linux-toradex.git, branch v2.6.16.5 Linux kernel for Apalis and Colibri modules Linux 2.6.16.5 2006-04-12T20:27:57+00:00 Greg Kroah-Hartman gregkh@suse.de 2006-04-12T20:27:57+00:00 a7603f9099869f9aeebd6c72a4ffbc792868ff3a 






[PATCH] x86_64: When user could have changed RIP always force IRET (CVE-2006-0744)
2006-04-12T20:06:54+00:00

Andi Kleen
ak@suse.de

2006-04-12T06:19:29+00:00

6b12095a4a0e1f21bbf83f95f13299ca99d758fe

Intel EM64T CPUs handle uncanonical return addresses differently from
AMD CPUs.

The exception is reported in the SYSRET, not the next instruction.
Thgis leads to the kernel exception handler running on the user stack
with the wrong GS because the kernel didn't expect exceptions on this
instruction.

This version of the patch has the teething problems that plagued an
earlier version fixed.

This is CVE-2006-0744

Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
patches.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





Intel EM64T CPUs handle uncanonical return addresses differently from
AMD CPUs.

The exception is reported in the SYSRET, not the next instruction.
Thgis leads to the kernel exception handler running on the user stack
with the wrong GS because the kernel didn't expect exceptions on this
instruction.

This version of the patch has the teething problems that plagued an
earlier version fixed.

This is CVE-2006-0744

Thanks to Ernie Petrides and Asit B. Mallick for analysis and initial
patches.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







[PATCH] x86_64: Clean up execve
2006-04-12T20:06:53+00:00

Andi Kleen
ak@suse.de

2006-04-12T06:18:46+00:00

59b2832a31ae2f3279bb5b16ae9b1c4e38e40dea

Just call IRET always, no need for any special cases.

Needed for the next bug fix.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





Just call IRET always, no need for any special cases.

Needed for the next bug fix.

Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Linux 2.6.16.4
2006-04-11T17:19:28+00:00

Greg Kroah-Hartman
gregkh@suse.de

2006-04-11T17:19:28+00:00

623c30d2ae22cd4b8703c7750812464184d20f79












[PATCH] RCU signal handling
2006-04-11T16:46:41+00:00

Oleg Nesterov
oleg@tv-sign.ru

2006-04-11T18:18:58+00:00

0945e1a305ef6128c0405f1c5c8b5368d8756224

made this BUG_ON() unsafe. This code runs under ->siglock,
while switch_exec_pids() takes tasklist_lock.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





made this BUG_ON() unsafe. This code runs under ->siglock,
while switch_exec_pids() takes tasklist_lock.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Linux 2.6.16.3
2006-04-11T05:27:44+00:00

Greg Kroah-Hartman
gregkh@suse.de

2006-04-11T05:27:44+00:00

e2c78fb27dd13ab8c778a9689affe95c92030a32












[PATCH] Keys: Fix oops when adding key to non-keyring [CVE-2006-1522]
2006-04-11T04:48:21+00:00

David Howells
dhowells@redhat.com

2006-04-10T17:01:40+00:00

5494bd6a500cc7c5a502279eabfbdacccd4b89d1

This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].

The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.

I've fixed this problem by:

 (1) declaring that caller of __keyring_search_one() must guarantee that
     the keyring is a keyring; and

 (2) making key_create_or_update() check that the keyring is a keyring,
     and return -ENOTDIR if it isn't.

This can be tested by:

	keyctl add user b b `keyctl add user a a @s`

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





This fixes the problem of an oops occuring when a user attempts to add a
key to a non-keyring key [CVE-2006-1522].

The problem is that __keyring_search_one() doesn't check that the
keyring it's been given is actually a keyring.

I've fixed this problem by:

 (1) declaring that caller of __keyring_search_one() must guarantee that
     the keyring is a keyring; and

 (2) making key_create_or_update() check that the keyring is a keyring,
     and return -ENOTDIR if it isn't.

This can be tested by:

	keyctl add user b b `keyctl add user a a @s`

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







Linux 2.6.16.2
2006-04-07T16:56:47+00:00

Greg Kroah-Hartman
gregkh@suse.de

2006-04-07T16:56:47+00:00

dbb676d1214c181e6cde4ce67b7bf012d071f1ed












[PATCH] kdump proc vmcore size oveflow fix
2006-04-07T16:44:30+00:00

Vivek Goyal
vgoyal@in.ibm.com

2006-04-03T23:38:11+00:00

72ecdfb827a267b5fb5b20016175be21b0b0f953

A couple of /proc/vmcore data structures overflow with 32bit systems having
memory more than 4G.  This patch fixes those.

Signed-off-by: Ken'ichi Ohmichi <oomichi@mxs.nes.nec.co.jp>
Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





A couple of /proc/vmcore data structures overflow with 32bit systems having
memory more than 4G.  This patch fixes those.

Signed-off-by: Ken'ichi Ohmichi <oomichi@mxs.nes.nec.co.jp>
Signed-off-by: Vivek Goyal <vgoyal@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>







[PATCH] knfsd: Correct reserved reply space for read requests.
2006-04-07T16:44:30+00:00

NeilBrown
neilb@suse.de

2006-03-30T06:01:15+00:00

01ede1fd9200b73b2ec4f906fb6af94e93577504

NFSd makes sure there is enough space to hold the maximum possible reply
before accepting a request.  The units for this maximum is (4byte) words.
However in three places, particularly for read request, the number given is
a number of bytes.

This means too much space is reserved which is slightly wasteful.

This is the sort of patch that could uncover a deeper bug, and it is not
critical, so it would be best for it to spend a while in -mm before going
in to mainline.

(akpm: target 2.6.17-rc2, 2.6.16.3 (approx))

Discovered-by: "Eivind  Sarto" <ivan@kasenna.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>





NFSd makes sure there is enough space to hold the maximum possible reply
before accepting a request.  The units for this maximum is (4byte) words.
However in three places, particularly for read request, the number given is
a number of bytes.

This means too much space is reserved which is slightly wasteful.

This is the sort of patch that could uncover a deeper bug, and it is not
critical, so it would be best for it to spend a while in -mm before going
in to mainline.

(akpm: target 2.6.17-rc2, 2.6.16.3 (approx))

Discovered-by: "Eivind  Sarto" <ivan@kasenna.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>