Commit: 5306cc0478da7d778f8f43e1b9931a52ba541cfc
Author: Adrian Bunk  Sun, 06 Jan 2008 17:54:15 +0200

Linux 2.6.16.58

Commit: a8d648b7487632a2d5992f8a6099b2af0250f078
Author: Adrian Bunk  Sun, 06 Jan 2008 02:10:24 +0200

Linux 2.6.16.58-rc1

Commit: 0949515eac13172c4754691d2270772c0b195565
Author: Alan Cox  Sun, 09 Dec 2007 19:07:00 +0100

[SCSI] aacraid: fix security weakness

Actually there are several but one is trivially fixed

1. FSACTL_GET_NEXT_ADAPTER_FIB ioctl does not lock dev->fib_list but needs to
2. Ditto for FSACTL_CLOSE_GET_ADAPTER_FIB
3. It is possible to construct an attack via the SRB ioctls where the user obtains assorted elevated privileges. Various approaches are possible, the trivial ones being things like writing to the raw media via scsi commands and the swap image of other executing programs with higher privileges. So the ioctls should be CAP_SYS_RAWIO - at least all the FIB manipulating ones.

This is a bandaid fix for #3 but probably the ioctls should grow their own capable checks. The other two bugs need someone competent in that driver to fix them.

Signed-off-by: Alan Cox
Acked-by: Mark Salyzyn
Signed-off-by: James Bottomley
Signed-off-by: Adrian Bunk

Commit: 3528fed43621960e41fef18a2013dc05801ee707
Author: Jean Delvare  Sun, 09 Dec 2007 18:58:59 +0100

hwmon/lm87: Fix a division by zero

Missing parentheses in the definition of FAN_FROM_REG cause a division by zero for a specific register value.

Signed-off-by: Jean Delvare
Acked-by: Hans de Goede
Signed-off-by: Mark M. Hoffman
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Adrian Bunk

Commit: f28b4d6af82321ebddda7e40075f50075207fc09
Author: Jean Delvare  Sun, 09 Dec 2007 18:57:37 +0100

hwmon/lm87: Disable VID when it should be

A stupid bit shifting bug caused the VID value to be always exported even when the hardware is configured for something different.

Signed-off-by: Jean Delvare
Signed-off-by: Mark M. Hoffman
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Adrian Bunk

Commit: 01152da5e89872ea626683a8e0d1bcd09fab6a37
Author: Charles Hardin  Sun, 09 Dec 2007 18:41:07 +0100

[PFKEY]: Sending an SADB_GET responds with an SADB_GET

[ Upstream commit: 435000bebd94aae3a7a50078d142d11683d3b193 ]

Kernel needs to respond to an SADB_GET with the same message type to conform to the RFC 2367 Section 3.1.5

Signed-off-by: Andrew Morton
Signed-off-by: Herbert Xu
Signed-off-by: Adrian Bunk

Commit: e296897180ce12ecb991c14f9652e74269b03216
Author: Chas Williams  Sun, 09 Dec 2007 18:38:22 +0100

[ATM]: [he] initialize lock and tasklet earlier

[ Upstream commit: 8a8037ac9dbe4eb20ce50aa20244faf77444f4a3 ]

if you are lucky (unlucky?) enough to have shared interrupts, the interrupt handler can be called before the tasklet and lock are ready for use.

Signed-off-by: Chas Williams
Signed-off-by: Herbert Xu
Signed-off-by: Adrian Bunk

Commit: d808e724a4f4b8531c7fb8722e0e60100b3cb1c2
Author: Hugh Dickins  Sun, 06 Jan 2008 04:18:21 +0200

tmpfs: restore missing clear_highpage (CVE-2007-6417)

tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in which shmem_getpage receives the page from its caller instead of allocating. We must cover this case by clear_highpage before SetPageUptodate, as before.

Signed-off-by: Hugh Dickins
Signed-off-by: Adrian Bunk

Commit: 86c4424d0a676b9d6dea8fb64e21c3d263aa88bb
Author: Adrian Bunk  Sun, 09 Dec 2007 20:33:23 +0100

ipv4/arp.c:arp_process(): remove bogus #ifdef mess

The #ifdef's in arp_process() were not only a mess, they were also wrong in the CONFIG_NET_ETHERNET=n and (CONFIG_NETDEV_1000=y or CONFIG_NETDEV_10000=y) cases.

Since they are not required this patch removes them.

Also removed are some #ifdef's around #include's that caused compile errors after this change.

Signed-off-by: Adrian Bunk

Commit: 47d5d333edbb27fe52da914c606dbc894826bcf3
Author: Patrick McHardy  Tue, 13 Nov 2007 12:23:22 +0100

[NETLINK]: Fix unicast timeouts

[ Upstream commit: c3d8d1e30cace31fed6186a4b8c6b1401836d89c ]

Commit ed6dcf4a in the history.git tree broke netlink_unicast timeouts by moving the schedule_timeout() call to a new function that doesn't propagate the remaining timeout back to the caller. This means on each retry we start with the full timeout again.

ipc/mqueue.c seems to actually want to wait indefinitely so this behaviour is retained.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 624e4ff675005168e71d297185f4b75dbdf650af
Author: Florian Zumbiehl  Tue, 13 Nov 2007 11:12:46 +0100

PPPOE: fix memory leak (local DoS) (CVE-2007-2525)

This patch fixes a memory leak when a PPPoE socket is release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl ever has been called on it.

This is somewhat of a security problem, too, since PPPoE sockets can be created by any user, so any user can easily allocate all the machine's RAM to non-swappable address space and thus DoS the system.

Is there any specific reason for PPPoE sockets being available to any unprivileged process, BTW? After all, you need a packet socket for the discovery stage anyway, so it's unlikely that any unprivileged process will ever need to create a PPPoE socket, no? Allocating all session IDs for a known AC is a kind of DoS, too, after all - with Juniper ERXes, this is really easy, actually, since they don't ever assign session ids above 8000 ...

Signed-off-by: Florian Zumbiehl
Signed-off-by: Adrian Bunk

Commit: 07c2420331fc05ff768b35ef8d4de2d17700756e
Author: Radu Rendec  Tue, 13 Nov 2007 09:30:35 +0100

[PKT_SCHED] CLS_U32: Fix endianness problem with u32 classifier hash masks.

While trying to implement u32 hashes in my shaping machine I ran into a possible bug in the u32 hash/bucket computing algorithm (net/sched/cls_u32.c).

The problem occurs only with hash masks that extend over the octet boundary, on little endian machines (where htonl() actually does something).

Let's say that I would like to use 0x3fc0 as the hash mask. This means 8 contiguous "1" bits starting at b6. With such a mask, the expected (and logical) behavior is to hash any address in, for instance, 192.168.0.0/26 in bucket 0, then any address in 192.168.0.64/26 in bucket 1, then 192.168.0.128/26 in bucket 2 and so on.

This is exactly what would happen on a big endian machine, but on little endian machines, what would actually happen with current implementation is 0x3fc0 being reversed (into 0xc03f0000) by htonl() in the userspace tool and then applied to 192.168.x.x in the u32 classifier. When shifting right by 16 bits (rank of first "1" bit in the reversed mask) and applying the divisor mask (0xff for divisor 256), what would actually remain is 0x3f applied on the "168" octet of the address.

One could say is this can be easily worked around by taking endianness into account in userspace and supplying an appropriate mask (0xfc03) that would be turned into contiguous "1" bits when reversed (0x03fc0000). But the actual problem is the network address (inside the packet) not being converted to host order, but used as a host-order value when computing the bucket.

Let's say the network address is written as n31 n30 ... n0, with n0 being the least significant bit. When used directly (without any conversion) on a little endian machine, it becomes n7 ... n0 n8 ..n15 etc in the machine's registers. Thus bits n7 and n8 would no longer be adjacent and 192.168.64.0/26 and 192.168.128.0/26 would no longer be consecutive.

The fix is to apply ntohl() on the hmask before computing fshift, and in u32_hash_fold() convert the packet data to host order before shifting down by fshift.

With helpful feedback from Jamal Hadi Salim and Jarek Poplawski.

Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 526d19a5e1cf1c252c9c6355c0ba8912fb9f02c5
Author: Evgeniy Polyakov  Tue, 13 Nov 2007 09:27:27 +0100

[PKT_SCHED]: Fix OOPS when removing devices from a teql queuing discipline

[ Upstream commit: 4f9f8311a08c0d95c70261264a2b47f2ae99683a ]

tecl_reset() is called from deactivate and qdisc is set to noop already, but subsequent teql_xmit does not know about it and dereference private data as teql qdisc and thus oopses.

not catch it first :)

Signed-off-by: Evgeniy Polyakov
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 9c78b87bdfc519a9b73300c288a70cd4ee9f79c3
Author: Peter Zijlstra  Tue, 13 Nov 2007 08:46:02 +0100

i386: fixup TRACE_IRQ breakage

The TRACE_IRQS_ON function in iret_exc: calls a C function without ensuring that the segments are set properly. Move the trace function and the enabling of interrupt into the C stub.

Signed-off-by: Peter Zijlstra
Signed-off-by: Adrian Bunk

Commit: 08cdcb569ebc93e60861931f113e59814d0f8ef7
Author: Roland McGrath  Tue, 13 Nov 2007 08:43:25 +0100

Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)

The code for LDT segment selectors was not robust in the face of a bogus selector set in %cs via ptrace before the single-step was done.

Signed-off-by: Roland McGrath
Signed-off-by: Adrian Bunk

Commit: d4f042f049e679559263a523219413889264aed4
Author: Ben Collins  Tue, 13 Nov 2007 07:50:09 +0100

[ATM]: Add CPPFLAGS to byteorder.h check

O= builds produced errors in the shell command because of unfound headers.

Signed-off-by: Ben Collins
Signed-off-by: Adrian Bunk

Commit: 6833f471eca59e676aa103001c82eb027e74ac7c
Author: Michal Schmidt  Tue, 13 Nov 2007 07:48:46 +0100

[PPP_MPPE]: Don't put InterimKey on the stack

ppp_mppe puts a crypto key on the kernel stack, then passes the address of that into the crypto layer. That doesn't work because the crypto layer needs to be able to do virt_to_*() on the address which does not universally work for the kernel stack on all platforms.

Adrian Bunk: Backported to 2.6.16.

Signed-off-by: Michal Schmidt
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 674ce0f35d6c917824ff772c9f87f6a1102192b2
Author: Patrick McHardy  Mon, 12 Nov 2007 13:04:20 +0100

[INET_DIAG]: Fix oops in netlink_rcv_skb

netlink_run_queue() doesn't handle multiple processes processing the queue concurrently. Serialize queue processing in inet_diag to fix a oops in netlink_rcv_skb caused by netlink_run_queue passing a NULL for the skb.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000054
[349587.500454] printing eip:
[349587.500457] c03318ae
[349587.500459] *pde = 00000000
[349587.500464] Oops: 0000 [#1]
[349587.500466] PREEMPT SMP
[349587.500474] Modules linked in: w83627hf hwmon_vid i2c_isa
[349587.500483] CPU: 0
[349587.500485] EIP: 0060:[] Not tainted VLI
[349587.500487] EFLAGS: 00010246 (2.6.22.3 #1)
[349587.500499] EIP is at netlink_rcv_skb+0xa/0x7e
[349587.500506] eax: 00000000 ebx: 00000000 ecx: c148d2a0 edx: c0398819
[349587.500510] esi: 00000000 edi: c0398819 ebp: c7a21c8c esp: c7a21c80
[349587.500517] ds: 007b es: 007b fs: 00d8 gs: 0033 ss: 0068
[349587.500521] Process oidentd (pid: 17943, ti=c7a20000 task=cee231c0 task.ti=c7a20000)
[349587.500527] Stack: 00000000 c7a21cac f7c8ba78 c7a21ca4 c0331962 c0398819 f7c8ba00 0000004c
[349587.500542] f736f000 c7a21cb4 c03988e3 00000001 f7c8ba00 c7a21cc4 c03312a5 0000004c
[349587.500558] f7c8ba00 c7a21cd4 c0330681 f7c8ba00 e4695280 c7a21d00 c03307c6 7fffffff
[349587.500578] Call Trace:
[349587.500581] [] show_trace_log_lvl+0x1c/0x33
[349587.500591] [] show_stack_log_lvl+0x8d/0xaa
[349587.500595] [] show_registers+0x1cb/0x321
[349587.500604] [] die+0x112/0x1e1
[349587.500607] [] do_page_fault+0x229/0x565
[349587.500618] [] error_code+0x72/0x78
[349587.500625] [] netlink_run_queue+0x40/0x76
[349587.500632] [] inet_diag_rcv+0x1f/0x2c
[349587.500639] [] netlink_data_ready+0x57/0x59
[349587.500643] [] netlink_sendskb+0x24/0x45
[349587.500651] [] netlink_unicast+0x100/0x116
[349587.500656] [] netlink_sendmsg+0x1c2/0x280
[349587.500664] [] sock_sendmsg+0xba/0xd5
[349587.500671] [] sys_sendmsg+0x17b/0x1e8
[349587.500676] [] sys_socketcall+0x230/0x24d
[349587.500684] [] syscall_call+0x7/0xb
[349587.500691] =======================
[349587.500693] Code: f0 ff 4e 18 0f 94 c0 84 c0 0f 84 66 ff ff ff 89 f0 e8 86 e2 fc ff e9 5a ff ff ff f0 ff 40 10 eb be 55 89 e5 57 89 d7 56 89 c6 53 <8b> 50 54 83 fa 10 72 55 8b 9e 9c 00 00 00 31 c9 8b 03 83 f8 0f

Reported by Athanasius

Adrian Bunk: Backported to 2.6.16 based on a suggestion by David S. Miller.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk

Commit: 70b0f728caaf2c1987c45c7a2c985f7c333fe0d5
Author: YOSHIFUJI Hideaki  Mon, 12 Nov 2007 13:00:22 +0100

[IPV6]: Fix unbalanced socket reference with MSG_CONFIRM.

Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
Signed-off-by: Adrian Bunk
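The bucket computation behind the CLS_U32 hash-mask commit (07c2420331fc) above, as an added worked example; this is not code from the commit, the changelog or net/sched/cls_u32.c. It models the commit's own scenario (hmask 0x3fc0, divisor 256, consecutive /26 blocks of 192.168.0.0) and simulates both ways of loading the packet bytes explicitly, a big-endian load standing in for ntohl() and a little-endian load standing in for the native `*(u32 *)` read the pre-fix code relied on, so the pre-fix collisions reproduce identically on any host. The function names, the `net_bytes` type and the `& (divisor - 1)` stand-in for the classifier's divisor masking are assumptions of this example, not kernel identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Four bytes exactly as they sit in memory: the IPv4 address copied out of the
 * packet, or the hmask after the userspace tool ran htonl() on it. Both are in
 * network (big-endian) byte order. (Constructed type for this example.) */
typedef struct { uint8_t b[4]; } net_bytes;

static net_bytes ipv4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    net_bytes r = {{a, b, c, d}};
    return r;
}

/* What the userspace tool sends down: the admin's host-order mask after htonl(). */
static net_bytes hmask_as_sent(uint32_t host_mask) {
    return ipv4((uint8_t)(host_mask >> 24), (uint8_t)(host_mask >> 16),
                (uint8_t)(host_mask >> 8),  (uint8_t)host_mask);
}

/* The same four bytes loaded as a u32 by a big-endian CPU (equivalent to ntohl()
 * on any host) and by a little-endian CPU (a plain native load on x86). */
static uint32_t load_be(net_bytes x) {
    return (uint32_t)x.b[0] << 24 | (uint32_t)x.b[1] << 16 | (uint32_t)x.b[2] << 8 | x.b[3];
}
static uint32_t load_le(net_bytes x) {
    return (uint32_t)x.b[3] << 24 | (uint32_t)x.b[2] << 16 | (uint32_t)x.b[1] << 8 | x.b[0];
}

/* Index of the lowest set bit, i.e. ffs(v) - 1; a zero mask yields 0. */
static unsigned first_set_bit(uint32_t v) {
    unsigned n = 0;
    while (v && !(v & 1u)) { v >>= 1; n++; }
    return n;
}

/* Post-fix behaviour as the commit describes it: fshift is derived from
 * ntohl(hmask), and the masked key is converted to host order before it is
 * shifted. "& (divisor - 1)" stands in for the classifier's divisor masking. */
static unsigned bucket_fixed(net_bytes key, uint32_t host_mask, unsigned divisor) {
    uint32_t hmask  = load_be(hmask_as_sent(host_mask));  /* ntohl(sel->hmask)      */
    unsigned fshift = first_set_bit(hmask);                /* 6 for 0x3fc0           */
    uint32_t masked = load_be(key) & hmask;                /* ntohl(key & sel->hmask) */
    return (masked >> fshift) & (divisor - 1);
}

/* Pre-fix behaviour as it played out on a little-endian host: key and mask are
 * used exactly as the CPU loaded them, with no byte-order conversion at all. */
static unsigned bucket_before_fix_le(net_bytes key, uint32_t host_mask, unsigned divisor) {
    uint32_t hmask  = load_le(hmask_as_sent(host_mask));  /* 0x3fc0 arrives as 0xc03f0000 */
    unsigned fshift = first_set_bit(hmask);                /* 16 instead of 6              */
    uint32_t masked = load_le(key) & hmask;
    return (masked >> fshift) & (divisor - 1);
}

int main(void) {
    /* Constructed sample: the commit's mask 0x3fc0 (bits 6..13) with divisor 256,
     * so each /26 inside 192.168.0.0/22 should land in its own bucket. */
    const uint32_t mask = 0x3fc0;
    const unsigned divisor = 256;
    const net_bytes samples[] = {
        ipv4(192, 168, 0, 0),   ipv4(192, 168, 0, 64), ipv4(192, 168, 0, 128),
        ipv4(192, 168, 0, 192), ipv4(192, 168, 1, 0),
    };
    printf("%-16s %-12s %s\n", "address", "fixed", "before fix (LE host)");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        net_bytes a = samples[i];
        printf("%3u.%3u.%3u.%-3u  bucket %-5u bucket %u\n",
               (unsigned)a.b[0], (unsigned)a.b[1], (unsigned)a.b[2], (unsigned)a.b[3],
               bucket_fixed(a, mask, divisor), bucket_before_fix_le(a, mask, divisor));
    }
    return 0;
}
```

With the fix, the five sample addresses go to buckets 0, 1, 2, 3 and 4. On the pre-fix little-endian path the shift of 16 and the 0xff divisor mask discard the bits the admin asked for, so 192.168.0.0, .64, .128 and .192 all collapse into bucket 0 while 192.168.1.0 lands in bucket 1: the hash table degenerates to a few long chains, which is the filtering and performance problem the commit fixes.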