[kernel] r12528 - in dists/etch/linux-2.6/debian: . patches/bugfix patches/features/all/vserver patches/features/all/xen patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Dec 25 20:48:30 UTC 2008
Author: dannf
Date: Thu Dec 25 20:48:28 2008
New Revision: 12528
Log:
merge 2.6.18.dfsg.1-23etch1
Added:
dists/etch/linux-2.6/debian/patches/bugfix/add-install_special_mapping.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/add-install_special_mapping.patch
dists/etch/linux-2.6/debian/patches/bugfix/af_unix-convert-socks-to-unix_socks.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/af_unix-convert-socks-to-unix_socks.patch
dists/etch/linux-2.6/debian/patches/bugfix/af_unix-fix-garbage-collector-races.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/af_unix-fix-garbage-collector-races.patch
dists/etch/linux-2.6/debian/patches/bugfix/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
dists/etch/linux-2.6/debian/patches/bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
dists/etch/linux-2.6/debian/patches/bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
dists/etch/linux-2.6/debian/patches/bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
dists/etch/linux-2.6/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/hfs-fix-namelength-memory-corruption.patch
dists/etch/linux-2.6/debian/patches/bugfix/hfsplus-check_read_mapping_page-return-value.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/hfsplus-check_read_mapping_page-return-value.patch
dists/etch/linux-2.6/debian/patches/bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
dists/etch/linux-2.6/debian/patches/bugfix/i386-vdso-use_install_special_mapping.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/i386-vdso-use_install_special_mapping.patch
dists/etch/linux-2.6/debian/patches/bugfix/inotify-watch-removal-umount-races.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/inotify-watch-removal-umount-races.patch
dists/etch/linux-2.6/debian/patches/bugfix/net-fix-recursive-descent-in-__scm_destroy-abi-ignore.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/net-fix-recursive-descent-in-__scm_destroy-abi-ignore.patch
dists/etch/linux-2.6/debian/patches/bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
dists/etch/linux-2.6/debian/patches/bugfix/net-unix-fix-inflight-counting-bug-in-garbage-collector.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/net-unix-fix-inflight-counting-bug-in-garbage-collector.patch
dists/etch/linux-2.6/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
dists/etch/linux-2.6/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
dists/etch/linux-2.6/debian/patches/bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
dists/etch/linux-2.6/debian/patches/features/all/xen/vdso-use_install_special_mapping.patch
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/features/all/xen/vdso-use_install_special_mapping.patch
dists/etch/linux-2.6/debian/patches/series/23etch1
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/series/23etch1
dists/etch/linux-2.6/debian/patches/series/23etch1-extra
- copied unchanged from r12527, /releases/linux-2.6/2.6.18.dfsg.1-23etch1/debian/patches/series/23etch1-extra
Modified:
dists/etch/linux-2.6/debian/changelog
dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch
dists/etch/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch
dists/etch/linux-2.6/debian/patches/features/all/xen/vserver-update.patch
Modified: dists/etch/linux-2.6/debian/changelog
==============================================================================
--- dists/etch/linux-2.6/debian/changelog (original)
+++ dists/etch/linux-2.6/debian/changelog Thu Dec 25 20:48:28 2008
@@ -19,6 +19,57 @@
-- dann frazier <dannf at debian.org> Wed, 24 Dec 2008 11:12:55 -0700
+linux-2.6 (2.6.18.dfsg.1-23etch1) stable-security; urgency=high
+
+ * Fix missing boundary checks in syscall/syscall32_nopage():
+ - bugfix/add-install_special_mapping.patch
+ - bugfix/i386-vdso-use_install_special_mapping.patch
+ - bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
+ - features/all/xen/vdso-use_install_special_mapping.patch
+ See CVE-2008-3527
+ * Modify feature patches to apply on top of the fixes for
+ CVE-2008-3527:
+ - features/all/vserver/vs2.0.2.2-rc9.patch
+ - features/all/xen/fedora-2.6.18-36186.patch
+ - features/all/xen/vserver-update.patch
+ * Don't allow splicing to files opened with O_APPEND:
+ - bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
+ See CVE-2008-4554
+ * Avoid printk floods when reading corrupted ext[2,3] directories
+ - bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
+ - bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
+ See CVE-2008-3528
+ * Fix oops in SCTP
+ - bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
+ See CVE-2008-4576
+ * Fix buffer overflow in hfsplus
+ - bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
+ See CVE-2008-4933
+ * Fix BUG() in hfsplus
+ - bugfix/hfsplus-check_read_mapping_page-return-value.patch
+ See CVE-2008-4934
+ * Fix stack corruption in hfs
+ - bugfix/hfs-fix-namelength-memory-corruption.patch
+ See CVE-2008-5025
+ * Fix recursive descent in __scm_destroy
+ - bugfix/af_unix-fix-garbage-collector-races.patch
+ - bugfix/af_unix-convert-socks-to-unix_socks.patch
+ - bugfix/net-unix-fix-inflight-counting-bug-in-garbage-collector.patch
+ - bugfix/net-fix-recursive-descent-in-__scm_destroy.patch
+ See CVE-2008-5029
+ * Make sendmsg() block during UNIX garbage collection:
+ - bugfix/net-unix-gc-fix-soft-lockups-oom-issues.patch
+ See CVE-2008-5300
+ * Fix DoS when calling svc_listen twice on the same socket while reading
+ /proc/net/atm/*vc:
+ - bugfix/atm-duplicate-listen-on-socket-corrupts-the-vcc-table.patch
+ See CVE-2008-5079
+ * Fix race conditions between inotify removal and umount
+ - bugfix/inotify-watch-removal-umount-races.patch
+ See CVE-2008-5182
+
+ -- dann frazier <dannf at debian.org> Thu, 11 Dec 2008 08:38:28 -0700
+
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
[ Ian Campbell ]
Modified: dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch
==============================================================================
--- dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch (original)
+++ dists/etch/linux-2.6/debian/patches/features/all/vserver/vs2.0.2.2-rc9.patch Thu Dec 25 20:48:28 2008
@@ -378,25 +378,6 @@
.long sys_mbind
.long sys_get_mempolicy
.long sys_set_mempolicy
---- linux-2.6.18.5/arch/i386/kernel/sysenter.c 2006-09-20 16:57:58 +0200
-+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/i386/kernel/sysenter.c 2006-09-20 21:46:26 +0200
-@@ -17,6 +17,7 @@
- #include <linux/elf.h>
- #include <linux/mm.h>
- #include <linux/module.h>
-+#include <linux/vs_memory.h>
-
- #include <asm/cpufeature.h>
- #include <asm/msr.h>
-@@ -156,7 +157,7 @@ int arch_setup_additional_pages(struct l
- current->mm->context.vdso = (void *)addr;
- current_thread_info()->sysenter_return =
- (void *)VDSO_SYM(&SYSENTER_RETURN);
-- mm->total_vm++;
-+ vx_vmpages_inc(mm);
- up_fail:
- up_write(&mm->mmap_sem);
- return ret;
--- linux-2.6.18.5/arch/i386/kernel/traps.c 2006-09-20 16:57:58 +0200
+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/i386/kernel/traps.c 2006-09-20 20:10:14 +0200
@@ -53,6 +53,7 @@
@@ -1633,25 +1614,6 @@
up_read(&uts_sem);
if (personality(current->personality) == PER_LINUX32)
err |= copy_to_user(&name->machine, "i686", 5);
---- linux-2.6.18.5/arch/x86_64/ia32/syscall32.c 2005-10-28 20:49:18 +0200
-+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/x86_64/ia32/syscall32.c 2006-09-20 17:01:44 +0200
-@@ -10,6 +10,7 @@
- #include <linux/init.h>
- #include <linux/stringify.h>
- #include <linux/security.h>
-+#include <linux/vs_memory.h>
- #include <asm/proto.h>
- #include <asm/tlbflush.h>
- #include <asm/ia32_unistd.h>
-@@ -70,7 +71,7 @@ int syscall32_setup_pages(struct linux_b
- kmem_cache_free(vm_area_cachep, vma);
- return ret;
- }
-- mm->total_vm += npages;
-+ vx_vmpages_add(mm, npages);
- up_write(&mm->mmap_sem);
- return 0;
- }
--- linux-2.6.18.5/arch/x86_64/kernel/sys_x86_64.c 2006-01-03 17:29:20 +0100
+++ linux-2.6.18.5-vs2.0.2.2-rc9/arch/x86_64/kernel/sys_x86_64.c 2006-09-20 17:01:44 +0200
@@ -16,6 +16,7 @@
@@ -20422,8 +20384,8 @@
if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
capable(CAP_IPC_LOCK))
ret = do_mlockall(flags);
---- linux-2.6.18.5/mm/mmap.c 2006-09-20 16:58:45 +0200
-+++ linux-2.6.18.5-vs2.0.2.2-rc9/mm/mmap.c 2006-09-20 17:01:45 +0200
+--- linux-2.6.18.5/mm/mmap.c 2008-11-03 17:15:43.000000000 -0700
++++ linux-2.6.18.5-vs2.0.2.2-rc9/mm/mmap.c 2008-11-03 17:26:16.000000000 -0700
@@ -1137,10 +1137,10 @@ munmap_back:
kmem_cache_free(vm_area_cachep, vma);
}
@@ -20437,7 +20399,7 @@
make_pages_present(addr, addr + len);
}
if (flags & MAP_POPULATE) {
-@@ -1500,9 +1500,9 @@ static int acct_stack_growth(struct vm_a
+@@ -1507,9 +1507,9 @@ static int acct_stack_growth(struct vm_a
return -ENOMEM;
/* Ok, everything looks good - let it rip */
@@ -20449,7 +20411,7 @@
vm_stat_account(mm, vma->vm_flags, vma->vm_file, grow);
return 0;
}
-@@ -1655,9 +1655,9 @@ static void remove_vma_list(struct mm_st
+@@ -1662,9 +1662,9 @@ static void remove_vma_list(struct mm_st
do {
long nrpages = vma_pages(vma);
@@ -20461,7 +20423,7 @@
vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
vma = remove_vma(vma);
} while (vma);
-@@ -1893,6 +1893,8 @@ unsigned long do_brk(unsigned long addr,
+@@ -1900,6 +1900,8 @@ unsigned long do_brk(unsigned long addr,
lock_limit >>= PAGE_SHIFT;
if (locked > lock_limit && !capable(CAP_IPC_LOCK))
return -EAGAIN;
@@ -20470,7 +20432,7 @@
}
/*
-@@ -1919,7 +1921,8 @@ unsigned long do_brk(unsigned long addr,
+@@ -1926,7 +1928,8 @@ unsigned long do_brk(unsigned long addr,
if (mm->map_count > sysctl_max_map_count)
return -ENOMEM;
@@ -20480,7 +20442,7 @@
return -ENOMEM;
/* Can we just expand an old private anonymous mapping? */
-@@ -1945,9 +1948,9 @@ unsigned long do_brk(unsigned long addr,
+@@ -1952,9 +1955,9 @@ unsigned long do_brk(unsigned long addr,
(VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)];
vma_link(mm, vma, prev, rb_link, rb_parent);
out:
@@ -20492,7 +20454,7 @@
make_pages_present(addr, addr + len);
}
return addr;
-@@ -1973,6 +1976,11 @@ void exit_mmap(struct mm_struct *mm)
+@@ -1980,6 +1983,11 @@ void exit_mmap(struct mm_struct *mm)
free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, 0);
tlb_finish_mmu(tlb, 0, end);
@@ -20504,7 +20466,7 @@
/*
* Walk the list again, actually closing and freeing it,
* with preemption enabled, without holding any MM locks.
-@@ -2012,7 +2020,8 @@ int insert_vm_struct(struct mm_struct *
+@@ -2019,7 +2027,8 @@ int insert_vm_struct(struct mm_struct *
if (__vma && __vma->vm_start < vma->vm_end)
return -ENOMEM;
if ((vma->vm_flags & VM_ACCOUNT) &&
@@ -20514,7 +20476,7 @@
return -ENOMEM;
vma_link(mm, vma, prev, rb_link, rb_parent);
return 0;
-@@ -2085,5 +2094,7 @@ int may_expand_vm(struct mm_struct *mm,
+@@ -2092,6 +2101,8 @@ int may_expand_vm(struct mm_struct *mm,
if (cur + npages > lim)
return 0;
@@ -20522,6 +20484,16 @@
+ return 0;
return 1;
}
+
+@@ -2162,7 +2173,7 @@ int install_special_mapping(struct mm_st
+ return -ENOMEM;
+ }
+
+- mm->total_vm += len >> PAGE_SHIFT;
++ vx_vmpages_add(mm, len >> PAGE_SHIFT);
+
+ return 0;
+ }
--- linux-2.6.18.5/mm/mremap.c 2006-09-20 16:58:45 +0200
+++ linux-2.6.18.5-vs2.0.2.2-rc9/mm/mremap.c 2006-09-20 17:01:45 +0200
@@ -18,6 +18,7 @@
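Review bot: The new `vx_vmpages_add(mm, len >> PAGE_SHIFT)` line in install_special_mapping() is the only replacement visible for the three per-arch accounting hunks this commit deletes (arch/i386/kernel/sysenter.c and arch/x86_64/ia32/syscall32.c earlier in this file, syscall32-xen.c in xen/vserver-update.patch), and nothing in the patch records that dependency. The per-context page counter therefore stays correct only if every vDSO setup path, including the Xen one, now goes through install_special_mapping(); that presumably comes from bugfix/add-install_special_mapping.patch and xen/vdso-use_install_special_mapping.patch, which are not shown here, so it should be confirmed against the series order. A path that still did `mm->total_vm += npages` itself would leave those pages out of the vserver count, and any limit enforced on that count would drift. I would add a comment above the changed line such as `/* vserver: special mappings are accounted here, callers must not adjust total_vm */`. Only the tail of install_special_mapping() is inside the hunk.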
Modified: dists/etch/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch
==============================================================================
--- dists/etch/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch (original)
+++ dists/etch/linux-2.6/debian/patches/features/all/xen/fedora-2.6.18-36186.patch Thu Dec 25 20:48:28 2008
@@ -13589,8 +13589,8 @@
+EXPORT_SYMBOL(swiotlb_dma_mapping_error);
+EXPORT_SYMBOL(swiotlb_dma_supported);
diff -urN -x .hg -x .hgtags linux-2.6.18.3/arch/i386/kernel/sysenter.c linux-2.6.18-xen/arch/i386/kernel/sysenter.c
---- linux-2.6.18.3/arch/i386/kernel/sysenter.c 2006-09-20 05:42:06.000000000 +0200
-+++ linux-2.6.18-xen/arch/i386/kernel/sysenter.c 2006-11-19 14:26:22.000000000 +0100
+--- linux-2.6.18.3/arch/i386/kernel/sysenter.c 2008-11-04 01:21:29.000000000 -0700
++++ linux-2.6.18-xen/arch/i386/kernel/sysenter.c 2008-11-04 01:23:08.000000000 -0700
@@ -23,6 +23,10 @@
#include <asm/pgtable.h>
#include <asm/unistd.h>
@@ -13618,9 +13618,9 @@
}
/*
-@@ -72,6 +78,18 @@
- {
- syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
+@@ -73,6 +79,18 @@
+ void *syscall_page = (void *)get_zeroed_page(GFP_ATOMIC);
+ syscall_pages[0] = virt_to_page(syscall_page);
+#ifdef CONFIG_XEN
+ if (boot_cpu_has(X86_FEATURE_SEP)) {
@@ -13637,7 +13637,7 @@
#ifdef CONFIG_COMPAT_VDSO
__set_fixmap(FIX_VDSO, __pa(syscall_page), PAGE_READONLY);
printk("Compat vDSO mapped to %08lx.\n", __fix_to_virt(FIX_VDSO));
-@@ -79,8 +97,12 @@
+@@ -80,8 +98,12 @@
/*
* In the non-compat case the ELF coredumping code needs the fixmap:
*/
Modified: dists/etch/linux-2.6/debian/patches/features/all/xen/vserver-update.patch
==============================================================================
--- dists/etch/linux-2.6/debian/patches/features/all/xen/vserver-update.patch (original)
+++ dists/etch/linux-2.6/debian/patches/features/all/xen/vserver-update.patch Thu Dec 25 20:48:28 2008
@@ -64,26 +64,6 @@
.quad sys_mbind
.quad compat_sys_get_mempolicy /* 275 */
.quad sys_set_mempolicy
-diff -ur source-amd64-xen/arch/x86_64/ia32/syscall32-xen.c source-amd64-xen-vserver-patch/arch/x86_64/ia32/syscall32-xen.c
---- source-amd64-xen/arch/x86_64/ia32/syscall32-xen.c 2006-12-15 18:44:42.000000000 +0100
-+++ source-amd64-xen-vserver-patch/arch/x86_64/ia32/syscall32-xen.c 2006-12-15 18:45:43.000000000 +0100
-@@ -10,6 +10,7 @@
- #include <linux/init.h>
- #include <linux/stringify.h>
- #include <linux/security.h>
-+#include <linux/vs_memory.h>
- #include <asm/proto.h>
- #include <asm/tlbflush.h>
- #include <asm/ia32_unistd.h>
-@@ -75,7 +76,7 @@
- kmem_cache_free(vm_area_cachep, vma);
- return ret;
- }
-- mm->total_vm += npages;
-+ vx_vmpages_add(mm, npages);
- up_write(&mm->mmap_sem);
- return 0;
- }
diff -ur source-amd64-xen/arch/x86_64/kernel/traps-xen.c source-amd64-xen-vserver-patch/arch/x86_64/kernel/traps-xen.c
--- source-amd64-xen/arch/x86_64/kernel/traps-xen.c 2006-12-15 18:44:42.000000000 +0100
+++ source-amd64-xen-vserver-patch/arch/x86_64/kernel/traps-xen.c 2006-12-15 18:45:43.000000000 +0100