
linux-2.4.36: List of commits

2.4.36-stable kernel tree


Rev. Time Author
6ab2cfa 2007-11-12 02:43:41 dann frazier

[PATCH 3/4] [OpenPROM] Prevent overflow of sprintf buffer

This patch fixes a few potential overflows, originally submitted to 2.5 by
Dave Miller:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d69d753xoJv6rAeuQzdAcJK6Njncg
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d6aabcc3jBCcQB6wlZ7s3G9WGPYsg

Signed-off-by: dann frazier <dannf@hp.com>

a545dd4 2007-11-12 02:43:29 dann frazier

[PATCH 2/4] [OpenPROM]: Fix user-access checking bugs in openpromfs

This patch backports a number of user-access checking fixes, originally
submitted to 2.5 by Dave Miller:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=3d686423le0SEotURGfYEbgMpPGKqw

Signed-off-by: dann frazier <dannf@hp.com>

996bad4 2007-11-12 02:43:25 dann frazier

[PATCH 1/4] [OpenPROM]: Fix signedness bug in openprom char driver

CVE-2004-2731 describes two issues in the openprom driver.
The first issue, an integer overflow in copyin_string(), appears to be
fixed in 2.4. The second issue, an overflow in copyin(), is still present.

A description of both issues is here:
http://www.securityfocus.com/archive/1/367575

The user-provided 'bufsize' is checked for being too large, but is not checked
for being negative. This patch avoids this situation by making bufsize
unsigned.

This change has been in 2.6 for a number of years now:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=patch&REV=3d686423le0SEotURGfYEbgMpPGKqw

Signed-off-by: dann frazier <dannf@hp.com>
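
The length check described in this commit message, as an added example that is not the driver's code or the patch itself: a signed length that is only tested against an upper bound, next to the same test on an unsigned length. `MAX_BUFSIZE`, `validate_signed` and `validate_unsigned` are hypothetical names, and the inputs are constructed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BUFSIZE 32768  /* hypothetical limit for this sketch */

/* Signed length: only the upper bound is tested, as the message describes.
 * On success *copy_len receives the length a copy routine would see. */
static int validate_signed(int bufsize, size_t *copy_len)
{
    if (bufsize > MAX_BUFSIZE)
        return -EINVAL;
    *copy_len = (size_t)bufsize;   /* a negative value becomes enormous */
    return 0;
}

/* Unsigned length: the same single comparison now also rejects what
 * the caller passed as a negative number. */
static int validate_unsigned(unsigned int bufsize, size_t *copy_len)
{
    if (bufsize > MAX_BUFSIZE)
        return -EINVAL;
    *copy_len = bufsize;
    return 0;
}

int main(void)
{
    int inputs[] = { 16, MAX_BUFSIZE + 1, -1 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        size_t a = 0, b = 0;
        int rs = validate_signed(inputs[i], &a);
        int ru = validate_unsigned((unsigned int)inputs[i], &b);
        printf("bufsize=%d signed: rc=%d len=%zu | unsigned: rc=%d\n",
               inputs[i], rs, a, ru);
    }
    return 0;
}
```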

af89f16 2007-11-12 02:43:16 Willy Tarreau

[PATCH] ATM: avoid kernel panic upon access to /proc/net/atm/arp

Gilles Espinasse reported that if one user tried to read
/proc/net/atm/arp with the atm.o module loaded but without
clip.o, then the kernel would panic.

This is caused by a neighbour table which is NULL when the
CLIP module is not loaded. 2.6 has fixed this by managing
the "arp" entry within clip.o. Here, a less intrusive workaround
consists in returning -EAGAIN to open() if CLIP is not loaded.

Signed-off-by: Willy Tarreau <w@1wt.eu>

7e6ba25 2007-11-12 02:43:12 Andi Kleen

[PATCH] x86_64: Make sure to validate all 64bits of ptrace information

This is CVE-2007-4573, found by Wojciech Purczynski.

Signed-off-by: Andi Kleen <ak@suse.de>

6e4dc69 2007-11-12 02:43:07 Stephen Hemminger

[PATCH] Bridge STP timer fixes

Fix a couple of obvious places in 2.4 code where bridge timers are
set to values < current jiffies. This was a bug (mostly harmless)
that makes timers fire too soon.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>

75813af 2007-09-09 02:44:50 Willy Tarreau

Change VERSION to 2.4.36-pre1

- b44: fix force mac address before ifconfig up
- build fix for lvm with gcc 4
- fix wdt83627 build breakage with gcc 4.x
- wdt83627: fix wdt_init() return code
- module fdomain_cs requires fdomain_setup()
- do not use gcc's builtin strpbrk
- fix incorrect use of -fno-unit-at-a-time on GCC >= 4
- second build fix for some rare buggy versions of GCC 4
- CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG
- i386: do_test_wp_bit() must not be inlined
- restore -fno-unit-at-a-time on GCC >= 4
- sysctl to prevent normal processes from mapping NULL

97fdf52 2007-09-09 02:41:48 Willy Tarreau

[PATCH] sysctl to prevent normal processes from mapping NULL

After a patch proposal from Solar Designer, and discussions with
Alan Cox and Chris Wright, I modeled this patch which permits
restricting mapping of lower virtual addresses to CAP_RAW_IO capable
processes only.

This makes it harder for processes to try to exploit NULL pointer
dereference bugs in the kernel.

In order to ease transition from 2.4 to 2.6, the patch has also
been inspired by Eric Paris's patch now present in 2.6, which
adds the sys/vm/mmap_min_addr sysctl by which the lowest mappable
address is set. This sysctl defaults to zero, meaning NULL is
allowed by default.

According to tests run by Solar Designer, both Xorg and Wine run
correctly as a normal user with the restriction enabled. There
should be very few regressions when enabling it, and it is
recommended to enable it on servers after the obviously needed
validation.

Alan points out that some rare programs use a trick consisting in
mapping this page in order to reduce the number of NULL checks
in linked lists for instance.

Signed-off-by: Willy Tarreau <w@1wt.eu>

e56ce11 2007-09-09 02:39:20 Willy Tarreau

[PATCH] restore -fno-unit-at-a-time on GCC >= 4

-fno-unit-at-a-time was removed for gcc >= 4 in order to
support gcc 4.2. Unfortunately, this caused nasty problems
in many modules which had some of their read-only parameters
optimized away.

So we have to restore -fno-unit-at-a-time for the moment.
This will break gcc 4.2 again, and another solution will be
needed in order to support it. Note that -fno-unit-at-a-time
may not be supported in future versions of gcc.

Signed-off-by: Willy Tarreau <w@1wt.eu>

3c8aaf1 2007-09-09 02:38:56 Willy Tarreau

[PATCH] i386: do_test_wp_bit() must not be inlined

do_test_wp_bit() has a comment stating that it must not be inlined.
Unfortunately, the trick to prevent it from being inlined is not
reliable under gcc 4.x.

The simple fix consists in specifying the noinline attribute.
Tested and confirmed to produce the correct code for gcc versions
2.95.3, 3.3.6, 3.4.6, 4.0.2, 4.1.1 and 4.2.1.

Special thanks to Axel Reinhold and Richard Kojedzinszky for their
continuous feedback when trying to solve this issue.

Signed-off-by: Willy Tarreau <w@1wt.eu>

c152676 2007-08-15 16:15:09 Willy Tarreau

[PATCH] CVE-2007-3848 Privilege escalation via PR_SET_PDEATHSIG

Fix the "parent process death signal" vulnerability in the Linux kernel
discovered by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security
Research (CVE-2007-3848).

To sum up, any local user could manage to start a setuid program then
send it an arbitrary signal while it is running, by first setting the
PR_SET_PDEATHSIG argument of the prctl() system call, and then running
another setuid program from the parent process. This is something the
user is normally supposed to be able to do only as long as the setuid
program has not completely switched its UID.

Depending on the installed setuid programs, this may lead to either a
denial of service or even to a privilege escalation, so this issue is
very distribution specific.

For more information regarding this issue, please refer to the original
advisory :

http://www.isec.pl/vulnerabilities/isec-0024-death-signal.txt

The following fix has been provided by Solar Designer and is already
part of the latest Openwall kernel.

Signed-off-by: Willy Tarreau <w@1wt.eu>

a35c6d8 2007-08-10 06:07:53 Willy Tarreau

[PATCH] second build fix for some rare buggy versions of GCC 4

Last gcc4 fix 78bf0892b4008a0011f7af916460bc59103acd0a uncovered a known
bug which appeared in gcc between 4.1 and 4.2.0 and which makes it ignore
the first -fno-builtin-xxx when more than one of those params is passed.
This resulted in the kernel not building with some versions such as
gcc version 4.1.2 20061115 (prerelease) as shipped by Debian as version
4.1.1-21.

Since those versions do not need -fno-builtin-strpbrk, set this option
first so that it doesn't matter whether it's ignored. This fix was confirmed
by Richard Kojedzinszky. So with this fix, we know the kernel builds on x86
with gcc-4.1.1 (already did), 4.1.2-20061115, and 4.2.1.

Reference to the thread discussing this bug on gcc-ml :

http://gcc.gnu.org/ml/gcc-bugs/2006-07/msg01514.html

Signed-off-by: Willy Tarreau <w@1wt.eu>

50fa1ba 2007-08-06 05:02:11 Willy Tarreau

[PATCH] fix incorrect use of -fno-unit-at-a-time on GCC >= 4

Axel Reinhold reported wrong code being emitted for arch/i386/kernel/i8259.c
using gcc-4.2, while the same code with gcc-4.1 was valid. The problem was
tracked down to gcc-4.2 messing up with sections with this option which is
already deprecated for gcc 4.x, and the asm statements were incorrectly
assigned to section .data. It was also possible to trick gcc-4.1 into the
same error by simply declaring an array before any asm statement.

The correct fix is to remove -fno-unit-at-a-time with gcc >= 4, which is
also what has been done in 2.6. In anticipation of such other problems with
gcc 4.x, a new function "if_gcc4" has been added to the main Makefile.

Signed-off-by: Willy Tarreau <w@1wt.eu>

78bf089 2007-08-06 04:51:45 Willy Tarreau

[PATCH] do not use gcc's builtin strpbrk

Some drivers rely on strpbrk and complain about a lack of strchr().
This is caused by gcc's builtin strpbrk which must be disabled.

f9ae9de 2007-08-06 04:51:05 Willy Tarreau

[PATCH] module fdomain_cs requires fdomain_setup()

The function which was called was once declared static
and once extern. Also, the arguments were messed up. That
one must not have worked for a long time.

9314997 2007-08-06 04:50:49 Willy Tarreau

[PATCH] wdt83627: fix wdt_init() return code

wdt_init() could return an uninitialized value if it
could not create a /proc entry.

3e6fbc6 2007-08-06 04:50:20 Willy Tarreau

[PATCH] fix wdt83627 build breakage with gcc 4.x

gcc 4 complains about a function declared static after
being used.

577076a 2007-08-05 05:29:57 Marc Haisenko

[PATCH] b44: fix force mac address before ifconfig up

Hi Willy,
I discovered that a bug in the Broadcom driver that has been fixed in the 2.6
tree is still present in 2.4 (up to 2.4.35). In our case it resulted in a
complete system crash when starting the net-snmp daemon (not even a kernel
panic is seen; the system is just gone).

The patch is rather trivial, here's the link to the patch from the netdev
tree:

http://git.kernel.org/?p=linux/kernel/git/jgarzik/netdev-2.6.git;a=commit;h=5c5131297db57b501f371ab53c40343eac6f2af7

It applies cleanly to 2.4.35 (with fuzz offset, of course :-)

Bye,
Marc

--
Marc Haisenko
Comdasys AG

---- patch below ----

From: Gary Zambrano <zambrano@broadcom.com>
Date: Wed, 29 Mar 2006 22:12:05 -0500
Subject: b44: fix force mac address before ifconfig up

Initializing the b44 MAC & PCI functional blocks in the controller must
occur inside init_one(). This will allow access to the MAC registers.
The controller was being powered up in b44_open() which would not allow
access to the registers before ifconfig was up.
Philip Kohlbecher found this bug.

Signed-off-by: Gary Zambrano <zambrano@broadcom.com>

0a1b181 2007-08-05 04:45:54 Willy Tarreau

[PATCH] build fix for lvm with gcc 4

Reported by Marco Gatti :

I decided to upgrade from 2.4.34 to 2.4.35 in one of my servers but I
encountered a compile problem:

lvm.c:397: error: static declaration of 'vg_count' follows non-static
declaration
lvm-internal.h:48: error: previous declaration of 'vg_count' was here

I know this was an already fixed bug but now it seems to come out again
compiling 2.4.35 vanilla with gcc version 4.1.3 20070629 (prerelease) (Debian
4.1.2-13). 2.4.34.6 vanilla compiled fine.

Simple fix below tested and confirmed by Marco.

b22d008 2007-07-27 05:53:41 Willy Tarreau

Change VERSION to 2.4.35

c1c5617 2007-07-22 22:39:09 Willy Tarreau

Change VERSION to 2.4.35-rc1

- 2.4.34 - VIA VT8237A support
- Add some AHCI PCI IDs
- notsc support for x86_64
- Fix divide by 0 in vegas_cong_avoid()
- random device reseed bugfix, possibly security problem
- SATA update: add ICH8 PCI IDs
- Documentations/SubmittingPatches was outdated

fa44f70 2007-07-22 21:45:10 Willy Tarreau

[PATCH] Documentations/SubmittingPatches was outdated

Li Yang <leo@zh-kernel.org> proposed a patch to update
SubmittingPatches in 2.6, and looking at 2.4's state, it
was clearly outdated. I just updated to the 2.6 version
without the section about power management.

3f2c972 2007-07-22 21:45:10 Filippo Carletti

[PATCH] Add some AHCI PCI IDs

This patch adds support for some chipsets in AHCI driver.
The list comes from a patch for redhat kernel 2.6.9-34.
I only tested ICH8.

Ciao,
Filippo

60b9e02 2007-07-22 21:45:10 Filippo Carletti

[PATCH] 2.4.34 - VIA VT8237A support

This patch adds support for VIA VT8237A.
It enables DMA on IDE and it makes sata drives work.
Tested on an Asus VINTAGE V2-P5V90.

Ciao,
Filippo

1cd6ab3 2007-07-22 21:45:09 Vincent Bernat

[PATCH] SATA update: add ICH8 PCI IDs

I have patched 2.4.34 with the following patch to allow the use of
SATA drive on an ICH8 motherboard. This works fine for the disk but
this does not work for the SATA CDROM. There is no PATA controller
on the motherboard (Dell OptiPlex 745). There is no change when
disabling ATA/IDE support. With an ICH7 controller, CDROM is not
working either.

6850bd7 2007-07-22 21:45:09 Lior Dotan

[PATCH] Fix divide by 0 in vegas_cong_avoid()

Hi,

I had a divide by zero on kernel 2.4.33 running with Vegas enabled.
What happens is that vegas_rtt_calc() gets rtt as -1, so when it adds
1 the rtt is set to zero.
It seems that the -1 came from tcp_clean_rtx_queue() so I made this
small patch to fix the problem. I think it is also relevant to 2.6.

Don't perform congestion avoidance on packets that we didn't calculate
their RTT, as this may result in a divide by zero later on.

Signed-off-by: Lior Dotan <liodot@gmail.com>

66438bd 2007-07-22 21:45:09 PaX Team

[PATCH] random device reseed bugfix, possibly security problem

hello,

recently while trying to figure out something i ran across
some code in drivers/char/random.c:xfer_secondary_pool() which
looked wrong and further investigation of history confirmed
it as well.

the problem is that xfer_secondary_pool() used to use a local
buffer in the past that was used during the reseed operation
however when this buffer was moved out to the caller site, the
sizeof(tmp) code wasn't properly adjusted, therefore the sizeof
now operates on a pointer type (vs. array) and gives the wrong
result.

in this case it means that when the code thinks it reseeds the
entire buffer (0x154 bytes on i386/sha1), it only reseeds
sizeof(ptr), 4 bytes on i386.

since all this 'catastrophic reseeding' has something to do with
some (maybe theoretical) attack (i'm not a crypto guy to tell ;),
i can imagine that this error has some security consequences,
please treat it as such until confirmed otherwise.

the commit that introduced the bug:
http://linux.bkbits.net:8080/linux-2.6/?PAGE=cset&REV=1.889.325.12

the attached fix has been in PaX/grsecurity for a few weeks now
and seems to work.

2.6 doesn't have this bug as the buffer in question is again
local to the function that uses sizeof on it (i haven't checked
when it was fixed).
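
The `sizeof` pitfall this message describes, as an added example that is not code from drivers/char/random.c or from the PaX fix: once the buffer becomes a pointer parameter, `sizeof(tmp)` yields the pointer size rather than the buffer size. All function names are hypothetical, `extract()` is a stand-in that writes a marker byte, and passing the length explicitly is one assumed way to correct it.

```c
#include <stddef.h>
#include <string.h>

#define POOL_BYTES 0x154   /* buffer size quoted in the message (i386/sha1) */
#define MARKER     0xA5    /* constructed fill value standing in for new data */

/* Stand-in for the extraction step: overwrites nbytes of buf. */
static void extract(unsigned char *buf, size_t nbytes)
{
    memset(buf, MARKER, nbytes);
}

/* Buggy shape: tmp is a pointer here, so sizeof(tmp) == sizeof(void *). */
static size_t reseed_buggy(unsigned char *tmp)
{
    extract(tmp, sizeof(tmp));
    return sizeof(tmp);
}

/* Corrected shape (assumption): the caller states the buffer length. */
static size_t reseed_fixed(unsigned char *tmp, size_t len)
{
    extract(tmp, len);
    return len;
}

/* Count how many bytes of buf now hold the marker. */
static size_t count_filled(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (buf[i] == MARKER);
    return n;
}

/* Bytes actually refreshed when the caller owns the buffer. */
static size_t refreshed_buggy(void)
{
    unsigned char pool[POOL_BYTES] = { 0 };
    reseed_buggy(pool);
    return count_filled(pool, sizeof(pool));  /* sizeof on the array: correct */
}

static size_t refreshed_fixed(void)
{
    unsigned char pool[POOL_BYTES] = { 0 };
    reseed_fixed(pool, sizeof(pool));
    return count_filled(pool, sizeof(pool));
}
```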

cf6878a 2007-06-27 14:18:36 Krzysztof Strasburger

[PATCH] notsc support for x86_64

This patch deals with a problem with unsynced TSCs on dual core Athlon 64.
The time goes sometimes backwards with TSC based gettimeofday(), while the
dummy routine gives time resolution of 10 milliseconds, which is too coarse
for some applications. There are no HPET timers on the mainboard, so I ported
the good old gettimeoffset_slow routine from arch/i386. It seems to work and
gives nice time resolution of about 5 microseconds.

In order to use this code, one will have to specify the "notsc" option on
the kernel command line, just as on x86.

Kernel 2.6 does not need this code as it uses different techniques to
work around the unsynced TSCs.

b77abdb 2007-06-06 16:07:58 Willy Tarreau

Change VERSION to 2.4.35-pre5

- fix 'pc_keyb: controller jammed (0xA7)' error on systems with KVM
- do not mark init_idle() __init
- Bluetooth: correct fix for CVE-2007-1353
- [BACKPORT] Bluetooth: Fix NULL pointer dereference in HCI line discipline
- [BACKPORT] Bluetooth: Fix unintentional fall-through in HCI line discipline
- lvm: update to latest fixes from the LVM package
- lvm: do not update extent count if snapshot allocation fails

c2afbe1 2007-06-06 15:29:49 Willy Tarreau

[PATCH] lvm: do not update extent count if snapshot allocation fails

Fix from RHEL3 U8, explained by Heinz Mauelshagen :

That change makes sure that the extent count *only* gets updated in
case the allocation of the snapshot succeeds. Like you said: proper
error path handling.
