From: Greg Kroah-Hartman
Date: Fri, 16 Nov 2007 18:09:15 +0000 (-0800)
Subject: more 2.6.23 patches
X-Git-Tag: v2.6.23.8~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e599d3ecfe2340c2b5f74c4cceb0fb9725f9f52b;p=thirdparty%2Fkernel%2Fstable-queue.git
more 2.6.23 patches
---
diff --git a/queue-2.6.23/series b/queue-2.6.23/series
new file mode 100644
index 00000000000..e790b898907
--- /dev/null
+++ b/queue-2.6.23/series
@@ -0,0 +1,2 @@
+tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
+wait_task_stopped-check-p-exit_state-instead-of-task_traced.patch
diff --git a/queue-2.6.23/tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch b/queue-2.6.23/tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
new file mode 100644
index 00000000000..7afdc5251de
--- /dev/null
+++ b/queue-2.6.23/tcp-make-sure-write_queue_from-does-not-begin-with-null-ptr.patch
@@ -0,0 +1,45 @@
+From 96a2d41a3e495734b63bff4e5dd0112741b93b38 Mon Sep 17 00:00:00 2001
+From: Ilpo Järvinen
+Date: Wed, 14 Nov 2007 15:47:18 -0800
+Subject: TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)
+
+From: Ilpo Järvinen
+patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline.
+
+NULL ptr can be returned from tcp_write_queue_head to cached_skb
+and then assigned to skb if packets_out was zero. Without this,
+system is vulnerable to a carefully crafted ACKs which obviously
+is remotely triggerable.
+
+Besides, there's very little that needs to be done in sacktag
+if there weren't any packets outstanding, just skipping the rest
+doesn't hurt.
+
+Signed-off-by: Ilpo Järvinen
+Signed-off-by: David S. Miller
+
+---
+ net/ipv4/tcp_input.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -1012,6 +1012,9 @@ tcp_sacktag_write_queue(struct sock *sk,
+ if (before(TCP_SKB_CB(ack_skb)->ack_seq, prior_snd_una - tp->max_window))
+ return 0;
+ 
++ if (!tp->packets_out)
++ goto out;
++
+ /* SACK fastpath:
+ * if the only SACK change is the increase of the end_seq of
+ * the first block then only apply that SACK block
+@@ -1280,6 +1283,8 @@ tcp_sacktag_write_queue(struct sock *sk,
+ (!tp->frto_highmark || after(tp->snd_una, tp->frto_highmark)))
+ tcp_update_reordering(sk, ((tp->fackets_out + 1) - reord), 0);
+ 
++out:
++
+ #if FASTRETRANS_DEBUG > 0
+ BUG_TRAP((int)tp->sacked_out >= 0);
+ BUG_TRAP((int)tp->lost_out >= 0);
diff --git a/queue-2.6.23/wait_task_stopped-check-p-exit_state-instead-of-task_traced.patch b/queue-2.6.23/wait_task_stopped-check-p-exit_state-instead-of-task_traced.patch
new file mode 100644
index 00000000000..0bb354251ba
--- /dev/null
+++ b/queue-2.6.23/wait_task_stopped-check-p-exit_state-instead-of-task_traced.patch
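Review bot: The tcp_input.c patch file carries no `Signed-off-by: Greg Kroah-Hartman` trailer, while the wait_task_stopped patch queued in the same commit does; the stable maintainer's sign-off should be added after `Signed-off-by: David S. Miller` so both queued backports carry the same provenance trail. Separately, the new `out:` label is placed directly before `#if FASTRETRANS_DEBUG > 0` and the hunk shows nothing after `#endif`; a label must be followed by a statement, so confirm that the non-debug build still has one after the conditional block. The early `return 0` above and the new `goto out` take different exit paths, and whether the value returned at `out` is what callers expect when nothing is outstanding cannot be checked here, because the rest of tcp_sacktag_write_queue, including its return, lies outside the hunk.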
@@ -0,0 +1,40 @@
+From a3474224e6a01924be40a8255636ea5522c1023a Mon Sep 17 00:00:00 2001
+From: Roland McGrath
+Date: Tue, 13 Nov 2007 22:11:50 -0800
+Subject: wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)
+
+From: Roland McGrath
+
+patch a3474224e6a01924be40a8255636ea5522c1023a in mainline
+
+The original meaning of the old test (p->state > TASK_STOPPED) was
+"not dead", since it was before TASK_TRACED existed and before the
+state/exit_state split. It was a wrong correction in commit
+14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for
+TASK_TRACED instead. It should have been changed when TASK_TRACED
+was introducted and again when exit_state was introduced.
+
+Signed-off-by: Roland McGrath
+Cc: Oleg Nesterov
+Cc: Alexey Dobriyan
+Cc: Kees Cook
+Acked-by: Scott James Remnant
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/exit.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/exit.c
++++ b/kernel/exit.c
+@@ -1362,8 +1362,7 @@ static int wait_task_stopped(struct task
+ int why = (p->ptrace & PT_PTRACED) ? CLD_TRAPPED : CLD_STOPPED;
+ 
+ exit_code = p->exit_code;
+- if (unlikely(!exit_code) ||
+- unlikely(p->state & TASK_TRACED))
++ if (unlikely(!exit_code) || unlikely(p->exit_state))
+ goto bail_ref;
+ return wait_noreap_copyout(p, pid, uid,
+ why, (exit_code << 8) | 0x7f,
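Review bot: The replacement condition `unlikely(p->exit_state)` has no comment stating what a nonzero exit_state means for this test, and the commit message itself records that the previous test was mis-corrected once before (14bf01bb) precisely because that intent was not visible in the code. A one-line comment above it, `/* exit_state != 0: the task has already exited, so do not report it as stopped */`, would keep the reason with the code. The second half of that wording is inferred from the description's "not dead" explanation and should be checked against the surrounding logic, since wait_task_stopped begins and ends outside the hunk.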