From: Greg Kroah-Hartman Date: Mon, 17 Apr 2006 21:12:50 +0000 (-0700) Subject: 2.6.16.6 release X-Git-Tag: v2.6.16.6^0 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d19b285a6520c53e9e91be1fbdfac2f409684c3e;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.16.6 release --- diff --git a/review-2.6.16/CIFS-Incorrect-signature-sent-on-SMB-Read.patch b/2.6.16.6/CIFS-Incorrect-signature-sent-on-SMB-Read.patch similarity index 100% rename from review-2.6.16/CIFS-Incorrect-signature-sent-on-SMB-Read.patch rename to 2.6.16.6/CIFS-Incorrect-signature-sent-on-SMB-Read.patch diff --git a/review-2.6.16/Fix-suspend-with-traced-tasks.patch b/2.6.16.6/Fix-suspend-with-traced-tasks.patch similarity index 100% rename from review-2.6.16/Fix-suspend-with-traced-tasks.patch rename to 2.6.16.6/Fix-suspend-with-traced-tasks.patch diff --git a/review-2.6.16/RLIMIT_CPU-fix-handling-of-a-zero-limit.patch b/2.6.16.6/RLIMIT_CPU-fix-handling-of-a-zero-limit.patch similarity index 100% rename from review-2.6.16/RLIMIT_CPU-fix-handling-of-a-zero-limit.patch rename to 2.6.16.6/RLIMIT_CPU-fix-handling-of-a-zero-limit.patch diff --git a/review-2.6.16/XFS-Fix-utime-2-in-the-case-that-no-times-parameter-was-passed-in.patch b/2.6.16.6/XFS-Fix-utime-2-in-the-case-that-no-times-parameter-was-passed-in.patch similarity index 100% rename from review-2.6.16/XFS-Fix-utime-2-in-the-case-that-no-times-parameter-was-passed-in.patch rename to 2.6.16.6/XFS-Fix-utime-2-in-the-case-that-no-times-parameter-was-passed-in.patch diff --git a/review-2.6.16/alpha-smp-boot-fixes.patch b/2.6.16.6/alpha-smp-boot-fixes.patch similarity index 100% rename from review-2.6.16/alpha-smp-boot-fixes.patch rename to 2.6.16.6/alpha-smp-boot-fixes.patch diff --git a/review-2.6.16/atm-clip-causes-unregister-hang.patch b/2.6.16.6/atm-clip-causes-unregister-hang.patch similarity index 100% rename from review-2.6.16/atm-clip-causes-unregister-hang.patch rename to 2.6.16.6/atm-clip-causes-unregister-hang.patch 
diff --git a/review-2.6.16/cciss-bug-fix-for-crash-when-running-hpacucli.patch b/2.6.16.6/cciss-bug-fix-for-crash-when-running-hpacucli.patch similarity index 100% rename from review-2.6.16/cciss-bug-fix-for-crash-when-running-hpacucli.patch rename to 2.6.16.6/cciss-bug-fix-for-crash-when-running-hpacucli.patch diff --git a/review-2.6.16/edac_752x-needs-config_hotplug.patch b/2.6.16.6/edac_752x-needs-config_hotplug.patch similarity index 100% rename from review-2.6.16/edac_752x-needs-config_hotplug.patch rename to 2.6.16.6/edac_752x-needs-config_hotplug.patch diff --git a/review-2.6.16/ext3-fix-missed-mutex-unlock.patch b/2.6.16.6/ext3-fix-missed-mutex-unlock.patch similarity index 100% rename from review-2.6.16/ext3-fix-missed-mutex-unlock.patch rename to 2.6.16.6/ext3-fix-missed-mutex-unlock.patch diff --git a/review-2.6.16/fix-block-device-symlink-name.patch b/2.6.16.6/fix-block-device-symlink-name.patch similarity index 100% rename from review-2.6.16/fix-block-device-symlink-name.patch rename to 2.6.16.6/fix-block-device-symlink-name.patch diff --git a/review-2.6.16/fix-buddy-list-race-that-could-lead-to-page-lru-list-corruptions.patch b/2.6.16.6/fix-buddy-list-race-that-could-lead-to-page-lru-list-corruptions.patch similarity index 100% rename from review-2.6.16/fix-buddy-list-race-that-could-lead-to-page-lru-list-corruptions.patch rename to 2.6.16.6/fix-buddy-list-race-that-could-lead-to-page-lru-list-corruptions.patch diff --git a/review-2.6.16/fix-non-leader-exec-under-ptrace.patch b/2.6.16.6/fix-non-leader-exec-under-ptrace.patch similarity index 100% rename from review-2.6.16/fix-non-leader-exec-under-ptrace.patch rename to 2.6.16.6/fix-non-leader-exec-under-ptrace.patch diff --git a/review-2.6.16/fuse-fix-oops-in-fuse_send_readpages.patch b/2.6.16.6/fuse-fix-oops-in-fuse_send_readpages.patch similarity index 100% rename from review-2.6.16/fuse-fix-oops-in-fuse_send_readpages.patch rename to 2.6.16.6/fuse-fix-oops-in-fuse_send_readpages.patch 
diff --git a/review-2.6.16/isd200-limit-to-blk_dev_ide.patch b/2.6.16.6/isd200-limit-to-blk_dev_ide.patch similarity index 100% rename from review-2.6.16/isd200-limit-to-blk_dev_ide.patch rename to 2.6.16.6/isd200-limit-to-blk_dev_ide.patch diff --git a/review-2.6.16/m32r-fix-cpu_possible_map-and-cpu_present_map-initialization-for-smp-kernel.patch b/2.6.16.6/m32r-fix-cpu_possible_map-and-cpu_present_map-initialization-for-smp-kernel.patch similarity index 100% rename from review-2.6.16/m32r-fix-cpu_possible_map-and-cpu_present_map-initialization-for-smp-kernel.patch rename to 2.6.16.6/m32r-fix-cpu_possible_map-and-cpu_present_map-initialization-for-smp-kernel.patch diff --git a/review-2.6.16/m32r-security-fix-of-get-put-_user-macros.patch b/2.6.16.6/m32r-security-fix-of-get-put-_user-macros.patch similarity index 100% rename from review-2.6.16/m32r-security-fix-of-get-put-_user-macros.patch rename to 2.6.16.6/m32r-security-fix-of-get-put-_user-macros.patch diff --git a/review-2.6.16/mpbl0010-driver-sysfs-permissions-wide-open.patch b/2.6.16.6/mpbl0010-driver-sysfs-permissions-wide-open.patch similarity index 100% rename from review-2.6.16/mpbl0010-driver-sysfs-permissions-wide-open.patch rename to 2.6.16.6/mpbl0010-driver-sysfs-permissions-wide-open.patch diff --git a/review-2.6.16/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch b/2.6.16.6/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch similarity index 100% rename from review-2.6.16/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch rename to 2.6.16.6/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch 
diff --git a/review-2.6.16/powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch b/2.6.16.6/powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch similarity index 100% rename from review-2.6.16/powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch rename to 2.6.16.6/powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch diff --git a/review-2.6.16/powerpc-iseries-needs-slb_initialize-to-be-called.patch b/2.6.16.6/powerpc-iseries-needs-slb_initialize-to-be-called.patch similarity index 100% rename from review-2.6.16/powerpc-iseries-needs-slb_initialize-to-be-called.patch rename to 2.6.16.6/powerpc-iseries-needs-slb_initialize-to-be-called.patch diff --git a/review-2.6.16/send.mbox b/2.6.16.6/send.mbox similarity index 100% rename from review-2.6.16/send.mbox rename to 2.6.16.6/send.mbox diff --git a/review-2.6.16/series b/2.6.16.6/series similarity index 93% rename from review-2.6.16/series rename to 2.6.16.6/series index 0561b4b206c..1b6e9612b50 100644 --- a/review-2.6.16/series +++ b/2.6.16.6/series @@ -20,3 +20,4 @@ Fix-suspend-with-traced-tasks.patch usb-remove-__init-from-usb_console_setup.patch fix-non-leader-exec-under-ptrace.patch atm-clip-causes-unregister-hang.patch +shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch diff --git a/2.6.16.6/shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch b/2.6.16.6/shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch new file mode 100644 index 00000000000..7cfaf49a060 --- /dev/null +++ b/2.6.16.6/shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch 
@@ -0,0 +1,60 @@ +From akpm@osdl.org Wed Apr 12 14:32:33 2006 +Message-Id: <200604122132.k3CLW1Io021188@shell0.pdx.osdl.net> +Subject: shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) +To: greg@kroah.com +Cc: chrisw@sous-sol.org, akpm@osdl.org, hugh@veritas.com, stable@kernel.org +From: akpm@osdl.org +Date: Wed, 12 Apr 2006 14:34:27 -0700 + + +From: Hugh Dickins + +I found that all of 2.4 and 2.6 have been letting mprotect give write +permission to a readonly attachment of shared memory, whether or not IPC +would give the caller that permission. + +SUS says "The behaviour of this function [mprotect] is unspecified if the +mapping was not established by a call to mmap", but I don't think we can +interpret that as allowing it to subvert IPC permissions. + +I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and +the patch below reproduces that behaviour - mprotect cannot be used to add +write permission to a shared memory segment attached readonly. + +This patch is simple, and I'm sure it's what we should have done in 2.4.0: +if you want to go on to switch write permission on and off with mprotect, +just don't attach the segment readonly in the first place. + +However, we could have accumulated apps which attach readonly (even though +they would be permitted to attach read/write), and which subsequently use +mprotect to switch write permission on and off: it's not unreasonable. + +I was going to add a second ipcperms check in do_shmat, to check for +writable when readonly, and if not writable find_vma and clear VM_MAYWRITE. + But security_ipc_permission might do auditing, and it seems wrong to +report an attempt for write permission when there has been none. Or we +could flag the vma as SHM, note the shmid or shp in vm_private_data, and +then get mprotect to check. + +But the patch below is a lot simpler: I'd rather stick with it, if we can +convince ourselves somehow that it'll be safe. 
+ +Signed-off-by: Hugh Dickins +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- linux-2.6.16.5.orig/ipc/shm.c ++++ linux-2.6.16.5/ipc/shm.c +@@ -161,6 +161,8 @@ static int shm_mmap(struct file * file, + ret = shmem_mmap(file, vma); + if (ret == 0) { + vma->vm_ops = &shm_vm_ops; ++ if (!(vma->vm_flags & VM_WRITE)) ++ vma->vm_flags &= ~VM_MAYWRITE; + shm_inc(file->f_dentry->d_inode->i_ino); + } + diff --git a/review-2.6.16/sky2-bad-memory-reference-on-dual-port-cards.patch b/2.6.16.6/sky2-bad-memory-reference-on-dual-port-cards.patch similarity index 100% rename from review-2.6.16/sky2-bad-memory-reference-on-dual-port-cards.patch rename to 2.6.16.6/sky2-bad-memory-reference-on-dual-port-cards.patch diff --git a/review-2.6.16/usb-remove-__init-from-usb_console_setup.patch b/2.6.16.6/usb-remove-__init-from-usb_console_setup.patch similarity index 100% rename from review-2.6.16/usb-remove-__init-from-usb_console_setup.patch rename to 2.6.16.6/usb-remove-__init-from-usb_console_setup.patch
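Review bot: The series hunk appends shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch, and that patch arrives as a new file directly under 2.6.16.6/, while every other file in this commit is a 100% rename from review-2.6.16/. The commit subject says only "2.6.16.6 release". Suggest stating in the commit message that the release also adds the CVE-2006-1524 fix, so the one content change is visible in the log without reading the diff.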
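Review bot: In the ipc/shm.c hunk, the two lines added to shm_mmap() clear VM_MAYWRITE without a comment, and the reason is not recoverable from the code alone. Suggest a short comment above `if (!(vma->vm_flags & VM_WRITE))` saying that a segment attached readonly must not be made writable by a later mprotect. Note also that the test keys on VM_WRITE at mapping time, not on the caller's IPC permission, so a caller who would be permitted to attach read/write but attached readonly loses VM_MAYWRITE as well; the changelog acknowledges that such applications may exist, and it would help to say explicitly that this behaviour change is accepted for the stable release.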