From: Greg Kroah-Hartman Date: Tue, 11 Dec 2007 22:38:57 +0000 (-0800) Subject: another 2.6.23 patch X-Git-Tag: v2.6.23.10~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=00eaef350c054327ad3cd8736f1fefca22010a24;p=thirdparty%2Fkernel%2Fstable-queue.git another 2.6.23 patch --- diff --git a/queue-2.6.23/hrtimers-avoid-overflow-for-large-relative-timeouts.patch b/queue-2.6.23/hrtimers-avoid-overflow-for-large-relative-timeouts.patch new file mode 100644 index 00000000000..5e0f8adb8eb --- /dev/null +++ b/queue-2.6.23/hrtimers-avoid-overflow-for-large-relative-timeouts.patch 
@@ -0,0 +1,47 @@ +From 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 7 Dec 2007 19:16:17 +0100 +Subject: hrtimers: avoid overflow for large relative timeouts (CVE-2007-5966) + +From: Thomas Gleixner + +patch 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5 in mainline + +Relative hrtimers with a large timeout value might end up as negative +timer values, when the current time is added in hrtimer_start(). + +This in turn is causing the clockevents_set_next() function to set an +huge timeout and sleep for quite a long time when we have a clock +source which is capable of long sleeps like HPET. With PIT this almost +goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code +sorts this out in the next timer interrupt, so we never noticed that +problem which has been there since the first day of hrtimers. + +This bug became more apparent in 2.6.24 which activates HPET on more +hardware. + +Signed-off-by: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -826,6 +826,14 @@ hrtimer_start(struct hrtimer *timer, kti + #ifdef CONFIG_TIME_LOW_RES + tim = ktime_add(tim, base->resolution); + #endif ++ /* ++ * Careful here: User space might have asked for a ++ * very long sleep, so the add above might result in a ++ * negative number, which enqueues the timer in front ++ * of the queue. ++ */ ++ if (tim.tv64 < 0) ++ tim.tv64 = KTIME_MAX; + } + timer->expires = tim; + diff --git a/queue-2.6.23/series b/queue-2.6.23/series index c9fb3efdada..f60ca3a2e2c 100644 --- a/queue-2.6.23/series +++ b/queue-2.6.23/series @@ -13,3 +13,4 @@ tmpfs-restore-missing-clear_highpage.patch i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch forcedeth-new-mcp79-pci-ids.patch forcedeth-boot-delay-fix.patch +hrtimers-avoid-overflow-for-large-relative-timeouts.patch
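Review bot: In the kernel/hrtimer.c hunk, the `if (tim.tv64 < 0)` test runs after the additions and only looks at the sign of the result, so it cannot tell a sum that wrapped from one that is negative because the caller passed a large negative relative value. Both cases are clamped to KTIME_MAX, which turns a timeout that should already have expired into one that effectively never fires. Detecting the wrap after the fact also depends on the signed 64-bit add wrapping to a negative value. Consider checking before the add (or using a saturating-add helper) so that only a positive `tim` that would exceed KTIME_MAX is clamped. The new comment should also say that the clamp means "sleep as long as possible", since it currently explains only why the negative value is a problem. The placement after the CONFIG_TIME_LOW_RES `ktime_add(tim, base->resolution)` is right, as that add can wrap too, but "the add above" in the comment reads as if only one addition were covered.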