
linux-2.4.36: List of commits

2.4.36-stable kernel tree

Rev. Time Author
ba89d5a 2008-02-11 06:54:44 Willy Tarreau

i386: fix setCx86/getCx86 race in macros

Because of the way the setCx86 macro is defined, a call to
setCx86(XXXX, getCx86(XXXX)) will produce the wrong output sequence.
This affects at least one place in arch/i386/kernel/setup.c :

/* Enable MMX extensions (App note 108) */
setCx86(CX86_CCR7, getCx86(CX86_CCR7)|1);

A correct solution consists in passing the value argument via a
temporary variable. 2.6 has a different fix using inline functions,
which produce equivalent code though.

Signed-off-by: Willy Tarreau <w@1wt.eu>
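
The port sequence the commit describes, as an added example that is not part of the kernel tree or of this commit. It assumes the 2.4-style macro shapes (getCx86 as a statement expression writing the index to port 0x22 and reading port 0x23, setCx86 as a do/while block writing 0x22 then 0x23); the port model, the access log and the CX86_CCR7 value are constructed for the demonstration, and real hardware is not touched.

```c
/* Added example: log the I/O port accesses produced by the nested
 * setCx86(reg, getCx86(reg) | 1) pattern versus the temporary-variable fix.
 * Macro shapes are assumed to follow the 2.4 i386 definitions. */
#include <stdio.h>
#include <string.h>

#define CX86_CCR7 0xeb          /* register index assumed for illustration */

/* Constructed port model: every access is appended to a log string. */
static char access_log[128];

static void log_access(char kind, unsigned port)
{
    size_t used = strlen(access_log);
    snprintf(access_log + used, sizeof access_log - used,
             "%s%c%02x", used ? " " : "", kind, port);
}

static void sim_outb(unsigned char value, unsigned port)
{
    (void)value;
    log_access('W', port);
}

static unsigned char sim_inb(unsigned port)
{
    log_access('R', port);
    return 0x10;                /* constructed CCR7 contents */
}

/* Assumed macro shapes (2.4-style), pointed at the simulated ports. */
#define getCx86(reg) ({ sim_outb((reg), 0x22); sim_inb(0x23); })
#define setCx86(reg, data) do { sim_outb((reg), 0x22); sim_outb((data), 0x23); } while (0)

/* The pattern the commit warns about: the getCx86() expansion is evaluated
 * as the second argument of setCx86(), i.e. after the first index write,
 * so the data write to 0x23 is no longer paired with its own index write. */
const char *buggy_sequence(void)
{
    access_log[0] = '\0';
    setCx86(CX86_CCR7, getCx86(CX86_CCR7) | 1);
    return access_log;
}

/* The fix the commit describes: read into a temporary first. */
const char *fixed_sequence(void)
{
    unsigned char tmp;

    access_log[0] = '\0';
    tmp = getCx86(CX86_CCR7);
    setCx86(CX86_CCR7, tmp | 1);
    return access_log;
}

int main(void)
{
    printf("nested call: %s\n", buggy_sequence());
    printf("temporary:   %s\n", fixed_sequence());
    return 0;
}
```

The nested call yields W22 W22 R23 W23 (two index writes back to back, then the data write unpaired), while the temporary gives W22 R23 W22 W23, one index write before each data access.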

1994e10 2008-02-07 13:54:21 dann frazier

2.4: USB: fix DoS in pwc USB video driver

This is a 2.4 backport of a linux-2.6 change by Oliver Neukum.
(commit 85237f202d46d55c1bffe0c5b1aa3ddc0f1dce4d)

CVE-2007-5093 was assigned for this issue.
This backport has been compile-tested only.

Commit log from 2.6 follows.

The pwc driver has a disconnect method that waits for user space to
close the device. This opens up an opportunity for a DoS attack,
blocking the USB subsystem and making khubd's task busy wait in
kernel space. This patch shifts freeing resources to close if an opened
device is disconnected.

Signed-off-by: dann frazier <dannf@hp.com>

c6cd2bb 2008-02-06 04:32:56 dann frazier

2.4: [SCSI] aacraid: Fix security hole

This is a 2.4 backport of a linux-2.6 change by Alan Cox.
(commit 60395bb60e0b5e4e0808ac8eb07a92f6c9cdea1f)

It has been build-tested only (I don't have the hardware).
CVE-2007-4308 was assigned for this issue.

Commit log from 2.6 follows.

On the SCSI layer ioctl path there is no implicit permissions check for
ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
however allows all sorts of very admin only things to be done so should

f654703 2008-02-04 00:37:46 dann frazier

2.4: fix memory corruption from misinterpreted bad_inode_ops return values

This is a 2.4 backport of a linux-2.6 change by Eric Sandeen
(commit be6aab0e9fa6d3c6d75aa1e38ac972d8b4ee82b8)

CVE-2006-5753 was assigned for this issue.

I've built and boot-tested this, but I'm not sure how to exercise
these codepaths.

Commit log from 2.6 follows.

CVE-2006-5753 is for a case where an inode can be marked bad, switching
the ops to bad_inode_ops, which are all connected as:

static int return_EIO(void)
{
	return -EIO;
}

#define EIO_ERROR ((void *) (return_EIO))

static struct inode_operations bad_inode_ops =
{
	.create		= bad_inode_create
...

The problem here is that the void cast causes return types to not be
promoted, and for ops such as listxattr which expect more than 32 bits of
return value, the 32-bit -EIO is interpreted as a large positive 64-bit
number, i.e. 0x00000000fffffffa instead of 0xfffffffa.

This goes particularly badly when the return value is taken as a number of
bytes to copy into, say, a user's buffer for example...

I originally had coded up the fix by creating a return_EIO_<TYPE> macro
for each return type, like this:

static int return_EIO_int(void)
{
	return -EIO;
}
#define EIO_ERROR_INT ((void *) (return_EIO_int))

static struct inode_operations bad_inode_ops =
{
	.create		= EIO_ERROR_INT,
...

but Al felt that it was probably better to create an EIO-returner for each
actual op signature. Since so few ops share a signature, I just went ahead
& created an EIO function for each individual file & inode op that returns
a value.

Signed-off-by: dann frazier <dannf@hp.com>
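
The misinterpretation the commit describes, as an added example that is not kernel code and not part of this backport. It mirrors the quoted shape (one int-returning EIO function cast through void *) against a stand-in op table whose listxattr slot returns ssize_t, beside a correctly typed returner as the fix uses. Calling a function through a pointer of the wrong type is undefined behaviour; the value shown is what the x86-64 and AArch64 calling conventions produce, where a 32-bit return leaves the upper half of the return register clear. The struct, function and helper names are made up for the demonstration.

```c
/* Added example: a 32-bit -EIO read back through an ssize_t-returning
 * function pointer on an LP64 machine looks like a large positive count.
 * Undefined behaviour by the C standard; ABI-dependent result. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* The shape quoted in the commit: one untyped returner for every op. */
static int return_EIO(void)
{
	return -EIO;
}
#define EIO_ERROR ((void *) (return_EIO))

/* The fix's approach: a returner with the op's actual signature
 * (name assumed for illustration). */
static ssize_t return_EIO_ssize_t(void)
{
	return -EIO;
}

/* Minimal stand-in for the op table; listxattr reports a byte count. */
struct demo_inode_ops {
	ssize_t (*listxattr)(void);
};

static long call_listxattr(int use_fix)
{
	struct demo_inode_ops ops;
	/* Loaded through a volatile so the compiler cannot see the target,
	 * fold the indirect call into a direct one and silently widen it. */
	ssize_t (*volatile fn)(void);

	ops.listxattr = use_fix ? return_EIO_ssize_t
				: (ssize_t (*)(void)) EIO_ERROR;
	fn = ops.listxattr;
	return (long) fn();
}

/* What a caller sees from the untyped cast: on LP64 the 32-bit -EIO comes
 * back as 0x00000000fffffffb, i.e. a positive byte count. */
long buggy_listxattr_result(void)
{
	return call_listxattr(0);
}

/* What the typed returner yields: a proper negative errno. */
long fixed_listxattr_result(void)
{
	return call_listxattr(1);
}

/* The check a caller would apply before using the value as a copy length. */
int looks_like_byte_count(long ret)
{
	return ret >= 0;
}

int main(void)
{
	printf("cast through void*: %ld (byte count? %d)\n",
	       buggy_listxattr_result(),
	       looks_like_byte_count(buggy_listxattr_result()));
	printf("typed returner:     %ld (byte count? %d)\n",
	       fixed_listxattr_result(),
	       looks_like_byte_count(fixed_listxattr_result()));
	return 0;
}
```

On a 64-bit build the first line reports a count of several gigabytes that a copy loop would happily try to honour; the typed returner reports -5, which the caller rejects.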

f1e9813 2008-02-04 00:37:46 dann frazier

memory leak when socket is release()d before PPPIOCGCHAN has been called on it

This is a 2.4 backport of a linux-2.6 change by Florian Zumbiehl.
(commit 202a03acf9994076055df40ae093a5c5474ad0bd)

CVE-2007-2525 was assigned for this issue - compile-tested only.

Commit log from 2.6 follows.

Below you find a patch that fixes a memory leak when a PPPoE socket is
release()d after it has been connect()ed, but before the PPPIOCGCHAN ioctl
ever has been called on it.

This is somewhat of a security problem, too, since PPPoE sockets can be
created by any user, so any user can easily allocate all the machine's
RAM to non-swappable address space and thus DoS the system.

Is there any specific reason for PPPoE sockets being available to any
unprivileged process, BTW? After all, you need a packet socket for the
discovery stage anyway, so it's unlikely that any unprivileged process
will ever need to create a PPPoE socket, no? Allocating all session IDs
for a known AC is a kind of DoS, too, after all - with Juniper ERXes,
this is really easy, actually, since they don't ever assign session ids
above 8000 ...

38d832a 2008-02-04 00:37:46 dann frazier

ext2: skip pages past number of blocks in ext2_find_entry

This is a 2.4 backport of a linux-2.6 change by Eric Sandeen
(commit d8adb9cef7e406a9a82881695097c702bc98422f)

CVE-2006-6054 was assigned for this issue, which is easily reproducible in 2.4.
However, this changeset alone does not resolve the issue for 2.4 - two earlier
backports for ext2_readdir() are required.

Commit log from 2.6 follows.

[PATCH] ext2: skip pages past number of blocks in ext2_find_entry

This one was pointed out on the MOKB site:

If a directory's i_size is corrupted, ext2_find_entry() will keep
processing pages until the i_size is reached, even if there are no more
blocks associated with the directory inode. This patch puts in some
minimal sanity-checking so that we don't keep checking pages (and issuing
errors) if we know there can be no more data to read, based on the block
count of the directory inode.

This is somewhat similar in approach to the ext3 patch I sent earlier this

Signed-off-by: dann frazier <dannf@hp.com>

8be8243 2008-02-04 00:37:45 dann frazier

avoid semi-infinite loop when mounting bad ext2

This is a 2.4 backport of a linux-2.6 change by Andries Brouwer
(old-2.6-bkcvs commit c279c5343b1796bf1db4c0b4af2c99479a6575fe)

Commit log from 2.6 follows.

The routine ext2_readdir() will, when reading a directory page
returns an error, try the next page, without reporting the
error to user space. That is bad, and the patch below changes that.

In my case the filesystem was damaged, and ext2_readdir wanted
to read 60000+ pages and wrote as many error messages to syslog
("attempt to access beyond end"), not what one wants.

[no doubt a similar patch is appropriate for ext3]

Signed-off-by: dann frazier <dannf@hp.com>

c30306f 2008-02-04 00:37:45 dann frazier

ext2_readdir() filp->f_pos fix

This is a 2.4 backport of a linux-2.6 change by Jan Blunck
(old-2.6-bkcvs commit 2196b4744393d4f6c06fc4d63b98556d05b90933)

Commit log from 2.6 follows.

[PATCH] ext2_readdir() filp->f_pos fix

If the whole directory is read, ext2_readdir() sets the f_pos to a multiple
of the page size (because of the conditions of the outer for loop). This
sets the wrong f_pos for directory inodes on ext2 partitions with a block
size differing from the page size.

Signed-off-by: dann frazier <dannf@hp.com>

ba8bc43 2008-02-04 00:35:55 Willy Tarreau

Do not complain about gcc 4.2 for user-space

Some user-space include compiler.h, so do not disable gcc 4.2
if __KERNEL__ is not defined.

Problem reported and fix confirmed by Gabor Z. Papp :
gcc -Wp,-MT,syslinux.o,-MMD,.syslinux.o.d -W -Wall -D_FILE_OFFSET_BITS=64 -g -Os -I. -I.. -I../libinstaller -c -o syslinux.o syslinux.c
In file included from /usr/include/asm/byteorder.h:5,
from /usr/include/linux/msdos_fs.h:11,
from syslinux.c:51:
/usr/include/linux/compiler.h:45:2: error: #error "GCC >= 4.2 miscompiles kernel 2.4, do not use it!"
/usr/include/linux/compiler.h:46:2: error: #error "While the resulting kernel may boot, you will encounter random bugs"
/usr/include/linux/compiler.h:47:2: error: #error "at runtime. Only versions 2.95.3 to 4.1 are known to work reliably."
/usr/include/linux/compiler.h:48:2: error: #error "To build with another version, for instance 3.3, please do"
/usr/include/linux/compiler.h:49:2: error: #error " make bzImage CC=gcc-3.3 "
make[1]: *** [syslinux.o] Error 1

After patching compiler.h, compile was fine.

Signed-off-by: Willy Tarreau <w@1wt.eu>

89daf14 2008-01-01 21:06:40 Willy Tarreau

Change VERSION to 2.4.36

f8c8846 2007-12-17 08:16:40 Willy Tarreau

Change VERSION to 2.4.36-rc1

- net/ipv4/arp.c: Fix arp reply when sender ip 0
- fix arch/i386/config.in to be able to boot on 386
- usb: Move linux-usb-devel
- GCC >= 4.2 miscompiles the kernel
- prevent do_brk() from allocating below mmap_min_addr
- fix build of ia32entry.S on x86_64
- vfs: coredumping fix
- isdn: avoid copying overly-long strings
- prevent SIGCONT from waking up a PTRACED process (CVE-2007-4774)
- isdn: fix isdn_ioctl memory overrun vulnerability

eb0a063 2007-12-17 08:11:53 Willy Tarreau

[PATCH] isdn: fix isdn_ioctl memory overrun vulnerability

Backport of 2.6 commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a by Karsten Keil

I4L: fix isdn_ioctl memory overrun vulnerability

Fix possible memory overrun issue in the isdn ioctl code.

Found by ADLAB <adlab@venustech.com.cn>

Signed-off-by: Karsten Keil <kkeil@suse.de>
Cc: ADLAB <adlab@venustech.com.cn>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: Willy Tarreau <w@1wt.eu>

bdcb9a9 2007-12-17 08:06:51 Willy Tarreau

[PATCH] prevent SIGCONT from waking up a PTRACED process (CVE-2007-4774)

Tavis Ormandy discovered that it was possible to bypass systrace policies
by flooding the ptraced process with SIGCONT signals. The same is possible
with SIGKILL, but obviously the attacker has to finely adjust its target
as it can only shoot once.

This issue was assigned identifier CVE-2007-4774.

The following patch fixes the SIGCONT case and adds some documentation for
authors of monitoring programs such as systrace.

Signed-off-by: Willy Tarreau <w@1wt.eu>
Acked-by: Tavis Ormandy <taviso@sdf.lonestar.org>

f76d36d 2007-12-10 15:18:34 Willy Tarreau

[PATCH] isdn: avoid copying overly-long strings

Backport of 2.6 commit 0f13864e5b24d9cbe18d125d41bfa4b726a82e40 by Karsten Keil

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416

Signed-off-by: Willy Tarreau <w@1wt.eu>

62b548a 2007-12-10 15:01:53 Willy Tarreau

[PATCH] vfs: coredumping fix

Backport of 2.6 commit c46f739dd39db3b07ab5deb4e3ec81e1c04a91af by Ingo Molnar.

fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043

only allow coredumping to the same uid that the coredumping
task runs under.

Signed-off-by: Willy Tarreau <w@1wt.eu>

01de636 2007-12-10 03:38:53 Willy Tarreau

[PATCH] fix build of ia32entry.S on x86_64

Krzysztof Strasburger reported the following problem.
Commit 7e6ba255062b79f2cf34590ac0987abb335d29f1 broke build
of arch/x86_64/ia32/ia32entry.S with the following message :

ia32entry.S: Assembler messages:
ia32entry.S:76: Error: Incorrect register `%rax' used with `l' suffix

Solution is simply to replace cmpl with cmpq to fix the register problem.

Signed-off-by: Willy Tarreau <w@1wt.eu>

a2cbc5d 2007-12-10 03:28:54 Krzysztof Strasburger

[PATCH] fix arch/i386/config.in to be able to boot on 386

I tried to run 2.4 on a really old machine with 386 processor, only to find
that the kernel does not boot, claiming that TSC is needed. It seems that
nobody (except me, of course) uses 386, as the bug in the config
script arch/i386/config.in, leading to CONFIG_X86_TSC enabled for 386,
seems to be very old and never noticed.

69a1b88 2007-12-10 03:14:03 Willy Tarreau

[PATCH] prevent do_brk() from allocating below mmap_min_addr

This is the 2.4 equivalent of the following 2.6 patch by Eric Paris :

Given a specifically crafted binary do_brk() can be used to get low
pages available in userspace virtually memory and can thus be used to
circumvent the mmap_min_addr low memory protection. Add security checks
in do_brk().

Signed-off-by: Willy Tarreau <w@1wt.eu>

d5d88bb 2007-12-10 01:26:13 Willy Tarreau

[PATCH] GCC >= 4.2 miscompiles the kernel

Add a check for GCC >= 4.2 and refuse to use it. It miscompiles
kernel 2.4 in a very nasty way, and it's hard to identify faulty

15004be 2007-12-08 19:39:03 Jonas Danielsson

[PATCH] net/ipv4/arp.c: Fix arp reply when sender ip 0

Fix arp reply when received arp probe with sender ip 0.

Send arp reply with target ip address and target hardware address
set to hardware address of requester. Previously sent reply with target
ip address and target hardware address set to same as source fields.

Signed-off-by: Jonas Danielsson <the.sator@gmail.com>
Acked-by: Alexey Kuznetov <kuznet@ms2.inr.ac.ru>

ad4b96b 2007-12-08 19:37:06 Pete Zaitcev

usb: Move linux-usb-devel

Update documentation to reflect the new home of linux-usb list.
I did not try to fix any fiction accumulated (except taking over
printer from Vojtech). There is too much, so I only moved the list.

The patch was originally written by Steve Bangert.

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>

b191af7 2007-11-18 04:27:03 Willy Tarreau

Change VERSION to 2.4.36-pre2

- x86_64: Make sure to validate all 64bits of ptrace information
- fix missing MODULE_LICENSE in some drivers
- fix unresolved symbols on alpha
- corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
- Bridge STP timer fixes
- sym53c8xx_2 SMP deadlock on driver load
- ATM: avoid kernel panic upon access to /proc/net/atm/arp
- PPP: fix crash using usb-serial on high speed devices
- [OpenPROM]: Fix signedness bug in openprom char driver
- [OpenPROM]: Fix user-access checking bugs in openpromfs
- [OpenPROM] Prevent overflow of sprintf buffer
- [OpenPROM] Prevent unsigned roll-overs in
- IDE: enable support for JMicron 20363
- IDE: enable PATA UDMA support for ICH7

2cc1ccf 2007-11-12 03:02:39 ivaylo@bglans.net

[PATCH] IDE: enable PATA UDMA support for ICH7

I have ASUS P5LD2-VM mobo with Intel ICH7 PATA IDE. It works only
in PIO mode, so I changed piix driver in 2.4.35 to support UDMA modes -
patch is below.

I'm a little bit confused about the specifications of ICH7 PATA, from ASUS
say it is UDMA 100, but from Intel and in 2.6.XX kernel tree it is as UDMA
133. My confusion became stronger and from bios ide SATA/PATA options of
my mobo.

Anyway, the patch works for me and it should work for all mobos with 945
chipset, but need to be tested. If there are any volunteers to apply patch
and test it will be good.

Please report the results and play around with mobo bios SATA/PATA IDE

Best Regards,
Ivaylo Josifov

f88c372 2007-11-12 02:54:12 ivaylo@bglans.net

[PATCH] IDE: enable support for JMicron 20363

I have ASUS P5B-VM DO mobo with JMicron SATA/PATA controller. I write mail
to Alan Cox and he told me that PATA part of JMicron controller can be
present as generic ide. So I make some changes to generic ide driver in
kernel 2.4.35 to be support JMicron PATA controller, but I'm not advanced
in C programming and not sure what I did is right. It works for me.

If there are any interest I send you (see below) changes.

Best Regards.
Ivaylo Josifov

bf45d0b 2007-11-12 02:44:09 Moritz Muehlenhoff

[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)

From http://projects.info-pull.com/mokb/MOKB-07-11-2006.html :

| The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a
| denial of service (crash) via a malformed filesystem that uses zlib
| compression that triggers memory corruption, as demonstrated using cramfs.

We could reproduce this with 2.4.27, since there aren't any changes to git
for cramfs since initial import this is likely unfixed in 2.4.35 too.
2.6 patch below.

| Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
| fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
| Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
| is an unchecked corrupted block length field read by cramfs_readpage().
| This patch adds a sanity check to cramfs_readpage() which checks that the
| block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
| intentional, even though the uncompressed data is not going to be larger
| than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
| the original source data. Mkcramfs checks that the compressed size is
| always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
| use the original uncompressed data in this case, but it doesn't.
| Signed-off-by: Phillip Lougher <phillip@lougher.org.uk>
| Signed-off-by: Andrew Morton <akpm@osdl.org>
| Signed-off-by: Linus Torvalds <torvalds@osdl.org>
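
The block-length sanity check the quoted patch description refers to, as an added example that is not kernel code and not the patch itself. It assumes the cramfs layout as read by cramfs_readpage (a per-file table of little-endian u32 block end pointers, followed by the compressed blocks, so block i runs from the end of block i-1, or from the end of the table for i == 0, to pointer i) and a 4 KiB PAGE_CACHE_SIZE. The image bytes are constructed, and the final bounds check against the image length goes beyond the quoted fix.

```c
/* Added example: compute the compressed extent of a cramfs data block and
 * apply the (PAGE_CACHE_SIZE << 1) sanity check on its length, so a
 * corrupted block pointer is rejected before any decompression. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_CACHE_SIZE 4096u		/* assumed page size */

enum blk_status { BLK_HOLE = 0, BLK_OK = 1, BLK_BAD_LEN = 2, BLK_OUT_OF_IMAGE = 3 };

static int read_le32(const uint8_t *img, size_t img_len, uint32_t off, uint32_t *out)
{
	if (off > img_len || img_len - off < 4)
		return -1;
	*out = (uint32_t)img[off] | (uint32_t)img[off + 1] << 8 |
	       (uint32_t)img[off + 2] << 16 | (uint32_t)img[off + 3] << 24;
	return 0;
}

/* inode_off: offset of the file's block pointer table; maxblock: number of
 * blocks the file has according to its size; index: page being read. */
enum blk_status cramfs_block_extent(const uint8_t *img, size_t img_len,
				    uint32_t inode_off, uint32_t maxblock,
				    uint32_t index, uint32_t *start,
				    uint32_t *compr_len)
{
	uint32_t blkptr_off = inode_off + index * 4;
	uint32_t s = inode_off + maxblock * 4;	/* block 0 follows the table */
	uint32_t e;

	if (index >= maxblock)
		return BLK_OUT_OF_IMAGE;
	if (index && read_le32(img, img_len, blkptr_off - 4, &s))
		return BLK_OUT_OF_IMAGE;
	if (read_le32(img, img_len, blkptr_off, &e))
		return BLK_OUT_OF_IMAGE;

	*start = s;
	*compr_len = e - s;	/* unsigned: a pointer below its start wraps huge */
	if (*compr_len == 0)
		return BLK_HOLE;
	/* The fix's check: gzip may expand data slightly, never to twice a page. */
	if (*compr_len > (PAGE_CACHE_SIZE << 1))
		return BLK_BAD_LEN;
	/* Extra: the block must also lie inside the image (not in the quoted fix). */
	if (s > img_len || img_len - s < *compr_len)
		return BLK_OUT_OF_IMAGE;
	return BLK_OK;
}

/* Constructed image: a 3-block file at offset 0; block 0 is 100 bytes,
 * block 1 is a hole, block 2 claims 9000 compressed bytes (> 8192). */
#define SAMPLE_BLOCKS 3
#define SAMPLE_LEN (SAMPLE_BLOCKS * 4 + 100 + 9000)
static uint8_t sample_image[SAMPLE_LEN];

static void put_le32(uint8_t *p, uint32_t v)
{
	p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

static void build_sample_image(uint8_t *img)
{
	memset(img, 0xaa, SAMPLE_LEN);
	put_le32(img + 0, 12 + 100);		/* end of block 0 */
	put_le32(img + 4, 112);			/* block 1: zero length */
	put_le32(img + 8, 112 + 9000);		/* block 2: oversized */
}

enum blk_status sample_block_status(uint32_t index)
{
	uint32_t s, l;
	build_sample_image(sample_image);
	return cramfs_block_extent(sample_image, SAMPLE_LEN, 0, SAMPLE_BLOCKS,
				   index, &s, &l);
}

/* Corrupt pointer 2 so it points before its own start; the unsigned
 * subtraction wraps and the length check catches it. */
enum blk_status corrupted_block_status(void)
{
	uint8_t img[SAMPLE_LEN];
	uint32_t s, l;
	build_sample_image(img);
	put_le32(img + 8, 50);
	return cramfs_block_extent(img, SAMPLE_LEN, 0, SAMPLE_BLOCKS, 2, &s, &l);
}

int main(void)
{
	for (uint32_t i = 0; i < SAMPLE_BLOCKS; i++)
		printf("block %u: status %d\n", i, sample_block_status(i));
	printf("corrupted pointer: status %d\n", corrupted_block_status());
	return 0;
}
```

Block 0 passes, block 1 is reported as a hole, and both the oversized block and the backwards pointer are refused with BLK_BAD_LEN before any buffer is sized from the corrupt length.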

5031521 2007-11-12 02:44:05 Willy Tarreau

[PATCH] PPP: fix crash using usb-serial on high speed devices

Problem discussed here and reported and tracked by Gilles Espinasse :

Patch and description provided by David W Studeman :
"...This patch prevents the kernel from crashing during uploads with
some 3G devices. On my XU870, certain irc rooms would cause my machine
to crash and reboot. This also happened with the Nozomi drivers and
the Option GT Max when uploading torrents. Neither happen anymore with
the ppp_async patched driver."

On linux-ppp, James Cameron confirmed to Gilles that the patch fixes
the hangs problem for him :

ee731f5 2007-11-12 02:44:01 Tony Battersby

[PATCH] sym53c8xx_2 SMP deadlock on driver load

This patch fixes two problems with sym53c8xx_2.o in 2.4.x kernels:

1) A system hang when loading sym53c8xx_2.o on a SMP system with two
dual-channel LSI HBAs (http://bugzilla.kernel.org/show_bug.cgi?id=3680)

2) A function improperly marked __init.

Comment from Matthew Wilcox:
" This is a pretty ugly patch, but I think the three alternatives are

- Drop the iorl at the beginning of ->detect and reacquire it at exit.
We don't know what else the iorl might be protecting. Probably
nothing, but I don't want to audit it.
- Convert sym2 back to old error handling so the midlayer doesn't
acquire the iorl for us in ->detect.
- Acquire the iorl in ->release. We might deadlock on something.

So, sure, apply this patch. "

Signed-off-by: Tony Battersby <tonyb@cybernetics.com>

6108030 2007-11-12 02:43:57 Gilles Espinasse

[PATCH] fix unresolved symbols on alpha

When compiling the out-of-tree e100 driver, some unresolved symbols
errors happened due to the fact that asm-alpha/pci.h does not include
asm/io.h, contrary to most other archs.

This trivial patch fixes the problem.

91ba06f 2007-11-12 02:43:51 Franck Bourdonnec

[PATCH] fix missing MODULE_LICENSE in some drivers

I was looking at our installer output (IPCop) and saw
module 3C523 tainting kernel.

Looking at the source (drivers/net/3C523.c) it is gpl
source and it misses then

Reading that this source '3c523.c' is based on 'ni52.c' a
look inside 'ni52.c' shows the MODULE_LICENSE....
but not inside the correct #ifdef module ..... #endif

Here come fixes for other missing GPL entries in drivers/net
when GPL was indicated somewhere.

090a4d5 2007-11-12 02:43:45 dann frazier

[PATCH 4/4] [OpenPROM] Prevent unsigned roll-overs in

These overflow fixes were originally submitted to 2.5 by Dave Miller:

Signed-off-by: dann frazier <dannf@hp.com>
