Linux 2.6.24.6

author Greg Kroah-Hartman <gregkh@suse.de>

Thu, 1 May 2008 21:51:29 +0000 (14:51 -0700)

committer Greg Kroah-Hartman <gregkh@suse.de>

Thu, 1 May 2008 21:51:29 +0000 (14:51 -0700)
author Greg Kroah-Hartman <gregkh@suse.de>
Thu, 1 May 2008 21:51:29 +0000 (14:51 -0700)
committer Greg Kroah-Hartman <gregkh@suse.de>
Thu, 1 May 2008 21:51:29 +0000 (14:51 -0700)
diff --git a/releases/2.6.24.6/fix-dnotify-close-race.patch b/releases/2.6.24.6/fix-dnotify-close-race.patch

new file mode 100644 (file)

index 0000000..2f71ec9
--- /dev/null
+++ b/releases/2.6.24.6/fix-dnotify-close-race.patch
@@ -0,0 +1,62 @@
+From 214b7049a7929f03bbd2786aaef04b8b79db34e2 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@ZenIV.linux.org.uk>
+Date: Thu, 1 May 2008 03:52:22 +0100
+Subject: Fix dnotify/close race (CVE-2008-1375)
+
+From: Al Viro <viro@ZenIV.linux.org.uk>
+
+commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream.
+
+We have a race between fcntl() and close() that can lead to
+dnotify_struct inserted into inode's list *after* the last descriptor
+had been gone from current->files.
+
+Since that's the only point where dnotify_struct gets evicted, we are
+screwed - it will stick around indefinitely.  Even after struct file in
+question is gone and freed.  Worse, we can trigger send_sigio() on it at
+any later point, which allows to send an arbitrary signal to arbitrary
+process if we manage to apply enough memory pressure to get the page
+that used to host that struct file and fill it with the right pattern...
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/dnotify.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/fs/dnotify.c
++++ b/fs/dnotify.c
+@@ -20,6 +20,7 @@
+ #include <linux/init.h>
+ #include <linux/spinlock.h>
+ #include <linux/slab.h>
++#include <linux/file.h>
+ 
+ int dir_notify_enable __read_mostly = 1;
+ 
+@@ -66,6 +67,7 @@ int fcntl_dirnotify(int fd, struct file 
+       struct dnotify_struct **prev;
+       struct inode *inode;
+       fl_owner_t id = current->files;
++      struct file *f;
+       int error = 0;
+ 
+       if ((arg & ~DN_MULTISHOT) == 0) {
+@@ -92,6 +94,15 @@ int fcntl_dirnotify(int fd, struct file 
+               prev = &odn->dn_next;
+       }
+ 
++      rcu_read_lock();
++      f = fcheck(fd);
++      rcu_read_unlock();
++      /* we'd lost the race with close(), sod off silently */
++      /* note that inode->i_lock prevents reordering problems
++       * between accesses to descriptor table and ->i_dnotify */
++      if (f != filp)
++              goto out_free;
++
+       error = __f_setown(filp, task_pid(current), PIDTYPE_PID, 0);
+       if (error)
+               goto out_free;
diff --git a/review-2.6.24/fix-oops-on-rmmod-capidrv.patch b/releases/2.6.24.6/fix-oops-on-rmmod-capidrv.patch

similarity index 100%

rename from review-2.6.24/fix-oops-on-rmmod-capidrv.patch

rename to releases/2.6.24.6/fix-oops-on-rmmod-capidrv.patch
diff --git a/review-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch b/releases/2.6.24.6/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch

similarity index 100%

rename from review-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch

rename to releases/2.6.24.6/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch
diff --git a/review-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch b/releases/2.6.24.6/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch

similarity index 100%

rename from review-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch

rename to releases/2.6.24.6/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch
diff --git a/review-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch b/releases/2.6.24.6/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch

similarity index 100%

rename from review-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch

rename to releases/2.6.24.6/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch
diff --git a/review-2.6.24/mbox b/releases/2.6.24.6/mbox

similarity index 100%

rename from review-2.6.24/mbox

rename to releases/2.6.24.6/mbox
diff --git a/review-2.6.24/series b/releases/2.6.24.6/series

similarity index 95%

rename from review-2.6.24/series

rename to releases/2.6.24.6/series

index d8bd8c91e2a4a91f915b9aa129da0422fae7537b..d1a338b9376a3d3f0c5125d5e68198e63f754d1d 100644 (file)
--- a/review-2.6.24/series
+++ b/releases/2.6.24.6/series
@@ -10,3 +10,4 @@ usb-remove-broken-usb-serial-num_endpoints-check.patch
  v4l-fix-vidiocgap-corruption-in-ivtv.patch
  v4l-cx88-enable-radio-gpio-correctly.patch
  isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch
+fix-dnotify-close-race.patch
diff --git a/review-2.6.24/splice-use-mapping_gfp_mask.patch b/releases/2.6.24.6/splice-use-mapping_gfp_mask.patch

similarity index 100%

rename from review-2.6.24/splice-use-mapping_gfp_mask.patch

rename to releases/2.6.24.6/splice-use-mapping_gfp_mask.patch
diff --git a/review-2.6.24/tehuti-check-register-size.patch b/releases/2.6.24.6/tehuti-check-register-size.patch

similarity index 100%

rename from review-2.6.24/tehuti-check-register-size.patch

rename to releases/2.6.24.6/tehuti-check-register-size.patch
diff --git a/review-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch b/releases/2.6.24.6/tehuti-move-ioctl-perm-check-closer-to-function-start.patch

similarity index 100%

rename from review-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch

rename to releases/2.6.24.6/tehuti-move-ioctl-perm-check-closer-to-function-start.patch
diff --git a/review-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch b/releases/2.6.24.6/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch

similarity index 100%

rename from review-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch

rename to releases/2.6.24.6/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch
diff --git a/review-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch b/releases/2.6.24.6/usb-remove-broken-usb-serial-num_endpoints-check.patch

similarity index 100%

rename from review-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch

rename to releases/2.6.24.6/usb-remove-broken-usb-serial-num_endpoints-check.patch
diff --git a/review-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch b/releases/2.6.24.6/v4l-cx88-enable-radio-gpio-correctly.patch

similarity index 100%

rename from review-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch

rename to releases/2.6.24.6/v4l-cx88-enable-radio-gpio-correctly.patch
diff --git a/review-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch b/releases/2.6.24.6/v4l-fix-vidiocgap-corruption-in-ivtv.patch

similarity index 100%

rename from review-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch

rename to releases/2.6.24.6/v4l-fix-vidiocgap-corruption-in-ivtv.patch
diff --git a/review-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch b/releases/2.6.24.6/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch

similarity index 100%

rename from review-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch

rename to releases/2.6.24.6/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch
author	Greg Kroah-Hartman <gregkh@suse.de>
	Thu, 1 May 2008 21:51:29 +0000 (14:51 -0700)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Thu, 1 May 2008 21:51:29 +0000 (14:51 -0700)
releases/2.6.24.6/fix-dnotify-close-race.patch	[new file with mode: 0644]	patch \| blob
releases/2.6.24.6/fix-oops-on-rmmod-capidrv.patch	[moved from review-2.6.24/fix-oops-on-rmmod-capidrv.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch	[moved from review-2.6.24/increase-the-max_burst-threshold-from-3-to-tp-reordering.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch	[moved from review-2.6.24/isdn-do-not-validate-isdn-net-device-address-prior-to-interface-up.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch	[moved from review-2.6.24/jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/mbox	[moved from review-2.6.24/mbox with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/series	[moved from review-2.6.24/series with 95% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/splice-use-mapping_gfp_mask.patch	[moved from review-2.6.24/splice-use-mapping_gfp_mask.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/tehuti-check-register-size.patch	[moved from review-2.6.24/tehuti-check-register-size.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/tehuti-move-ioctl-perm-check-closer-to-function-start.patch	[moved from review-2.6.24/tehuti-move-ioctl-perm-check-closer-to-function-start.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch	[moved from review-2.6.24/usb-gadget-queue-usb-usb_cdc_get_encapsulated_response-message.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/usb-remove-broken-usb-serial-num_endpoints-check.patch	[moved from review-2.6.24/usb-remove-broken-usb-serial-num_endpoints-check.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/v4l-cx88-enable-radio-gpio-correctly.patch	[moved from review-2.6.24/v4l-cx88-enable-radio-gpio-correctly.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/v4l-fix-vidiocgap-corruption-in-ivtv.patch	[moved from review-2.6.24/v4l-fix-vidiocgap-corruption-in-ivtv.patch with 100% similarity]	patch \| blob \| blame \| history
releases/2.6.24.6/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch	[moved from review-2.6.24/x86-fix-32-bit-x86-msi-x-allocation-leakage.patch with 100% similarity]	patch \| blob \| blame \| history