
Stable kernel 2.6.34.10

Stable kernel 2.6.34.10 has been released. Part of the release notes follows:

commit 0eafe6686c56b91d436265c9098e72a1f8ab4f19
Author: Paul Gortmaker <paul.gortmaker@windriver.com>
Date:   Sun Jun 26 12:47:42 2011 -0400

    Linux 2.6.34.10

commit 83264a0f19be3fe69f5c9048210bb39402fb57db
Author: Al Viro <viro@ftp.linux.org.uk>
Date:   Tue Sep 28 18:50:27 2010 +0100

    MIPS: secure_computing, syscall audit: syscall number should in r2, not r0.

    commit e5b377a8fb7b05f27647698ac739a0504cb2bf80 upstream.

    As it is, audit_syscall_entry() and secure_computing() get the
    bogus value (0, in fact)

    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Cc: linux-kernel@vger.kernel.org
    Cc: linux-arch@vger.kernel.org
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/1697/
    Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 48adbc4b330cefb3b77111e47c17e833404893ef
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 28 15:40:55 2010 +0000

    net: fix rds_iovec page count overflow

    commit 1b1f693d7ad6d193862dcb1118540a030c5e761f upstream.

    As reported by Thomas Pollet, the rdma page counting can overflow.  We
    get the rdma sizes in 64-bit unsigned entities, but then limit it to
    UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
    an unaligned address).

    So each individual page count fits comfortably in an 'unsigned int' (not
    even close to overflowing into signed), but as they are added up, they
    might end up resulting in a signed return value. Which would be wrong.

    Catch the case of tot_pages turning negative, and return the appropriate
    error code.

    [PG: In 34, var names are slightly different, 1b1f6's tot_pages is
     34's nr_pages, and 1b1f6's nr_pages is 34's nr; so map accordingly.]

    Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Andy Grover <andy.grover@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit e0843d17d6d9997f23534f1ffe9dafb0d5912636
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Thu Mar 17 01:40:10 2011 +0000

    econet: 4 byte infoleak to the network

    commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.

    struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
    x86_64.  These bytes are not initialized in the variable 'ah' before
    sending 'ah' to the network.  This leads to 4 bytes kernel stack
    infoleak.

    This bug was introduced before the git epoch.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Acked-by: Phil Blundell <philb@gnu.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 3e3b57978a0e1140d91f09d3a4197b6411b18f12
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Mar 15 13:37:13 2011 +0100

    ipv6: netfilter: ip6_tables: fix infoleak to userspace

    commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.

    Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.

    The first bug was introduced before the git epoch;  the second was
    introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
    6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 1d9064bb2d8f0ea26a67b2ce74c6d1d461dcfe7d
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Mar 15 13:36:05 2011 +0100

    netfilter: ip_tables: fix infoleak to userspace

    commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.

    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.

    The first and the third bugs were introduced before the git epoch; the
    second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
    one should have CAP_NET_ADMIN.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit f1f486501fa9b401c762b2355a238cf9e7f18385
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Tue Mar 15 13:35:21 2011 +0100

    netfilter: arp_tables: fix infoleak to userspace

    commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.

    Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
    copied from userspace.  Fields of these structs that are
    zero-terminated strings are not checked.  When they are used as argument
    to a format string containing "%s" in request_module(), some sensitive
    information is leaked to userspace via argument of spawned modprobe
    process.

    The first bug was introduced before the git epoch;  the second is
    introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
    6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
    CAP_NET_ADMIN.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 41c6364db6028e2776250be12961b30f4a2ffbf9
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Mon Feb 14 16:49:23 2011 +0100

    bridge: netfilter: fix information leak

    commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.

    Struct tmp is copied from userspace.  It is not checked whether the "name"
    field is NULL terminated.  This may lead to buffer overflow and passing
    contents of kernel stack as a module name to try_then_request_module() and,
    consequently, to modprobe commandline.  It would be seen by all userspace
    processes.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 26b6a59e8b70435996c86f705dfb7f66124f5b1e
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Mon Feb 14 13:54:31 2011 +0300

    Bluetooth: bnep: fix buffer overflow

    commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

    Struct ca is copied from userspace.  It is not checked whether the "device"
    field is NULL terminated.  This potentially leads to BUG() inside of
    alloc_netdev_mqs() and/or information leak by creating a device with a name
    made of contents of kernel stack.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
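
The pattern behind the ip_tables, ip6_tables, arp_tables, bridge and bnep fixes above is the same: a fixed-size name field is copied from userspace, nothing checks that it contains a NUL, and a "%s" walk (or a device name) then runs off the end of the field into whatever the kernel stack holds. The following is an added example, not kernel code: NAME_LEN, FRAME_LEN, build_frame and the module_name_* helpers are hypothetical, and the "stack bytes" after the field are constructed so the overrun is visible.

```c
/* Added example, not kernel code: how a fixed-size name field copied from
 * userspace reaches a "%s" format, and the check that stops it.
 * NAME_LEN, FRAME_LEN, build_frame and the module_name_* helpers are all
 * hypothetical; the layout mimics the bugs above (ipt_replace.name,
 * bnep's "device" field) but is not the kernel's struct. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN  16   /* size of the name field in the copied struct */
#define FRAME_LEN 40   /* name field plus the stack bytes that follow it */

/* Build a constructed "kernel stack frame": the user-supplied name field
 * followed by whatever the previous call left on the stack (a marker here).
 * unterminated=1 fills all NAME_LEN bytes with 'A', as a caller can. */
static void build_frame(char frame[FRAME_LEN], int unterminated)
{
    memset(frame, 0, FRAME_LEN);
    if (unterminated)
        memset(frame, 'A', NAME_LEN);
    else
        strcpy(frame, "conntrack");
    strcpy(frame + NAME_LEN, "SECRET-STACK-BYTES");   /* 18 chars + NUL fits */
}

/* Unchecked pattern: "%s" walks until it finds a NUL, which for an
 * unterminated name is somewhere in the stack bytes after the field.
 * Returns how many characters would be handed to modprobe's command line. */
static int module_name_unchecked(const char *frame, char *out, size_t outlen)
{
    return snprintf(out, outlen, "xt_%s", frame);
}

/* Checked pattern: refuse a name with no NUL inside the field. Terminating
 * the field in place (name[NAME_LEN - 1] = '\0') bounds the walk the same
 * way; rejecting is used here so the result is observable. 0 or -EINVAL. */
static int module_name_checked(const char *frame, char *out, size_t outlen)
{
    if (memchr(frame, '\0', NAME_LEN) == NULL)
        return -EINVAL;
    snprintf(out, outlen, "xt_%s", frame);
    return 0;
}

/* Length of the string the unchecked path produces for a hostile name. */
int leaked_name_length(void)
{
    char frame[FRAME_LEN], out[64];
    build_frame(frame, 1);
    return module_name_unchecked(frame, out, sizeof out);   /* 37, not 19 */
}

/* Return value of the checked path for the same hostile name. */
int checked_rejects_hostile(void)
{
    char frame[FRAME_LEN], out[64];
    build_frame(frame, 1);
    return module_name_checked(frame, out, sizeof out);     /* -EINVAL */
}

/* 1 if a well-formed name passes the check and formats as expected. */
int checked_accepts_valid(void)
{
    char frame[FRAME_LEN], out[64];
    build_frame(frame, 0);
    return module_name_checked(frame, out, sizeof out) == 0 &&
           strcmp(out, "xt_conntrack") == 0;
}

int main(void)
{
    printf("unchecked: %d bytes reach the command line\n", leaked_name_length());
    printf("checked:   %d\n", checked_rejects_hostile());
    return checked_accepts_valid() ? 0 : 1;
}
```

The 37-byte result is "xt_" plus the 16 'A's plus the 18 marker bytes that followed the field on the constructed stack; in the real bug those bytes were kernel stack contents, visible to every process through the modprobe command line.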

commit f8107dd119c9fd62aa0a3d3eb55d67bdd84b8036
Author: Vasiliy Kulikov <segoon@openwall.com>
Date:   Mon Feb 14 13:54:26 2011 +0300

    Bluetooth: sco: fix information leak to userspace

    commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

    struct sco_conninfo has one padding byte in the end.  Local variable
    cinfo of type sco_conninfo is copied to userspace with this uninitialized
    one byte, leading to old stack contents leak.

    Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
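
The econet and sco commits above (and the tipc and ax25 ones further down) are the same defect: the compiler inserts padding bytes into a struct, field-by-field assignment never touches them, and the whole object is then copied out. Below is an added example, not kernel code, that makes the leak measurable: struct hdr is a hypothetical struct with the layout the econet message describes (four byte fields followed by an unsigned long), and STALE is a constructed marker standing in for leftover stack contents.

```c
/* Added example, not kernel code: why a struct with compiler-inserted
 * padding leaks stack bytes when sent as a whole, and why a memset() of
 * the whole object fixes it. struct hdr is hypothetical, shaped like the
 * aunhdr layout described above (four byte fields, then an unsigned long);
 * STALE and the helpers are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct hdr {
    uint8_t code, port, cb, pad;
    unsigned long handle;   /* 8-byte aligned on LP64: 4 padding bytes precede it */
};

#define STALE 0xAA   /* marker standing in for leftover kernel stack contents */

/* Bytes of the object that no named field covers (4 on x86_64, 0 on ILP32). */
size_t padding_bytes(void)
{
    return sizeof(struct hdr) - (4 * sizeof(uint8_t) + sizeof(unsigned long));
}

/* Count how many bytes of the object still hold the STALE marker. */
static size_t stale_bytes(const struct hdr *h)
{
    const unsigned char *p = (const unsigned char *)h;
    size_t n = 0;
    for (size_t i = 0; i < sizeof *h; i++)
        if (p[i] == STALE)
            n++;
    return n;
}

/* Buggy pattern: assign every field and ship the object. The stack slot is
 * pre-filled with STALE so the untouched padding becomes visible. */
size_t stale_after_field_init(void)
{
    struct hdr ah;
    memset(&ah, STALE, sizeof ah);      /* simulate a dirty stack frame */
    ah.code = 1;
    ah.port = 2;
    ah.cb = 3;
    ah.pad = 0;
    ah.handle = 0x12345678UL;
    return stale_bytes(&ah);            /* == padding_bytes() */
}

/* Fixed pattern: clear the whole object first, then assign the fields. */
size_t stale_after_memset(void)
{
    struct hdr ah;
    memset(&ah, STALE, sizeof ah);      /* simulate a dirty stack frame */
    memset(&ah, 0, sizeof ah);          /* the fix: zero padding too */
    ah.code = 1;
    ah.port = 2;
    ah.cb = 3;
    ah.pad = 0;
    ah.handle = 0x12345678UL;
    return stale_bytes(&ah);            /* 0 */
}

int main(void)
{
    printf("padding bytes in struct hdr:      %zu\n", padding_bytes());
    printf("stale bytes after field init:     %zu\n", stale_after_field_init());
    printf("stale bytes after memset + init:  %zu\n", stale_after_memset());
    return 0;
}
```

A designated initializer is not a substitute for the memset: the C standard leaves padding unspecified for initialized objects, which is why the kernel fixes clear the whole object explicitly before filling it.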

commit 973800f01aa1ab2bf5b8a412af07fc2cc568c783
Author: Alex Elder <aelder@sgi.com>
Date:   Tue Mar 1 17:50:00 2011 +0000

    xfs: zero proper structure size for geometry calls

    commit af24ee9ea8d532e16883251a6684dfa1be8eec29 upstream.

    Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
    xfs_fs_geometry() in order to avoid passing kernel stack data back
    to user space:

    +       memset(geo, 0, sizeof(*geo));

    Unfortunately, one of the callers of that function passes the
    address of a smaller data type, cast to fit the type that
    xfs_fs_geometry() requires.  As a result, this can happen:

    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
    in: f87aca93

    Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
    Call Trace:

    [<c12991ac>] ? panic+0x50/0x150
    [<c102ed71>] ? __stack_chk_fail+0x10/0x18
    [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]

    Fix this by fixing that one caller to pass the right type and then
    copy out the subset it is interested in.

    Note: This patch is an alternative to one originally proposed by
    Eric Sandeen.

    Reported-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
    Signed-off-by: Alex Elder <aelder@sgi.com>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Tested-by: Jeffrey Hundstad <jeffrey.hundstad@mnsu.edu>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 5658d0e0d4830af95fcde40bc7c6db2dec8ebddf
Author: Dan Rosenberg <drosenberg@vsecurity.com>
Date:   Mon Feb 14 13:45:28 2011 +0000

    xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1

    commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba upstream.

    The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
    xfs_fs_geometry() with a version number of 3.  This code path does not
    fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
    the leaking of four bytes of uninitialized stack data to potentially
    unprivileged callers.

    v2 switches to memset() to avoid future issues if structure members
    change, on suggestion of Dave Chinner.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Reviewed-by: Eugene Teo <eugeneteo@kernel.org>
    Signed-off-by: Alex Elder <aelder@sgi.com>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 11c66be05f49f70a635a6eb63e6cffea520b22c5
Author: Dan Rosenberg <drosenberg@vsecurity.com>
Date:   Sun Dec 26 06:54:53 2010 +0000

    CAN: Use inode instead of kernel address for /proc file

    commit 9f260e0efa4766e56d0ac14f1aeea6ee5eb8fe83 upstream.

    Since the socket address is just being used as a unique identifier, its
    inode number is an alternative that does not leak potentially sensitive
    information.

    CC-ing stable because MITRE has assigned CVE-2010-4565 to the issue.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 5cf8a08026f539f396a3170d1991d651ee0fb30c
Author: Dan Rosenberg <drosenberg@vsecurity.com>
Date:   Wed Dec 22 13:58:27 2010 +0000

    irda: prevent integer underflow in IRLMP_ENUMDEVICES

    commit fdac1e0697356ac212259f2147aa60c72e334861 upstream.

    If the user-provided len is less than the expected offset, the
    IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
    size value.  While this isn't a security issue on x86 because it will
    get caught by the access_ok() check, it may leak large amounts of kernel
    heap on other architectures.  In any event, this patch fixes it.

    Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
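
Two of the commits above are arithmetic on user-controlled sizes: the rds change sums per-iovec page counts that each fit an unsigned int into a signed total that can wrap, and the irda change subtracts a header size from a user-supplied length that may be smaller than the header. The following is an added example, not kernel code, showing both checks on constructed input; PAGE_SHIFT, struct iov, HEADER_LEN, ENTRY_LEN and the sample requests are assumptions for the demonstration rather than the kernel's values.

```c
/* Added example, not kernel code: two checks on user-controlled sizes from
 * the commits above. count_pages() sums per-iovec page counts into an int,
 * as the rds change describes, and refuses the addition that would wrap;
 * enum_body_len_*() show the IRLMP_ENUMDEVICES-style "len minus header"
 * underflow. PAGE_SHIFT, struct iov, HEADER_LEN, ENTRY_LEN and the sample
 * data are constructed for the demonstration, not the kernel's values. */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)

struct iov { uint64_t addr; uint64_t bytes; };

/* Pages spanned by one iovec after clamping bytes to UINT_MAX: at most
 * 2^20 + 1 (the "+1" for an unaligned start), so each count fits an
 * unsigned int comfortably. */
static unsigned int iov_pages(const struct iov *v)
{
    uint64_t bytes = v->bytes > UINT_MAX ? UINT_MAX : v->bytes;
    uint64_t first = v->addr >> PAGE_SHIFT;
    uint64_t last  = (v->addr + bytes + PAGE_SIZE - 1) >> PAGE_SHIFT;
    return (unsigned int)(last - first);
}

/* Sum into an int. The fix described above catches tot_pages < 0 after the
 * fact; since signed overflow is undefined in C, this version refuses the
 * addition before it happens. Returns the total or -EINVAL. */
int count_pages(const struct iov *v, size_t n)
{
    int tot = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned int np = iov_pages(&v[i]);
        if (np > (unsigned int)(INT_MAX - tot))
            return -EINVAL;
        tot += (int)np;
    }
    return tot;
}

/* Constructed request: 2048 iovecs of UINT_MAX bytes each, 2^20 pages
 * apiece, so the sum crosses INT_MAX on the last entry. */
#define BIG_IOVS 2048
static struct iov big[BIG_IOVS];

static void fill_big(void)
{
    for (size_t i = 0; i < BIG_IOVS; i++)
        big[i] = (struct iov){ .addr = 0, .bytes = UINT_MAX };
}

int demo_rds_overflow(void)
{
    fill_big();
    return count_pages(big, BIG_IOVS);          /* -EINVAL */
}

int demo_rds_fits(void)
{
    fill_big();
    return count_pages(big, BIG_IOVS - 1);      /* 2047 * 2^20 = 2146435072 */
}

/* Small sane request: [4095, +2) touches pages 0 and 1; [8192, +4096) is page 2. */
int demo_rds_small(void)
{
    struct iov small[2] = { { 4095, 2 }, { 8192, 4096 } };
    return count_pages(small, 2);               /* 3 */
}

/* IRLMP_ENUMDEVICES-style reply: a fixed header followed by device entries;
 * the caller passes the size of its buffer in user_len. ndevs is assumed to
 * be bounded by the caller already. */
#define HEADER_LEN 4u
#define ENTRY_LEN  16u

/* Unchecked: when user_len < HEADER_LEN the subtraction wraps to a huge
 * copy size (the bug the irda commit fixes). Returns the unsigned value
 * the copy would receive. */
unsigned int enum_body_len_unchecked(unsigned int user_len, unsigned int ndevs)
{
    unsigned int total = HEADER_LEN + ndevs * ENTRY_LEN;
    if (total > user_len)
        total = user_len;
    return total - HEADER_LEN;
}

/* Checked: a buffer that cannot even hold the header is rejected. */
long long enum_body_len_checked(unsigned int user_len, unsigned int ndevs)
{
    if (user_len < HEADER_LEN)
        return -EINVAL;
    unsigned int total = HEADER_LEN + ndevs * ENTRY_LEN;
    if (total > user_len)
        total = user_len;
    return total - HEADER_LEN;
}

int main(void)
{
    printf("small: %d  fits: %d  overflow: %d\n",
           demo_rds_small(), demo_rds_fits(), demo_rds_overflow());
    printf("len=2 unchecked: %u  checked: %lld\n",
           enum_body_len_unchecked(2, 3), enum_body_len_checked(2, 3));
    return 0;
}
```

With a 2-byte user buffer the unchecked path hands the copy 4294967294 bytes; on x86 the access_ok() check the commit mentions happens to catch that, but the length check is the actual fix.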

commit 32e92da012e081ce4f741974761e92b215ff58b5
Author: Nelson Elhage <nelhage@ksplice.com>
Date:   Wed Nov 3 16:35:40 2010 +0000

    netlink: Make nlmsg_find_attr take a const nlmsghdr*.

    commit 6b8c92ba07287578718335ce409de8e8d7217e40 upstream.

    This will let us use it on a nlmsghdr stored inside a netlink_callback.

    Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 02e6f1ee075a325dc9079b3dc143d898e924ce64
Author: Nelson Elhage <nelhage@ksplice.com>
Date:   Wed Nov 3 16:35:41 2010 +0000

    inet_diag: Make sure we actually run the same bytecode we audited.

    commit 22e76c849d505d87c5ecf3d3e6742a65f0ff4860 upstream.

    We were using nlmsg_find_attr() to look up the bytecode by attribute when
    auditing, but then just using the first attribute when actually running
    bytecode. So, if we received a message with two attribute elements, where only
    the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
    bytecode strings.

    Fix this by consistently using nlmsg_find_attr everywhere.

    Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
    Signed-off-by: Thomas Graf <tgraf@infradead.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
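
The inet_diag fix above is a validate-one-thing, use-another bug: the bytecode found by attribute type is audited, but the bytecode at the first attribute is executed, so a message whose first attribute has a different type slips unaudited input past the check. The following is an added example, not kernel code, that reproduces the mismatch on a toy attribute list; struct attr, ATTR_*, bytecode_valid and bytecode_run are hypothetical stand-ins for the netlink attribute and the audit and run steps, and sample_msg is constructed.

```c
/* Added example, not kernel code: the validate-one-attribute, run-another
 * mismatch the inet_diag commit describes, on a toy attribute list.
 * struct attr, ATTR_*, bytecode_valid and bytecode_run are hypothetical
 * stand-ins for the netlink attribute and the bytecode audit/run steps. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct attr {
    uint16_t type;
    uint16_t len;
    const unsigned char *data;
};

#define ATTR_OTHER        1
#define ATTR_REQ_BYTECODE 2   /* stands in for INET_DIAG_REQ_BYTECODE */

/* First attribute of the requested type, or NULL (what nlmsg_find_attr does). */
static const struct attr *find_attr(const struct attr *attrs, size_t n, uint16_t type)
{
    for (size_t i = 0; i < n; i++)
        if (attrs[i].type == type)
            return &attrs[i];
    return NULL;
}

/* Toy audit: every byte must be one of four known opcodes. */
int bytecode_valid(const struct attr *a)
{
    for (size_t i = 0; i < a->len; i++)
        if (a->data[i] > 3)
            return 0;
    return 1;
}

/* Toy interpreter: adds the opcodes up. Fed unaudited input it happily
 * consumes bytes the audit would have rejected. */
static int bytecode_run(const struct attr *a)
{
    int acc = 0;
    for (size_t i = 0; i < a->len; i++)
        acc += a->data[i];
    return acc;
}

/* Buggy flow: audit the attribute found by type, run the first attribute. */
int process_inconsistent(const struct attr *attrs, size_t n)
{
    const struct attr *audited = find_attr(attrs, n, ATTR_REQ_BYTECODE);
    if (audited == NULL || !bytecode_valid(audited))
        return -EINVAL;
    return bytecode_run(&attrs[0]);       /* not the attribute we audited */
}

/* Fixed flow: look the attribute up by type in both places. */
int process_consistent(const struct attr *attrs, size_t n)
{
    const struct attr *a = find_attr(attrs, n, ATTR_REQ_BYTECODE);
    if (a == NULL || !bytecode_valid(a))
        return -EINVAL;
    return bytecode_run(a);
}

/* Constructed message: the first attribute carries bytes the audit rejects,
 * the second is the well-formed bytecode the audit actually looks at. */
static const unsigned char bad_bytes[3]  = { 0x7f, 0x7f, 0x7f };
static const unsigned char good_bytes[3] = { 1, 2, 3 };
const struct attr sample_msg[2] = {
    { ATTR_OTHER,        3, bad_bytes  },
    { ATTR_REQ_BYTECODE, 3, good_bytes },
};

int demo_buggy(void) { return process_inconsistent(sample_msg, 2); }   /* 381 */
int demo_fixed(void) { return process_consistent(sample_msg, 2); }     /* 6 */

int main(void)
{
    printf("first attribute passes audit: %d\n", bytecode_valid(&sample_msg[0]));
    printf("buggy flow ran: %d, fixed flow ran: %d\n", demo_buggy(), demo_fixed());
    return 0;
}
```

The buggy flow returns 381, the sum of three 0x7f bytes that bytecode_valid() rejects, while the audited bytecode would have produced 6; the general rule is that the object validated and the object used must be the same lookup, not two lookups assumed to agree.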

commit ddfd87424bef1dc8b2930acae2311b286ab9de12
Author: Kulikov Vasiliy <segooon@gmail.com>
Date:   Sun Oct 31 07:10:32 2010 +0000

    net: tipc: fix information leak to userland

    commit 88f8a5e3e7defccd3925cabb1ee4d3994e5cdb52 upstream.

    Structure sockaddr_tipc is copied to userland with padding bytes after
    "id" field in union field "name" uninitialized.  It leads to leaking of
    contents of kernel stack memory.  We have to initialize them to zero.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 262b3d2e9f111516bf5cc1211f9128180e0329ef
Author: Vasiliy Kulikov <segooon@gmail.com>
Date:   Wed Nov 10 10:14:33 2010 -0800

    net: ax25: fix information leak to userland

    commit fe10ae53384e48c51996941b7720ee16995cbcb7 upstream.

    Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
    field of fsa struct, also the struct has padding bytes between
    sax25_call and sax25_ndigis fields.  This structure is then copied to
    userland.  It leads to leaking of contents of kernel stack memory.

    Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 44a214c1611386aa49ce86c70ebcddcad8a7a3f0
Author: Stuart Hayes <stuart_hayes@yahoo.com>
Date:   Wed Mar 2 13:42:05 2011 +0100

    dcdbas: force SMI to happen when expected

    commit dd65c736d1b5312c80c88a64bf521db4959eded5 upstream.

    The dcdbas driver can do an I/O write to cause a SMI to occur.  The SMI handler
    looks at certain registers and memory locations, so the SMI needs to happen
    immediately.  On some systems I/O writes are posted, though, causing the SMI to
    happen well after the "outb" occurred, which causes random failures.  Following
    the "outb" with an "inb" forces the write to go through even if it is posted.

    Signed-off-by: Stuart Hayes <stuart_hayes@yahoo.com>
    Acked-by: Doug Warzecha <douglas_warzecha@dell.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit e4b2f0cae9c5cd1d5a0959ee529e6a6fee620c5c
Author: Josef Bacik <josef@redhat.com>
Date:   Thu Nov 18 20:52:55 2010 -0500

    fs: call security_d_instantiate in d_obtain_alias V2

    commit 24ff6663ccfdaf088dfa7acae489cb11ed4f43c4 upstream.

    While trying to track down some NFS problems with BTRFS, I kept noticing I was
    getting -EACCESS for no apparent reason.  Eric Paris and printk() helped me
    figure out that it was SELinux that was giving me grief, with the following
    denial

    type=AVC msg=audit(1290013638.413:95): avc:  denied  { 0x800000 } for  pid=1772
    comm="nfsd" name="" dev=sda1 ino=256 scontext=system_u:system_r:kernel_t:s0
    tcontext=system_u:object_r:unlabeled_t:s0 tclass=file

    Turns out this is because in d_obtain_alias if we can't find an alias we create
    one and do all the normal instantiation stuff, but we don't do the
    security_d_instantiate.

    Usually we are protected from getting a hashed dentry that hasn't yet run
    security_d_instantiate() by the parent's i_mutex, but obviously this isn't an
    option there, so in order to deal with the case that a second thread comes in
    and finds our new dentry before we get to run security_d_instantiate(), we go
    ahead and call it if we find a dentry already.  Eric assures me that this is ok
    as the code checks to see if the dentry has been initialized already so calling
    security_d_instantiate() against the same dentry multiple times is ok.  With
    this patch I'm no longer getting errant -EACCESS values.

    Signed-off-by: Josef Bacik <josef@redhat.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

commit 0ec63bc8c16763ab565ab97d39f10eb9a6ab9125
Author: Robin Holt <holt@sgi.com>
Date:   Wed Jan 12 17:00:01 2011 -0800

    epoll: convert max_user_watches to long

    commit 52bd19f7691b2ea6433aef0ef94c08c57efd7e79 upstream.

    On a 16TB machine, max_user_watches has an integer overflow.  Convert it
    to use a long and handle the associated fallout.

    Signed-off-by: Robin Holt <holt@sgi.com>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Acked-by: Davide Libenzi <davidel@xmailserver.org>
    Cc: Pekka Enberg <penberg@cs.helsinki.fi>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

The rest can be seen at: http://www.kernel.org/pub/linux/kernel/v2.6/longterm/v2.6.34/ChangeLog-2.6.34.10