<feed xmlns='http://www.w3.org/2005/Atom'>
<title>user/sven/linux.git, branch v2.6.16.9</title>
<subtitle>Linux Kernel</subtitle>
<id>https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v2.6.16.9</id>
<link rel='self' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v2.6.16.9'/>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/'/>
<updated>2006-04-19T06:10:14Z</updated>
<entry>
<title>Linux 2.6.16.9</title>
<updated>2006-04-19T06:10:14Z</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@suse.de</email>
</author>
<published>2006-04-19T06:10:14Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=9d395d1961a0eeb9e8b1ef2854f3ca8f0b985266'/>
<id>urn:sha1:9d395d1961a0eeb9e8b1ef2854f3ca8f0b985266</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] i386/x86-64: Fix x87 information leak between processes (CVE-2006-1056)</title>
<updated>2006-04-19T05:54:44Z</updated>
<author>
<name>Andi Kleen</name>
<email>ak@suse.de</email>
</author>
<published>2006-04-19T05:17:31Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=7466f9e72dac13452d871a3fb72fc7bd9c93c864'/>
<id>urn:sha1:7466f9e72dac13452d871a3fb72fc7bd9c93c864</id>
<content type='text'>
AMD K7/K8 CPUs only save/restore the FOP/FIP/FDP x87 registers in FXSAVE
when an exception is pending.  This means the values leak through context
switches and allow processes to observe some x87 instruction state of
other processes.

This was actually documented by AMD, but nobody recognized it as being
different from Intel before.

The fix first adds an optimization: instead of unconditionally calling
FNCLEX after each FXSAVE, test if ES is pending and skip it when not
needed. Then do a x87 load from a kernel variable to clear FOP/FIP/FDP.

This means other processes always will only see a constant value defined
by the kernel in their FP state.

I took some pain to make sure to choose a variable that's already in L1
during context switch to make the overhead of this low.

Also alternative() is used to patch away the new code on CPUs that don't
need it.

Patch for both i386/x86-64.

The problem was discovered originally by Jan Beulich. Richard Brunner
provided the basic code for the workarounds, with contribution from Jan.

This is CVE-2006-1056

Cc: richard.brunner@amd.com
Cc: jbeulich@novell.com
Signed-off-by: Andi Kleen &lt;ak@suse.de&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.8</title>
<updated>2006-04-18T21:32:07Z</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@suse.de</email>
</author>
<published>2006-04-18T21:32:07Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=aa48603d1ba772d0a2b28ab73098be2119878eba'/>
<id>urn:sha1:aa48603d1ba772d0a2b28ab73098be2119878eba</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] ip_route_input panic fix (CVE-2006-1525)</title>
<updated>2006-04-18T21:31:47Z</updated>
<author>
<name>Stephen Hemminger</name>
<email>shemminger@osdl.org</email>
</author>
<published>2006-04-18T00:27:11Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=a0b277b4fdcbc24c26af7c5d019e9448a51c79cf'/>
<id>urn:sha1:a0b277b4fdcbc24c26af7c5d019e9448a51c79cf</id>
<content type='text'>
This fixes http://bugzilla.kernel.org/show_bug.cgi?id=6388
The bug is caused by ip_route_input dereferencing skb-&gt;nh.protocol of
the dummy skb passed down from inet_rtm_getroute (Thanks Thomas for seeing
it). It only happens if the route requested is for a multicast IP
address.

Signed-off-by: Stephen Hemminger &lt;shemminger@osdl.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.7</title>
<updated>2006-04-17T21:53:25Z</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@suse.de</email>
</author>
<published>2006-04-17T21:53:25Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=54e5705fd460c7621a4d73c71197e2650ba034a2'/>
<id>urn:sha1:54e5705fd460c7621a4d73c71197e2650ba034a2</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] fix MADV_REMOVE vulnerability (CVE-2006-1524 for real this time)</title>
<updated>2006-04-17T21:52:57Z</updated>
<author>
<name>Hugh Dickins</name>
<email>hugh@veritas.com</email>
</author>
<published>2006-04-17T21:46:32Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=00ec474c9bed7883f1b3e5f46e3bf09f7de69975'/>
<id>urn:sha1:00ec474c9bed7883f1b3e5f46e3bf09f7de69975</id>
<content type='text'>
madvise_remove needs to respect file and mmap protections.

Signed-off-by: Hugh Dickins &lt;hugh@veritas.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>Linux 2.6.16.6</title>
<updated>2006-04-17T20:36:51Z</updated>
<author>
<name>Greg Kroah-Hartman</name>
<email>gregkh@suse.de</email>
</author>
<published>2006-04-17T20:36:51Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=37863c8a9b7b0261ec76daad8afffe9ab5314794'/>
<id>urn:sha1:37863c8a9b7b0261ec76daad8afffe9ab5314794</id>
<content type='text'>
</content>
</entry>
<entry>
<title>[PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)</title>
<updated>2006-04-17T20:16:07Z</updated>
<author>
<name>Hugh Dickins</name>
<email>hugh@veritas.com</email>
</author>
<published>2006-04-12T21:34:27Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=512dba41bae0ec8de72269167f23b75a4770097d'/>
<id>urn:sha1:512dba41bae0ec8de72269167f23b75a4770097d</id>
<content type='text'>
I found that all of 2.4 and 2.6 have been letting mprotect give write
permission to a readonly attachment of shared memory, whether or not IPC
would give the caller that permission.

SUS says "The behaviour of this function [mprotect] is unspecified if the
mapping was not established by a call to mmap", but I don't think we can
interpret that as allowing it to subvert IPC permissions.

I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
the patch below reproduces that behaviour - mprotect cannot be used to add
write permission to a shared memory segment attached readonly.

This patch is simple, and I'm sure it's what we should have done in 2.4.0:
if you want to go on to switch write permission on and off with mprotect,
just don't attach the segment readonly in the first place.

However, we could have accumulated apps which attach readonly (even though
they would be permitted to attach read/write), and which subsequently use
mprotect to switch write permission on and off: it's not unreasonable.

I was going to add a second ipcperms check in do_shmat, to check for
writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
But security_ipc_permission might do auditing, and it seems wrong to
report an attempt for write permission when there has been none.  Or we
could flag the vma as SHM, note the shmid or shp in vm_private_data, and
then get mprotect to check.

But the patch below is a lot simpler: I'd rather stick with it, if we can
convince ourselves somehow that it'll be safe.

Signed-off-by: Hugh Dickins &lt;hugh@veritas.com&gt;
Signed-off-by: Andrew Morton &lt;akpm@osdl.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
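The two CVE-2006-1524 fixes in this feed (the MADV_REMOVE entry above and the shmat/mprotect entry just above this) both come down to the kernel refusing to grant write access that a mapping was never given. The following is an added example, not kernel or cgit code, that checks both from user space on a running system: it attaches a System V segment with SHM_RDONLY and asks mprotect for write permission, then maps a file opened read-only as MAP_SHARED and asks for MADV_REMOVE; a fixed kernel answers EACCES in both cases. It assumes Linux (the IPC and mmap constants are the Linux uapi values, libc is bound through ctypes) and Python 3.8 or later for mmap.madvise; the function names are the example's own.

```python
"""User-space regression checks for the two CVE-2006-1524 fixes.

Added example, not kernel or cgit code.  Assumes Linux and a libc that
ctypes can load; the constants below are the Linux uapi values.
"""
import ctypes
import ctypes.util
import mmap
import os
import tempfile

IPC_PRIVATE = 0
IPC_CREAT = 0o1000
IPC_RMID = 0
SHM_RDONLY = 0o10000
PROT_READ = 0x1
PROT_WRITE = 0x2
EACCES = 13
SHMAT_FAILED = ctypes.c_void_p(-1).value   # shmat() returns (void *)-1 on error

_libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
_libc.shmget.restype = ctypes.c_int
_libc.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
_libc.shmat.restype = ctypes.c_void_p
_libc.shmat.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
_libc.shmdt.restype = ctypes.c_int
_libc.shmdt.argtypes = [ctypes.c_void_p]
_libc.shmctl.restype = ctypes.c_int
_libc.shmctl.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p]
_libc.mprotect.restype = ctypes.c_int
_libc.mprotect.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int]


def _check(rv, what):
    """Turn a failing libc return value into OSError carrying the real errno."""
    if rv == -1 or rv == SHMAT_FAILED:
        e = ctypes.get_errno()
        raise OSError(e, "%s: %s" % (what, os.strerror(e)))
    return rv


def mprotect_errno_after_shmat(shmflg):
    """shmget a private segment, shmat it with shmflg, then ask mprotect for
    PROT_READ|PROT_WRITE on the attachment.
    Returns 0 if mprotect succeeded, otherwise the errno it set."""
    size = os.sysconf("SC_PAGE_SIZE")
    shmid = _check(_libc.shmget(IPC_PRIVATE, size, IPC_CREAT | 0o600), "shmget")
    try:
        addr = _check(_libc.shmat(shmid, None, shmflg), "shmat")
        try:
            if _libc.mprotect(addr, size, PROT_READ | PROT_WRITE) == 0:
                return 0
            return ctypes.get_errno()
        finally:
            _libc.shmdt(addr)
    finally:
        _libc.shmctl(shmid, IPC_RMID, None)   # segment dies with the last detach


def madv_remove_errno_on_readonly_mapping():
    """Map a file opened O_RDONLY as MAP_SHARED/PROT_READ and try MADV_REMOVE.
    Returns 0 if madvise succeeded, otherwise the errno it set."""
    size = os.sysconf("SC_PAGE_SIZE")
    with tempfile.NamedTemporaryFile() as tmp:
        tmp.write(b"\0" * size)          # constructed content: one page of zeros
        tmp.flush()
        fd = os.open(tmp.name, os.O_RDONLY)
        try:
            m = mmap.mmap(fd, size, flags=mmap.MAP_SHARED, prot=mmap.PROT_READ)
            try:
                m.madvise(mmap.MADV_REMOVE)   # punching a hole is a write
                return 0
            except OSError as e:
                return e.errno
            finally:
                m.close()
        finally:
            os.close(fd)


def cve_2006_1524_fixed():
    """True only if both paths refuse write access the mapping never had."""
    return (mprotect_errno_after_shmat(SHM_RDONLY) == EACCES
            and madv_remove_errno_on_readonly_mapping() == EACCES)


if __name__ == "__main__":
    print("mprotect after read/write shmat:", mprotect_errno_after_shmat(0))
    print("mprotect after SHM_RDONLY shmat:", mprotect_errno_after_shmat(SHM_RDONLY))
    print("MADV_REMOVE on read-only shared map:", madv_remove_errno_on_readonly_mapping())
    print("fixed:", cve_2006_1524_fixed())
```

The read/write attachment is included as the control: mprotect must still succeed there, which is the compatibility concern the commit message raises about applications that attach read/write and toggle PROT_WRITE later. A kernel that returns 0 for the SHM_RDONLY case, or anything other than EACCES for MADV_REMOVE on the read-only mapping, lacks the corresponding fix.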
<entry>
<title>[PATCH] atm: clip causes unregister hang</title>
<updated>2006-04-17T20:16:06Z</updated>
<author>
<name>Stephen Hemminger</name>
<email>shemminger@osdl.org</email>
</author>
<published>2006-04-12T21:52:54Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=23e0ac040b8052729c32dfec78f751d82515e73e'/>
<id>urn:sha1:23e0ac040b8052729c32dfec78f751d82515e73e</id>
<content type='text'>
If Classical IP over ATM module is loaded, its neighbor table gets
populated when permanent neighbor entries are created; but these entries
are not flushed when the device is removed. Since the entry never gets
flushed the unregister of the network device never completes.

This version of the patch also adds locking around the reference to
the atm arp daemon to avoid races with events and daemon state changes.
(Note: barrier() was never really safe)

Bug-reference: http://bugzilla.kernel.org/show_bug.cgi?id=6295

Signed-off-by: Stephen Hemminger &lt;shemminger@osdl.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
<entry>
<title>[PATCH] fix non-leader exec under ptrace</title>
<updated>2006-04-17T20:16:06Z</updated>
<author>
<name>Roland McGrath</name>
<email>roland@redhat.com</email>
</author>
<published>2006-04-12T23:30:20Z</published>
<link rel='alternate' type='text/html' href='https://git.stealer.net/cgit.cgi/user/sven/linux.git/commit/?id=18b1e8193eef97f3ac854276a7c4bacbb1bdfbd1'/>
<id>urn:sha1:18b1e8193eef97f3ac854276a7c4bacbb1bdfbd1</id>
<content type='text'>
This reverts most of commit 30e0fca6c1d7d26f3f2daa4dd2b12c51dadc778a.
It broke the case of non-leader MT exec when ptraced.
I think the bug it was intended to fix was already addressed by commit
788e05a67c343fa22f2ae1d3ca264e7f15c25eaf.

Signed-off-by: Roland McGrath &lt;roland@redhat.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@suse.de&gt;
</content>
</entry>
</feed>
