Linux Kernel Documents

Fork

• linux-2.6
• linux-2.4.36

[NETFILTER]: Fix deadlock on NAT helper unload

When a NAT helper is unlocked conntrack/NAT may deadlock because of
the following lock sequence:

.. ip_nat_helper_unregister
-> ip_ct_selective_cleanup
-> get_next_corpse (ip_conntrack_lock)
-> kill_helper (ip_nat_lock)

.. ip_nat_fn (ip_nat_lock)
-> ip_nat_setup_info
-> ip_conntrack_alter_reply (ip_conntrack_lock)

Taking ip_nat_lock in kill_helper() is unnecessary since the helper assigned
to a connection is immutable and new connections can't have the helper that
is beeing unloaded assigned since it is already removed from the global list.

Reported by <doublefacer007@gmail.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] copy_from_user information leak on s390.

There is/has been a bug with copy_from_user on s390. The problem is that
it does not pad the kernel buffer with zeroes in case of a fault on the
user address. That allows a malicious user to read uninitialized kernel
memory. The bug is already fixed upstream:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8

The uaccess code for s390 has changed recently, for older 2.6 versions
you need a different patch, and for 2.4 yet another one.

Description: kernel: user readable uninitialised kernel memory.
Symptom: None.
Problem: A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Solution: Fix the copy_from_user function to clear the remaining bytes
of the kernel buffer after a user space fault.

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH

Change VERSION to 2.4.34-pre4

- Backport fix for CVE-2006-4997 to 2.4 tree
- fbdev: correct buffer size limit in fbmem_read_proc()
- really fix size display for sun partitions larger than 1TByte
- i386: fix overflow in vmap on an x86 system which has more than 4GB memory.
- Advertise PPPoE MTU
- MIPS & i386: fix long long cast in pte macro
- block: fix negative bias of ios_in_flight (CONFIG_BLK_STATS) because of unbalanced I/O accounting
- x86_64: Fix missing delay when the TSC counter just overflowed
- fix Configure.help concerning rp_filter

[PATCH] i386: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

Added the (unsigned long long) cast as suggested by Ralf Baechle to
silent gcc when shifting right 32-bit arguments.

Acked-by: Willy Tarreau <w@1wt.eu>

[PATCH] MIPS: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

From Ralf Baechle :
I need a slight change to get this to build without warning for MIPS.
The argument passed to __pte() might be just a 32-bit int, so >> 32 will
upset gcc big time. I believe the same problem exists for i386, so
here's the patch with the necessary cast for both architectures.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

Revert "[PATCH] MIPS: fix long long cast in pte macro"

The commit was bogus, it contained both the MIPS and the i386
fixes.

This reverts 5f81c2baacdb36638446d1356beb4ce4e13baedb commit.

[PATCH] MIPS: fix long long cast in pte macro

From PaX Team :
the current idiom used for initializing a structure of two unsigned longs
from unsigned long long is wrong, it effectively loses the upper 32 bits
which in this particular case could turn a non-executable PTE into an
executable one on NX capable i386 (i.e., it's a potential security bug).
fortunately the in-tree users in 2.4 (drivers/char/drm-4.0/ffb_drv.c
and arch/mips/baget/baget.c) are not affected.

From Ralf Baechle :
I need a slight change to get this to build without warning for MIPS.
The argument passed to __pte() might be just a 32-bit int, so >> 32 will
upset gcc big time. I believe the same problem exists for i386, so
here's the patch with the necessary cast for both architectures.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

[PATCH] really fix size display for sun partitions larger than 1TByte

Problem: the last fix introduced by Jeff Mahoney for kernel 2.6 was not
complete for kernel 2.4 (as applied). I found out that add_gd_partition
is called by any type of partition (2.4). add_gd_partition is defined
as add_gd_partition (int, int), what makes no sense to me as negative
numbers should never occur here. As long as add_gd_partition is not
changed to add_gd_partition (unsigned, unsigned), /proc/partitions will
keep showing negative numbers.

If ever someone could look into this, within the different partition
type files in linux/fs/partitions the parameters to add_gd_partitions
seem to be chosen arbitrarily between int, unsigned and unsigned long,
whatever seemed to be appropriate, I think it would make sense to get
consistent parameters to add_gd_partition from all partition types here.
Especially if one takes into account that sizeof (long) and sizeof (int)
may differ significantly i. e. on sparc.

Signed-off-by: Dieter Jurzitza <DJurzitza@HarmanBecker.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] fix Configure.help concerning rp_filter

Adrian Buciuman reported that Configure.help is wrong regarding
rp_filter, while ip_sysctl.txt is right. rp_filter is OFF by
default.

[PATCH] Backport fix for CVE-2006-4997 to 2.4 tree

Backport fix for CVE-2006-4997 to 2.4 tree, compile tested.
Original commit message follows.

[ATM] CLIP: Do not refer freed skbuff in clip_mkip().

In clip_mkip(), skb->dev is dereferenced after clip_push(),
which frees up skb.

Advisory: AD_LAB-06009 (<adlab@venustech.com.cn>).

Original patch by YOSHIFUJI Hideaki.

Signed-off-by: dann frazier <dannf@debian.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] fbdev: correct buffer size limit in fbmem_read_proc()

Address http://bugzilla.kernel.org/show_bug.cgi?id=7189

It should check `clen', not `len'.

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: <jurij@wooyd.org>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: <stable@kernel.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@osdl.org>

[PATCH] Advertise PPPoE MTU

PPPoE must advertise the underlying device's MTU via the ppp channel
descriptor structure, as multilink functionality depends on it.

Signed-off-by: Michal Ostrowski <mostrows@earthlink.net>
Acked-by: Paul Mackerras <paulus@samba.org>

[PATCH] x86_64: Fix missing delay when the TSC counter just overflowed

I'd seen a problem that *delay functions return in too short delay.
It happens when the lower 32bit of TSC counter is overflowed.
This patch fixes the problem. This is back-port of Andi Kleen's
2.6 fix.

http://www.kernel.org/git/?p=linux/kernel/git/tglx/history.git;a=commit;h=6c51e28ffbbebf49437ec63ac4f9e385d60827e5

Signed-off-by: Toyo Abe <toyoa@mvista.com>

[PATCH] i386: fix overflow in vmap on an x86 system which has more than 4GB memory.

(max_mapnr << PAGE_SHIFT) would overflow on a system which has
4GB memory or more, and so could cause vmap to fail every time.

Signed-off-by: Michael Chen <micche@ati.com>
Signed-off-by: Hugh Dickins <hugh@veritas.com>

[PATCH] block: fix negative bias of ios_in_flight (CONFIG_BLK_STATS) because of unbalanced I/O accounting

Fix for unbalanced I/O accounting, that caused ios_in_flight
(CONFIG_BLK_STATS) to become and stay negative, as suggested by Jens
Axboe.

An added boolean field "io_account" in struct request is assumed to be
initialized to false on new requests. On starting I/O accounting, true is
assigned to the field. On ending I/O accounting, accounting is only
executed if the field has already been assigned true previously. Thus,
this fixes unbalanced cases where requests such as non-data get enqueued
without starting to account (ide_do_drive_cmd?) but the end of accounting
gets executed on finishing the same requests (ide_end_drive_cmd,
end_that_request_last, req_finished_io).

The precondition of io_account being initialized to false is ensured by

1) ide_init_drive_taskfile / ide_init_drive_cmd memset'ing the whole
request to zero, for requests that were potentially accounted unbalanced,
and

2) get_request assigning zero to io_account on allocating a request from
the free list cache (or slab cache initially), for the majority of
requests such as those involving data.

Jens preferred this to other discussed solutions and it should fix all
those unbalanced cases at once without touching each of them individually.

For more details, please see previous posts of this thread
http://www.uwsg.iu.edu/hypermail/linux/kernel/0608.2/0776.html.

I tested the patch with 2.4.24 and 2.4.33.3 successfully on an UP ia32
machine with one /dev/hda.

Signed-off-by: Steffen Maier <smaier@users.sourceforge.net>

Change VERSION to 2.4.34-pre3

This pre-version only includes GCC4 fixes and nothing else.
Build should work at least on i386, x86_64, PPC and sparc64.

Merge branch 'gcc4'

Change VERSION to 2.4.34-pre2

- drivers/scsi/sg.c : fix CVE-2006-1528
- [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()
- Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
- binfmt_elf.c : fix checks for bad address
- [DISKLABEL] SUN: Fix signed int usage for sector count
- cciss: do not mark cciss_scsi_detect __init
- i386 : fix exception processing in early boot
- crypto : prevent cryptoloop from oopsing on stupid ciphers
- loop.c: kernel_thread() retval check
- [SCTP] Local privilege elevation - CVE-2006-3745
- powerpc: Clear HID0 attention enable on PPC970 at boot time
- Revert "export memchr() which is used by smbfs and lp driver."
- [SPARC] export memchr() which is used by smbfs and lp driver.

[PATCH] i386 : fix exception processing in early boot

fix the longest existing kernel bug ever (since 0.01 ;-). basically,
the dummy interrupt handler installed for the early boot period does
not work for exceptions that push an error code as well, effectively
making the iret at the end of the handler to trigger another exception,
ad infinitum, or rather, until the kernel stack runs over, trashes all
memory below and eventually causes a CPU reset or a hang. without this
fix the early printk facility in 2.6 is also rather useless.

[PATCH] Fix possible UDF deadlock and memory corruption (CVE-2006-4145)

Here is a backport of the fix for CVE-2006-4145 fix from 2.6[1]
I've compile-tested it.

[1] http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commit;h=7127be29378b1230eb8dd8b84f18d6b69c56e959

Description in the original patch follows :

UDF code is not really ready to handle extents larger that 1GB. This
is the easy way to forbid creating those. Also truncation code did not
count with the case when there are no extents in the file and we are
extending the file.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()

Here is a 2.4 backport of David's fix for a problem with the recent
embargoed patch for CVE-2006-3745. Compile-tested, original
description follows:

[SCTP]: Fix sctp_primitive_ABORT() call in sctp_close().

With the recent fix, the callers of sctp_primitive_ABORT()
need to create an ABORT chunk and pass it as an argument rather
than msghdr that was passed earlier.

Signed-off-by: dann frazier <dannf@debian.org>

[PATCH] cciss: do not mark cciss_scsi_detect __init

if the cciss driver is compiled in then later discovery requests
initiated from userland will result in calling free'd memory since
the detect method is marked as __init. suggested fix is to simply
not mark it as __init, 2.6 has done it as well.

[PATCH] loop.c: kernel_thread() retval check

Patch extracted from 2.4.33-ow1. It has also been ported to 2.6 by
Julio Auto.

Basically, the code in drivers/block/loop.c did not check the return
value from kernel_thread(). If kernel_thread() would fail, the code
would misbehave (IIRC, the invoking process would become unkillable).

An easy way to trigger the bug was to run losetup under strace (as
root), and this is also how I tested the error path added with this
patch.

This change has been a part of publicly released -ow patches for 8+
months.

There are more instances of kernel_thread() calls that do not check the
return value; some of the remaining ones might need to be fixed, too.

Acked-by: Alan Cox <alan@redhat.com>

[DISKLABEL] SUN: Fix signed int usage for sector count

The current sun disklabel code uses a signed int for the sector count.
When partitions larger than 1 TB are used, the cast to a sector_t causes
the partition sizes to be invalid:

# cat /proc/paritions | grep sdan
66 112 2146435072 sdan
66 115 9223372036853660736 sdan3
66 120 9223372036853660736 sdan8

This patch switches the sector count to an unsigned int to fix this.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

[PATCH] crypto : prevent cryptoloop from oopsing on stupid ciphers

With the cryptoloop patch applied, it's possible to request
ECB mode encryption, which will result in a Oops because of
uninitialized function pointers. Initializing them to the
nocrypt_iv() function does not completely solve the problem
because cryptoloop does not check the return code, and kernel
memory will leak uninitialized through cryptoloop.

Proposed solution :
Can we maybe define working but IV-ignoring functions for ECB (like I
did), but use memory-clearing nocrypt*() for CFB and CTR (as long as
these are not supported)? Of course, all of these will return -ENOSYS.

Response from Herbert Xu :
In cryptodev-2.6, with block ciphers you can no longer select CFB/CTR
until someone writes support for them so this is no longer an issue.
For 2.4, I don't really mind either way what nocrypt does.

Final solution :
OK, I've merged Willy's suggestion for the memset()s into the patch
that I had submitted previously. The resulting patch is attached.

[PATCH] [SCTP] Local privilege elevation - CVE-2006-3745

Avoid the use of buggy get_user_iov_size(). sctp_make_abort_user()
now takes the msg_len along with the msg so that we don't have to
recalculate the bytes in iovec. It also uses memcpy_fromiovec()
so that we don't go beyond the length of the allocated buffer.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>

[PATCH] binfmt_elf.c : fix checks for bad address

Fix check for bad address; use macro instead of open-coding two checks.

Explanation from Ernie Petries in 2.6 commit :

For background, the BAD_ADDR() macro should return TRUE if the address is
TASK_SIZE, because that's the lowest address that is *not* valid for
user-space mappings. The macro was correct in binfmt_aout.c but was wrong
for the "equal to" case in binfmt_elf.c. There were two in-line validations
of user-space addresses in binfmt_elf.c, which have been appropriately
converted to use the corrected BAD_ADDR() macro in the patch you posted
yesterday. Note that the size checks against TASK_SIZE are okay as coded.

Note that this patch slightly differs from Ernie's in that the printk()
only got commented out instead of being removed, since a rate limited call
is expected soon.

[PATCH] [SPARC] export memchr() which is used by smbfs and lp driver.

Previous attempt at fixing smbfs build on sparc broke at least x86_64.
This patch is less intrusive and exports memchr() only on sparc and
sparc64.

Signed-off-by: Willy Tarreau <w@1wt.eu>

[PATCH] Revert "[PATCH] export memchr() which is used by smbfs and lp driver."

This reverts aa8eb4b22e6ecd3aa24e824c55239ddedf4dedad commit.

This patch broke x86_64 build and probably others. Better export
memchr() on architectures which need it.

[GCC4] SPARC64: fix UP build error in arch/sparc64/mm/init.c

This patch fixes an invalid-lvalue error when compiling a
2.4.34-pre1 kernel on sparc64 with gcc-4.1.1. The kernel
must be configured with CONFIG_SMP=n for the error to trigger.
(I didn't save the error message, sorry.)

A kernel compiled with gcc-4.1.1 boots fine on my Ultra5
and can rebuild itself, and generally seems no less solid
than the 2.4.33 I compiled with gcc-3.4.6.

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>