r3629 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: .
patches patches/series
Simon Horman
horms at costa.debian.org
Fri Jul 29 10:25:03 UTC 2005
Author: horms
Date: 2005-07-29 10:25:01 +0000 (Fri, 29 Jul 2005)
New Revision: 3629
Added:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-real_timer-reset.dpatch
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch
Modified:
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
* fs-exec-real_timer-reset.dpatch
[Security] Reset real_timer target on exec leader change
to avoid race condition which could lead to
invalid kernel memory being accessed and an oops.
* fs-exec-reparent-timers.dpatch
[Security] Reparent itimers to avoid possible kernel panic.
See CAN-2005-1913
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-07-29 08:33:26 UTC (rev 3628)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog 2005-07-29 10:25:01 UTC (rev 3629)
@@ -12,43 +12,47 @@
completely bogus for this version of the kernel
(Simon Horman) (closes: #311357)
- * [SECURITY] arch-x86_64-kernel-ptrace-boundary-check.dpatch
- Don't allow accesses below register frame in ptrace
+ * arch-x86_64-kernel-ptrace-boundary-check.dpatch
+ [Security, x86_64] Don't allow accesses below register frame in ptrace
See CAN-2005-1763.
(Simon Horman)
- * arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch,
- arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
- This works around an AMD Erratum by
+ * arch-x86_64-kernel-ptrace-canonical-rip-1.dpatch
+ [Security, x86_64] This works around an AMD Erratum by
checking if the ptrace RIP is canonical.
- See CAN-2005-0756 and CAN-2005-1762
+ See CAN-2005-1762
(Simon Horman)
- * [SECURITY] arch-x86_64-kernel-smp-boot-race.dpatch
- Keep interrupts disabled during smp bootup
+ * arch-x86_64-kernel-ptrace-canonical-rip-2.dpatch
+ [Security, x86_64] Fix canonical checking for segment registers in ptrace
+ See CAN-2005-0756
+ (Simon Horman)
+
+ * arch-x86_64-kernel-smp-boot-race.dpatch
+ [Security, x86_64] Keep interrupts disabled during smp bootup
This avoids a race that breaks SMP bootup on some machines.
(Simon Horman)
- * [SECURITY] arch-x86_64-mm-ioremap-page-lookup.dpatch
- Don't look up struct page pointer of physical address in iounmap as it may
- be in a memory hole not mapped in mem_map and that causes the hash lookup
- to go off to nirvana.
+ * arch-x86_64-mm-ioremap-page-lookup.dpatch
+ [Security, x86_64] Don't look up struct page pointer of physical address
+ in iounmap as it may be in a memory hole not mapped in mem_map and that
+ causes the hash lookup to go off to nirvana.
(Simon Horman)
* drivers-media-vidio-bttv-vc100xp-detect.dpatch
Allow Leadtek WinFast VC100 XP cards to work.
(Simon Horman)
- * [SECURITY] fs-exec-ptrace-core-exec-race.dpatch
- Fix race between core dumping and exec with shared mm
+ * fs-exec-ptrace-core-exec-race.dpatch
+ [Security] Fix race between core dumping and exec with shared mm
(Simon Horman)
- * [SECURITY] fs-exec-ptrace-deadlock.dpatch
- Fix coredump_wait deadlock with ptracer & tracee on shared mm
+ * fs-exec-ptrace-deadlock.dpatch
+ [Security] Fix coredump_wait deadlock with ptracer & tracee on shared mm
(Simon Horman)
- * [SECURITY] fs-exec-posix-timers-leak-1.dpatch,
- fs-exec-posix-timers-leak-2.dpatch
+ * fs-exec-posix-timers-leak-1.dpatch,
+ [Security] fs-exec-posix-timers-leak-2.dpatch
Make exec clean up posix timers.
(Simon Horman)
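Review bot: In the fs-exec-posix-timers-leak entry the tag has landed in front of the second file name (`[Security] fs-exec-posix-timers-leak-2.dpatch`) instead of at the start of the description line, unlike every other entry retagged in this hunk. Keep the two file names together and move the tag down so the description reads `[Security] Make exec clean up posix timers.` Separately, splitting the canonical-rip entry now assigns CAN-2005-1762 to patch 1 and CAN-2005-0756 to patch 2, which changes content rather than just formatting; the log message should mention it.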
@@ -64,8 +68,8 @@
lists if we don't retry after writing something to disk.
(Simon Horman)
- * [SECURITY] mm-mmap-range-test.dpatch
- Make sure get_unmapped_area sanity tests are done regardless of
+ * mm-mmap-range-test.dpatch
+ [Security] Make sure get_unmapped_area sanity tests are done regardless of
wheater MAP_FIXED is set or not.
See CAN-2005-1265
(Simon Horman)
@@ -74,9 +78,9 @@
Stop try_to_unmap_cluster() passing out-of-bounds pte to pte_unmap()
(Simon Horman)
- * [SECURITY] net-bridge-netfilter-etables-smp-race.dpatch
- The patch below fixes an smp race that happens on such systems under
- heavy load.
+ * net-bridge-netfilter-etables-smp-race.dpatch
+ [Security] The patch below fixes an smp race that happens on such
+ systems under heavy load.
(Simon Horman)
* net-bridge-mangle-oops-1.dpatch, net-bridge-mangle-oops-2.dpatch
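Review bot: The retagged description for net-bridge-netfilter-etables-smp-race.dpatch still reads `The patch below fixes an smp race that happens on such systems under heavy load`, which has no antecedent in a changelog: there is no patch below and "such systems" is never defined. Since the line is being rewrapped anyway, reword it to say which systems are affected and what the race is on, so the reason for the [Security] tag is clear from the entry itself.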
@@ -84,19 +88,18 @@
Needed for net-bridge-forwarding-poison-1.dpatch
(Simon Horman)
- * [SECURITY] net-bridge-forwarding-poison-2.dpatch,
+ * net-bridge-forwarding-poison-2.dpatch,
net-bridge-forwarding-poison-2.dpatch:
- Avoid poisoning of the bridge forwarding table by frames that have been
- dropped by filtering. This prevents spoofed source addresses on hostile
- side of bridge from causing packet leakage, a small but possible security
- risk.
- (Simon Horman)
+ [Security] Avoid poisoning of the bridge forwarding table by frames that
+ have been dropped by filtering. This prevents spoofed source addresses on
+ hostile side of bridge from causing packet leakage, a small but possible
+ security risk. (Simon Horman)
* net-ipv4-netfilter-ip_queue-deadlock.dpatch
Fix deadlock with ip_queue and tcp local input path.
(Simon Horman)
- * [SECURITY] net-rose-ndigis-verify.dpatch
+ * [Security] net-rose-ndigis-verify.dpatch
Verify ndigis argument of a new route.
(Simon Horman)
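Review bot: The reworked bridge entry still lists the same file twice (`net-bridge-forwarding-poison-2.dpatch, net-bridge-forwarding-poison-2.dpatch:`), while the context line just above refers to net-bridge-forwarding-poison-1.dpatch; the first name should presumably be the -1 patch. Two consistency points in the same hunk: the attribution is now folded onto the description line (`security risk. (Simon Horman)`) where neighbouring entries keep it on its own line, and the net-rose-ndigis-verify entry puts `[Security]` before the file name instead of on the description line as the other retagged entries do.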
@@ -106,7 +109,7 @@
(Simon Horman)
* net-ipv4-ipvs-conn_tab-race.dpatch
- Fix race condition on ip_vs_conn_tab list modification
+ [Security] Fix race condition on ip_vs_conn_tab list modification
(Simon Horman)
* asm-i386-mem-clobber.dpatch:
@@ -128,26 +131,37 @@
(Simon Horman)
* fs-ext3-64bit-offset.dpatch
- Incorrect offset checks for ext3 xattr on 64 bit architectures
+ [Security] Incorrect offset checks for ext3 xattr on 64 bit architectures
an lead to a local DoS.
See CAN-2005-0757. (see: #311164). (Simon Horman)
* arch-x86_64-mm-mmap.dpatch
- x86_64: Compat mode program can hang kernel
+ [Security, x86_64] Compat mode program can hang kernel
See CAN-2005-1765. (Simon Horman)
* arch-ia64-ptrace-getregs-putregs.dpatch
- security, ia64: Fux unchecked user-memory accesses in ptrage_getregs()
+ [Security, ia64] Fix unchecked user-memory accesses in ptrage_getregs()
and ptrace_setregs. (Simon Horman)
* arch-ia64-ptrace-restore_sigcontext.dpatch
- security, ia64, Fix to prevent users from using ptrace to set the pl field
+ [Security, ia64] Fix to prevent users from using ptrace to set the pl field
of the ar.rsc reginster to any value, leading to the
ability to overwrite kernel memory.
Note, this patch requires the arch-ia64-ptrace-getregs-putregs.dpatch
patch to apply cleanly.
See CAN-2005-1761. (Simon Horman)
+ * fs-exec-real_timer-reset.dpatch
+ [Security] Reset real_timer target on exec leader change
+ to avoid race condition which could lead to
+ to invalid kernel memory being accesed and an oops.
+ (Simon Horman)
+
+ * fs-exec-reparent-timers.dpatch
+ [Security] Reparent itimers to avoid possible kernel panic.
+ See CAN-2005-1913
+ (Simon Horman)
+
-- Simon Horman <horms at debian.org> Fri, 29 Jul 2005 17:24:54 +0900
kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
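Review bot: The new fs-exec-real_timer-reset.dpatch entry has a doubled word across the line break (`could lead to` followed by `to invalid kernel memory`) and the misspelling `accesed`; both are worth fixing before this reaches an uploaded changelog. In the ia64 entry the added line corrects "Fux" to "Fix" but keeps `ptrage_getregs()`, which should be ptrace_getregs(). The real_timer-reset entry also carries no CAN reference while the closely related fs-exec-reparent-timers.dpatch entry cites CAN-2005-1913; if no identifier has been assigned, saying so would keep readers from assuming an omission.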
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-real_timer-reset.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-real_timer-reset.dpatch 2005-07-29 08:33:26 UTC (rev 3628)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-real_timer-reset.dpatch 2005-07-29 10:25:01 UTC (rev 3629)
@@ -0,0 +1,51 @@
+commit 5323125031799a7fd8602ce150c3902aedfdcba6
+tree 43281ea094cba176e88ba50561e2a04aa8beed8c
+parent 5c888d531823f8ce2853fb717ebefbcca9acdcd0
+author Roland McGrath <roland at redhat.com> 1121201907 -0700
+committer Linus Torvalds <torvalds at g5.osdl.org> 1121209261 -0700
+
+[PATCH] reset real_timer target on exec leader change
+
+When a noninitial thread does exec, it becomes the new group leader. If
+there is a ITIMER_REAL timer running, it points at the old group leader and
+when it fires it can follow a stale pointer. The timer data needs to be
+reset to point at the exec'ing thread that is becoming the group leader.
+This has to synchronize with any concurrent firing of the timer to make
+sure that it_real_fn can never run when the data points to a thread that
+might have been reaped already.
+
+Signed-off-by: Roland McGrath <roland at redhat.com>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+
+R:100644 100644 48871917d3639c2b4d679ddd47d0db10651dc88c 222ab1c572d884762bae366086bbe145f8e0f65b M fs/exec.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted Manually deleted by subsequent user edit
+R: Revised Manually revised by subsequent user edit
+
+Rediffed for Debian - Horms
+
+--- a/fs/exec.c 2005-07-29 18:46:45.000000000 +0900
++++ b/fs/exec.c 2005-07-29 18:52:22.000000000 +0900
+@@ -631,6 +631,18 @@
+ count = 2;
+ if (current->pid == current->tgid)
+ count = 1;
++ else {
++ /*
++ * The SIGALRM timer survives the exec, but needs to point
++ * at us as the new group leader now. We have a race with
++ * a timer firing now getting the old leader, so we need to
++ * synchronize with any firing (by calling del_timer_sync)
++ * before we can safely let the old group leader die.
++ */
++ sig->real_timer.data = (unsigned long)current;
++ if (del_timer_sync(&sig->real_timer))
++ add_timer(&sig->real_timer);
++ }
+ while (atomic_read(&sig->count) > count) {
+ sig->group_exit_task = current;
+ sig->notify_count = count;
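Review bot: The `del_timer_sync(&sig->real_timer)` call in the new else-branch needs a check on what is locked at that point. The hunk does not show it, but the `spin_unlock_irq(lock)` further down the same code (visible as context in fs-exec-reparent-timers.dpatch) suggests `lock` may be held with interrupts disabled here. Because the call waits for a concurrently running it_real_fn to finish, as the commit message describes, it must not be made while holding a lock that handler can need; please confirm, and if the lock is held, release it around the del_timer_sync/add_timer pair and retake it before the while loop. The header also marks the patch `R:` with only "Rediffed for Debian" as explanation, so a line stating what differs from the upstream commit would help later audits.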
Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch 2005-07-29 08:33:26 UTC (rev 3628)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-exec-reparent-timers.dpatch 2005-07-29 10:25:01 UTC (rev 3629)
@@ -0,0 +1,33 @@
+commit fe3d5c8793fcaf33c5d3118a7f3ffc135eadaf4d
+tree 19fac0a8a24b4c106babdfee1e68b5e794ece216
+parent 9ee1c939d1cb936b1f98e8d81aeffab57bae46ab
+author Linus Torvalds <torvalds at osdl.org> 1119125869 -0700
+committer Chris Wright <chrisw at osdl.org> 1119468770 -0700
+
+[PATCH] Clean up subthread exec (CAN-2005-1913)
+
+Make sure we re-parent itimers. If subthread exec's with timer pending,
+signal is delivered to old group-leader and can panic kernel.
+
+Signed-off-by: Linus Torvalds <torvalds at ppc970.osdl.org>
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+
+I:100644 100644 e56ee24370255e2ab4df9a3933ec03f0d07a2de3 422cc0ec5e366b846336a22398ddc019ca6212c2 M fs/exec.c
+
+Key:
+S: Skipped
+I: Included Included verbatim
+D: Deleted Manually deleted by subsequent user edit
+R: Revised Manually revised by subsequent user edit
+
+diff --git a/fs/exec.c b/fs/exec.c
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -649,6 +649,7 @@ static inline int de_thread(struct task_
+ }
+ sig->group_exit_task = NULL;
+ sig->notify_count = 0;
++ sig->real_timer.data = (unsigned long)current;
+ spin_unlock_irq(lock);
+
+ /*
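Review bot: With fs-exec-real_timer-reset.dpatch ahead of this patch in the series, the added `sig->real_timer.data = (unsigned long)current;` repeats the assignment that patch already makes in its else-branch for a non-leader thread, and does so here without the del_timer_sync that patch's description says is needed to synchronize with a firing timer. Either drop this dpatch as superseded or record in its header why both assignments are kept. The hunk is also included verbatim at `-649,6`, while the earlier patch inserts 12 lines at 631 in the same file, so it will only apply with an offset; rediffing it against the patched tree would make that explicit.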
Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17 2005-07-29 08:33:26 UTC (rev 3628)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17 2005-07-29 10:25:01 UTC (rev 3629)
@@ -30,3 +30,5 @@
+ arch-x86_64-mm-mmap.dpatch
+ arch-ia64-ptrace-getregs-putregs.dpatch
+ arch-ia64-ptrace-restore_sigcontext.dpatch
++ fs-exec-real_timer-reset.dpatch
++ fs-exec-reparent-timers.dpatch
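Review bot: The two new series entries are applied in the reverse of their upstream order: the author timestamp in fs-exec-reparent-timers.dpatch (1119125869) is earlier than the one in fs-exec-real_timer-reset.dpatch (1121201907). Since both patches set `sig->real_timer.data` in fs/exec.c, consider listing fs-exec-reparent-timers.dpatch first, or note in the changelog that the order is deliberate.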