Changelog from 2.4.30-hf8 to 2.4.30-hf9 --------------------------------------- '+' = added ; '-' = removed + 2.4.31-fix-can-2005-0204-1 (Suresh Siddha / Horms) [CAN-2005-0204]: AMD64, allows local users to write to privileged IO ports via OUTS instruction. Added definition of IO_BITMAP_BYTES. + 2.4.31-routing_ioctl-lost-sockfd_put-1 (Kirill Korotaev) This patch adds lost sockfd_put() in 32bit compat rounting_ioctl() on 64bit platforms. I believe this is a security issues, since user can fget() file as many times as he wants to. The oops can be done under files_lock and others, so this can be an exploitable DoS on SMP. Didn't checked it on practice actually. + 2.4.31-x86_64-lost-fput-32bit-ioctl-1 (Kirill Korotaev) This patch adds lost fput in 32bit tiocgdev ioctl on x86-64. I believe this is a security issues, since user can fget() file as many times as he wants to. The oops can be done under files_lock and others, so this is really exploitable DoS on SMP. Didn't checked it on practice actually. + 2.4.31-ia64-page_no_present-fault-1 (Kiyoshi Ueda) [PATCH] IA64: page_not_present fault in region 5 is normal Without this patch, exception handler can be unexpectedly invoked for page-not-present fault in region 5 and cause panic etc. + 2.4.31-nfs-client-long-symlinks-1 (Assar Westerlund) [PATCH] nfs client: handle long symlinks properly. In 2.4.31, the v2/3 nfs readlink accepts too long symlinks. I have tested this by having a server return long symlinks. Changelog From 2.4.30-hf7 to 2.4.30-hf8 --------------------------------------- '+' = added ; '-' = removed + 2.4.31-size_buffers_type-overflow-1 (Andrea Arcangeli) [PATCH] Andrea Arcangeli: avoid size_buffers_type overflow size_buffers_type array, which is an unsigned long, can overflow on 32-bits: its perfectly possible for PAE machines to have more than 4Gb of data mapped by buffer_head's at the same time. Avoid that by accounting 1/512 of the real size (size >> 9). + 2.4.31-incorrect-fp-signal-delivery-1 (Chuck Ebbert) [PATCH] i386: fix incorrect FP signal delivery i386 floating-point exception handling has a bug that can cause error code 0 to be sent instead of the proper code during signal delivery. + 2.4.31-ipv4-peers-negative-timer-1 (Dave Johnson) [IPV4]: Fix negative timer loop with lots of ipv4 peers. peer_check_expire() in net/ipv4/inetpeer.c isn't using inet_peer_gc_mintime correctly and will end up creating an expire timer with less than the minimum duration, and even zero/negative if enough active peers are present. If >65K peers, the timer will be less than inet_peer_gc_mintime, and with >70K peers, the timer duration will reach zero and go negative. + 2.4.31-ipv6-route-events-with-wrong-netlink-pid-1 (Hasso Tepper) [IPV6]: Route events reported with wrong netlink PID and seq number Attached is backport of patch from jamal already in the 2.6 kernel - It would be very nice to see it in the 2.4 kernel as well, as I keep receiving reports from users that "Quagga IPv6 is broken with 2.4 kernel". + 2.4.31-nat-module-load-race-1 (Patrick McHardy) [NETFILTER]: Handle NAT module load race When the NAT module is loaded when connections are already confirmed it must not change their tuples anymore. This is especially important with CONFIG_NETFILTER_DEBUG, the netfilter listhelp functions will refuse to remove an entry from a list when it can not be found on the list, so when a changed tuple hashes to a new bucket the entry is kept in the list until and after the conntrack is freed. Allocate the exact conntrack tuple for NAT for already confirmed connections or drop them if that fails. + 2.4.31-sparc64-do_netfilter_replace-use-vmalloc-1 (Gustavo Zacarias) [SPARC64]: Use vmalloc() in do_netfilter_replace() Otherwise the number of rules one can upload into the kernel is severely limited. Changelog From 2.4.30-hf6 to 2.4.30-hf7 --------------------------------------- '+' = added ; '-' = removed - 2.4.31-zlib-security-bugs-1 (Tim Yamin) + 2.4.31-zlib-security-bugs-2 (Tim Yamin, Sergey Vlasov) Reverted the Z_OK to Z_DATA_ERROR changes in inftrees.c (& PPC). + 2.4.31-zisofs-check-deflatebound-1 (Linus Torvalds) [PATCH] PATCH: Fix outstanding gzip/zlib security issues Add fakey 'deflateBound()' function to the in-kernel zlib routines. It's not the real deflateBound() in newer zlib libraries, partly because the upcoming usage of it won't have the "stream" available, so we can't have the same interfaces anyway. Problem noted by Tim Yamin. + 2.4.31-nat-fix-memory-corruption-1 (Patrick McHardy) [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT) + 2.4.31-isofs-option-parse-fix-1 (Horms + Andrey J.Melnikoff) Fix isofs option parser. If iocharset, map or session are matched, then none of the if or else if clauses under sbsector will match (that is none of these clauses match iocharset, map or session), and thus the else clause will be hit, and the function will return 1 without parsing any furhter options. Also fix gcc-3.4 warnings. + 2.4.31-netfilter-tcp-unclean-1.diff (Patrick McHardy) [NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean + 2.4.31-redblacktree-missing-returns-1 (deep-blue@t-online.de) [PATCH] fix RedBlackTree rb_next/rb_prev functions. I have found a bug in the source of rbtree.c file in /lib. In Kernel 2.6 it's ok, but 2.4.31 has this error. We try to use it with the jffs2 source code and only with this fix it works fine. + 2.4.31-alpha-cabriolet-needs-ns87312-1 (Bill Dupree) [PATCH] Fix Alpha AXP Cabriolet build. Alpha AXP Cabriolet build fails with unresolved reference to ns87312_enable_ide(). Changelog From 2.4.30-hf5 to 2.4.30-hf6 (semi-automated) --------------------------------------- '+' = added ; '-' = removed + 2.4.31-zlib-security-bugs-1 (Tim Yamin) Fix outstanding security bugs in the Linux zlib implementations. See: a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html b) http://bugs.gentoo.org/show_bug.cgi?id=94584 + 2.4.31-ip_vs_conn_tab-race-1 (Neil Horman) [IPVS]: Close race conditions on ip_vs_conn_tab list modification. In an smp system, it is possible for an connection timer to expire, calling ip_vs_conn_expire while the connection table is being flushed, before ct_write_lock_bh is acquired. (...) The result is that the next pointer gets set to NULL, and subsequently dereferenced, resulting in an oops. + 2.4.31-inode-cache-smp-races-1 (Larry Woodman) [PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races Over the past couple of weeks we have seen two races in the inode cache code. The first is between [dispose_list()] and __refile_inode() and the second is between prune_icache() and truncate_inodes(). Fixes bug 155289. + 2.4.31-netlink-socket-hashing-bugs-2 (David S. Miller) [NETLINK]: Fix two socket hashing bugs. netlink_release() should only decrement the hash entry count if the socket was actually hashed. netlink_autobind() needs to propagate the error return from netlink_insert(). Otherwise, callers will not see the error as they should and thus try to operate on a socket with a zero pid, which is very bad. Thanks to Jakub Jelinek for providing backtraces, and Herbert Xu for debugging patches to help track this down. + 2.4.31-sparc64-sys32_utimes-random-timestamps-1 (Jakub Bogusz) [SPARC64]: fix sys32_utimes(somefile, NULL) This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel with 32-bit userland - use of uninitialized value resulted in making random timestamps, which confused e.g. sudo. It has been already fixed (by davem) in linux-2.6 tree 30 months ago. Changelog From 2.4.30-hf4 to 2.4.30-hf5 (semi-automated) --------------------------------------- '+' = added ; '-' = removed - 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller) David told Marcelo this patch was not correct and that a better fix will follow later. + 2.4.31-null-deref-cyclades-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/cyclades.c + 2.4.31-null-deref-esp-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/esp.c + 2.4.31-null-deref-isicom-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/isicom.c + 2.4.31-null-deref-mxser-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/mxser.c + 2.4.31-null-deref-riscom8-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/riscom8.c + 2.4.31-null-deref-specialix-1 (Julien Tinnes) Fix two potential NULL dereferences in drivers/char/specialix.c Changelog From 2.4.30-hf3 to 2.4.30-hf4 (semi-automated) --------------------------------------- '+' = added ; '-' = removed + 2.4.31-sparc64-solaris-emu-check-cmsg-len-1 (David S. Miller) [SPARC64]: Fix cmsg length checks in Solaris emulation layer. + 2.4.31-x86_64-ia64-32bit-execve-overflow-1 (Andi Kleen) [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted by Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other architectures are not affected. + 2.4.31-x86_64-ptrace-check-canonical-addr-1 (Andi Kleen) [PATCH] Check for canonical addresses in ptrace Check for canonical addresses in ptrace. This works around a AMD bug that allows to hang the CPU by passing illegal addresses. + 2.4.31-x86_64-fix-ptrace-check-for-seg-regs-1 (Andi Kleen) [PATCH] Fix canonical checking for segment registers in ptrace Fix canonical checking for segment registers in ptrace. This avoids a local DOS where a process could oops the kernel by passing bogus values to ptrace. Some versions of UML did this. Found by Alexander Nyberg + 2.4.31-x86_64-disable-exception-stack-1 (Andi Kleen) [PATCH] x86_64: Disable exception stack for stack faults Just drop the exception stack for stack segment faults. This will make some oops triple fault now, but that's better than allowing user triggerable oops. Found from RedHat QA using crashme + 2.4.31-bluetooth-hci_usb-race-hangs-kernel-1 (Marcel Holtmann) [PATCH] Fix introduced in 2.4.27pre2 for bluetooth hci_usb race causes kernel hang. > I have noticed a problem with a race condition fix introduced in > 2.4.27-pre2 that causes the kernel to hang when disconnecting a > Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message is > printed, the kernel just doesn't respond anymore. if this works then we should do the same change in the bfusb driver. A patch that fixes both drivers is attached. + 2.4.31-netlink-socket-hashing-bugs-1 (David S. Miller) [NETLINK]: Fix two socket hashing bugs. netlink_release() should only decrement the hash entry count if the socket was actually hashed. netlink_autobind() needs to propagate the error return from netlink_insert(). Otherwise, callers will not see the error as they should and thus try to operate on a socket with a zero pid, which is very bad. Thanks to Jakub Jelinek for providing backtraces, and Herbert Xu for debugging patches to help track this down. + 2.4.31-no-32bit-moves-on-seg-regs-1 (H. J. Lu) [PATCH] newer i386/x86_64 assemblers prohibit instructions for moving between a seg register and a 32bit location. The new i386/x86_64 assemblers no longer accept instructions for moving between a segment register and a 32bit memory location. Changelog From 2.4.30-hf2 to 2.4.30-hf3 (semi-automated) --------------------------------------- '+' = added ; '-' = removed + 2.4.30-ipvs-unchecked-strcpy-1.diff (the PaX team) Replaced several unchecked strcpy() with strncpy(). + 2.4.30-loop-off-by-one-1 (Julien Tinnes) There is an obvious off by one bug in loop.c in kernel 2.4. + 2.4.30-rtnetlink-off-by-one-1 (Julien Tinnes) [RTNETLINK]: Fix off-by-one error in rtnetlink.c + 2.4.30-random-poolsize-sysctl-fix-1 (Vasily Averin) [PATCH] random poolsize sysctl fix SWSoft Linux kernel Team has discovered that your patch which should fix a random poolsize sysctl handler integer overflow, is wrong. You have changed a variable definition in function proc_do_poolsize(), but you had to fix an another function, poolsize_strategy() + 2.4.30-serial-null-dereference-1.diff (Julien Tinnes) Potential null pointer dereference in serial driver. + 2.4.30-mtrr-off-by-one-1.diff (Brad Spengler/Julien Tinnes) In mtrr_write(), if len==0, -1 is passed to copy_from_user(), which will trigger BUG_ON((long)n < 0). Brad found it, Julien explained it to me. + 2.4.30-jfs_read_super-oops-1 (Mike Kasick) [PATCH] JFS oops fix Specifically, the kernel attempts to mount root with JFS first, and upon aborting jfs_read_super(), the value of sbi->nls_tab is -1, a non-NULL value that causes unload_nls() to be called on garbage data leading to a NULL pointer dereference. + 2.4.30-usb-io_edgeport-oops-1 (Marcelo Tosatti) USB: fix oops in io_edgeport.c driver (2.6 backport) + 2.4.30-stretch-ack-kills-performance-1 (David Miller) [TCP]: Fix stretch ACK performance killer when doing ucopy. When we are doing ucopy, we try to defer the ACK generation to cleanup_rbuf(). This works most of the time very well, but if the ucopy prequeue is large, this ACKing behavior kills performance. + 2.4.30-xfs-build-without-debug-1 (Christoph Hellwig) [PATCH] XFS: fix compilation error > 2.4.30 will not compile if XFS is turned on, but XFS debugging is not. Looks like a trivial one-liner got lost when merging from the SGI CVS tree. Changelog From 2.4.30-hf1 to 2.4.30-hf2 (semi-automated) --------------------------------------- '+' = added ; '-' = removed + 2.4.30-vuln-CAN-2005-1263-1 (Greg KH, Chris Wright) From Paul Starzetz: A locally exploitable flaw has been found in the Linux ELF binary format loader's core dump function that allows local users to gain root privileges and also execute arbitrary code at kernel privilege level. Changelog From 2.4.30 to 2.4.30-hf1 (semi-automated) --------------------------------------- '+' = added ; '-' = removed + 2.4.30-panic-if-more-than-one-moxa-2 (David Monniaux) [PATCH] fix moxa crash with more than one 1 board. The current Moxa Intellio driver (moxa.c) panics when using > 1 board. Fixed build by declaring variable prior to usage - Willy. + 2.4.30-bonding-rmmod-oops-1 (Mitch Williams) It fixes a stack dump when unloading the bonding module in 802.3ad mode if spinlock debugging is turned on, and it was already merged in 2.6. + 2.4.30-madvise-must-return-EIO-1 (Hugh Dickins) [PATCH] madvise_willneed -EIO beyond EOF. When the rlim_rss was removed from madvise_willneed, we unintentionally changed its error when applied to an area wholly beyond end of file: it used to report -EIO (whereas 2.6 reports success), it currently reports the confusingly inappropriate -EBADF. Revert to -EIO in that case. + 2.4.30-rwsem-spinlocks-must-disable-interrupts-2 (David Howells) [PATCH] rwsem: Make rwsems use interrupt disabling spinlocks. The attached patch makes read/write semaphores use interrupt disabling spinlocks in the slow path, thus rendering the up functions and trylock functions available for use in interrupt context. This matches the regular semaphore behaviour. Typo fixed by Mikael Pettersson.