[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#657574: Changes from longterm

Package: src:linux-2.6
Version: 2.6.32-41
Severity: important

- ext4: fix undefined behavior in ext4_fill_flex_info()

Fixes a case where a corrupted filesystem can cause division by zero
(i.e. denial of service).  This was originally assigned CVE-2009-4307
and was supposed to have been fixed.  The vulnerability left by the
incorrect fix may have been assigned a new CVE number, but seems to be
essentially the same.

- ALSA: snd-usb-us122l: Delete calls to preempt_disable

I don't know what the impact of this is.

- ALSA: ice1724 - Check for ac97 to avoid kernel oops

Fixes crash (oops) in initialisation of this sound driver on some

- ALSA: hda - Return the error from get_wcaps_type() for invalid NIDs

Fixes sound playback from this driver on some systems.

- HID: bump maximum global item tag report size to 96 bytes

Adds support for some N-Trig touchscreen devices.

- UBI: fix use-after-free on error path

Fixes potential memory corruption in this flash translation layer.


Fixes an incorrect register value definition.  I believe this will
enable restoration of PCI Express error reporting configuration after
suspend/resume on some systems where previously it would be reset.

- PCI: msi: Disable msi interrupts when we initialize a pci device

Fixes potential hang after kexec.

- xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX.

Adds check for a protocol error that would otherwise result in memory
corruption.  If I understand correctly, this is not a security
vulnerability as the peer must already be trusted; however the commit
message is not entirely clear about this.

- ima: free duplicate measurement memory

No effect on Debian configurations, as this subsystem is not enabled.

- PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB

Seems clear enough.

- x86: Fix mmap random address range

This is *reducing* the range of ASLR for mmap on i386 only.  The
function generating random offsets is supposed to return an offset up to
1 MB, but could also return a negative value down to -1 MB.  This isn't
obviously disastrous, but I may be missing something subtle.

- UBI: fix nameless volumes handling

Adds earlier check for an invalid name of an UBI flash partition, which
would then be unusable and undeletable.

- i2c: Fix error value returned by several bus drivers

Several I2C bus drivers could return 0 for several failure cases in
their probe functions.  They would therefore continue operating on a
device that was not properly initialised or was in use by the system
firmware, likely resulting in a crash or interfering with hardware

- V4L/DVB: v4l2-ioctl: integer overflow in video_usercopy()

Fixes integer overflow leading to heap buffer overflow, possibly only on
32-bit systems.  This is exploitable by users in the video group if any
V4L2 devices are present.

- svcrpc: fix double-free on shutdown of nfsd after changing pool mode

Fixes memory corruption after changing the mode of the SunRPC service
thread pool and then shutting it down.  This affects NFS servers.

- svcrpc: destroy server sockets all at once

I don't know what the impact of this is.

- nfsd: Fix oops when parsing a 0 length export

Seems fairly clear.  I don't believe this is a security issue because
only root can write to the relevant file.

- USB: cdc-wdm: fix misuse of logical operation in place of bitop

Fixes blocking writes through this driver, used for some USB-connected
cellular modems (and phones acting as modems).  Previously they could
wrongly be made non-blocking; this would break simple scripts that write
to the modem.  (Most 'real' modem control programs would deliberately
use non-blocking mode.)

- USB: Fix 'bad dma' problem on WDM device disconnect

Fixes buffer management for the cdc-wdm driver.  On disconnection, it
would specify an incorrect size for the buffers being freed.  This
resulted in a warning message and memory leak.

- fix cputime overflow in uptime_proc_show

Fixes the display of the total idle time (not uptime) in /proc/uptime on
32-bit architectures.  This will overflow after 2^32 ticks (~200 days of
at 250 Hz) summed across all CPUs.  This has no impact on continued
operation of the kernel.

- block: add and use scsi_blk_cmd_ioctl
- kernel.h: add printk_ratelimited and pr_<level>_rl

Part of the fix for CVE-2011-4127.  We have these already.

- ALSA: HDA: Fix internal microphone on Dell Studio 16 XPS 1645

Clear enough.

- sym53c8xx: Fix NULL pointer dereference in slave_destroy

I'm not convinced this fixes a bug in 2.6.32, but it doesn't do any

- score: fix off-by-one index into syscall table

Irrelevant to Debian as we don't support this architecture.

- kprobes: initialize before using a hlist

Fixes memory leak when using kprobes.  I don't believe this is a
security issue as only root can use kprobes.


Ben Hutchings
Horngren's Observation:
                   Among economists, the real world is often a special case.

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: