[kernel] r14561 - in dists/lenny/linux-2.6: . debian debian/patches/bugfix/all debian/patches/bugfix/x86 debian/patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Nov 5 01:44:59 UTC 2009
Author: dannf
Date: Thu Nov 5 01:44:57 2009
New Revision: 14561
Log:
merge 2.6.26-19lenny2
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/netlink-fix-typo-in-initialization.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/netlink-fix-typo-in-initialization.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/random-make-get_random_int-more-random.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/random-make-get_random_int-more-random.patch
dists/lenny/linux-2.6/debian/patches/bugfix/all/tc-fix-pad-leak.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/tc-fix-pad-leak.patch
dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch
dists/lenny/linux-2.6/debian/patches/series/19lenny2
- copied unchanged from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/series/19lenny2
Modified:
dists/lenny/linux-2.6/ (props changed)
dists/lenny/linux-2.6/debian/changelog
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Thu Nov 5 01:42:20 2009 (r14560)
+++ dists/lenny/linux-2.6/debian/changelog Thu Nov 5 01:44:57 2009 (r14561)
@@ -73,6 +73,19 @@
-- dann frazier <dannf at debian.org> Fri, 23 Oct 2009 16:31:23 -0600
+linux-2.6 (2.6.26-19lenny2) stable-security; urgency=high
+
+ * tc: Fix uninitialized kernel memory leak (CVE-2009-3228)
+ * random: make get_random_int() more random (CVE-2009-3238)
+ * netlink: fix typo in initialization (CVE-2009-3612)
+ * drm/r128: Add test for initialisation to all ioctls that require it
+ (CVE-2009-3620)
+ * AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
+ * fs: pipe.c null pointer dereference (CVE-2009-3547)
+ * KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638)
+
+ -- dann frazier <dannf at debian.org> Wed, 04 Nov 2009 12:33:37 -0700
+
linux-2.6 (2.6.26-19lenny1) stable-security; urgency=high
* appletalk: Fix skb leak when ipddp interface is not loaded
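Review bot: the entry `+ * fs: pipe.c null pointer dereference (CVE-2009-3547)` names the symptom rather than the change; something like `fs: Fix NULL pointer dereference when opening a pipe via /proc/<pid>/fd (CVE-2009-3547)` matches the "Fix ..." phrasing of the tc and AF_UNIX entries and tells a reader what was done. Likewise `+ * netlink: fix typo in initialization (CVE-2009-3612)` gives no hint that the typo left tcm__pad2 unset in messages sent to user space, which is what earns it a CVE; a few words on the impact help anyone triaging from the changelog alone.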
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch)
@@ -0,0 +1,83 @@
+commit 77238f2b942b38ab4e7f3aced44084493e4a8675
+Author: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+Date: Sun Oct 18 23:17:37 2009 -0700
+
+ AF_UNIX: Fix deadlock on connecting to shutdown socket
+
+ I found a deadlock bug in UNIX domain socket, which makes able to DoS
+ attack against the local machine by non-root users.
+
+ How to reproduce:
+ 1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
+ namespace(*), and shutdown(2) it.
+ 2. Repeat connect(2)ing to the listening socket from the other sockets
+ until the connection backlog is full-filled.
+ 3. connect(2) takes the CPU forever. If every core is taken, the
+ system hangs.
+
+ PoC code: (Run as many times as cores on SMP machines.)
+
+ int main(void)
+ {
+ int ret;
+ int csd;
+ int lsd;
+ struct sockaddr_un sun;
+
+ /* make an abstruct name address (*) */
+ memset(&sun, 0, sizeof(sun));
+ sun.sun_family = PF_UNIX;
+ sprintf(&sun.sun_path[1], "%d", getpid());
+
+ /* create the listening socket and shutdown */
+ lsd = socket(AF_UNIX, SOCK_STREAM, 0);
+ bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
+ listen(lsd, 1);
+ shutdown(lsd, SHUT_RDWR);
+
+ /* connect loop */
+ alarm(15); /* forcely exit the loop after 15 sec */
+ for (;;) {
+ csd = socket(AF_UNIX, SOCK_STREAM, 0);
+ ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
+ if (-1 == ret) {
+ perror("connect()");
+ break;
+ }
+ puts("Connection OK");
+ }
+ return 0;
+ }
+
+ (*) Make sun_path[0] = 0 to use the abstruct namespace.
+ If a file-based socket is used, the system doesn't deadlock because
+ of context switches in the file system layer.
+
+ Why this happens:
+ Error checks between unix_socket_connect() and unix_wait_for_peer() are
+ inconsistent. The former calls the latter to wait until the backlog is
+ processed. Despite the latter returns without doing anything when the
+ socket is shutdown, the former doesn't check the shutdown state and
+ just retries calling the latter forever.
+
+ Patch:
+ The patch below adds shutdown check into unix_socket_connect(), so
+ connect(2) to the shutdown socket will return -ECONREFUSED.
+
+ Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu at hitachi.com>
+ Signed-off-by: Masanori Yoshida <masanori.yoshida.tv at hitachi.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
+index 51ab497..fc820cd 100644
+--- a/net/unix/af_unix.c
++++ b/net/unix/af_unix.c
+@@ -1074,6 +1074,8 @@ restart:
+ err = -ECONNREFUSED;
+ if (other->sk_state != TCP_LISTEN)
+ goto out_unlock;
++ if (other->sk_shutdown & RCV_SHUTDOWN)
++ goto out_unlock;
+
+ if (unix_recvq_full(other)) {
+ err = -EAGAIN;
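Review bot: the placement of the new `if (other->sk_shutdown & RCV_SHUTDOWN) goto out_unlock;` is right: it sits under the `restart:` label and before the `unix_recvq_full(other)` test, so the state is re-checked every time unix_wait_for_peer() returns, and a shut-down listener with a full backlog now gets the `err = -ECONNREFUSED` set two lines above instead of spinning, which is exactly the loop the description blames. Two small things: the description says `-ECONREFUSED` while the code returns `-ECONNREFUSED` (typo in the message, harmless), and unlike the other files in this series the patch carries no "Backported to Debian" line; a note that it applied unchanged keeps the provenance consistent.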
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch)
@@ -0,0 +1,222 @@
+commit 7dc482dfeeeefcfd000d4271c4626937406756d7
+Author: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun Aug 23 16:59:04 2009 +0100
+
+ drm/r128: Add test for initialisation to all ioctls that require it
+
+ Almost all r128's private ioctls require that the CCE state has
+ already been initialised. However, most do not test that this has
+ been done, and will proceed to dereference a null pointer. This may
+ result in a security vulnerability, since some ioctls are
+ unprivileged.
+
+ This adds a macro for the common initialisation test and changes all
+ ioctl implementations that require prior initialisation to use that
+ macro.
+
+ Also, r128_do_init_cce() does not test that the CCE state has not
+ been initialised already. Repeated initialisation may lead to a crash
+ or resource leak. This adds that test.
+
+ Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+ Signed-off-by: Dave Airlie <airlied at redhat.com>
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/drivers/char/drm/r128_cce.c linux-source-2.6.26/drivers/char/drm/r128_cce.c
+--- linux-source-2.6.26.orig/drivers/char/drm/r128_cce.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/char/drm/r128_cce.c 2009-10-27 21:54:39.000000000 -0600
+@@ -353,6 +353,11 @@ static int r128_do_init_cce(struct drm_d
+
+ DRM_DEBUG("\n");
+
++ if (dev->dev_private) {
++ DRM_DEBUG("called when already initialized\n");
++ return -EINVAL;
++ }
++
+ dev_priv = drm_alloc(sizeof(drm_r128_private_t), DRM_MEM_DRIVER);
+ if (dev_priv == NULL)
+ return -ENOMEM;
+@@ -651,6 +656,8 @@ int r128_cce_start(struct drm_device *de
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ if (dev_priv->cce_running || dev_priv->cce_mode == R128_PM4_NONPM4) {
+ DRM_DEBUG("while CCE running\n");
+ return 0;
+@@ -673,6 +680,8 @@ int r128_cce_stop(struct drm_device *dev
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ /* Flush any pending CCE commands. This ensures any outstanding
+ * commands are exectuted by the engine before we turn it off.
+ */
+@@ -710,10 +719,7 @@ int r128_cce_reset(struct drm_device *de
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
+- if (!dev_priv) {
+- DRM_DEBUG("called before init done\n");
+- return -EINVAL;
+- }
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
+
+ r128_do_cce_reset(dev_priv);
+
+@@ -730,6 +736,8 @@ int r128_cce_idle(struct drm_device *dev
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ if (dev_priv->cce_running) {
+ r128_do_cce_flush(dev_priv);
+ }
+@@ -743,6 +751,8 @@ int r128_engine_reset(struct drm_device
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev->dev_private);
++
+ return r128_do_engine_reset(dev);
+ }
+
+diff -urpN linux-source-2.6.26.orig/drivers/char/drm/r128_drv.h linux-source-2.6.26/drivers/char/drm/r128_drv.h
+--- linux-source-2.6.26.orig/drivers/char/drm/r128_drv.h 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/char/drm/r128_drv.h 2009-10-27 21:53:33.000000000 -0600
+@@ -418,6 +418,14 @@ static __inline__ void r128_update_ring_
+ * Misc helper macros
+ */
+
++#define DEV_INIT_TEST_WITH_RETURN(_dev_priv) \
++do { \
++ if (!_dev_priv) { \
++ DRM_ERROR("called with no initialization\n"); \
++ return -EINVAL; \
++ } \
++} while (0)
++
+ #define RING_SPACE_TEST_WITH_RETURN( dev_priv ) \
+ do { \
+ drm_r128_ring_buffer_t *ring = &dev_priv->ring; int i; \
+diff -urpN linux-source-2.6.26.orig/drivers/char/drm/r128_state.c linux-source-2.6.26/drivers/char/drm/r128_state.c
+--- linux-source-2.6.26.orig/drivers/char/drm/r128_state.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/char/drm/r128_state.c 2009-10-27 21:53:37.000000000 -0600
+@@ -1244,14 +1244,18 @@ static void r128_cce_dispatch_stipple(st
+ static int r128_cce_clear(struct drm_device *dev, void *data, struct drm_file *file_priv)
+ {
+ drm_r128_private_t *dev_priv = dev->dev_private;
+- drm_r128_sarea_t *sarea_priv = dev_priv->sarea_priv;
++ drm_r128_sarea_t *sarea_priv;
+ drm_r128_clear_t *clear = data;
+ DRM_DEBUG("\n");
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ RING_SPACE_TEST_WITH_RETURN(dev_priv);
+
++ sarea_priv = dev_priv->sarea_priv;
++
+ if (sarea_priv->nbox > R128_NR_SAREA_CLIPRECTS)
+ sarea_priv->nbox = R128_NR_SAREA_CLIPRECTS;
+
+@@ -1312,6 +1316,8 @@ static int r128_cce_flip(struct drm_devi
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ RING_SPACE_TEST_WITH_RETURN(dev_priv);
+
+ if (!dev_priv->page_flipping)
+@@ -1331,6 +1337,8 @@ static int r128_cce_swap(struct drm_devi
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ RING_SPACE_TEST_WITH_RETURN(dev_priv);
+
+ if (sarea_priv->nbox > R128_NR_SAREA_CLIPRECTS)
+@@ -1354,10 +1362,7 @@ static int r128_cce_vertex(struct drm_de
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
+- if (!dev_priv) {
+- DRM_ERROR("called with no initialization\n");
+- return -EINVAL;
+- }
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
+
+ DRM_DEBUG("pid=%d index=%d count=%d discard=%d\n",
+ DRM_CURRENTPID, vertex->idx, vertex->count, vertex->discard);
+@@ -1410,10 +1415,7 @@ static int r128_cce_indices(struct drm_d
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
+- if (!dev_priv) {
+- DRM_ERROR("called with no initialization\n");
+- return -EINVAL;
+- }
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
+
+ DRM_DEBUG("pid=%d buf=%d s=%d e=%d d=%d\n", DRM_CURRENTPID,
+ elts->idx, elts->start, elts->end, elts->discard);
+@@ -1476,6 +1478,8 @@ static int r128_cce_blit(struct drm_devi
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ DRM_DEBUG("pid=%d index=%d\n", DRM_CURRENTPID, blit->idx);
+
+ if (blit->idx < 0 || blit->idx >= dma->buf_count) {
+@@ -1501,6 +1505,8 @@ static int r128_cce_depth(struct drm_dev
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ RING_SPACE_TEST_WITH_RETURN(dev_priv);
+
+ ret = -EINVAL;
+@@ -1531,6 +1537,8 @@ static int r128_cce_stipple(struct drm_d
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
++
+ if (DRM_COPY_FROM_USER(&mask, stipple->mask, 32 * sizeof(u32)))
+ return -EFAULT;
+
+@@ -1555,10 +1563,7 @@ static int r128_cce_indirect(struct drm_
+
+ LOCK_TEST_WITH_RETURN(dev, file_priv);
+
+- if (!dev_priv) {
+- DRM_ERROR("called with no initialization\n");
+- return -EINVAL;
+- }
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
+
+ DRM_DEBUG("idx=%d s=%d e=%d d=%d\n",
+ indirect->idx, indirect->start, indirect->end,
+@@ -1620,10 +1625,7 @@ static int r128_getparam(struct drm_devi
+ drm_r128_getparam_t *param = data;
+ int value;
+
+- if (!dev_priv) {
+- DRM_ERROR("called with no initialization\n");
+- return -EINVAL;
+- }
++ DEV_INIT_TEST_WITH_RETURN(dev_priv);
+
+ DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
+
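Review bot: in the r128_cce_swap hunk (`@@ -1331,6 +1337,8 @@`) the context still reads `if (sarea_priv->nbox > R128_NR_SAREA_CLIPRECTS)` but the hunk does not show where `sarea_priv` comes from; r128_cce_clear needed `drm_r128_sarea_t *sarea_priv = dev_priv->sarea_priv;` moved below `DEV_INIT_TEST_WITH_RETURN(dev_priv);` for exactly this reason, and if r128_cce_swap initialises it the same way at declaration, the NULL dereference happens before the test and the macro arrives too late there; please check and apply the same deferral. Two style points on the macro in r128_drv.h: `if (!_dev_priv)` should be `if (!(_dev_priv))`, and it logs with DRM_ERROR whereas the check it replaces in r128_cce_reset used DRM_DEBUG, so an unprivileged caller issuing ioctls before init can now fill the log at error level; DRM_DEBUG is the quieter choice for a condition user space can trigger at will.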
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch)
@@ -0,0 +1,130 @@
+commit ad3960243e55320d74195fb85c975e0a8cc4466c
+Author: Earl Chew <earl_chew at agilent.com>
+Date: Mon Oct 19 15:55:41 2009 -0700
+
+ fs: pipe.c null pointer dereference
+
+ This patch fixes a null pointer exception in pipe_rdwr_open() which
+ generates the stack trace:
+
+ > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
+ > [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
+ > [<ffffffff8028125c>] __dentry_open+0x13c/0x230
+ > [<ffffffff8028143d>] do_filp_open+0x2d/0x40
+ > [<ffffffff802814aa>] do_sys_open+0x5a/0x100
+ > [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
+
+ The failure mode is triggered by an attempt to open an anonymous
+ pipe via /proc/pid/fd/* as exemplified by this script:
+
+ =============================================================
+ while : ; do
+ { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
+ PID=$!
+ OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
+ { read PID REST ; echo $PID; } )
+ OUT="${OUT%% *}"
+ DELAY=$((RANDOM * 1000 / 32768))
+ usleep $((DELAY * 1000 + RANDOM % 1000 ))
+ echo n > /proc/$OUT/fd/1 # Trigger defect
+ done
+ =============================================================
+
+ Note that the failure window is quite small and I could only
+ reliably reproduce the defect by inserting a small delay
+ in pipe_rdwr_open(). For example:
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ msleep(100);
+ mutex_lock(&inode->i_mutex);
+
+ Although the defect was observed in pipe_rdwr_open(), I think it
+ makes sense to replicate the change through all the pipe_*_open()
+ functions.
+
+ The core of the change is to verify that inode->i_pipe has not
+ been released before attempting to manipulate it. If inode->i_pipe
+ is no longer present, return ENOENT to indicate so.
+
+ The comment about potentially using atomic_t for i_pipe->readers
+ and i_pipe->writers has also been removed because it is no longer
+ relevant in this context. The inode->i_mutex lock must be used so
+ that inode->i_pipe can be dealt with correctly.
+
+ Signed-off-by: Earl Chew <earl_chew at agilent.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 52c4151..ae17d02 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -777,36 +777,55 @@ pipe_rdwr_release(struct inode *inode, struct file *filp)
+ static int
+ pipe_read_open(struct inode *inode, struct file *filp)
+ {
+- /* We could have perhaps used atomic_t, but this and friends
+- below are the only places. So it doesn't seem worthwhile. */
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->readers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->readers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_write_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- if (filp->f_mode & FMODE_READ)
+- inode->i_pipe->readers++;
+- if (filp->f_mode & FMODE_WRITE)
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ if (filp->f_mode & FMODE_READ)
++ inode->i_pipe->readers++;
++ if (filp->f_mode & FMODE_WRITE)
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ /*
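Review bot: the new `if (inode->i_pipe)` guards in all three open paths carry no comment saying why `i_pipe` can be NULL here, and the hunk removes the only comment that was there (the atomic_t remark). The description explains it well (the last pipe release frees `inode->i_pipe` while an open through /proc/<pid>/fd/* is racing, serialised by `inode->i_mutex`); a two-line version of that above the first check stops the next reader from reintroducing a lock-free increment. Returning `-ENOENT` for the lost pipe is sensible, and with `ret` initialised to `-ENOENT` and only reset inside the `if`, both outcomes leave through the single `mutex_unlock`, so no unlock is skipped on either path.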
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/netlink-fix-typo-in-initialization.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/netlink-fix-typo-in-initialization.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/netlink-fix-typo-in-initialization.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/netlink-fix-typo-in-initialization.patch)
@@ -0,0 +1,27 @@
+commit ad61df918c44316940404891d5082c63e79c256a
+Author: Jiri Pirko <jpirko at redhat.com>
+Date: Thu Oct 8 01:21:46 2009 -0700
+
+ netlink: fix typo in initialization
+
+ Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing
+ initializations in dumped data") introduced a typo in
+ initialization. This patch fixes this.
+
+ Signed-off-by: Jiri Pirko <jpirko at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/net/sched/cls_api.c linux-source-2.6.26/net/sched/cls_api.c
+--- linux-source-2.6.26.orig/net/sched/cls_api.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sched/cls_api.c 2009-10-27 21:47:00.000000000 -0600
+@@ -333,7 +333,7 @@ static int tcf_fill_node(struct sk_buff
+ tcm = NLMSG_DATA(nlh);
+ tcm->tcm_family = AF_UNSPEC;
+ tcm->tcm__pad1 = 0;
+- tcm->tcm__pad1 = 0;
++ tcm->tcm__pad2 = 0;
+ tcm->tcm_ifindex = tp->q->dev->ifindex;
+ tcm->tcm_parent = tp->classid;
+ tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
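Review bot: the change from the duplicated `tcm->tcm__pad1 = 0;` to `tcm->tcm__pad2 = 0;` is correct, but neither the upstream message nor the Debian note says what the typo meant in practice: `tcm__pad2` was never written, so those bytes of the struct tcmsg placed in the dump were uninitialised kernel memory, the same class of leak that tc-fix-pad-leak.patch in this series describes for tc_fill_tclass. A sentence to that effect in the backport note would explain why a "typo" fix carries CVE-2009-3612 in the changelog.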
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/random-make-get_random_int-more-random.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/random-make-get_random_int-more-random.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/random-make-get_random_int-more-random.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/random-make-get_random_int-more-random.patch)
@@ -0,0 +1,65 @@
+commit 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Tue May 5 08:17:43 2009 -0700
+
+ random: make get_random_int() more random
+
+ It's a really simple patch that basically just open-codes the current
+ "secure_ip_id()" call, but when open-coding it we now use a _static_
+ hashing area, so that it gets updated every time.
+
+ And to make sure somebody can't just start from the same original seed of
+ all-zeroes, and then do the "half_md4_transform()" over and over until
+ they get the same sequence as the kernel has, each iteration also mixes in
+ the same old "current->pid + jiffies" we used - so we should now have a
+ regular strong pseudo-number generator, but we also have one that doesn't
+ have a single seed.
+
+ Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It
+ has no real meaning. It could be anything. I just picked the previous
+ seed, it's just that now we keep the state in between calls and that will
+ feed into the next result, and that should make all the difference.
+
+ I made that hash be a per-cpu data just to avoid cache-line ping-pong:
+ having multiple CPU's write to the same data would be fine for randomness,
+ and add yet another layer of chaos to it, but since get_random_int() is
+ supposed to be a fast interface I did it that way instead. I considered
+ using "__raw_get_cpu_var()" to avoid any preemption overhead while still
+ getting the hash be _mostly_ ping-pong free, but in the end good taste won
+ out.
+
+ Signed-off-by: Ingo Molnar <mingo at elte.hu>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/drivers/char/random.c b/drivers/char/random.c
+index f824ef8..b2ced39 100644
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -1665,15 +1665,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_number);
+ * value is not cryptographically secure but for several uses the cost of
+ * depleting entropy is too high
+ */
++DEFINE_PER_CPU(__u32 [4], get_random_int_hash);
+ unsigned int get_random_int(void)
+ {
+- /*
+- * Use IP's RNG. It suits our purpose perfectly: it re-keys itself
+- * every second, from the entropy pool (and thus creates a limited
+- * drain on it), and uses halfMD4Transform within the second. We
+- * also mix it with jiffies and the PID:
+- */
+- return secure_ip_id((__force __be32)(current->pid + jiffies));
++ struct keydata *keyptr;
++ __u32 *hash = get_cpu_var(get_random_int_hash);
++ int ret;
++
++ keyptr = get_keyptr();
++ hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;
++
++ ret = half_md4_transform(hash, keyptr->secret);
++ put_cpu_var(get_random_int_hash);
++
++ return ret;
+ }
+
+ /*
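Review bot: `DEFINE_PER_CPU(__u32 [4], get_random_int_hash);` has no `static`, yet nothing outside this function needs the symbol; `static DEFINE_PER_CPU(...)` is the usual form. The replaced comment block explained what the old code did while the new body has none: `hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret;` and the per-cpu choice deserve the rationale from the commit message (persistent state so repeated calls do not restart from a fixed seed; pid, jiffies, cycles and the stack address are only noise, the secret from get_keyptr() is what keeps the output unpredictable; per-cpu to avoid cache-line ping-pong). Also `int ret` is signed while half_md4_transform() and the function's return type are unsigned; `__u32 ret` avoids a needless conversion.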
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/all/tc-fix-pad-leak.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/tc-fix-pad-leak.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/tc-fix-pad-leak.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/all/tc-fix-pad-leak.patch)
@@ -0,0 +1,26 @@
+commit 16ebb5e0b36ceadc8186f71d68b0c4fa4b6e781b
+Author: Eric Dumazet <eric.dumazet at gmail.com>
+Date: Wed Sep 2 02:40:09 2009 +0000
+
+ tc: Fix unitialized kernel memory leak
+
+ Three bytes of uninitialized kernel memory are currently leaked to user
+
+ Signed-off-by: Eric Dumazet <eric.dumazet at gmail.com>
+ Reviewed-by: Jiri Pirko <jpirko at redhat.com>
+ Signed-off-by: David S. Miller <davem at davemloft.net>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/net/sched/sch_api.c linux-source-2.6.26/net/sched/sch_api.c
+--- linux-source-2.6.26.orig/net/sched/sch_api.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/net/sched/sch_api.c 2009-10-27 21:31:09.000000000 -0600
+@@ -1080,6 +1080,8 @@ static int tc_fill_tclass(struct sk_buff
+ nlh = NLMSG_NEW(skb, pid, seq, event, sizeof(*tcm), flags);
+ tcm = NLMSG_DATA(nlh);
+ tcm->tcm_family = AF_UNSPEC;
++ tcm->tcm__pad1 = 0;
++ tcm->tcm__pad2 = 0;
+ tcm->tcm_ifindex = q->dev->ifindex;
+ tcm->tcm_parent = q->handle;
+ tcm->tcm_handle = q->handle;
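Review bot: the upstream message body is a single sentence that stops at "leaked to user" and does not say which bytes; from the hunk they are the one-byte `tcm__pad1` and two-byte `tcm__pad2` fields of struct tcmsg that tc_fill_tclass left unset between `tcm_family` and `tcm_ifindex`, which is where the "three bytes" come from. Stating that in the Debian backport note, together with the fact that tcf_fill_node gets the matching fix via netlink-fix-typo-in-initialization.patch in the same series, makes the pair easier to audit together.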
Copied: dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch)
@@ -0,0 +1,26 @@
+commit 6a54435560efdab1a08f429a954df4d6c740bddf
+Author: Avi Kivity <avi at redhat.com>
+Date: Sun Oct 4 16:45:13 2009 +0200
+
+ KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID
+
+ The number of entries is multiplied by the entry size, which can
+ overflow on 32-bit hosts. Bound the entry count instead.
+
+ Reported-by: David Wagner <daw at cs.berkeley.edu>
+ Cc: stable at kernel.org
+ Signed-off-by: Avi Kivity <avi at redhat.com>
+
+diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
+index be451ee..9b96953 100644
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -1591,6 +1591,8 @@ static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
+
+ if (cpuid->nent < 1)
+ goto out;
++ if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
++ cpuid->nent = KVM_MAX_CPUID_ENTRIES;
+ r = -ENOMEM;
+ cpuid_entries = vmalloc(sizeof(struct kvm_cpuid_entry2) * cpuid->nent);
+ if (!cpuid_entries)
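Review bot: clamping with `cpuid->nent = KVM_MAX_CPUID_ENTRIES;` silently truncates an oversized request instead of rejecting it, and the visible lines do not show the caller learning that the request was trimmed; if later code copies the adjusted `nent` back to user space that is fine, otherwise returning `-E2BIG` would be the clearer contract. The `sizeof(struct kvm_cpuid_entry2) * cpuid->nent` multiplication in the vmalloc() call is unchanged, so the fix relies on KVM_MAX_CPUID_ENTRIES times the entry size fitting in an int on 32-bit hosts; a one-line comment or BUILD_BUG_ON stating that assumption would document why the bound is sufficient.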
Copied: dists/lenny/linux-2.6/debian/patches/series/19lenny2 (from r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/series/19lenny2)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/series/19lenny2 Thu Nov 5 01:44:57 2009 (r14561, copy of r14560, releases/linux-2.6/2.6.26-19lenny2/debian/patches/series/19lenny2)
@@ -0,0 +1,7 @@
++ bugfix/all/tc-fix-pad-leak.patch
++ bugfix/all/random-make-get_random_int-more-random.patch
++ bugfix/all/netlink-fix-typo-in-initialization.patch
++ bugfix/all/drm+r128-Add-test-for-init-to-all-reqd-ioctls.patch
++ bugfix/all/af_unix-fix-deadlock-on-connecting-to-shutdown-socket.patch
++ bugfix/all/fs-pipe-null-pointer-dereference.patch
++ bugfix/x86/kvm-prevent-overflow-in-KVM_GET_SUPPORTED_CPUID.patch