - EXOSEC  < wtarreau at exosec.net >


Please read the "README" file first. Then, simply run "make" in the directory
containing this file to rebuild the patches referenced in this file.


1) Security fixes
=================
+ flash_erase-checks-cap_sys_admin-1                             (James Nelson)

  This patch adds CAP_SYS_ADMIN checks to the potentially dangerous ioctls
  FLASH_Erase and FLASH_Burn in the Cobalt LCD interface driver.

+ rw_verify_area-against-file-offset-overflow-2                (Linus Torvalds)

  Backport 2.6 rw_verify_area() to check against file offset overflows
  - Make generic rw_verify_area check against file offset overflows.
  - Add 'f_maxcount' to allow filesystems to set a per-file maximum IO size.
  - Rename "locks_verify_area()" to "rw_verify_area()" and clean up the
    arguments.

+ rw_verify_area-missing-f_maxcount-1                          (Solar Designer)
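
  The two rw_verify_area entries above are about one arithmetic mistake: an
  offset check that computes pos + count can wrap past the largest positive
  loff_t and pass a range that ends before it starts. The following is an added
  example (not the kernel's rw_verify_area() and not part of this hot fix) that
  shows the wrap with a model of the unchecked computation next to a check
  written so that no addition can overflow, with the count clamped to a
  per-file limit in the role of f_maxcount. loff_t_ex, LOFF_MAX, verify_area()
  and end_offset_wraps() are names chosen for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Stand-in for the kernel's signed 64-bit loff_t (assumption for this example). */
typedef long long loff_t_ex;

/* Largest positive file offset representable in loff_t_ex. */
#define LOFF_MAX ((loff_t_ex)0x7fffffffffffffffLL)

/* Models the unchecked behaviour: the end offset pos + count is computed in
 * 64-bit arithmetic and silently wraps past LOFF_MAX (or past 2^64).
 * Returns 1 if the end offset wrapped, 0 otherwise. */
int end_offset_wraps(loff_t_ex pos, size_t count)
{
    unsigned long long end = (unsigned long long)pos + (unsigned long long)count;
    return end > (unsigned long long)LOFF_MAX || end < (unsigned long long)pos;
}

/* Overflow-safe check in the spirit of 2.6 rw_verify_area(). Returns the
 * count to use (clamped to the per-file limit f_maxcount) or -EINVAL. */
ssize_t verify_area(loff_t_ex pos, size_t count, size_t f_maxcount)
{
    /* A count with the top bit set would read as a negative ssize_t. */
    if ((ssize_t)count < 0)
        return -EINVAL;
    /* Offsets before the start of the file are never valid. */
    if (pos < 0)
        return -EINVAL;
    /* Rearranged so that no addition can overflow: the count must fit in
     * the space between pos and LOFF_MAX. */
    if ((unsigned long long)count > (unsigned long long)(LOFF_MAX - pos))
        return -EINVAL;
    /* Per-file cap, the role f_maxcount plays in the backport. */
    if (count > f_maxcount)
        count = f_maxcount;
    return (ssize_t)count;
}

int main(void)
{
    loff_t_ex pos = LOFF_MAX - 1;
    printf("pos=%lld count=4096: wraps=%d verify=%zd\n",
           pos, end_offset_wraps(pos, 4096), verify_area(pos, 4096, INT_MAX));
    printf("pos=0 count=8192 f_maxcount=4096: verify=%zd\n",
           verify_area(0, 8192, 4096));
    return 0;
}
```

  The order of the checks matters: the sign test on count comes first so that
  a huge count cannot be turned into something harmless by the clamp, and the
  overflow test subtracts from LOFF_MAX rather than adding to pos.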

+ wireless-data-leak-1                                           (Chris Wright)

  There is a potential leak of kernel data to user space in private
  handler handling. Few drivers use that feature, and there is no risk
  of crash or direct attack, so I would not worry about it.

+ ppp-server-remote-dos-1                                      (Paul Mackerras)

  Remote Linux DoS on ppp servers (CAN-2005-0384)


2) Critical fixes
=================
+ panic-when-backing-up-lvm-snapshots-1                  (Heinz J. Mauelshagen)

  This patch fixes lvm-snap.c in order to avoid a list update on
  the snapshot exception hash happening while only holding a read
  lock as documented in Red Hat bugzilla #135266.


3) Major bug fixes
==================
+ oops-ata_to_sense_error-1                                       (Jeff Garzik)

  Fix an oops in ata_to_sense_error

+ lcd_ioctl-memory-leak-1                                        (James Nelson)

  This patch fixes a memory leak in the FLASH_Burn ioctl for the Cobalt LCD
  interface driver.

+ pkt_sched-netem-leaks-memory-1                            (Stephen Hemminger)

  Good catch.. netem needs to free skb's that are dropped due to loss
  simulation.

+ netlink-fix-nlmsg_goodsize-calculation-1                        (Thomas Graf)

  NLMSG_GOODSIZE specifies a good default size for the skb tailroom
  used in netlink messages when the size is unknown at the time of
  the allocation.
  
  The current value doesn't make much sense anymore because
  skb_shared_info isn't taken into account, which means that
  depending on the architecture NLMSG_GOODSIZE can exceed PAGE_SIZE,
  resulting in a waste of almost a complete page.
  
  Using SKB_MAXORDER solves this potential leak at the cost of
  slightly smaller but safer sizes for some architectures.
  
+ proc-kcore-memory-corruption-1                               (Ernie Petrides)

  A fairly nasty memory corruption potential exists when
  /proc/kcore is accessed and there are at least 62 vmalloc'd areas.
  (...)
  The fix is already in 2.6.

+ net-oops-base_reachable_time-zero-1                        (Hideaki Yoshifuji)

  [NET]: Fix kernel oops if base_reachable_time is set to 0.

+ x86_64-fix-x87-tag-word-emulation-1                          (Roland McGrath)

  Fix x87 fnsave Tag Word emulation when using FXSR (SSE).
  The fxsave instruction does not save the x87 tag word (only the empty bits),
  and we re-created the old-style x87 tags incorrectly. The registers are saved
  in "stack order" in the save area, but the tag word bits are in "hardware
  order", and we need to get the right register state. Both x86 and x86-64
  needed this fix.

+ possible-pty-line-discipline-race-1                          (Linus Torvalds)

  [PATCH] Workaround possible pty line discipline race.
  It's in no way "correct", in that the race hasn't actually gone away by this
  patch, but the patch makes it unimportant. We may end up calling a stale line
  discipline, which is still very wrong, but it so happens that we don't much
  care in practice. I think that in a 2.4.x tree there are some theoretical SMP
  races with module unloading etc (which the 2.6.x code doesn't have because
  module unload stops the other CPU's - maybe that part got backported to
  2.4.x?), but quite frankly, I suspect that even in 2.4.x they are entirely
  theoretical and impossible to actually hit. And again, in theory some line
  discipline might do something strange in its "chars_in_buffer" routine that
  would be problematic. In practice that's just not the case: the
  "chars_in_buffer()" routine might return a bogus _value_ for a stale line
  discipline thing, but none of them seem to follow any pointers that might
  have become invalid (and in fact, most ldiscs don't even have that function).

+ softdog-does-not-reboot-on-close-1                           (Jacques Basson)

  There is a bug in the softdog.c (v 0.05) in the 2.4 kernel series (certainly
  in 2.4.29 and there are no references to it in the latest Changelog) that
  won't reboot the machine if /dev/watchdog is closed unexpectedly and nowayout
  is not set.


4) Minor bug fixes
==================
+ ppc32-tlb-miss-handler-1                        (Tom Rini / Joakim Tjernlund)

  There is a problem in the TLB Miss (and Error, as they jump to the Miss
  handler) handlers.  The problem is that when an app spans more than one L1
  entry, we don't have all of the correct information, and do_page_fault()
  thinks a protection fault happened, when it didn't really.  The fix for
  this is to modify the handlers slightly to force a TLB Error in this case.

+ rtnetlink-set-multi-flags-1                                     (Thomas Graf)

  Set NLM_F_MULTI for neighbour rtnetlink messages to userspace.

+ hiddev-busy-loop-1                                              (David Micon)

  In the loop, schedule() returns with the current state TASK_RUNNING,
  so at the next revolution it returns immediately, and the task sits
  there burning CPU.

+ msf-overflow-multisession-dvd-1                             (Luca Tettamanti)

  This is a backport of my patch that went into 2.6.10. cdrom_read_toc
  (ide-cd.c) always reads the TOC using MSF format. If the last session
  of the disk starts beyond block 1152000 (LBA) there's an overflow in
  the MSF format and kernel complains:

      Unable to identify CD-ROM format.

  So read the multi-session TOC in LBA format in order to avoid an
  overflow in MSF format with multisession DVDs.
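
  The MSF form packs minutes, seconds and frames into one byte each, so the
  minute field wraps once LBA + 150 (the two-second lead-in) reaches 256
  minutes, i.e. 256 * 60 * 75 = 1152000 frames. The following is an added
  example (not ide-cd.c and not part of this hot fix) that models that
  conversion, shows that the wrap is silent, and adds a guard returning an
  error where the value no longer fits; the real fix above avoids the problem
  by reading the multi-session TOC in LBA format instead. The function names
  and MSF_MAX_LBA are chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

#define CD_FRAMES     75    /* frames per second */
#define CD_SECS       60    /* seconds per minute */
#define CD_MSF_OFFSET 150   /* MSF 00:02:00 corresponds to LBA 0 */

/* Unchecked conversion with one byte per field: the minute field wraps
 * once lba + CD_MSF_OFFSET reaches 256 minutes. */
void lba_to_msf_unchecked(int lba, uint8_t *m, uint8_t *s, uint8_t *f)
{
    lba += CD_MSF_OFFSET;
    *m = (uint8_t)(lba / (CD_SECS * CD_FRAMES));
    lba %= CD_SECS * CD_FRAMES;
    *s = (uint8_t)(lba / CD_FRAMES);
    *f = (uint8_t)(lba % CD_FRAMES);
}

int msf_to_lba(uint8_t m, uint8_t s, uint8_t f)
{
    return ((int)m * CD_SECS + (int)s) * CD_FRAMES + (int)f - CD_MSF_OFFSET;
}

/* Returns 1 if the address survives a round trip through MSF, 0 if not. */
int msf_roundtrips(int lba)
{
    uint8_t m, s, f;
    lba_to_msf_unchecked(lba, &m, &s, &f);
    return msf_to_lba(m, s, f) == lba;
}

/* Largest LBA whose MSF form still fits in three bytes (1151849). */
#define MSF_MAX_LBA (256 * CD_SECS * CD_FRAMES - CD_MSF_OFFSET - 1)

/* Guarded conversion: 0 on success, -1 if the value does not fit in MSF. */
int lba_to_msf_checked(int lba, uint8_t *m, uint8_t *s, uint8_t *f)
{
    if (lba < 0 || lba > MSF_MAX_LBA)
        return -1;
    lba_to_msf_unchecked(lba, m, s, f);
    return 0;
}

/* Convenience wrapper: 1 if lba is representable in MSF, 0 otherwise. */
int msf_fits(int lba)
{
    uint8_t m, s, f;
    return lba_to_msf_checked(lba, &m, &s, &f) == 0;
}

int main(void)
{
    int probes[] = { 1151849, 1151850, 1152000 };
    for (int i = 0; i < 3; i++)
        printf("LBA %d: fits=%d round-trips=%d\n",
               probes[i], msf_fits(probes[i]), msf_roundtrips(probes[i]));
    return 0;
}
```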

+ sparc64-signed-atomic-values-1               (David S. Miller / Hugh Daniels)

  Even though we declare these functions as returning a 32-bit signed
  integer, the sparc64 ABI states that such functions must properly
  sign-extend the return value to the full 64-bits.

+ kfree_skb-missing-memory-barrier-1                               (Herbert Xu)

  The bug is that in the case where we do the atomic_read()
  optimization, we need to make sure that reads of skb state
  later in __kfree_skb() processing (particularly the skb->list
  BUG check) are not reordered to occur before the counter
  read by the cpu.

+ net-put-barriers-around-dst-refcnt-1                             (Herbert Xu)

  In light of the recent discussion about sk_buff, I think we need
  the following patch for dst_entry.  This adds a memory barrier
  before dst_release drops the refcnt, and a read memory barrier
  before dst_destroy starts destroying the entry.

+ sparc64-atomic-and-bitops-fixes-1                           (David S. Miller)

  1) Correct memory barriers.  Routines not returning a value need
     no memory barriers, however routines returning values do need
     them.
  2) Actually implement non-atomic ext2 bitops.

+ sparc64-xchg-use-membars-1                                  (David S. Miller)

  [SPARC64]: Add missing membars for xchg() and cmpxchg().

+ sparc64-locks-use-membars-1                                 (David S. Miller)

  [SPARC64]: Add missing membars for xchg() and cmpxchg().
  read_unlock should order all previous memory operations
  before the atomic counter update to drop the lock.
  The debugging version of write_unlock had a similar error.

+ ipconfig-use-memmove-not-strcpy-1                            (Matthew Wilcox)

  strcpy is undefined if src and dest overlap.  That's clearly possible
  here with a sufficiently deep path on the server.  Use memmove instead.

+ sparc64-mask-32bits-stack-ptr-1                             (David S. Miller)

  [SPARC64]: Mask off stack ptr in alloc_user_space() for 32-bit.

+ i386-pci-irq-displays-wrong-pin-1                                (Mark Haigh)

  [PATCH] arch/i386/kernel/pci-irq.c: Wrong message output
  
  I'd submitted a patch earlier for this file, fixing a warning.  When I
  looked at it further, I noticed it can output an incorrect warning
  message under certain circumstances.  I've confirmed that this can and
  does happen in the wild:
  (...)  
  This patch also fixes the original warning:

+ lp_write-race-can-corrupt-data-1                            (Kenneth Sumrall)

  In lp_write(), copy_from_user() is called to copy data into a statically
  allocated kernel buffer before down_interruptible() is called.  If a
  second thread of execution comes in between the copy_from_user() and
  the down_interruptible() calls, silent data corruption could result.

+ tunsetiff-needs-copy-back-after-ioctl-1                     (David S. Miller)

  [COMPAT]: TUNSETIFF needs to copy back data after ioctl.
  It is defined as a _IOW() which is erroneous, it should
  have been defined as _IORW() but that cannot be changed
  now without breaking all existing applications using this
  ioctl.

+ sparc32-smp-clear-psr_ef-on-fork-1                          (David S. Miller)

  [SPARC32]: Need to clear PSR_EF in psr of childregs on fork() on SMP.

+ netlink_remove-unhash-leaks-sockets-1                       (Patrick McHardy)

  netlink_remove() only unhashes sockets contained in the 
  first hash bucket.  This leads to leaking sockets and,
  over time, to bind conflicts which confuse iproute.

+ brlock-causes-deadlock-1                                    (David S. Miller)

  There were two versions of the big-reader lock implementation.
  
  1) One using per-cpu reader locks, and a singular write lock.
     Predominantly enabled on x86 and its brothers.
  
  2) One using non-atomic per-cpu counter, and a single write lock.
     This is what all other platforms were using.
  
  #1 is unfortunately buggy.  brlocks were meant to provide a
  high performance implementation of rwlock_t locks when it
  is known that the lock is taken 99% of the time by readers
  and that writers are thus rare. (...)  

+ 32bit-sys_recvmsg-corruption-1                             (Stephen Rothwell)

  In the presence of threads, there is a possibility of the kernel being
  fooled by the 32 bit sys_recvmsg control data into copying more than it
  should into the kernel and corrupting kernel data structures. (...)
  This patch just does some more length checking. This bug was actually
  being hit by BIND running at a customer site.  It is very hard to hit,
  but (obviously) possible.
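
  The compat path has to rebuild 32-bit control messages (12-byte cmsghdr,
  4-byte alignment) into the native 64-bit layout (16-byte cmsghdr, 8-byte
  alignment), and the only thing that tells it how much data each message
  carries is the user-supplied cmsg_len. The following is an added example
  (not the kernel's cmsg32 fixup code and not part of this hot fix) of the
  length checking the entry above refers to: every cmsg_len is checked against
  its own header size and against the bytes actually left in the buffer before
  the 64-bit size is accumulated, so the size allocated can never be smaller
  than what is later copied. SOL_SOCKET and SCM_RIGHTS come from
  <sys/socket.h>; the sample buffers are constructed here, and the function
  names are chosen for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* SOL_SOCKET, SCM_RIGHTS */

/* 32-bit cmsghdr: u32 cmsg_len, s32 cmsg_level, s32 cmsg_type, 4-byte aligned. */
#define CMSG32_HDR       12u
#define CMSG32_ALIGN(n)  (((n) + 3u) & ~3u)
/* 64-bit cmsghdr: u64 cmsg_len, s32 cmsg_level, s32 cmsg_type, 8-byte aligned. */
#define CMSG64_HDR       16u
#define CMSG64_ALIGN(n)  (((n) + 7u) & ~7u)

/* Walk a control buffer in 32-bit layout and return the number of bytes the
 * same messages occupy in 64-bit layout, or -EINVAL if any cmsg_len is
 * shorter than a header or longer than what remains in the buffer. */
long cmsg32_verify_and_size(const unsigned char *buf, size_t len)
{
    size_t off = 0, need = 0;

    while (off + CMSG32_HDR <= len) {
        uint32_t clen;
        memcpy(&clen, buf + off, sizeof clen);
        if (clen < CMSG32_HDR)          /* shorter than its own header */
            return -EINVAL;
        if (clen > len - off)           /* runs past the end of the buffer */
            return -EINVAL;
        need += CMSG64_ALIGN(CMSG64_HDR + (clen - CMSG32_HDR));
        off += CMSG32_ALIGN(clen);      /* padding may step past len; loop ends */
    }
    return (long)need;
}

/* Append one 32-bit cmsg with an explicitly chosen cmsg_len field (so a
 * caller can lie about it) and return the next write offset. */
size_t put_cmsg32(unsigned char *buf, size_t off, uint32_t cmsg_len,
                  int32_t level, int32_t type, const void *data, size_t datalen)
{
    memcpy(buf + off, &cmsg_len, 4);
    memcpy(buf + off + 4, &level, 4);
    memcpy(buf + off + 8, &type, 4);
    memcpy(buf + off + CMSG32_HDR, data, datalen);
    return off + CMSG32_ALIGN(CMSG32_HDR + datalen);
}

/* Constructed sample: two SCM_RIGHTS messages carrying one and two fds.
 * With lie != 0 the second header claims far more data than is present. */
size_t build_sample(unsigned char *buf, int lie)
{
    int32_t one_fd[1] = { 3 };
    int32_t two_fds[2] = { 4, 5 };
    size_t off = put_cmsg32(buf, 0, CMSG32_HDR + sizeof one_fd,
                            SOL_SOCKET, SCM_RIGHTS, one_fd, sizeof one_fd);
    uint32_t second_len = lie ? 0xfffffff0u : CMSG32_HDR + sizeof two_fds;
    return put_cmsg32(buf, off, second_len,
                      SOL_SOCKET, SCM_RIGHTS, two_fds, sizeof two_fds);
}

/* Build the sample and validate it: 48 for the honest buffer, -EINVAL for the lie. */
long check_sample(int lie)
{
    unsigned char buf[64];
    size_t len = build_sample(buf, lie);
    return cmsg32_verify_and_size(buf, len);
}

/* A header whose cmsg_len (4) is smaller than the header itself. */
long check_short_header(void)
{
    unsigned char buf[16];
    int32_t fd = 3;
    size_t len = put_cmsg32(buf, 0, 4, SOL_SOCKET, SCM_RIGHTS, &fd, sizeof fd);
    return cmsg32_verify_and_size(buf, len);
}

int main(void)
{
    printf("honest: %ld, lying: %ld, short header: %ld\n",
           check_sample(0), check_sample(1), check_short_header());
    return 0;
}
```

  The same rule (validate the user-supplied length against what was actually
  copied in before sizing or copying anything) is what the sys_ipc() compat
  wrappers in the next entry were missing.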

+ sparc64-32bit-compat-bugs-2                                 (David S. Miller)

  Fix 32bit compat layer bugs in sys_ipc() and sys_rt_sigtimedwait().
  1) sys_ipc() compat wrappers need to verify length before allocating
     kernel data and performing copies.
  2) sys_rt_sigtimedwait() had one schedule_timeout() too many.
  
+ genesys-usb-workarounds-1                                      (Pete Zaitcev)

  Disk enclosures with Genesys Logics chipset require additional delays, or
  commands are not processed. Also, their maximum transfer size is limited.
  Patch by Martin Strigl.

+ libata-missing-hook-oops-1                                      (Jeff Garzik)

  Advanced SATA drivers should not (and cannot) use the basic PCI IDE hooks for
  checking the Status and Error registers, as these registers are either in
  non-standard locations, or simply don't exist. In the error handling path,
  libata was unconditionally calling some PCI IDE hardware bitbanging
  functions, which would cause an oops in the AHCI driver and any other
  advanced libata driver.

+ synclinkmp-register-access-typo-1                              (Paul Fulghum)

  Fix typo to correctly access rx ready control (RRC) register instead of the
  tx ready control (TRC0) register.

+ aic7xxx-do-not-reset-on-pause-1                                 (Matt Domsch)

  Patch below taken from RHEL3 Update 4 kernel 2.4.21-27.EL, fixes a bug in
  the aic79xx and aic7xxx drivers, where upon trying to pause the controller
  chip, it is accidentally hard-reset.  This causes PCI Parity errors to appear
  on Dell PowerEdge 4600 servers as the inb() immediately after accidental
  reset receives corrupted data. Patch was submitted by Justin Gibbs many moons
  ago, but never applied to mainline 2.4. It's in mainline 2.6.
  
+ fix-swapoff-after-recreating-device-1                        (Solar Designer)

  [PATCH] Fix for swapoff after re-creating device files
  If device is recreated the current dentry-only comparison in sys_swapoff()
  might have problems.

+ sd-fix-partition-count-1                                            (Soo Lee)

  When a scsi disk is removed, another scsi disk with the biggest minor #
  disappears from /proc/partitions at the same time. sd.c decreases nr_real on
  disk removal, but because nr_real is not the real # of devices but the max #
  of devices of a major #, it doesn't need to be changed on disk add/remove.
  2.6 has a slightly different structure but does it like this.

+ af_unix-fix-siocinq-for-stream-1                            (David S. Miller)

  [AF_UNIX]: Fix SIOCINQ for STREAM.
  We should report the total bytes in the whole receive queue, not just the
  first packet, in these cases. Reported by Uwe Bonnes.

+ scsi-tapes-return-enomem-1                                  (Marcelo Tosatti)
+ scsi-tapes-allow-lseek-2                                    (Marcelo Tosatti)

  Allow lseek on SCSI tapes and OSST again. Recently broken by a security fix.

+ write-throttling-ignore-free-highmem-1                     (Andrea Arcangeli)

  I got reports of stalls with heavy writes on 2.4. There was a mistake in
  nr_free_buffer_pages. That function is definitely meant _not_ to take highmem
  into account (dirty cache cannot spread over highmem in 2.4 [even when on top
  of fs]). For unknown reasons it was actually taking highmem into account. The
  code was obviously meant not to take it into account (see the GFP_USER and
  zonelist), except it wasn't using the zonelist. That is a severe problem
  because there will be no write throttling at all, and no bdflush wakeup
  either. This is a noop for all systems <800M (1G shouldn't be noticeable
  either). This is why most people can't notice.

+ get_user_pages-no-pg_reserved-1                            (Andrea Arcangeli)

  get_user_pages() shall not grab PG_reserved pages.

  
5) Build fixes
==============
+ configure-mangles-hex-values-1                                 (Nick Pollitt)

  When doing a make oldconfig, the hex function strips the leading '0x'
  from hex values. The '0x' is needed in the final autoconf.h, and its
  absence causes the following problem.

+ sparc-smb_macros-extra-semicolons-1                         (David S. Miller)

  [SPARC]: Fix bogus trailing semicolon in smb_*() macros.
  Backported from 2.6.x

+ sparc-nop-extra-semicolons-1                                (David S. Miller)

  [SPARC]: nop() macro has bogus trailing semicolon 
  Noticed by Bob Breuer.

+ sparc64-membar-extra-semicolons-2                           (David S. Miller)

  [SPARC64]: Fix trailing semicolon in membar macros.

+ sparc32-fix-parallel-build-1                                (crn:netunix.com)

  [SPARC32]: Fix build dependencies for vmlinux.o
  This helps make parallel builds work properly.


6) Documentation fixes
======================
none yet.

END.
