Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / refs/tags/v5.10.116 / . / releases / 2.6.14.7 / 2.6.14.7-review.mbox
blob: 5ebf4a3149cc8b09774c0f4e88ee7f6cb40651f0 [file] [log] [blame]
From greg@press.kroah.org Fri Jan 27 18:00:39 2006
Message-Id: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 17:58:41 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk
Subject: [patch 0/6] 2.6.14.7 -stable review
Status: RO
Content-Length: 735
Lines: 17
This is the start of the stable review cycle for the 2.6.14.7 release.
There are 6 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a signed-off-by: line to the patch, please respond with it.
These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email stable@kernel.org to
add your name to the list. If you want to be off the reviewer list,
also email us.
Responses should be made by Monday, January 30, 00:00:00 UTC. Anything
received after that time, might be too late.
thanks,
the -stable release team
From greg@press.kroah.org Fri Jan 27 18:00:40 2006
Message-Id: <20060128020039.784060000@press.kroah.org>
References: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 00:00:01 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk, shaohua.li@intel.com
Subject: [patch 1/6] setting irq affinity is broken in ia32 with MSI enabled
Content-Disposition: inline; filename=setting-irq-affinity-is-broken-in-ia32-with-MSI-enabled.patch
Status: RO
Content-Length: 1167
Lines: 41
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Shaohua Li <shaohua.li@intel.com>
Setting irq affinity stops working when MSI is enabled. With MSI, move_irq
is empty, so we can't change irq affinity. It appears a typo in Ashok's
original commit for this issue. X86_64 actually is using move_native_irq.
Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/i386/kernel/io_apic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- linux-2.6.14.6.orig/arch/i386/kernel/io_apic.c
+++ linux-2.6.14.6/arch/i386/kernel/io_apic.c
@@ -1937,7 +1937,7 @@ static void ack_edge_ioapic_vector(unsig
{
int irq = vector_to_irq(vector);
- move_irq(vector);
+ move_native_irq(vector);
ack_edge_ioapic_irq(irq);
}
@@ -1952,7 +1952,7 @@ static void end_level_ioapic_vector (uns
{
int irq = vector_to_irq(vector);
- move_irq(vector);
+ move_native_irq(vector);
end_level_ioapic_irq(irq);
}
--
From greg@press.kroah.org Fri Jan 27 18:00:40 2006
Message-Id: <20060128020040.687499000@press.kroah.org>
References: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 00:00:02 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk, davem@davemloft.net, bdschuym@pandora.be
Subject: [patch 2/6] [EBTABLES] Don't match tcp/udp source/destination port for IP fragments
Content-Disposition: inline; filename=fix-bridge-netfilter-matching-ip-fragments.patch
Status: RO
Content-Length: 1065
Lines: 34
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/bridge/netfilter/ebt_ip.c | 3 +++
1 file changed, 3 insertions(+)
--- linux-2.6.14.6.orig/net/bridge/netfilter/ebt_ip.c
+++ linux-2.6.14.6/net/bridge/netfilter/ebt_ip.c
@@ -15,6 +15,7 @@
#include <linux/netfilter_bridge/ebtables.h>
#include <linux/netfilter_bridge/ebt_ip.h>
#include <linux/ip.h>
+#include <net/ip.h>
#include <linux/in.h>
#include <linux/module.h>
@@ -51,6 +52,8 @@ static int ebt_filter_ip(const struct sk
if (!(info->bitmask & EBT_IP_DPORT) &&
!(info->bitmask & EBT_IP_SPORT))
return EBT_MATCH;
+ if (ntohs(ih->frag_off) & IP_OFFSET)
+ return EBT_NOMATCH;
pptr = skb_header_pointer(skb, ih->ihl*4,
sizeof(_ports), &_ports);
if (pptr == NULL)
--
From greg@press.kroah.org Fri Jan 27 18:00:41 2006
Message-Id: <20060128020041.271240000@press.kroah.org>
References: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 00:00:03 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk, davem@davemloft.net, richm@oldelvet.org.uk
Subject: [patch 3/6] [SPARC64]: Fix ptrace/strace
Content-Disposition: inline; filename=sparc64-fix-ptrace.patch
Status: RO
Content-Length: 1392
Lines: 45
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Richard Mortimer <richm@oldelvet.org.uk>
Don't clobber register %l0 while checking TI_SYS_NOERROR value in
syscall return path. This bug was introduced by:
db7d9a4eb700be766cc9f29241483dbb1e748832
Problem narrowed down by Luis F. Ortiz and Richard Mortimer.
I tried using %l2 as suggested by Luis and that works for me.
Looking at the code I wonder if it makes sense to simplify the code
a little bit. The following works for me but I'm not sure how to
exercise the "NOERROR" codepath.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/sparc64/kernel/entry.S | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- linux-2.6.14.6.orig/arch/sparc64/kernel/entry.S
+++ linux-2.6.14.6/arch/sparc64/kernel/entry.S
@@ -1657,13 +1657,10 @@ ret_sys_call:
/* Check if force_successful_syscall_return()
* was invoked.
*/
- ldub [%curptr + TI_SYS_NOERROR], %l0
- brz,pt %l0, 1f
- nop
- ba,pt %xcc, 80f
+ ldub [%curptr + TI_SYS_NOERROR], %l2
+ brnz,a,pn %l2, 80f
stb %g0, [%curptr + TI_SYS_NOERROR]
-1:
cmp %o0, -ERESTART_RESTARTBLOCK
bgeu,pn %xcc, 1f
andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT), %l6
--
From greg@press.kroah.org Fri Jan 27 18:00:43 2006
Message-Id: <20060128020042.145964000@press.kroah.org>
References: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 00:00:04 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk, davem@davemloft.net
Subject: [patch 4/6] [SPARC64]: Fix sys_fstat64() entry in 64-bit syscall table.
Content-Disposition: inline; filename=sparc64-fix-sys_fstat64-entry-in-64-bit-syscall-table.patch
Status: RO
Content-Length: 1179
Lines: 28
-stable review patch. If anyone has any objections, please let us know.
------------------
From: "David S. Miller" <davem@davemloft.net>
Noticed by Jakub Jelinek.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/sparc64/kernel/systbls.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.14.6.orig/arch/sparc64/kernel/systbls.S
+++ linux-2.6.14.6/arch/sparc64/kernel/systbls.S
@@ -98,7 +98,7 @@ sys_call_table:
.word sys_umount, sys_setgid, sys_getgid, sys_signal, sys_geteuid
/*50*/ .word sys_getegid, sys_acct, sys_memory_ordering, sys_nis_syscall, sys_ioctl
.word sys_reboot, sys_nis_syscall, sys_symlink, sys_readlink, sys_execve
-/*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_stat64, sys_getpagesize
+/*60*/ .word sys_umask, sys_chroot, sys_newfstat, sys_fstat64, sys_getpagesize
.word sys_msync, sys_vfork, sys_pread64, sys_pwrite64, sys_nis_syscall
/*70*/ .word sys_nis_syscall, sys_mmap, sys_nis_syscall, sys64_munmap, sys_mprotect
.word sys_madvise, sys_vhangup, sys_nis_syscall, sys_mincore, sys_getgroups
--
From greg@press.kroah.org Fri Jan 27 18:00:45 2006
Message-Id: <20060128020044.285351000@press.kroah.org>
References: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 00:00:05 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk, kaber@trash.net
Subject: [patch 5/6] [NETFILTER]: Fix crash in ip_nat_pptp (CVE-2006-0036)
Content-Disposition: inline; filename=netfilter-fix-crash-in-ip_nat_pptp.patch
Status: RO
Content-Length: 1004
Lines: 31
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Patrick McHardy <kaber@trash.net>
When an inbound PPTP_IN_CALL_REQUEST packet is received the
PPTP NAT helper uses a NULL pointer in pointer arithmentic to
calculate the offset in the packet which needs to be mangled
and corrupts random memory or crashes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/netfilter/ip_nat_helper_pptp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -313,7 +313,7 @@ pptp_inbound_pkt(struct sk_buff **pskb,
break;
case PPTP_IN_CALL_REQUEST:
/* only need to nat in case PAC is behind NAT box */
- break;
+ return NF_ACCEPT;
case PPTP_WAN_ERROR_NOTIFY:
pcid = &pptpReq->wanerr.peersCallID;
break;
--
From greg@press.kroah.org Fri Jan 27 18:00:46 2006
Message-Id: <20060128020045.469709000@press.kroah.org>
References: <20060128015840.722214000@press.kroah.org>
Date: Fri, 27 Jan 2006 00:00:06 -0800
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org,
stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org,
akpm@osdl.org,
alan@lxorguk.ukuu.org.uk, kaber@trash.net
Subject: [patch 6/6] [NETFILTER]: Fix another crash in ip_nat_pptp (CVE-2006-0037)
Content-Disposition: inline; filename=netfilter-fix-another-crash-in-ip_nat_pptp.patch
Status: RO
Content-Length: 5633
Lines: 152
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Patrick McHardy <kaber@trash.net>
The PPTP NAT helper calculates the offset at which the packet needs
to be mangled as difference between two pointers to the header. With
non-linear skbs however the pointers may point to two seperate buffers
on the stack and the calculation results in a wrong offset beeing
used.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/netfilter/ip_nat_helper_pptp.c | 57 +++++++++++++++-----------------
1 file changed, 27 insertions(+), 30 deletions(-)
--- linux-2.6.14.6.orig/net/ipv4/netfilter/ip_nat_helper_pptp.c
+++ linux-2.6.14.6/net/ipv4/netfilter/ip_nat_helper_pptp.c
@@ -148,14 +148,14 @@ pptp_outbound_pkt(struct sk_buff **pskb,
{
struct ip_ct_pptp_master *ct_pptp_info = &ct->help.ct_pptp_info;
struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
-
- u_int16_t msg, *cid = NULL, new_callid;
+ u_int16_t msg, new_callid;
+ unsigned int cid_off;
new_callid = htons(ct_pptp_info->pns_call_id);
switch (msg = ntohs(ctlh->messageType)) {
case PPTP_OUT_CALL_REQUEST:
- cid = &pptpReq->ocreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, ocreq.callID);
/* FIXME: ideally we would want to reserve a call ID
* here. current netfilter NAT core is not able to do
* this :( For now we use TCP source port. This breaks
@@ -172,10 +172,10 @@ pptp_outbound_pkt(struct sk_buff **pskb,
ct_pptp_info->pns_call_id = ntohs(new_callid);
break;
case PPTP_IN_CALL_REPLY:
- cid = &pptpReq->icreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, icreq.callID);
break;
case PPTP_CALL_CLEAR_REQUEST:
- cid = &pptpReq->clrreq.callID;
+ cid_off = offsetof(union pptp_ctrl_union, clrreq.callID);
break;
default:
DEBUGP("unknown outbound packet 0x%04x:%s\n", msg,
@@ -197,18 +197,15 @@ pptp_outbound_pkt(struct sk_buff **pskb,
/* only OUT_CALL_REQUEST, IN_CALL_REPLY, CALL_CLEAR_REQUEST pass
* down to here */
-
- IP_NF_ASSERT(cid);
-
DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_callid));
+ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_callid));
/* mangle packet */
if (ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
- sizeof(new_callid),
- (char *)&new_callid,
- sizeof(new_callid)) == 0)
+ cid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
+ sizeof(new_callid), (char *)&new_callid,
+ sizeof(new_callid)) == 0)
return NF_DROP;
return NF_ACCEPT;
@@ -297,7 +294,8 @@ pptp_inbound_pkt(struct sk_buff **pskb,
union pptp_ctrl_union *pptpReq)
{
struct ip_nat_pptp *nat_pptp_info = &ct->nat.help.nat_pptp_info;
- u_int16_t msg, new_cid = 0, new_pcid, *pcid = NULL, *cid = NULL;
+ u_int16_t msg, new_cid = 0, new_pcid;
+ unsigned int pcid_off, cid_off = 0;
int ret = NF_ACCEPT, rv;
@@ -305,23 +303,23 @@ pptp_inbound_pkt(struct sk_buff **pskb,
switch (msg = ntohs(ctlh->messageType)) {
case PPTP_OUT_CALL_REPLY:
- pcid = &pptpReq->ocack.peersCallID;
- cid = &pptpReq->ocack.callID;
+ pcid_off = offsetof(union pptp_ctrl_union, ocack.peersCallID);
+ cid_off = offsetof(union pptp_ctrl_union, ocack.callID);
break;
case PPTP_IN_CALL_CONNECT:
- pcid = &pptpReq->iccon.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, iccon.peersCallID);
break;
case PPTP_IN_CALL_REQUEST:
/* only need to nat in case PAC is behind NAT box */
return NF_ACCEPT;
case PPTP_WAN_ERROR_NOTIFY:
- pcid = &pptpReq->wanerr.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, wanerr.peersCallID);
break;
case PPTP_CALL_DISCONNECT_NOTIFY:
- pcid = &pptpReq->disc.callID;
+ pcid_off = offsetof(union pptp_ctrl_union, disc.callID);
break;
case PPTP_SET_LINK_INFO:
- pcid = &pptpReq->setlink.peersCallID;
+ pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
break;
default:
@@ -343,25 +341,24 @@ pptp_inbound_pkt(struct sk_buff **pskb,
* WAN_ERROR_NOTIFY, CALL_DISCONNECT_NOTIFY pass down here */
/* mangle packet */
- IP_NF_ASSERT(pcid);
DEBUGP("altering peer call id from 0x%04x to 0x%04x\n",
- ntohs(*pcid), ntohs(new_pcid));
+ ntohs(*(u_int16_t *)pptpReq + pcid_off), ntohs(new_pcid));
- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)pcid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ pcid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
sizeof(new_pcid), (char *)&new_pcid,
sizeof(new_pcid));
if (rv != NF_ACCEPT)
return rv;
if (new_cid) {
- IP_NF_ASSERT(cid);
DEBUGP("altering call id from 0x%04x to 0x%04x\n",
- ntohs(*cid), ntohs(new_cid));
- rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
- (void *)cid - ((void *)ctlh - sizeof(struct pptp_pkt_hdr)),
- sizeof(new_cid),
- (char *)&new_cid,
+ ntohs(*(u_int16_t *)pptpReq + cid_off), ntohs(new_cid));
+ rv = ip_nat_mangle_tcp_packet(pskb, ct, ctinfo,
+ cid_off + sizeof(struct pptp_pkt_hdr) +
+ sizeof(struct PptpControlHeader),
+ sizeof(new_cid), (char *)&new_cid,
sizeof(new_cid));
if (rv != NF_ACCEPT)
return rv;
--