Hi Kir
Thanks for the list. I have now made some work to apply this.
Below are some comments.
On Tue, Mar 10, 2009 at 02:00:39AM +0300, Kir Kolyshkin wrote:
Kir Kolyshkin wrote:
I am currently checking all the ~80 patches that are not in openvz
lenny kernel. Looks like most are really needed. Let me suggest some
in a few emails I will send as a reply to this one.
Here is a set of netfilter patches, quite a few. Some are very critical
(read security-related) since they fix various container/host isolation
issues, others are to prevent kernel oopses...
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=8562975430153848dd817a050133b53adda96910
nf: fix use after free
Fix use after free error, found by internal testing. Not an ABI breaker.
Attached as 0010*
Already in the debian openvz patch.
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=fa7ac0b2423dc741cd7016565545abb8e36c4af4
nf: fix call to kmem_cache_destroy from VEs
Found by internal testing. Not an ABI breaker.
Attached as 0011*
And this one as well.
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=17b09e1de42db77743ea9ae3dfd3a910ac57ee71
conntrack: prevent double allocate/free of protos
Found by internal testing. Not an ABI breaker.
Attached as 0022*
The double alloc should not be too much of a problem (or?), but the double free, I assume, can result
in real problems, right?
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=7d3f10fc5d8e268f7572cfdd2287c049bce3af7c
conntrack: prevent call register_pernet_subsys() from VE context
Found by internal audit. Not an ABI breaker.
Attached as 0023*
Security issue!
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=482dd20be37f61b2f94e6b3f3de1c1b9b4f9e6f1
conntrack: prevent call nf_register_hooks() from VE context
Found by internal audit. Not an ABI breaker.
Attached as 0024*
Security issue!
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=5fff3eb60f78acaadcae8562de5d3e6504f4d4f9
conntrack: adjust context during freeing
Found by internal audit. Not an ABI breaker.
Attached as 0029*
Security issue!
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=3cb8bc3781889ade74c02840b2eb8ddafb6d39c5
netfilter: NAT: assign nf_nat_seq_adjust_hook from VE0 context only
Found by internal audit. Not an ABI breaker.
Attached as 0033*
Security issue!
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=490910232ebe61f65e5e5c03b7286f11291b6092
netfilter: call nf_register_hooks from VE0 context only
Found by internal audit. Not an ABI breaker.
Attached as 0034*
Security issue!
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=1acba8533b788e95c52f827d06d9629d672c80fc
netfilter: Fix NULL dereference in nf_nat_setup_info.
OpenVZ Bug #1051 (http://bugzilla.openvz.org/1051). Might be an ABI breaker.
Attached as 0047*
Security issue!
http://git.openvz.org/?p=linux-2.6.26-openvz;a=commitdiff;h=b405aed753ac48a46e66cccfd0a37006fd11feb8
netfilter: Add check to the nat hooks
OpenVZ Bug #1051 (http://bugzilla.openvz.org/1051). Might be an ABI breaker.
Attached as 0048*
Is it this part that you are worried about for the ABI breakage?
/* After packet filtering, change source */
{
- .hook = nf_nat_fn,
+ .hook = nf_nat_local_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.hooknum = NF_INET_LOCAL_IN,