commit 4ece57945f296ab05a8a958089c9a382cbb700b4
Author: Chris Wright
Date:   Tue Jun 20 01:55:00 2006 -0700

    Linux 2.6.16.21

commit ab46ee26dc90c5608c0d51c33a029fe514c0a49d
Author: Patrick McHardy
Date:   Mon Jun 19 19:14:21 2006 +0200

    [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)

    Fix endless loop in the SCTP match similar to those already fixed in the
    SCTP conntrack helper (was CVE-2006-1527).

    Signed-off-by: Patrick McHardy
    Signed-off-by: Chris Wright

commit 0ba239cc0ef0ebf9d38cd733754fcf657ae79b2b
Author: Oleg Nesterov
Date:   Thu Jun 15 20:11:43 2006 +0400

    [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)

    do_exit() clears ->it_##clock##_expires, but nothing prevents another cpu
    from attaching the timer to the exiting process after that. arm_timer()
    tries to protect against this race, but the check is racy.

    After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and before
    do_exit() calls 'schedule()', a local timer interrupt can find
    tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu does
    sys_wait4) the interrupted task has ->signal == NULL.

    At this moment the exiting task has no pending cpu timers, they were
    cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(), so we
    can just return from irq.

    John Stultz recently confirmed this bug, see
    http://marc.theaimsgroup.com/?l=linux-kernel&m=115015841413687

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright

commit 5705264e83bd9f8918895d8f5ddddbdeb062c719
Author: Oleg Nesterov
Date:   Thu Jun 15 20:11:15 2006 +0400

    [PATCH] check_process_timers: fix possible lockup

    If the local timer interrupt happens just after do_exit() sets PF_EXITING
    (and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call
    check_process_timers() with tasklist_lock + ->siglock held and
    check_process_timers:

        t = tsk;
        do {
            ....
            do {
                t = next_thread(t);
            } while (unlikely(t->flags & PF_EXITING));
        } while (t != tsk);

    the outer loop will never stop.

    Actually, the window is bigger. Another process can attach the timer
    after ->it_xxx_expires was cleared (see the next commit) and the
    'if (PF_EXITING)' check in arm_timer() is racy (see the one after that).

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit ad325de56677938d8c58b376e1d7813b50527263
Author: Paul Mackerras
Date:   Fri Jun 9 13:02:59 2006 +1000

    [PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448)

    This fixes a bug found by Dave Jones that means that it is possible for
    userspace to provoke a machine check on 32-bit kernels. This also fixes
    a couple of other places where I found similar problems by inspection.

    Signed-off-by: Paul Mackerras
    Signed-off-by: Chris Wright
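The xt_sctp commit above (CVE-2006-3085) names the failure mode but not the check. The following is an added, user-space illustration of the defensive pattern rather than the kernel's own xt_sctp code: a chunk walker that rejects any chunk whose length field is smaller than the 4-byte chunk header, since a zero length would leave the offset unchanged and the loop spinning. The helper name `sctp_count_chunks` and the two sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* SCTP chunk header: type (1), flags (1), length (2, big-endian). The length
 * includes the 4-byte header itself and chunks are padded to 4-byte multiples. */
#define SCTP_CHUNK_HDR_LEN 4
#define SCTP_COMMON_HDR_LEN 12 /* sport, dport, verification tag, checksum */

/* Walk the chunks after the common header. Returns the chunk count, or -1 if a
 * chunk is truncated or its length field is below the header size. That last
 * check is the fix: without it a length of 0 never advances 'off'. */
int sctp_count_chunks(const uint8_t *pkt, size_t len)
{
    size_t off = SCTP_COMMON_HDR_LEN;
    int count = 0;

    if (len < off)
        return -1;

    while (off < len) {
        if (len - off < SCTP_CHUNK_HDR_LEN)
            return -1; /* not enough bytes for a chunk header */

        uint16_t clen = (uint16_t)((pkt[off + 2] << 8) | pkt[off + 3]);

        if (clen < SCTP_CHUNK_HDR_LEN)
            return -1; /* zero/undersized length: would loop forever */
        if (clen > len - off)
            return -1; /* chunk claims more bytes than remain */

        count++;
        off += ((size_t)clen + 3) & ~(size_t)3; /* advance by padded length */
    }
    return count;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t good_pkt[] = {
    0x13, 0x88, 0x13, 0x89, 0, 0, 0, 1, 0, 0, 0, 0,           /* common header */
    0x01, 0x00, 0x00, 0x14, 1, 2, 3, 4, 5, 6, 7, 8,           /* INIT, length 20 */
    9, 10, 11, 12, 13, 14, 15, 16,
    0x04, 0x00, 0x00, 0x06, 0xaa, 0xbb, 0, 0,                 /* HEARTBEAT, len 6 + pad */
};
static const uint8_t zero_len_pkt[] = {
    0x13, 0x88, 0x13, 0x89, 0, 0, 0, 1, 0, 0, 0, 0,           /* common header */
    0x01, 0x00, 0x00, 0x00, 0, 0, 0, 0,                       /* chunk with length 0 */
};

int count_good(void) { return sctp_count_chunks(good_pkt, sizeof good_pkt); }
int count_zero_len(void) { return sctp_count_chunks(zero_len_pkt, sizeof zero_len_pkt); }
```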