++              Hot Fix 4 for Linux Kernel 2.4.31 - 2005/08/20               ++
              Willy Tarreau - EXOSEC  < wtarreau at exosec.net >


Please read the "README" file first. Then, simply run "make" in the directory
containing this file to rebuild the patches referenced in this file.


1) Security fixes
=================
+ 2.4.31-sparc64-solaris-emu-check-cmsg-len-1              (David S. Miller)

  [SPARC64]: Fix cmsg length checks in Solaris emulation layer.

+ 2.4.31-x86_64-ia64-32bit-execve-overflow-1                    (Andi Kleen)

  [PATCH] Fix buffer overflow in x86-64/ia64 32bit execve
  Fix buffer overflow in x86-64/ia64 32bit execve. Originally noted
  by Ilja van Sprundel. I fixed it for both x86-64 and IA64. Other
  architectures are not affected.

+ 2.4.31-x86_64-ptrace-check-canonical-addr-1                   (Andi Kleen)

  [PATCH] Check for canonical addresses in ptrace
  Check for canonical addresses in ptrace. This works around a AMD
  bug that allows to hang the CPU by passing illegal addresses.

+ 2.4.31-x86_64-fix-ptrace-check-for-seg-regs-1                 (Andi Kleen)

  [PATCH] Fix canonical checking for segment registers in ptrace
  Fix canonical checking for segment registers in ptrace. This avoids a
  local DOS where a process could oops the kernel by passing bogus values
  to ptrace. Some versions of UML did this. Found by Alexander Nyberg

+ 2.4.31-x86_64-disable-exception-stack-1                       (Andi Kleen)

  [PATCH] x86_64: Disable exception stack for stack faults
  Just drop the exception stack for stack segment faults. This will
  make some oops triple fault now, but that's better than allowing
  user triggerable oops.  Found from RedHat QA using crashme

+ 2.4.31-null-deref-cyclades-1                               (Julien Tinnes)

  Fix two potential NULL dereferences in drivers/char/cyclades.c

+ 2.4.31-null-deref-esp-1                                    (Julien Tinnes)

  Fix two potential NULL dereferences in drivers/char/esp.c

+ 2.4.31-null-deref-isicom-1                                 (Julien Tinnes)

  Fix two potential NULL dereferences in drivers/char/isicom.c

+ 2.4.31-null-deref-mxser-1                                  (Julien Tinnes)

  Fix two potential NULL dereferences in drivers/char/mxser.c

+ 2.4.31-null-deref-riscom8-1                                (Julien Tinnes)

  Fix two potential NULL dereferences in drivers/char/riscom8.c

+ 2.4.31-null-deref-specialix-1                              (Julien Tinnes)

  Fix two potential NULL dereferences in drivers/char/specialix.c

+ 2.4.31-zlib-security-bugs-2                     (Tim Yamin, Sergey Vlasov)

  Fix outstanding security bugs in the Linux zlib implementations. See:
  a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
  b) http://bugs.gentoo.org/show_bug.cgi?id=94584
  The gzip description is as good as the ChangeLog says it is -: "Set n to
  length of v, to detect improper tables" and "Don't accidentally grow j
  past z". The return 2 instead of the return 0 is so that we actually
  error out if we also get inproper tables.

+ 2.4.31-zisofs-check-deflatebound-1                        (Linus Torvalds)

  [PATCH] PATCH: Fix outstanding gzip/zlib security issues
  Add fakey 'deflateBound()' function to the in-kernel zlib routines.
  It's not the real deflateBound() in newer zlib libraries, partly because
  the upcoming usage of it won't have the "stream" available, so we can't
  have the same interfaces anyway. Problem noted by Tim Yamin.


2) Critical fixes
=================
+ 2.4.31-bluetooth-hci_usb-race-hangs-kernel-1             (Marcel Holtmann)

  [PATCH] Fix introduced in 2.4.27pre2 for bluetooth hci_usb race
  causes kernel hang.
  > I have noticed a problem with a race condition fix introduced in
  > 2.4.27-pre2 that causes the kernel to hang when disconnecting a
  > Bluetooth USB dongle or doing 'hciconfig hci0 down'. No message is
  > printed, the kernel just doesn't respond anymore.
  
  if this works then we should do the same change in the bfusb driver. A
  patch that fixes both drivers is attached.


3) Major bug fixes
==================
+ 2.4.30-serial-null-dereference-1.diff                      (Julien Tinnes)

  Potential null pointer dereference in serial driver.

+ 2.4.31-ip_vs_conn_tab-race-1                                 (Neil Horman)

  [IPVS]: Close race conditions on ip_vs_conn_tab list modification.
  In an smp system, it is possible for an connection timer to expire,
  calling ip_vs_conn_expire while the connection table is being flushed,
  before ct_write_lock_bh is acquired. (...) The result is that the next
  pointer gets set to NULL, and subsequently dereferenced, resulting in
  an oops.

+ 2.4.31-nat-fix-memory-corruption-1                       (Patrick McHardy)

  [NETFILTER]: Fix potential memory corruption in NAT code (aka memory NAT)

  
4) Minor bug fixes
==================

+ 2.4.31-inode-cache-smp-races-1                             (Larry Woodman)

  [PATCH] workaround inode cache (prune_icache/__refile_inode) SMP races.
  Over the past couple of weeks we have seen two races in the inode cache
  code. The first is between [dispose_list()] and __refile_inode() and the
  second is between prune_icache() and truncate_inodes(). Fixes bug 155289.

+ 2.4.31-netlink-socket-hashing-bugs-2                     (David S. Miller)

  [NETLINK]: Fix two socket hashing bugs.
  netlink_release() should only decrement the hash entry count if the
  socket was actually hashed. netlink_autobind() needs to propagate
  the error return from netlink_insert(). Otherwise, callers will not
  see the error as they should and thus try to operate on a socket
  with a zero pid, which is very bad. Thanks to Jakub Jelinek for
  providing backtraces, and Herbert Xu for debugging patches to help
  track this down.
 
+ 2.4.31-sparc64-sys32_utimes-random-timestamps-1             (Jakub Bogusz)

  [SPARC64]: fix sys32_utimes(somefile, NULL)
  This patch fixes utimes(somefile, NULL) syscalls on sparc64 kernel with
  32-bit userland - use of uninitialized value resulted in making random
  timestamps, which confused e.g. sudo. It has been already fixed (by davem)
  in linux-2.6 tree 30 months ago.

+ 2.4.31-isofs-option-parse-fix-1               (Horms + Andrey J.Melnikoff)

  Fix isofs option parser. If iocharset, map or session are matched,
  then none of the if or else if clauses under sbsector will match
  (that is none of these clauses match iocharset, map or session),
  and thus the else clause will be hit, and the function will return
  1 without parsing any furhter options. Also fix gcc-3.4 warnings.

+ 2.4.31-netfilter-tcp-unclean-1.diff                      (Patrick McHardy)

  [NETFILTER]: Ignore PSH on SYN/ACK in ipt_unclean

+ 2.4.31-redblacktree-missing-returns-1              (deep-blue@t-online.de)

  [PATCH] fix RedBlackTree rb_next/rb_prev functions. I have found a
  bug in the source of rbtree.c file in /lib. In Kernel 2.6 it's ok,
  but 2.4.31 has this error. We try to use it with the jffs2 source
  code and only with this fix it works fine.

  
5) Build fixes
==============
+ 2.4.31-no-32bit-moves-on-seg-regs-1                             (H. J. Lu)

  [PATCH] newer i386/x86_64 assemblers prohibit instructions for moving
  between a seg register and a 32bit location. The new i386/x86_64
  assemblers no longer accept instructions for moving between a segment
  register and a 32bit memory location.

+ 2.4.31-alpha-cabriolet-needs-ns87312-1                       (Bill Dupree)

  [PATCH] Fix Alpha AXP Cabriolet build. Alpha AXP Cabriolet build
  fails with unresolved reference to ns87312_enable_ide().


6) Documentation fixes
======================
- None

END.