[kernel] r6851 - in dists/sid/linux-2.6.16/debian: . patches
maximilian attems
maks-guest at costa.debian.org
Tue Jun 20 18:06:07 UTC 2006
Author: maks-guest
Date: Tue Jun 20 18:06:05 2006
New Revision: 6851
Added:
dists/sid/linux-2.6.16/debian/patches/2.6.16.21
Modified:
dists/sid/linux-2.6.16/debian/changelog
dists/sid/linux-2.6.16/debian/patches/series/15
Log:
add one of the last 2.6.16 bits
Modified: dists/sid/linux-2.6.16/debian/changelog
==============================================================================
--- dists/sid/linux-2.6.16/debian/changelog (original)
+++ dists/sid/linux-2.6.16/debian/changelog Tue Jun 20 18:06:05 2006
@@ -18,6 +18,11 @@
- sbp2: fix check of return value of hpsb_allocate_and_register_addrspace
- x86_64: x86_64 add crashdump trigger points
- ipw2200: Filter unsupported channels out in ad-hoc mode
+ * Add stable release 2.6.16.21:
+ - check_process_timers: fix possible lockup
+ - run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)
+ - xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
+ - powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448)
[ Christian T. Steigies ]
* [m68k] Add mac via patch from Finn Thain.
@@ -54,13 +59,13 @@
* Add dcache-memory-corruption.patch to fix the mremap(), occasionally
triggered on sparc in the form of dpkg database corruption. Affects
sparc64, mips and generic includes. Thanks to David Miller, original
- patch is included in 2.6.17.
+ patch is included in 2.6.17.
Ref: http://marc.theaimsgroup.com/?l=linux-sparc&m=114920963824047&w=2
* Add sparc32-iotlb.patch to fix the DMA errors encountered with latest
kernels on sparc32, in particularly HyperSparcs. Thanks to Bob Breuer.
Ref: http://marc.theaimsgroup.com/?l=linux-sparc&m=115077649707675&w=2
- -- Bastian Blank <waldi at debian.org> Tue, 20 Jun 2006 15:07:05 +0200
+ -- maximilian attems <maks at sternwelten.at> Tue, 20 Jun 2006 19:39:44 +0200
linux-2.6 (2.6.16-14) unstable; urgency=low
Added: dists/sid/linux-2.6.16/debian/patches/2.6.16.21
==============================================================================
--- (empty file)
+++ dists/sid/linux-2.6.16/debian/patches/2.6.16.21 Tue Jun 20 18:06:05 2006
@@ -0,0 +1,167 @@
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index d7a4e81..7fb9ff6 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -802,10 +802,13 @@ #ifdef CONFIG_PPC64
+ if (__get_user(cmcp, &ucp->uc_regs))
+ return -EFAULT;
+ mcp = (struct mcontext __user *)(u64)cmcp;
++ /* no need to check access_ok(mcp), since mcp < 4GB */
+ }
+ #else
+ if (__get_user(mcp, &ucp->uc_regs))
+ return -EFAULT;
++ if (!access_ok(VERIFY_READ, mcp, sizeof(*mcp)))
++ return -EFAULT;
+ #endif
+ restore_sigmask(&set);
+ if (restore_user_regs(regs, mcp, sig))
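Review bot: The new comment in the CONFIG_PPC64 branch, `/* no need to check access_ok(mcp), since mcp < 4GB */`, states the conclusion but not the invariant it rests on. mcp is built by widening cmcp through `(u64)`, so it stays below 4GB only if cmcp is a 32-bit value, and cmcp's declaration is outside this hunk. I would spell that out, e.g. `/* cmcp is a 32-bit compat pointer, so mcp < 4GB and always inside the user range; access_ok() not needed */`, so a later type change does not silently lose the range check that the non-PPC64 branch now performs. The enclosing function starts and ends outside the hunk.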
+@@ -907,13 +910,14 @@ int sys_debug_setcontext(struct ucontext
+ {
+ struct sig_dbg_op op;
+ int i;
++ unsigned char tmp;
+ unsigned long new_msr = regs->msr;
+ #if defined(CONFIG_4xx) || defined(CONFIG_BOOKE)
+ unsigned long new_dbcr0 = current->thread.dbcr0;
+ #endif
+
+ for (i=0; i<ndbg; i++) {
+- if (__copy_from_user(&op, dbg, sizeof(op)))
++ if (copy_from_user(&op, dbg + i, sizeof(op)))
+ return -EFAULT;
+ switch (op.dbg_type) {
+ case SIG_DBG_SINGLE_STEPPING:
+@@ -958,6 +962,11 @@ #if defined(CONFIG_4xx) || defined(CONFI
+ current->thread.dbcr0 = new_dbcr0;
+ #endif
+
++ if (!access_ok(VERIFY_READ, ctx, sizeof(*ctx))
++ || __get_user(tmp, (u8 __user *) ctx)
++ || __get_user(tmp, (u8 __user *) (ctx + 1) - 1))
++ return -EFAULT;
++
+ /*
+ * If we get a fault copying the context into the kernel's
+ * image of the user's registers, we can't just return -EFAULT
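Review bot: The added probe of ctx runs after `current->thread.dbcr0 = new_dbcr0;` at the top of this hunk, so the new `return -EFAULT` path leaves the debug state already installed for a call that reports failure. Moving the `access_ok()`/`__get_user()` block above the point where the new values are committed would keep the failure free of side effects. Separately, touching only the first and last byte covers every page of the context only while `sizeof(*ctx)` spans at most two pages; a short comment stating that assumption, such as `/* probe first and last byte: ucontext spans at most two pages */`, would help. The probe does not pin the pages, so the fault handling described in the comment below it still appears to be needed. The function body continues outside the hunk.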
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index 096dfdc..f1715f3 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -183,6 +183,8 @@ #ifdef CONFIG_ALTIVEC
+ err |= __get_user(msr, &sc->gp_regs[PT_MSR]);
+ if (err)
+ return err;
++ if (v_regs && !access_ok(VERIFY_READ, v_regs, 34 * sizeof(vector128)))
++ return -EFAULT;
+ /* Copy 33 vec registers (vr0..31 and vscr) from the stack */
+ if (v_regs != 0 && (msr & MSR_VEC) != 0)
+ err |= __copy_from_user(current->thread.vr, v_regs,
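Review bot: The range check uses `34 * sizeof(vector128)` while the comment directly below it says 33 vector registers are copied, and the copy's own length argument is cut off by the hunk. If the 34th slot is a further value read from v_regs later in the function (not visible here), say so next to the check, e.g. `/* vr0..31, vscr, plus one trailing slot read below */`. Better still, derive both sizes from one named constant so the checked range and the unchecked `__copy_from_user()` accesses cannot drift apart. The enclosing function starts before and continues past the hunk.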
+diff --git a/kernel/exit.c b/kernel/exit.c
+index 531aadc..fc46c9a 100644
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -828,14 +828,6 @@ fastcall NORET_TYPE void do_exit(long co
+
+ tsk->flags |= PF_EXITING;
+
+- /*
+- * Make sure we don't try to process any timer firings
+- * while we are already exiting.
+- */
+- tsk->it_virt_expires = cputime_zero;
+- tsk->it_prof_expires = cputime_zero;
+- tsk->it_sched_expires = 0;
+-
+ if (unlikely(in_atomic()))
+ printk(KERN_INFO "note: %s[%d] exited with preempt_count %d\n",
+ current->comm, current->pid,
+diff --git a/kernel/posix-cpu-timers.c b/kernel/posix-cpu-timers.c
+index 520f6c5..4882bf1 100644
+--- a/kernel/posix-cpu-timers.c
++++ b/kernel/posix-cpu-timers.c
+@@ -1173,6 +1173,9 @@ static void check_process_timers(struct
+ }
+ t = tsk;
+ do {
++ if (unlikely(t->flags & PF_EXITING))
++ continue;
++
+ ticks = cputime_add(cputime_add(t->utime, t->stime),
+ prof_left);
+ if (!cputime_eq(prof_expires, cputime_zero) &&
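Review bot: The `continue` added at the top of the `do` body is only safe because the next hunk moves the thread advance into the loop condition, `while ((t = next_thread(t)) != tsk)`; a `continue` in a do/while jumps to that condition. A one-line comment such as `/* continue still advances t: next_thread() is in the loop condition */` would guard against someone moving the advance back into the body and reintroducing the spin. The loop starts in this hunk and ends in the following one.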
+@@ -1193,11 +1196,7 @@ static void check_process_timers(struct
+ t->it_sched_expires > sched)) {
+ t->it_sched_expires = sched;
+ }
+-
+- do {
+- t = next_thread(t);
+- } while (unlikely(t->flags & PF_EXITING));
+- } while (t != tsk);
++ } while ((t = next_thread(t)) != tsk);
+ }
+ }
+
+@@ -1289,30 +1288,30 @@ #define UNEXPIRED(clock) \
+
+ #undef UNEXPIRED
+
+- BUG_ON(tsk->exit_state);
+-
+ /*
+ * Double-check with locks held.
+ */
+ read_lock(&tasklist_lock);
+- spin_lock(&tsk->sighand->siglock);
++ if (likely(tsk->signal != NULL)) {
++ spin_lock(&tsk->sighand->siglock);
+
+- /*
+- * Here we take off tsk->cpu_timers[N] and tsk->signal->cpu_timers[N]
+- * all the timers that are firing, and put them on the firing list.
+- */
+- check_thread_timers(tsk, &firing);
+- check_process_timers(tsk, &firing);
++ /*
++ * Here we take off tsk->cpu_timers[N] and tsk->signal->cpu_timers[N]
++ * all the timers that are firing, and put them on the firing list.
++ */
++ check_thread_timers(tsk, &firing);
++ check_process_timers(tsk, &firing);
+
+- /*
+- * We must release these locks before taking any timer's lock.
+- * There is a potential race with timer deletion here, as the
+- * siglock now protects our private firing list. We have set
+- * the firing flag in each timer, so that a deletion attempt
+- * that gets the timer lock before we do will give it up and
+- * spin until we've taken care of that timer below.
+- */
+- spin_unlock(&tsk->sighand->siglock);
++ /*
++ * We must release these locks before taking any timer's lock.
++ * There is a potential race with timer deletion here, as the
++ * siglock now protects our private firing list. We have set
++ * the firing flag in each timer, so that a deletion attempt
++ * that gets the timer lock before we do will give it up and
++ * spin until we've taken care of that timer below.
++ */
++ spin_unlock(&tsk->sighand->siglock);
++ }
+ read_unlock(&tasklist_lock);
+
+ /*
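Review bot: The new guard tests `tsk->signal != NULL`, but the pointer actually dereferenced under it is `tsk->sighand`, in `spin_lock(&tsk->sighand->siglock)`. That is only sound if both pointers are cleared together while tasklist_lock is write-held, which is not visible in this hunk. I would document the dependency at the guard, e.g. `/* signal and sighand are torn down together under tasklist_lock, so signal != NULL implies sighand is valid */`. With `BUG_ON(tsk->exit_state)` removed, this check appears to be what keeps an already-exited task out of the timer walk, so the invariant deserves to be written down. The function starts before and continues past the hunk.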
+diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
+index 10fbfc5..2390182 100644
+--- a/net/netfilter/xt_sctp.c
++++ b/net/netfilter/xt_sctp.c
+@@ -62,7 +62,7 @@ #endif
+
+ do {
+ sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
+- if (sch == NULL) {
++ if (sch == NULL || sch->length == 0) {
+ duprintf("Dropping invalid SCTP packet.\n");
+ *hotdrop = 1;
+ return 0;
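Review bot: The added `sch->length == 0` test rejects only the exact value that stalls the walk; a non-zero length smaller than the chunk header itself (`sizeof(_sch)`) is equally malformed and is still accepted here. Whether such values make forward progress depends on how offset is advanced, which is outside the hunk, so this is a hardening suggestion rather than a confirmed loop: `if (sch == NULL || ntohs(sch->length) < sizeof(_sch)) {`. The zero comparison itself is byte-order independent, so it is correct as written. The do/while body continues past the hunk.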
Modified: dists/sid/linux-2.6.16/debian/patches/series/15
==============================================================================
--- dists/sid/linux-2.6.16/debian/patches/series/15 (original)
+++ dists/sid/linux-2.6.16/debian/patches/series/15 Tue Jun 20 18:06:05 2006
@@ -7,3 +7,4 @@
+ doc-build-parallel.patch
+ dcache-memory-corruption.patch
+ sparc32-iotlb.patch
++ 2.6.16.21