<feed xmlns='http://www.w3.org/2005/Atom'>
<title>user/sven/linux.git, branch v2.6.16.18</title>
<subtitle>Linux Kernel
</subtitle>
<id>https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v2.6.16.18</id>
<link rel='self' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v2.6.16.18'/>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/'/>
<updated>2006-05-22T18:04:35Z</updated>
<entry>
<title>Linux 2.6.16.18</title>
<updated>2006-05-22T18:04:35Z</updated>
<author>
<name>Chris Wright</name>
<email>chrisw@sous-sol.org</email>
</author>
<published>2006-05-22T18:04:35Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=b7d061792b4c09fe7c290ddccae3f998d5b513c0'/>
<id>urn:sha1:b7d061792b4c09fe7c290ddccae3f998d5b513c0</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] NETFILTER: SNMP NAT: fix memory corruption (CVE-2006-2444)</title>
<updated>2006-05-22T18:04:25Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2006-05-20T07:31:26Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=1db6b5a66e93ff125ab871d6b3f7363412cc87e8'/>
<id>urn:sha1:1db6b5a66e93ff125ab871d6b3f7363412cc87e8</id>
<content type='text'>
CVE-2006-2444 - Potential remote DoS in SNMP NAT helper.

Fix memory corruption caused by snmp_trap_decode:

- When snmp_trap_decode fails before the id and address are allocated,
  the pointers contain random memory, but are freed by the caller
  (snmp_parse_mangle).

- When snmp_trap_decode fails after allocating just the ID, it tries
  to free both address and ID, but the address pointer still contains
  random memory. The caller frees both ID and random memory again.

- When snmp_trap_decode fails after allocating both, it frees both,
  and the caller frees both again.

The corruption can be triggered remotely when the ip_nat_snmp_basic
module is loaded and traffic on port 161 or 162 is NATed.

Found by multiple testcases of the trap-app and trap-enc groups of the
PROTOS c06-snmpv1 testsuite.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.17</title>
<updated>2006-05-20T22:00:46Z</updated>
<author>
<name>Chris Wright</name>
<email>chrisw@sous-sol.org</email>
</author>
<published>2006-05-20T22:00:46Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=d87319c3e4d908e157a462d0e3e7fbffbf25324d'/>
<id>urn:sha1:d87319c3e4d908e157a462d0e3e7fbffbf25324d</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Validate the parameter length in HB-ACK chunk (CVE-2006-1857)</title>
<updated>2006-05-20T22:00:34Z</updated>
<author>
<name>Vladislav Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-05-19T21:25:53Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=1a9807fd86f9a112a39720e99be4eeae7b4e3694'/>
<id>urn:sha1:1a9807fd86f9a112a39720e99be4eeae7b4e3694</id>
<content type='text'>
If SCTP receives a badly formatted HB-ACK chunk, it is possible
that we may access invalid memory and potentially have a buffer
overflow.  We should really make sure that the chunk format is
what we expect, before attempting to touch the data.

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] SCTP: Respect the real chunk length when walking parameters (CVE-2006-1858)</title>
<updated>2006-05-20T22:00:34Z</updated>
<author>
<name>Vladislav Yasevich</name>
<email>vladislav.yasevich@hp.com</email>
</author>
<published>2006-05-19T18:52:20Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=0eca2317be1345e056fb75d256099a04c97f7021'/>
<id>urn:sha1:0eca2317be1345e056fb75d256099a04c97f7021</id>
<content type='text'>
When performing bound checks during the parameter processing, we
want to use the real chunk and parameter lengths for bounds instead
of the rounded ones.  This prevents us from potentially walking off
the end if the chunk length was miscalculated.  We still use rounded
lengths when advancing the pointer. This was found during a
conformance test that changed the chunk length without modifying
parameters.

(Vlad noted elsewhere: the most you'd overflow is 3 bytes, so problem
is parameter dependent).

Signed-off-by: Vlad Yasevich &lt;vladislav.yasevich@hp.com&gt;
Signed-off-by: Sridhar Samudrala &lt;sri@us.ibm.com&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] ptrace_attach: fix possible deadlock scenario with irqs</title>
<updated>2006-05-20T22:00:33Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@g5.osdl.org</email>
</author>
<published>2006-05-11T18:08:49Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=f91962f90eb89684ecbfb3f6b8578b3ebd6937df'/>
<id>urn:sha1:f91962f90eb89684ecbfb3f6b8578b3ebd6937df</id>
<content type='text'>
Eric Biederman points out that we can't take the task_lock while holding
tasklist_lock for writing, because another CPU that holds the task lock
might take an interrupt that then tries to take tasklist_lock for writing.

Which would be a nasty deadlock, with one CPU spinning forever in an
interrupt handler (although admittedly you need to really work at
triggering it ;)

Since the ptrace_attach() code is special and very unusual, just make it
be extra careful, and use trylock+repeat to avoid the possible deadlock.

Cc: Oleg Nesterov &lt;oleg@tv-sign.ru&gt;
Cc: Eric W. Biederman &lt;ebiederm@xmission.com&gt;
Cc: Roland McGrath &lt;roland@redhat.com&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@osdl.org&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] Fix ptrace_attach()/ptrace_traceme()/de_thread() race</title>
<updated>2006-05-20T22:00:33Z</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@g5.osdl.org</email>
</author>
<published>2006-05-07T17:49:33Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=65b01b76265047aa59d6eb741ec61468c8867256'/>
<id>urn:sha1:65b01b76265047aa59d6eb741ec61468c8867256</id>
<content type='text'>
This holds the task lock (and, for ptrace_attach, the tasklist_lock)
over the actual attach event, which closes a race between attaching to a
thread that is either doing a PTRACE_TRACEME or getting de-threaded.

Thanks to Oleg Nesterov for reminding me about this, and Chris Wright
for noticing a lost return value in my first version.

Signed-off-by: Linus Torvalds &lt;torvalds@osdl.org&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] page migration: Fix fallback behavior for dirty pages</title>
<updated>2006-05-20T22:00:33Z</updated>
<author>
<name>Christoph Lameter</name>
<email>clameter@sgi.com</email>
</author>
<published>2006-05-01T19:16:08Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=1d4532d4d7351b552220d9ef0a1901a33f00ee5f'/>
<id>urn:sha1:1d4532d4d7351b552220d9ef0a1901a33f00ee5f</id>
<content type='text'>
Currently we check PageDirty() in order to make the decision to swap out
the page.  However, the dirty information may only be contained in the
ptes pointing to the page.  We need to first unmap the ptes before checking
for PageDirty().  If unmap is successful then the page count of the page
will also be decreased so that pageout() works properly.

This is a fix necessary for 2.6.17.  Without this fix we may migrate dirty
pages for filesystems without migration functions.  Filesystems may keep
pointers to dirty pages.  Migration of dirty pages can result in the
filesystem keeping pointers to freed pages.

Unmapping is currently not separated out from removing all the
references to a page and moving the mapping.  Therefore try_to_unmap will
be called again in migrate_page() if the writeout is successful.  However,
it won't do anything since the ptes are already removed.

The coming updates to the page migration code will restructure the code
so that this is no longer necessary.

Signed-off-by: Christoph Lameter &lt;clameter@sgi.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@osdl.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@osdl.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] add migratepage address space op to shmem</title>
<updated>2006-05-20T22:00:33Z</updated>
<author>
<name>Lee Schermerhorn</name>
<email>Lee.Schermerhorn@hp.com</email>
</author>
<published>2006-04-22T09:35:48Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=75178298c6c807a7274ab48ef9c4d6be7d0114d8'/>
<id>urn:sha1:75178298c6c807a7274ab48ef9c4d6be7d0114d8</id>
<content type='text'>
Basic problem: pages of a shared memory segment can only be migrated once.

In 2.6.16 through 2.6.17-rc1, shared memory mappings do not have a
migratepage address space op.  Therefore, migrate_pages() falls back to
default processing.  In this path, it will try to pageout() dirty pages.
Once a shared memory page has been migrated it becomes dirty, so
migrate_pages() will try to page it out.  However, because the page count
is 3 [cache + current + pte], pageout() will return PAGE_KEEP because
is_page_cache_freeable() returns false.  This will abort all subsequent
migrations.

This patch adds a migratepage address space op to shared memory segments to
avoid taking the default path.  We use the "migrate_page()" function
because it knows how to migrate dirty pages.  This allows shared memory
segment pages to migrate, subject to other conditions such as # pte's
referencing the page [page_mapcount(page)], when requested.

I think this is safe.  If we're migrating a shared memory page, then we
found the page via a page table, so it must be in memory.

Can be verified with memtoy and the shmem-mbind-test script, both
available at:  http://free.linux.hp.com/~lts/Tools/

Signed-off-by: Lee Schermerhorn &lt;lee.schermerhorn@hp.com&gt;
Acked-by: Christoph Lameter &lt;clameter@sgi.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@osdl.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@osdl.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
<entry>
<title>[PATCH] Remove cond_resched in gather_stats()</title>
<updated>2006-05-20T22:00:32Z</updated>
<author>
<name>Christoph Lameter</name>
<email>clameter@sgi.com</email>
</author>
<published>2006-04-20T09:43:12Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=602e0343a69b4300de4b889d644f95983dfdc9cd'/>
<id>urn:sha1:602e0343a69b4300de4b889d644f95983dfdc9cd</id>
<content type='text'>
gather_stats() is called with a spinlock held from check_pte_range.  We
cannot reschedule with a lock held.

Signed-off-by: Christoph Lameter &lt;clameter@sgi.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@osdl.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@osdl.org&gt;
Signed-off-by: Chris Wright &lt;chrisw@sous-sol.org&gt;
</content>
</entry>
</feed>
