Hi Kir

Thanks for the list. I have now made some work to apply this. Below are some comments.

On Tue, Mar 10, 2009 at 02:00:39AM +0300, Kir Kolyshkin wrote:
> Kir Kolyshkin wrote:
> >I am currently checking all the ~80 patches that are not in openvz
> >lenny kernel. Looks like most are really needed. Let me suggest some
> >in a few emails I will send as a reply to this one.
>
> Here is a set of netfilter patches, quite a few. Some are very critical
> (read security-related) since they fix various container/host isolation
> issues, others are to prevent kernel oopses...
>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=8562975430153848dd817a050133b53adda96910
> nf: fix use after free
> Fix use after free error, found by internal testing. Not an ABI breaker.
> Attached as 0010*

Already in the debian openvz patch.

>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=fa7ac0b2423dc741cd7016565545abb8e36c4af4
> nf: fix call to kmem_cache_destroy from VEs
> Found by internal testing. Not an ABI breaker.
> Attached as 0011*

And this one as well.

>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=17b09e1de42db77743ea9ae3dfd3a910ac57ee71
> conntrack: prevent double allocate/free of protos
> Found by internal testing. Not an ABI breaker.
> Attached as 0022*

The double alloc should not be too much of a problem (or?), but the double free, I assume, can result in real problems, right?

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=7d3f10fc5d8e268f7572cfdd2287c049bce3af7c
> conntrack: prevent call register_pernet_subsys() from VE context
> Found by internal audit. Not an ABI breaker.
> Attached as 0023*

Security issue!

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=482dd20be37f61b2f94e6b3f3de1c1b9b4f9e6f1
> conntrack: prevent call nf_register_hooks() from VE context
> Found by internal audit. Not an ABI breaker.
> Attached as 0024*

Security issue!

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=5fff3eb60f78acaadcae8562de5d3e6504f4d4f9
> conntrack: adjust context during freeing
> Found by internal audit. Not an ABI breaker.
> Attached as 0029*

Security issue!

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=3cb8bc3781889ade74c02840b2eb8ddafb6d39c5
> netfilter: NAT: assign nf_nat_seq_adjust_hook from VE0 context only
> Found by internal audit. Not an ABI breaker.
> Attached as 0033*

Security issue!

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=490910232ebe61f65e5e5c03b7286f11291b6092
> netfilter: call nf_register_hooks from VE0 context only
> Found by internal audit. Not an ABI breaker.
> Attached as 0034*

Security issue!

> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=1acba8533b788e95c52f827d06d9629d672c80fc
> netfilter: Fix NULL dereference in nf_nat_setup_info.
> OpenVZ Bug #1051 (http://bugzilla.openvz.org/1051). Might be an ABI breaker.
> Attached as 0047*

Security issue!

>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=b405aed753ac48a46e66cccfd0a37006fd11feb8
> netfilter: Add check to the nat hooks
> OpenVZ Bug #1051 (http://bugzilla.openvz.org/1051). Might be an ABI breaker.
> Attached as 0048*

Is it this part that you are worried about for the ABI breakage?

/* After packet filtering, change source */ { - .hook = nf_nat_fn, + .hook = nf_nat_local_in, .owner = THIS_MODULE, .pf = PF_INET, .hooknum = NF_INET_LOCAL_IN, --

>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=b5e1f74cee5bc2c45bdca53a7218fb8de89215dd
> netlink: Fix oops in netlink conntrack module
> OpenVZ bug #788 (http://bugzilla.openvz.org/788)
> Attached as 0053*

Already applied by Dann some days ago.

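Review bot: the fragment quoted for 0048 above is not enough to settle the ABI question: at `+ .hook = nf_nat_local_in,` (the NF_INET_LOCAL_IN entry) only the hook pointer in the ops initializer changes, and the definition of nf_nat_local_in, where the added check would live, is not among the quoted lines. Swapping a function pointer in an initializer does not by itself alter any structure layout or symbol signature, so the answer depends on what the rest of the commit touches. Suggest quoting the new function and any header changes alongside this entry, and confirming whether nf_nat_local_in is local to the module or exported.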
>
> http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=09686c184a2cb815cbd5af500fe468311887d746
> Free skb->nf_bridge in veth_xmit() and venet_xmit()
> OpenVZ bug #1146 (http://bugzilla.openvz.org/1146)
> Attached as 0066*
> This one is important because it worked in 2.6.24.

Best regards,

// Ola

-- 
Inguza Technology AB, MSc in Information Technology
Annebergsslingan 37, 654 65 KARLSTAD
http://inguza.com/  Mobile: +46 (0)70-332 1551
gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9

