linux-toradex.git, branch v2.6.21.4 Linux kernel for Apalis and Colibri modules Linux 2.6.21.4 2007-06-07T21:27:31+00:00 Chris Wright chrisw@sous-sol.org 2007-06-07T21:27:31+00:00 e95907f256676ca48ae66d071ca0c9c066cb79ab 






[PATCH] NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)
2007-06-07T21:25:32+00:00

Patrick McHardy
kaber@trash.net

2007-06-05T12:14:22+00:00

8c640bd0c68201dd0d71b78a07bb224973580ad3

When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>

CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>





When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>

CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>







[PATCH] cpuset: prevent information leak in cpuset_tasks_read (CVE-2007-2875)
2007-06-07T21:25:31+00:00

Chris Wright
chrisw@sous-sol.org

2007-06-07T21:25:31+00:00

c23e7e4c94647c2c47d2c835b21cc7d745f62d05

Use simple_read_from_buffer to avoid possible underflow in
cpuset_tasks_read which could allow user to read kernel memory.

Note: This is fixed upstream in 85badbdf5120d246ce2bb3f1a7689a805f9c9006

Signed-off-by: Chris Wright <chrisw@sous-sol.org>





Use simple_read_from_buffer to avoid possible underflow in
cpuset_tasks_read which could allow user to read kernel memory.

Note: This is fixed upstream in 85badbdf5120d246ce2bb3f1a7689a805f9c9006

Signed-off-by: Chris Wright <chrisw@sous-sol.org>







[PATCH] random: fix seeding with zero entropy (CVE-2007-2453 2 of 2)
2007-06-07T21:25:30+00:00

Matt Mackall
mpm@selenic.com

2007-05-30T02:58:10+00:00

7bd369b1346bf7f15bba42ddf369fb79fe759b50

Add data from zero-entropy random_writes directly to output pools to
avoid accounting difficulties on machines without entropy sources.

Tested on lguest with all entropy sources disabled.

Signed-off-by: Matt Mackall <mpm@selenic.com>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>





Add data from zero-entropy random_writes directly to output pools to
avoid accounting difficulties on machines without entropy sources.

Tested on lguest with all entropy sources disabled.

Signed-off-by: Matt Mackall <mpm@selenic.com>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>







[PATCH] random: fix error in entropy extraction (CVE-2007-2453 1 of 2)
2007-06-07T21:25:30+00:00

Matt Mackall
mpm@selenic.com

2007-05-30T02:54:27+00:00

374f167dfb97c1785515a0c41e32a66b414859a8

Fix cast error in entropy extraction.
Add comments explaining the magic 16.
Remove extra confusing loop variable.

Signed-off-by: Matt Mackall <mpm@selenic.com>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>





Fix cast error in entropy extraction.
Add comments explaining the magic 16.
Remove extra confusing loop variable.

Signed-off-by: Matt Mackall <mpm@selenic.com>
Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>







Linux 2.6.21.3
2007-05-24T21:22:47+00:00

Chris Wright
chrisw@sous-sol.org

2007-05-24T21:22:47+00:00

dcf1697d4b4b9b94363b5fb0d97f7949602922ab












[PATCH] GEODE-AES: Allow in-place operations [CVE-2007-2451]
2007-05-24T21:22:35+00:00

Jordan Crouse
jordan.crouse@amd.com

2007-05-24T11:36:35+00:00

798cc2793266667e88a6d328b5d1e1e68f41095d

Allow in-place crypto operations.  Also remove the coherent user flag
(we use it automagically now), and by default use the user written
key rather then the HW hidden key - this makes crypto just work without
any special considerations, and thats OK, since its our only usage
model.

Signed-off-by: Jordan Crouse <jordan.crouse@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>





Allow in-place crypto operations.  Also remove the coherent user flag
(we use it automagically now), and by default use the user written
key rather then the HW hidden key - this makes crypto just work without
any special considerations, and thats OK, since its our only usage
model.

Signed-off-by: Jordan Crouse <jordan.crouse@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>







Linux 2.6.21.2
2007-05-23T21:33:55+00:00

Chris Wright
chrisw@sous-sol.org

2007-05-23T21:33:55+00:00

7682ffa25c68221cff1122b3ce26a05640a54898












[PATCH] CRYPTO: api: Read module pointer before freeing algorithm
2007-05-23T21:32:55+00:00

Herbert Xu
herbert@gondor.apana.org.au

2007-05-19T04:57:38+00:00

3dc006dd27bdbe69ee0069cfd037c9e7ca2dc86f

The function crypto_mod_put first frees the algorithm and then drops
the reference to its module.  Unfortunately we read the module pointer
which after freeing the algorithm and that pointer sits inside the
object that we just freed.

So this patch reads the module pointer out before we free the object.

Thanks to Luca Tettamanti for reporting this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>





The function crypto_mod_put first frees the algorithm and then drops
the reference to its module.  Unfortunately we read the module pointer
which after freeing the algorithm and that pointer sits inside the
object that we just freed.

So this patch reads the module pointer out before we free the object.

Thanks to Luca Tettamanti for reporting this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>







[PATCH] CPUFREQ: powernow-k7: fix MHz rounding issue with perflib
2007-05-23T21:32:54+00:00

Daniel Drake
dsd@gentoo.org

2007-05-15T19:59:03+00:00

ca5cf888be6e9261cdcf0b0de30c7237aa87f366

When the PST tables are broken, powernow-k7 uses ACPI's processor_perflib to
deduce the available frequency multipliers from the _PSS tables.

Upon frequency change, processor_perflib performs some verification on the
frequency (checks that it's within allowable bounds).

powernow-k7 deals with absolute frequencies in KHz, whereas perflib only
deals with MHz values. When performing the above verification, perflib
multiplies the MHz values by 1000 to obtain the KHz value.

We then end up with situations like the following:
 - powernow-k7 multiplies the multiplier by the FSB, and obtains a value
   such as 1266768 KHz
 - perflib belives the same state has frequency of 1266 MHz
 - acpi_processor_ppc_notifier calls cpufreq_verify_within_limits to verify
   that 1266768 is in the allowable range of 0 to 1266000 (i.e. 1266 * 1000)
 - it's not, so that frequency is rejected
 - the maximum CPU frequency is not reachable

This patch solves the problem by rounding up the MHz values stored in perflib's
tables. Additionally it corrects a broken URL.

It also fixes http://bugzilla.kernel.org/show_bug.cgi?id=8255 although this
case is a bit different: the frequencies in the _PSS tables are wildly wrong,
but we get better results if we force ACPI to respect the fsb * multiplier
calculations (even though it seems that the multiplier values aren't entirely
correct either).

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>





When the PST tables are broken, powernow-k7 uses ACPI's processor_perflib to
deduce the available frequency multipliers from the _PSS tables.

Upon frequency change, processor_perflib performs some verification on the
frequency (checks that it's within allowable bounds).

powernow-k7 deals with absolute frequencies in KHz, whereas perflib only
deals with MHz values. When performing the above verification, perflib
multiplies the MHz values by 1000 to obtain the KHz value.

We then end up with situations like the following:
 - powernow-k7 multiplies the multiplier by the FSB, and obtains a value
   such as 1266768 KHz
 - perflib belives the same state has frequency of 1266 MHz
 - acpi_processor_ppc_notifier calls cpufreq_verify_within_limits to verify
   that 1266768 is in the allowable range of 0 to 1266000 (i.e. 1266 * 1000)
 - it's not, so that frequency is rejected
 - the maximum CPU frequency is not reachable

This patch solves the problem by rounding up the MHz values stored in perflib's
tables. Additionally it corrects a broken URL.

It also fixes http://bugzilla.kernel.org/show_bug.cgi?id=8255 although this
case is a bit different: the frequencies in the _PSS tables are wildly wrong,
but we get better results if we force ACPI to respect the fsb * multiplier
calculations (even though it seems that the multiplier values aren't entirely
correct either).

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>