
Bug#698022: Changes from longterm 2.6.32.60

Package: src:linux-2.6
Version: 2.6.32-46
Severity: important

- udf: Avoid run away loop when partition table length is corrupted
- udf: Fortify loading of sparing table
- locks: fix checking of fcntl_setlease argument
- tcp: Don't change unlocked socket state in tcp_v4_err().
- cred: copy_process() should clear child->replacement_session_keyring
- hfsplus: Fix potential buffer overflows
- dl2k: Clean up rio_ioctl
- dl2k: use standard #defines from mii.h.
- net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
- ntp: Fix leap-second hrtimer livelock
- ntp: Correct TAI offset during leap second
- timekeeping: Fix CLOCK_MONOTONIC inconsistency during leapsecond
- time: Move common updates to a function
- hrtimer: Provide clock_was_set_delayed()
- timekeeping: Fix leapsecond triggered load spike issue
- timekeeping: Maintain ktime_t based offsets for hrtimers
- hrtimers: Move lock held region in hrtimer_interrupt()
- timekeeping: Provide hrtimer update function
- hrtimer: Update hrtimer base offsets each hrtimer_interrupt
- timekeeping: Add missing update call in timekeeping_resume()
- usb: Fix deadlock in hid_reset when Dell iDRAC is reset
- jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
- security: fix compile error in commoncap.c
- fcaps: clear the same personality flags as suid when fcaps are used
- hugepages: fix use after free bug in "quota" handling
- KVM: Ensure all vcpus are consistent with in-kernel irqchip settings
- KVM: x86: disallow multiple KVM_CREATE_IRQCHIP
- block: Fix io_context leak after failure of clone with CLONE_IO
- block: Fix io_context leak after clone with CLONE_IO
- fix pgd_lock deadlock
- KVM: x86: fix missing checks in syscall emulation
- KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
- KVM: Device assignment permission checks
- KVM: Remove ability to assign a device without iommu support
- rose: Add length checks to CALL_REQUEST parsing
- KVM: x86: Prevent starting PIT timers in the absence of irqchip support
- xfs: Fix possible memory corruption in xfs_readlink

We already applied these.

- netxen: support for GbE port settings

Fixes support for some Ethernet modes in this network driver (#638921).

- Fix sparc build with newer tools.

Does not affect squeeze as it's specific to 32-bit SPARC.

- powerpc/pmac: Fix SMP kernels on pre-core99 UP machines

Fixes boot crash for 32-bit PowerPC SMP kernel on some UP systems.
We build separate UP and SMP kernels so this isn't really important,
but the fix is quite obviously correct.

- Bluetooth: btusb: fix bInterval for high/super speed isochronous endpoints

Fixes miscalculation of the data transfer interval for high/super
speed (i.e. 480 Mbit/s or 4.8 Gbit/s transfer rate) USB-attached
Bluetooth adapters.  I assume these used to be mostly full-speed
(12 Mbit/s), and this falls under new hardware support.

- futex: Fix uninterruptible loop due to gate_area

Fixes user-triggerable DoS.

- time: Improve sanity checking of timekeeping inputs
- time: Move ktime_t overflow checking into timespec_valid_strict

Improve validation of hardware/user-provided times to avoid overflow
in subsequent calculations.  This is intended to improve security and
stability, but I don't know what specific problems are fixed.

- time: Avoid making adjustments if we haven't accumulated anything

Removes unnecessary recalculation of real time (wall-clock time)
which results in inconsistencies of the different clocks.

- ioat2: kill pending flag

Fixes a major performance problem with this DMA engine driver.

- drm/i915: Attempt to fix watermark setup on 85x (v2)

Fixes a hardware support regression in 2.6.32 (#661696).  However
we'll need to apply this separately since we updated DRM to 2.6.33.y.

- eCryptfs: Copy up lower inode attrs after setting lower xattr

Newly added extended attributes were not being properly cached by
eCryptfs.  This could result in the kernel applying incorrect security
restrictions on such filesystems.

- eCryptfs: Clear ECRYPTFS_NEW_FILE flag during truncate

Fixes data corruption on eCryptfs filesystems.

- oprofile: use KM_NMI slot for kmap_atomic

Fixes potential crash while using oprofile on systems with highmem.

- tty_audit: fix tty_audit_add_data live lock on audit disabled

If auditing is enabled for a tty and then globally disabled, a racing
read from that tty can enter an uninterruptible infinite loop.

- bonding: 802.3ad - fix agg_device_up

The bonding driver would in some cases check the link status of the
wrong slave device when deciding whether it needed to failover to
another slave.  I assume this could result in loss of network
connectivity.

- usbnet: increase URB reference count before usb_unlink_urb
- usbnet: don't clear urb->dev in tx_complete

Fix possible memory corruption, crash or other badness when using USB
network interfaces.

- sched: Fix signed unsigned comparison in check_preempt_tick()

Fix a bug in the scheduler: it will spuriously decide that it's time
to reschedule from the current task, and ends up scheduling it again
for a longer period.  This reduces responsiveness of the system.

- x86/PCI: amd: factor out MMCONFIG discovery
- PNP: fix "work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB"

Completes a bug fix that was supposed to be in 2.6.32.55.  On the
mentioned Dell systems, there is a reserved region of memory not
described by the firmware.  We avoid mapping any PCI devices there as
they won't be accessible.

- KVM: ia64: fix build due to typo

This has no effect in squeeze since we don't enable KVM on ia64.

- xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()

The fix for CVE-2011-4077 replaced a buffer overflow vulnerability
with a DoS; this fixes that.

- x86: Derandom delay_tsc for 64 bit

Fixes implementation of short delays for amd64, which would sometimes
be much shorter than intended.  These short delays are typically
needed when sequencing hardware access, and a too-short delay may
result in various kinds of failure depending on the hardware device,
but certainly including data corruption, hanging or crashing.

- ipsec: be careful of non existing mac headers

Fixes crash when using IPsec over an ATM device (e.g. plug-in DSL
modem).

- block, sx8: fix pointer math issue getting fw version

This SATA driver calculates the wrong address for firmware version
information during its initialisation.  The most likely result is
getting incorrect information about the controller's capabilities, but
it could also crash the system.

- nilfs2: fix NULL pointer dereference in nilfs_load_super_block()

Fixes crash when mounting a corrupted filesystem of this type.

- USB: ftdi_sio: fix problem when the manufacture is a NULL string

Fixes crash when inserting some USB serial adapters.

- ntp: Fix integer overflow when setting time

This is really an integer truncation which can result in division by
zero on 64-bit systems.  The backported version does not prevent
truncation but does avoid the division by zero.  This might be a DoS
vulnerability, though I suspect it's not a real problem.

- SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()

Fixes case where SunRPC users (NFS client or server) can hang.

- ext4: check for zero length extent

Fixes crash when reading a corrupted filesystem of this type.

- xfs: Fix oops on IO error during xlog_recover_process_iunlinks()

An I/O failure should leave the filesystem read-only but otherwise
usable, but during deletion it could result in a crash.

- nfsd: don't allow zero length strings in cache_parse()

The kernel NFS server may request various information from userland
daemons; an empty string is never a valid response and may result in
a crash.  This adds a check for that.

- sched/x86: Fix overflow in cyc2ns_offset

Fixes bug in TSC (timestamp counter) initialisation which could lead
to incorrect timekeeping after using kexec.

- Bluetooth: add NULL pointer check in HCI
- Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close

Fix potential crashes when shutting down a UART Bluetooth adapter.

- sparc64: Fix bootup crash on sun4v.

The DS driver used on sun4v (T-series CPUs) could crash in
initialisation.

- video:uvesafb: Fix oops that uvesafb try to execute NX-protected page

The VESA BIOS code typically ends up mapped with the NX (no-execute)
flag set on systems if NX is enabled, and apparently it's not practical
to clear the flag.  Direct BIOS calls will result in a crash.  However
the driver already relies on a userland daemon to emulate most BIOS
calls on i386 and all of them on other architectures.  This switches
to using userland emulation for all calls when NX is enabled.

- USB: serial: fix race between probe and open

The race could lead to a crash or other badness.

- xhci: Don't write zeroed pointers to xHC registers.

Fixes memory corruption on some systems with a USB 3.0 controller.

- xHCI: Correct the #define XHCI_LEGACY_DISABLE_SMI

The USB 3.0 controller driver was not properly disabling handling of
the controller by the BIOS.  This could presumably result in
unreliable USB devices, memory corruption or other badness.

- crypto: sha512 - Fix byte counter overflow in SHA-512

Fixes possible miscalculation of SHA-512 for a stream longer than
2^64 bytes.
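To illustrate the counter arithmetic behind that fix, here is an added example (not the kernel's sha512 code) of the 128-bit byte counter SHA-512 carries as two 64-bit words: a correct carry, a deficient carry constructed for contrast that only fires when the low word lands exactly on zero, and the conversion of the byte count into the big-endian 128-bit bit length appended at finalisation.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration: SHA-512 tracks the message length as a 128-bit
 * count split into a low and a high 64-bit word. */
struct byte_count {
    uint64_t lo;
    uint64_t hi;
};

/* Correct carry: in unsigned arithmetic the low word wrapped if and only
 * if the new value is smaller than the amount just added. */
static void count_add(struct byte_count *c, uint64_t len)
{
    c->lo += len;
    if (c->lo < len)
        c->hi++;
}

/* Deficient carry, constructed for contrast: a wrap is noticed only when
 * the low word lands exactly on zero, so crossing 2^64 by any other
 * amount is missed and the final length field undercounts by 2^64. */
static void count_add_exact_wrap_only(struct byte_count *c, uint64_t len)
{
    c->lo += len;
    if (c->lo == 0)
        c->hi++;
}

/* Encode the 128-bit bit length (bytes * 8) big-endian, as it is placed
 * in the final padding block. The high word receives the top three bits
 * shifted out of the low word. */
static void count_to_bitlen_be(const struct byte_count *c, uint8_t out[16])
{
    uint64_t bits_hi = (c->hi << 3) | (c->lo >> 61);
    uint64_t bits_lo = c->lo << 3;
    for (int i = 0; i < 8; i++) {
        out[i]     = (uint8_t)(bits_hi >> (56 - 8 * i));
        out[8 + i] = (uint8_t)(bits_lo >> (56 - 8 * i));
    }
}

int main(void)
{
    /* Constructed input: a stream 10 bytes short of 2^64, then 20 more. */
    struct byte_count good = { UINT64_MAX - 10, 0 };
    struct byte_count bad  = { UINT64_MAX - 10, 0 };
    count_add(&good, 20);
    count_add_exact_wrap_only(&bad, 20);
    printf("correct:   hi=%llu lo=%llu\n",
           (unsigned long long)good.hi, (unsigned long long)good.lo);
    printf("deficient: hi=%llu lo=%llu\n",
           (unsigned long long)bad.hi, (unsigned long long)bad.lo);
    return 0;
}
```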

- PCI: Add quirk for still enabled interrupts on Intel Sandy Bridge GPUs

A common BIOS bug leaves interrupts enabled on an Intel GPU, which
will lead to its IRQ line being forcibly disabled by the kernel.  This
can later cause the i915 driver to crash.  This disables interrupts
cleanly during PCI setup and allows i915 to enable them later.

- phonet: Check input from user before allocating

The phonet protocol allocates a kernel buffer of whatever size the
user tries to send.  This can lead to DoS (specifically OOM).  Fixed
by immediately failing sends that exceed the maximum SDU size.

- netlink: fix races after skb queueing
- net: fix a race in sock_queue_err_skb()

Fix potential use-after-free cases; might be exploitable by a local user.

- atl1: fix kernel panic in case of DMA errors
- net/ethernet: ks8851_mll fix rx frame buffer overflow

Network drivers would blow up your computer.

- net_sched: gred: Fix oops in gred_dump() in WRED mode

Fix crash after certain reconfigurations of the 'gred' network
scheduler.

- ARM: 7410/1: Add extra clobber registers for assembly in kernel_execve

Fixes potential panic at boot, dependent on compiler version.
Presumably has no effect in squeeze.

- netem: fix possible skb leak

This is the 'network emulator', not something you'd use in production,
so probably not security relevant.

- ALSA: echoaudio: Remove incorrect part of assertion

Fixes initialisation of some devices supported by this driver,
including the 'Darla20'.

- NFSv4: Revalidate uid/gid after open

Fixes spurious EPERM errors (#659111).

- ext3: Fix error handling on inode bitmap corruption
- ext4: fix error handling on inode bitmap corruption

Fixes bug in handling of corrupt filesystems; presumably a security
vulnerability.

- xhci: Reset reserved command ring TRBs on cleanup.

Fixes bug in the USB 3.0 controller driver.  It did not reset software
state properly when resetting the hardware, and the controller could
become unusable after several suspend/resume cycles.

- SCSI: fix scsi_wait_scan

initramfs-tools uses the scsi_wait_scan module to wait for all SCSI
adapters to finish scanning their buses, before trying to mount the
real root device.  However, for some time this was not waiting at all!
Possibly serialisation of module loading has the desired effect so
long as all SCSI adapter drivers are modular.  I don't know.

- powerpc: Fix kernel panic during kernel module load
- powerpc/ftrace: Fix assembly trampoline register usage

On PowerPC the module loader must sometimes generate 'trampoline' code
for calls between the initialisation code and other code in a module.
A similar issue exists with the ftrace facility.  Their trampolines
used the wrong register as a temporary, which could result in a crash,
memory corruption or other badness.

- fuse: fix stat call on 32 bit platforms

FUSE always uses 64-bit inode numbers, and stat() may return 64-bit
inode numbers (depending on which architecture and syscall is used),
but the VFS caches inode numbers as native words.  Previously FUSE
would rely on the VFS cache, so inode numbers could be truncated on
32-bit systems.  This adds a private cache of the full inode number so
stat() returns a consistent value.

- udf: Improve table length check to avoid possible overflow

Fix a possible integer overflow which might allow the original fix
for CVE-2012-3400 to be defeated.

- stable: Allow merging of backports for serious user-visible performance issues

Documentation change to stable rules.

- eCryptfs: Properly check for O_RDONLY flag before doing privileged open

eCryptfs could unnecessarily retry opening a file when the lower
filesystem was mounted read-only.  It looks like this could be a
performance problem.  The fix is simple enough.

- USB: cdc-wdm: fix lockup on error in wdm_read

Fixes uninterruptible infinite loop in this USB communication driver,
used for many cellular modems.

- mm: Hold a file reference in madvise_remove

Fixes possible use-after-free when madvise() races with munmap()
with close().  Probably exploitable for at least local DoS.

- ntp: Fix STA_INS/DEL clearing bug

Fixes minor regression introduced by 'ntp: Fix leap-second hrtimer
livelock': a userland request to cancel a scheduled leap second
could be ignored.

- MIPS: Properly align the .data..init_task section.

Fixes a possible error in kernel memory layout that would lead to
crashes at boot time or later.

- powerpc: Add "memory" attribute for mfmsr()

Fixes potential mis-ordering of CPU reconfiguration when using gcc
4.6 or later.  This should have no effect in squeeze.

- SCSI: libsas: continue revalidation

The kernel sometimes needs to re-discover devices attached to a SAS
controller.  This fixes some cases where it would miss some devices,
presumably making them inaccessible.

- SCSI: libsas: fix sas_discover_devices return code handling

Fixes another bug which could lead to SAS devices not being
discovered.

- SCSI: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations)

A race condition in the SCSI core can result in deferred error
handling not being done for a controller.  In particular, hotplugging
a SATA device in a SAS port can trigger this and results in the device
not being usable.

- SCSI: Avoid dangling pointer in scsi_requeue_command()

Fixes potential crash after SCSI(-like) device removal.

- usbdevfs: Correct amount of data copied to user in processcompl_compat

Fixes inconsistency between native and compat (32-bit userland on
64-bit kernel) behaviour for userland USB drivers reading isochronous
packets.  This would presumably result in some such drivers failing in
this configuration.

- ACPI/AC: prevent OOPS on some boxes due to missing check power_supply_register() return value check

Fixes crash at boot on some x86 systems with a BIOS bug/quirk.

- Btrfs: call the ordered free operation without any locks held

Fixes potential deadlock when using this filesystem.

- nfsd4: our filesystems are normally case sensitive

The NFSv4 server used to report that its filesystems were case-
insensitive.  I assume this could result in some client unexpectedly
performing case-insensitive matching locally, resulting in data loss.
The Linux client does not check this flag.

- ext4: don't let i_reserved_meta_blocks go negative

Workaround for a bug in block accounting in this filesystem, that
previously caused it to be corrupted.  The underlying bug doesn't
appear to have been understood or fixed yet.

- sctp: Fix list corruption resulting from freeing an association on a list

Fixes bug in this network protocol that can lead to a crash or memory
corruption.  This is at least a local DoS.

- cipso: don't follow a NULL pointer when setsockopt() is called

Fixes locally-triggered null dereference which kills the calling task
but doesn't seem to do anything more.

- wanmain: comparing array with NULL

Removes a condition that is always false, which presumably provokes a
warning from some compilers.  Not that important but quite safe.

- USB: kaweth.c: use GFP_ATOMIC under spin_lock

Fixes potential deadlock when using this network driver.

- tcp: perform DMA to userspace only if there is a task waiting for it

Fixes possible userland hang in recvmsg() on systems which use a DMA
engine (e.g. Intel I/OAT) for this.

- net/tun: fix ioctl() based info leaks

Fixes leak of kernel stack contents to userland.

- USB: echi-dbgp: increase the controller wait time to come out of halt.

We don't include this driver in squeeze.

- ALSA: mpu401: Fix missing initialization of irq field

If this driver failed to probe a device, it would try to remove an IRQ
handler it had not installed.  This would result in a WARNING but
nothing worse.

- futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
- futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()

Fix locally-triggered null dereferences which kill the calling task
but don't seem to do anything more.

- futex: Fix bug in WARN_ON for NULL q.pi_state

Fix condition for a WARNING, which was previously always false.  It
appears that the warning would be shortly followed by a null
dereference anyway.

- pcdp: use early_ioremap/early_iounmap to access pcdp table

This is bogus and will be reverted.

- mm: mmu_notifier: fix freed page still mapped in secondary MMU

If a process's memory is mapped by 'secondary MMUs', e.g. shadow page
tables used by KVM, it must be removed from all those page tables
before being freed.  However, it was sometimes freed too early when a
process exited.  This might result in memory corruption, a crash, or
other badness and could be a security vulnerability for KVM hosts.

- fuse: verify all ioctl retry iov elements

FUSE servers may copy arbitrary memory from and to a process that
calls an ioctl, but the total length to be copied is limited as there
is an intermediate kernel buffer.  It specifies an iovec for which
summing of lengths may result in an integer overflow.  However, the
kernel would consistently use the same total length when range-
checking and copying, so this isn't a security vulnerability.  Neither
is it practically likely to cause data loss.  But the fix is obviously
correct, and the old code is obviously not.
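As an added example of the length-summing pattern this entry describes (my own code, not FUSE's), the function below adds up iov_len values against a fixed bound without letting the sum wrap, alongside the unchecked sum that silently wraps on a constructed iovec; the buffer bound is an assumed constant for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

/* Assumed bound for the example: the size of the intermediate kernel
 * buffer that limits how much an ioctl retry may copy. */
#define RETRY_BUF_MAX ((size_t)4096)

/* Sum iov_len with overflow detection. Returns false if the running sum
 * would wrap or exceed limit; on success stores the total in *total.
 * The invariant sum <= limit keeps "limit - sum" from underflowing. */
static bool iov_total_checked(const struct iovec *iov, size_t n,
                              size_t limit, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = iov[i].iov_len;
        if (len > limit - sum)
            return false;
        sum += len;
    }
    *total = sum;
    return true;
}

/* Unchecked variant: the sum wraps modulo SIZE_MAX + 1, so lengths that
 * add to slightly more than SIZE_MAX yield a small "total" that would
 * pass a later bound check even though each element is still huge. */
static size_t iov_total_unchecked(const struct iovec *iov, size_t n)
{
    size_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum += iov[i].iov_len;
    return sum;
}

/* Constructed inputs: a sane vector, and one engineered to wrap size_t. */
static const struct iovec sane_iov[] = {
    { NULL, 1024 }, { NULL, 2048 }, { NULL, 512 },
};
static const struct iovec wrapping_iov[] = {
    { NULL, SIZE_MAX - 100 }, { NULL, 200 },
};

int main(void)
{
    size_t total = 0;
    bool ok = iov_total_checked(sane_iov, 3, RETRY_BUF_MAX, &total);
    printf("sane: %s, total %zu\n", ok ? "accepted" : "rejected", total);
    ok = iov_total_checked(wrapping_iov, 2, RETRY_BUF_MAX, &total);
    printf("wrapping: checked %s, unchecked sum %zu\n",
           ok ? "accepted" : "rejected",
           iov_total_unchecked(wrapping_iov, 2));
    return 0;
}
```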

- xhci: Increase reset timeout for Renesas 720201 host.

Summary is pretty good.  The driver just won't work with this chip,
so this counts as hardware support.

- usb: serial: mos7840: Fixup mos7840_chars_in_buffer()

Fixes data loss (truncated writes) in this driver.

- ALSA: hda - fix Copyright debug message

Corrects reporting in procfs of the 'copyright' flag for a digital
input to this sound driver.  Could be considered data loss though this
flag has never been (and practically cannot be) reliable.

- vfs: missed source of ->f_pos races

Changes to the file position by readv() and writev() in a compat task
were non-atomic.  This could perhaps result in data loss, though it
doesn't seem very likely.  Anyway, it was inconsistent with native
behaviour.

- NFSv3: Ensure that do_proc_get_root() reports errors correctly

Fixes a missing error check in NFSv3 mounting.  This might have led to
data loss or other failures.

- NFS: Alias the nfs module to nfs4

This is intended to smooth upgrades to later kernel versions.
Currently the alias is defined in a modprobe configuration file, and
it should be removed from there so that nfs4 can be moved to a
separate module in later kernel versions (see #683972).

- svcrpc: fix svc_xprt_enqueue/svc_recv busy-looping

Fixes infinite loop in SunRPC services such as the NFS server.
This might be exploitable for denial-of-service by an NFS client.

- svcrpc: sends on closed socket should stop immediately

A SunRPC server such as the NFS server may fail to send a complete
response to a client for various reasons.  It must then close the
socket and let the client recover.  However, another server thread
might send successfully on the socket before it was closed.  This
would result in data corruption as the client treats it as the
remainder of the first response.

- cciss: fix incorrect scsi status reporting

Removes some incorrect though actually harmless (by my reading) code.

- USB: CDC ACM: Fix NULL pointer dereference

Fixes null dereference when probing a USB communication device with
invalid descriptors.

- Remove user-triggerable BUG from mpol_to_str

A task can easily trigger this in itself, and potentially other tasks
looking at /proc/$PID/numa_maps.

- udf: Fix data corruption for files in ICB

Fixes corruption of small files on this filesystem.

- ext3: Fix fdatasync() for files with only i_size changes

If a file on ext3 was truncated/extended without any new data being
written, fdatasync() did not force the size change to be written to
disk.  This is data corruption.

- PARISC: Redefine ATOMIC_INIT and ATOMIC64_INIT to drop the casts

This was not a release architecture for squeeze.

- dccp: check ccid before dereferencing

Fixes a user-triggerable null dereference in this network protocol.

- ia64: Add accept4() syscall

Add the accept4() function to the system call table.  This was already
implemented on all other release architectures and is required by udev
in wheezy (#647825, #648325).

- tcp: do_tcp_sendpages() must try to push data out on oom conditions

Fixes a potential TCP connection stall.

- tcp: drop SYN+FIN messages

Fixes a remote DoS vulnerability.

- xen: correctly check for pending events when restoring irq flags

Prevents unnecessary hypervisor calls under Xen which can be a major
performance problem.

- x86, amd, xen: Avoid NULL pointer paravirt references

Fixes crash at boot(?) as Xen dom0 on AMD 'Trinity' CPUs.

- x86, tls: Off by one limit check

Fixes potential out-of-bounds access to the kernel's TLS descriptors
for a 32-bit task.  So far as I can see, this is not a security
vulnerability - the only caller is the ELF core-dump code which always
passes valid parameters.

- sparc64: Eliminate obsolete __handle_softirq() function

Fixes potential use-after-free of RCU-protected structures used in
soft-IRQ context (e.g. most network receive processing).

- udf: fix retun value on error path in udf_load_logicalvol

The initial fix for CVE-2012-3400 did not actually abort mounting
when an invalid filesystem was detected.  An invalid filesystem
may therefore still result in a crash or other badness.

- mtd: cafe_nand: fix an & vs | mistake

This flash chip driver would wrongly report that the chip was
always ready to accept a command.  This presumably could result in
data loss.

- epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()
- epoll: ep_unregister_pollwait() can use the freed pwq->whead
- epoll: limit paths
- Don't limit non-nested epoll paths

Fixes local DoS (CVE-2011-1083).

- epoll: clear the tfile_check_list on -ELOOP

Fixes a flaw in the previous fix (CVE-2012-3375).

- random: Reorder struct entropy_store to remove padding on 64bits
- random: update interface comments to reflect reality
- random: simplify fips mode
- x86, cpu: Add CPU flags for F16C and RDRND
- x86, cpufeature: Update CPU feature RDRND to RDRAND
- random: Add support for architectural random hooks
- x86, random: Architectural inlines to get random integers with RDRAND
- x86, random: Verify RDRAND functionality and allow it to be disabled
- fix typo/thinko in get_random_bytes()
- random: Use arch_get_random_int instead of cycle counter if avail
- random: Use arch-specific RNG to initialize the entropy store
- random: Adjust the number of loops when initializing
- drivers/char/random.c: fix boot id uniqueness race
- random: make 'add_interrupt_randomness()' do something sane
- random: use lockless techniques in the interrupt path
- random: create add_device_randomness() interface
- random: use the arch-specific rng in xfer_secondary_pool
- random: add new get_random_bytes_arch() function
- random: mix in architectural randomness in extract_buf()
- MAINTAINERS: Theodore Ts'o is taking over the random driver
- usb: feed USB device information to the /dev/random driver
- net: feed /dev/random with the MAC address when registering a device
- random: remove rand_initialize_irq()
- random: Add comment to random_initialize()
- rtc: wm831x: Feed the write counter into device_add_randomness()
- mfd: wm831x: Feed the device UUID into device_add_randomness()
- dmi: Feed DMI table to /dev/random driver

Increase the availability of entropy for (pseudo-)random number
generation.  Lack of entropy is an important security problem,
particularly during installation when we may need to generate a random
key for an encrypted partition, or an SSH host key - but don't have
any entropy carried over from a previous boot.

Ben.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

