Author: qboosh                       Date: Fri Sep  1 09:58:03 2006 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- 2.4.33.3 :/

---- Files affected:
SOURCES:
   linux-2.4-update.patch (1.2 -> 1.3) 

---- Diffs:

================================================================
Index: SOURCES/linux-2.4-update.patch
diff -u SOURCES/linux-2.4-update.patch:1.2 SOURCES/linux-2.4-update.patch:1.3
--- SOURCES/linux-2.4-update.patch:1.2  Mon Aug 28 16:14:57 2006
+++ SOURCES/linux-2.4-update.patch      Fri Sep  1 11:57:58 2006
@@ -1,3 +1,22 @@
+Summary of changes from v2.4.33.2 to v2.4.33.3
+============================================
+
+dann frazier:
+      [SCTP] Fix sctp_primitive_ABORT() call in sctp_close()
+      Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
+
+Jeff Mahoney:
+      [DISKLABEL] SUN: Fix signed int usage for sector count
+
+PaX Team:
+      cciss: do not mark cciss_scsi_detect __init
+
+Solar Designer:
+      crypto : prevent cryptoloop from oopsing on stupid ciphers
+      loop.c: kernel_thread() retval check
+
+Willy Tarreau:
+      Change VERSION to 2.4.33.3
 
 Summary of changes from v2.4.33.1 to v2.4.33.2
 ============================================
@@ -28,7 +47,7 @@
       Change VERSION to 2.4.33.1
 
 #diff --git a/Makefile b/Makefile
-#index 34125f6..340a66a 100644
+#index fd6884d..635682e 100644
 #--- a/Makefile
 #+++ b/Makefile
 #@@ -1,7 +1,7 @@
@@ -36,7 +55,7 @@
 # PATCHLEVEL = 4
 # SUBLEVEL = 33
 #-EXTRAVERSION =
-#+EXTRAVERSION = .2
+#+EXTRAVERSION = .3
 # 
 # KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)
 # 
@@ -77,6 +96,135 @@
 # EXPORT_SYMBOL_NOVERS(memset);
 # EXPORT_SYMBOL_NOVERS(memmove);
 # 
+diff --git a/crypto/cipher.c b/crypto/cipher.c
+index 6ab56eb..9b03eda 100644
+--- a/crypto/cipher.c
++++ b/crypto/cipher.c
+@@ -147,6 +147,15 @@ static int ecb_encrypt(struct crypto_tfm
+                    ecb_process, 1, NULL);
+ }
+ 
++static int ecb_encrypt_iv(struct crypto_tfm *tfm,
++                        struct scatterlist *dst,
++                        struct scatterlist *src,
++                        unsigned int nbytes, u8 *iv)
++{
++      ecb_encrypt(tfm, dst, src, nbytes);
++      return -ENOSYS;
++}
++
+ static int ecb_decrypt(struct crypto_tfm *tfm,
+                        struct scatterlist *dst,
+                        struct scatterlist *src,
+@@ -157,6 +166,15 @@ static int ecb_decrypt(struct crypto_tfm
+                    ecb_process, 1, NULL);
+ }
+ 
++static int ecb_decrypt_iv(struct crypto_tfm *tfm,
++                        struct scatterlist *dst,
++                        struct scatterlist *src,
++                        unsigned int nbytes, u8 *iv)
++{
++      ecb_decrypt(tfm, dst, src, nbytes);
++      return -ENOSYS;
++}
++
+ static int cbc_encrypt(struct crypto_tfm *tfm,
+                        struct scatterlist *dst,
+                        struct scatterlist *src,
+@@ -197,11 +215,20 @@ static int cbc_decrypt_iv(struct crypto_
+                    cbc_process, 0, iv);
+ }
+ 
++/*
++ * nocrypt*() zeroize the destination buffer to make sure we don't leak
++ * uninitialized memory contents if the caller ignores the return value.
++ * This is bad since the data in the source buffer is unused and may be
++ * lost, but an infoleak would be even worse.  The performance cost of
++ * memset() is irrelevant since a well-behaved caller would not bump into
++ * the error repeatedly.
++ */
+ static int nocrypt(struct crypto_tfm *tfm,
+                    struct scatterlist *dst,
+                    struct scatterlist *src,
+                  unsigned int nbytes)
+ {
++      memset(dst, 0, nbytes);
+       return -ENOSYS;
+ }
+ 
+@@ -210,6 +237,7 @@ static int nocrypt_iv(struct crypto_tfm 
+                       struct scatterlist *src,
+                       unsigned int nbytes, u8 *iv)
+ {
++      memset(dst, 0, nbytes);
+       return -ENOSYS;
+ }
+ 
+@@ -235,6 +263,11 @@ int crypto_init_cipher_ops(struct crypto
+       case CRYPTO_TFM_MODE_ECB:
+               ops->cit_encrypt = ecb_encrypt;
+               ops->cit_decrypt = ecb_decrypt;
++/* These should have been nocrypt_iv, but patch-cryptoloop-jari-2.4.22.0
++ * (and its other revisions) directly calls the *_iv() functions even in
++ * ECB mode and ignores their return value. */
++              ops->cit_encrypt_iv = ecb_encrypt_iv;
++              ops->cit_decrypt_iv = ecb_decrypt_iv;
+               break;
+               
+       case CRYPTO_TFM_MODE_CBC:
+diff --git a/drivers/block/cciss_scsi.c b/drivers/block/cciss_scsi.c
+index cb5a3bb..085c855 100644
+--- a/drivers/block/cciss_scsi.c
++++ b/drivers/block/cciss_scsi.c
+@@ -49,7 +49,7 @@ static int sendcmd(
+       unsigned char *scsi3addr );
+ 
+ 
+-int __init cciss_scsi_detect(Scsi_Host_Template *tpnt);
++int cciss_scsi_detect(Scsi_Host_Template *tpnt);
+ int cciss_scsi_release(struct Scsi_Host *sh);
+ const char *cciss_scsi_info(struct Scsi_Host *sa);
+ 
+@@ -777,7 +777,7 @@ complete_scsi_command( CommandList_struc
+    The scsi mid layer (scsi_register_module) is
+    called from cciss.c:cciss_init_one().  */
+ 
+-int __init
++int
+ cciss_scsi_detect(Scsi_Host_Template *tpnt)
+ {
+       int i;
+diff --git a/drivers/block/loop.c b/drivers/block/loop.c
+index 777712f..4b1afa6 100644
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -869,12 +869,23 @@ static int loop_set_fd(struct loop_devic
+       loop_hardsizes[MINOR(dev)] = hardsz;
+       loop_set_softblksz(lo, dev);
+ 
+-      kernel_thread(loop_thread, lo, CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
+-      down(&lo->lo_sem);
++      error = kernel_thread(loop_thread, lo,
++          CLONE_FS | CLONE_FILES | CLONE_SIGHAND);
++      if (error < 0)
++              goto out_clr;
++      down(&lo->lo_sem); /* wait for the thread to start */
+ 
+       fput(file);
+       return 0;
+ 
++ out_clr:
++      lo->lo_backing_file = NULL;
++      lo->lo_device = 0;
++      lo->lo_flags = 0;
++      loop_sizes[lo->lo_number] = 0;
++      inode->i_mapping->gfp_mask = lo->old_gfp_mask;
++      lo->lo_state = Lo_unbound;
++      fput(file); /* yes, have to do it twice */
+  out_putf:
+       fput(file);
+  out:
 diff --git a/drivers/mtd/devices/blkmtd.c b/drivers/mtd/devices/blkmtd.c
 index f4280a1..9399d4e 100644
 --- a/drivers/mtd/devices/blkmtd.c
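Review bot: In the added crypto/cipher.c section, `memset(dst, 0, nbytes);` in nocrypt() and nocrypt_iv() clears the scatterlist descriptors rather than the data they describe, because `dst` is declared `struct scatterlist *dst`. The destination data is therefore not zeroized as the new comment promises, and if nbytes exceeds the size of the descriptor array the write continues past it into adjacent kernel memory. The zeroing should instead walk the dst entries and clear each segment's mapped data. The code that maps scatterlist segments is outside this hunk, so the exact form has to be checked against it.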
@@ -179,6 +327,113 @@
                goto out;
        if (inode)
                inode->i_nlink--;
+diff --git a/fs/partitions/sun.c b/fs/partitions/sun.c
+index a0ca0b1..cd087ca 100644
+--- a/fs/partitions/sun.c
++++ b/fs/partitions/sun.c
+@@ -86,7 +86,7 @@ int sun_partition(struct gendisk *hd, st
+       spc = be16_to_cpu(label->ntrks) * be16_to_cpu(label->nsect);
+       for (i = 0; i < 8; i++, p++) {
+               unsigned long st_sector;
+-              int num_sectors;
++              unsigned int num_sectors;
+ 
+               st_sector = first_sector + be32_to_cpu(p->start_cylinder) * spc;
+               num_sectors = be32_to_cpu(p->num_sectors);
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 9df2fa2..0c5b54e 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1515,7 +1515,7 @@ #endif
+               iput(inode);
+               goto error_out;
+       }
+-      sb->s_maxbytes = MAX_LFS_FILESIZE;
++      sb->s_maxbytes = 1<<30;
+       return sb;
+ 
+ error_out:
+diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c
+index 0ae7e96..0567211 100644
+--- a/fs/udf/truncate.c
++++ b/fs/udf/truncate.c
+@@ -182,37 +182,51 @@ void udf_truncate_extents(struct inode *
+       {
+               if (offset)
+               {
+-                      extoffset -= adsize;
+-                      etype = udf_next_aext(inode, &bloc, &extoffset, &eloc, 
&elen, &bh, 1);
+-                      if (etype == (EXT_NOT_RECORDED_NOT_ALLOCATED >> 30))
+-                      {
+-                              extoffset -= adsize;
+-                              elen = EXT_NOT_RECORDED_NOT_ALLOCATED | (elen + 
offset);
+-                              udf_write_aext(inode, bloc, &extoffset, eloc, 
elen, bh, 0);
++                      /*
++                       *  OK, there is not extent covering inode->i_size and
++                       *  no extent above inode->i_size => truncate is
++                       *  extending the file by 'offset'.
++                       */
++                      if ((!bh && extoffset == 
udf_file_entry_alloc_offset(inode)) ||
++                          (bh && extoffset == sizeof(struct allocExtDesc))) {
++                              /* File has no extents at all! */
++                              memset(&eloc, 0x00, sizeof(lb_addr));
++                              elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
++                              udf_add_aext(inode, &bloc, &extoffset, eloc, 
elen, &bh, 1);
+                       }
+-                      else if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30))
+-                      {
+-                              lb_addr neloc = { 0, 0 };
++                      else {
+                               extoffset -= adsize;
+-                              nelen = EXT_NOT_RECORDED_NOT_ALLOCATED |
+-                                      ((elen + offset + 
inode->i_sb->s_blocksize - 1) &
+-                                      ~(inode->i_sb->s_blocksize - 1));
+-                              udf_write_aext(inode, bloc, &extoffset, neloc, 
nelen, bh, 1);
+-                              udf_add_aext(inode, &bloc, &extoffset, eloc, 
(etype << 30) | elen, &bh, 1);
+-                      }
+-                      else
+-                      {
+-                              if (elen & (inode->i_sb->s_blocksize - 1))
++                              etype = udf_next_aext(inode, &bloc, &extoffset, 
&eloc, &elen, &bh, 1);
++                              if (etype == (EXT_NOT_RECORDED_NOT_ALLOCATED >> 
30))
++                              {
++                                      extoffset -= adsize;
++                                      elen = EXT_NOT_RECORDED_NOT_ALLOCATED | 
(elen + offset);
++                                      udf_write_aext(inode, bloc, &extoffset, 
eloc, elen, bh, 0);
++                              }
++                              else if (etype == (EXT_NOT_RECORDED_ALLOCATED 
>> 30))
+                               {
++                                      lb_addr neloc = { 0, 0 };
+                                       extoffset -= adsize;
+-                                      elen = EXT_RECORDED_ALLOCATED |
+-                                              ((elen + 
inode->i_sb->s_blocksize - 1) &
++                                      nelen = EXT_NOT_RECORDED_NOT_ALLOCATED |
++                                              ((elen + offset + 
inode->i_sb->s_blocksize - 1) &
+                                               ~(inode->i_sb->s_blocksize - 
1));
+-                                      udf_write_aext(inode, bloc, &extoffset, 
eloc, elen, bh, 1);
++                                      udf_write_aext(inode, bloc, &extoffset, 
neloc, nelen, bh, 1);
++                                      udf_add_aext(inode, &bloc, &extoffset, 
eloc, (etype << 30) | elen, &bh, 1);
++                              }
++                              else
++                              {
++                                      if (elen & (inode->i_sb->s_blocksize - 
1))
++                                      {
++                                              extoffset -= adsize;
++                                              elen = EXT_RECORDED_ALLOCATED |
++                                                      ((elen + 
inode->i_sb->s_blocksize - 1) &
++                                                      
~(inode->i_sb->s_blocksize - 1));
++                                              udf_write_aext(inode, bloc, 
&extoffset, eloc, elen, bh, 1);
++                                      }
++                                      memset(&eloc, 0x00, sizeof(lb_addr));
++                                      elen = EXT_NOT_RECORDED_NOT_ALLOCATED | 
offset;
++                                      udf_add_aext(inode, &bloc, &extoffset, 
eloc, elen, &bh, 1);
+                               }
+-                              memset(&eloc, 0x00, sizeof(lb_addr));
+-                              elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
+-                              udf_add_aext(inode, &bloc, &extoffset, eloc, 
elen, &bh, 1);
+                       }
+               }
+       }
 diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h
 index 0e01fef..28d25a3 100644
 --- a/include/net/sctp/sctp.h
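Review bot: `sb->s_maxbytes = 1<<30;` in the fs/udf/super.c section replaces MAX_LFS_FILESIZE with an unexplained literal, so a later reader cannot tell that the 1 GiB cap is deliberate. The fs/udf/truncate.c section of the same hunk keeps the extent type in the top two bits of `elen` (`etype << 30`) and ORs `offset` straight into it, which is presumably the reason for the cap. A comment such as `/* cap at 1 GiB: extent lengths are 30 bits, see udf_truncate_extents() */` would record that, once the reason is confirmed. It is also worth confirming that `offset` can never be exactly 1<<30 under this limit, since that value would already spill into the type bits. The enclosing function in super.c starts outside the hunk.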
@@ -332,10 +587,27 @@
        sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
                        SCTP_STATE(SCTP_STATE_CLOSED));
 diff --git a/net/sctp/socket.c b/net/sctp/socket.c
-index 277b19f..6620b87 100644
+index 277b19f..8d13849 100644
 --- a/net/sctp/socket.c
 +++ b/net/sctp/socket.c
-@@ -1199,8 +1199,16 @@ SCTP_STATIC int sctp_sendmsg(struct sock
+@@ -967,9 +967,13 @@ SCTP_STATIC void sctp_close(struct sock 
+                               sctp_unhash_established(asoc);
+                               sctp_association_free(asoc);
+ 
+-                      } else if (sk->linger && !sk->lingertime)
+-                              sctp_primitive_ABORT(asoc, NULL);
+-                      else
++                      } else if (sk->linger && !sk->lingertime) {
++                              struct sctp_chunk *chunk;
++
++                              chunk = sctp_make_abort_user(asoc, NULL, 0);
++                              if (chunk)
++                                      sctp_primitive_ABORT(asoc, NULL);
++                      } else
+                               sctp_primitive_SHUTDOWN(asoc, NULL);
+               } else
+                       sctp_primitive_SHUTDOWN(asoc, NULL);
+@@ -1199,8 +1203,16 @@ SCTP_STATIC int sctp_sendmsg(struct sock
                        goto out_unlock;
                }
                if (sinfo_flags & MSG_ABORT) {
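Review bot: In the sctp_close() change, `chunk` returned by `sctp_make_abort_user(asoc, NULL, 0)` is only tested and never used, because the call that follows is still `sctp_primitive_ABORT(asoc, NULL)`. Unless sctp_make_abort_user() attaches the chunk to the association itself (not visible here), the chunk is leaked on every close with linger set and a zero linger time. The call probably should be `sctp_primitive_ABORT(asoc, chunk);`. When the allocation fails the branch now does nothing, neither ABORT nor SHUTDOWN, so the NULL case needs a fallback or at least a comment saying the omission is intended. sctp_close() starts and ends outside the hunk.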
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/SOURCES/linux-2.4-update.patch?r1=1.2&r2=1.3&f=u
