authorRobert Buchholz <rbu@gentoo.org>2008-06-10 20:01:23 +0000
committerRobert Buchholz <rbu@gentoo.org>2008-06-10 20:01:23 +0000
commit486142a0646b155a7771ae495cdb75011a72cc4b (patch)
tree42922c8a9c068b391c7b9ebc716ffd3473f6aedc
parentUpdate 2.6.18 Security patches to 2.6.18.dfsg.1-18etch3, thanks dannf. (diff)
Bumping 2.6.18 patchset to Debian 2.6.18.dfsg.1-18etch6
svn path=/patches/; revision=78
-rw-r--r--trunk/2.6.18/00000_README31
-rw-r--r--trunk/2.6.18/30066_fcntl_setlk-close-race.patch76
-rw-r--r--trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch26
-rw-r--r--trunk/2.6.18/30068_hrtimer-prevent-overrun.patch38
-rw-r--r--trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch29
-rw-r--r--trunk/2.6.18/30070_amd64-cs-corruption.patch12
-rw-r--r--trunk/2.6.18/30071_dccp-feature-length-check.patch15
-rw-r--r--trunk/2.6.18/30072_asn1-ber-decoding-checks.patch103
8 files changed, 330 insertions, 0 deletions
diff --git a/trunk/2.6.18/00000_README b/trunk/2.6.18/00000_README
index 576a93b..7ee89f7 100644
--- a/trunk/2.6.18/00000_README
+++ b/trunk/2.6.18/00000_README
@@ -299,5 +299,36 @@ Patches
[SECURITY] Fix a race in the directory notify
See CVE-2008-1375
+30066_fcntl_setlk-close-race.patch
+ [SECURITY] Fix an SMP race to prevent reordering of flock updates
+ and accesses to the descriptor table on close().
+ See CVE-2008-1669
+
+30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
+ [SECURITY] Fix remotely-triggerable memory leak in the Simple
+ Internet Transition (SIT) code used for IPv6 over IPv4 tunnels
+ See CVE-2008-2136
+
+30068_hrtimer-prevent-overrun.patch
+30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
+ [SECURITY] Fix potential infinite loop in hrtimer_forward on
+ 64-bit systems
+ See CVE-2007-6712
+
+30070_amd64-cs-corruption.patch
+ [SECURITY] Fix local ptrace denial of service for amd64 flavor
+ kernels, bug #480390
+ See CVE-2008-1615
+
+30071_dccp-feature-length-check.patch
+ [SECURITY] Validate feature length to avoid heap overflow
+ See CVE-2008-2358
+
+30072_asn1-ber-decoding-checks.patch
+ [SECURITY] Validate lengths in ASN.1 decoding code to avoid
+ heap overflow
+ See CVE-2008-1673
+
+
50009_gentooify-tls-warning.patch
Change tls warning instructions to apply directly to Gentoo.
diff --git a/trunk/2.6.18/30066_fcntl_setlk-close-race.patch b/trunk/2.6.18/30066_fcntl_setlk-close-race.patch
new file mode 100644
index 0000000..9292f22
--- /dev/null
+++ b/trunk/2.6.18/30066_fcntl_setlk-close-race.patch
@@ -0,0 +1,76 @@
+commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9
+Author: Al Viro <viro@zeniv.linux.org.uk>
+Date: Tue May 6 13:58:34 2008 -0400
+
+ [PATCH] fix SMP ordering hole in fcntl_setlk()
+
+ fcntl_setlk()/close() race prevention has a subtle hole - we need to
+ make sure that if we *do* have an fcntl/close race on SMP box, the
+ access to descriptor table and inode->i_flock won't get reordered.
+
+ As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
+ STORE descriptor table entry, LOAD inode->i_flock with not a single
+ lock in common on both sides. We do have BKL around the first STORE,
+ but check in locks_remove_posix() is outside of BKL and for a good
+ reason - we don't want BKL on common path of close(2).
+
+ Solution is to hold ->file_lock around fcheck() in there; that orders
+ us wrt removal from descriptor table that preceded locks_remove_posix()
+ on close path and we either come first (in which case eviction will be
+ handled by the close side) or we'll see the effect of close and do
+ eviction ourselves. Note that even though it's read-only access,
+ we do need ->file_lock here - rcu_read_lock() won't be enough to
+ order the things.
+
+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf@hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/locks.c linux-source-2.6.18/fs/locks.c
+--- linux-source-2.6.18.orig/fs/locks.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/locks.c 2008-05-06 17:02:29.000000000 -0600
+@@ -1680,6 +1680,7 @@ int fcntl_setlk(unsigned int fd, struct
+ struct file_lock *file_lock = locks_alloc_lock();
+ struct flock flock;
+ struct inode *inode;
++ struct file *f;
+ int error;
+
+ if (file_lock == NULL)
+@@ -1754,7 +1755,15 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++ /*
++ * we need that spin_lock here - it prevents reordering between
++ * update of inode->i_flock and check for it done in close().
++ * rcu_read_lock() wouldn't do.
++ */
++ spin_lock(&current->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(&current->files->file_lock);
++ if (!error && f != filp && flock.l_type != F_UNLCK) {
+ flock.l_type = F_UNLCK;
+ goto again;
+ }
+@@ -1823,6 +1832,7 @@ int fcntl_setlk64(unsigned int fd, struc
+ struct file_lock *file_lock = locks_alloc_lock();
+ struct flock64 flock;
+ struct inode *inode;
++ struct file *f;
+ int error;
+
+ if (file_lock == NULL)
+@@ -1897,7 +1907,10 @@ again:
+ * Attempt to detect a close/fcntl race and recover by
+ * releasing the lock that was just acquired.
+ */
+- if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++ spin_lock(&current->files->file_lock);
++ f = fcheck(fd);
++ spin_unlock(&current->files->file_lock);
++ if (!error && f != filp && flock.l_type != F_UNLCK) {
+ flock.l_type = F_UNLCK;
+ goto again;
+ }
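Review bot: The fcntl_setlk64 hunk repeats the locked `fcheck()` sequence without the comment that the fcntl_setlk hunk carries, so a reader of the 64-bit path is left without the reason that `->file_lock` rather than `rcu_read_lock()` is required; copy the four-line comment into the second hunk, or note there `/* see fcntl_setlk(): file_lock orders us against removal from the descriptor table on close() */`. In both hunks the locked lookup runs before `!error` is tested, so the spin lock is taken even when no lock was acquired; harmless, but `if (!error) { spin_lock(&current->files->file_lock); f = fcheck(fd); spin_unlock(&current->files->file_lock); }` would keep the race check on the success path only. Both enclosing functions start and end outside the hunk.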
diff --git a/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch b/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
new file mode 100644
index 0000000..cffb4b1
--- /dev/null
+++ b/trunk/2.6.18/30067_sit-missing-kfree_skb-on-pskb_may_pull.patch
@@ -0,0 +1,26 @@
+commit 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02
+Author: David S. Miller <davem@davemloft.net>
+Date: Thu May 8 23:40:26 2008 -0700
+
+ sit: Add missing kfree_skb() on pskb_may_pull() failure.
+
+ Noticed by Paul Marks <paul@pmarks.net>.
+
+ Signed-off-by: David S. Miller <davem@davemloft.net>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.24.orig/net/ipv6/sit.c linux-source-2.6.24/net/ipv6/sit.c
+--- linux-source-2.6.24.orig/net/ipv6/sit.c 2008-01-24 15:58:37.000000000 -0700
++++ linux-source-2.6.24/net/ipv6/sit.c 2008-05-21 00:00:08.000000000 -0600
+@@ -395,9 +395,9 @@ static int ipip6_rcv(struct sk_buff *skb
+ }
+
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+- kfree_skb(skb);
+ read_unlock(&ipip6_lock);
+ out:
++ kfree_skb(skb);
+ return 0;
+ }
+
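Review bot: Moving `kfree_skb(skb)` under the `out:` label makes every path that jumps there free the skb, so any `goto out` taken after the skb has already been handed on would now be a double free; the early exits of ipip6_rcv, including the pskb_may_pull() failure the commit title names, are outside the hunk, so confirm that each of them still owns the skb when it reaches the label. A comment at the label, `/* out: every path landing here still owns skb */`, would record that invariant for later backports. ipip6_rcv starts before the hunk.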
diff --git a/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch b/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch
new file mode 100644
index 0000000..d8c622e
--- /dev/null
+++ b/trunk/2.6.18/30068_hrtimer-prevent-overrun.patch
@@ -0,0 +1,38 @@
+commit 13788ccc41ceea5893f9c747c59bc0b28f2416c2
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 16 13:38:20 2007 -0800
+
+ [PATCH] hrtimer: prevent overrun DoS in hrtimer_forward()
+
+ hrtimer_forward() does not check for the possible overflow of
+ timer->expires. This can happen on 64 bit machines with large interval
+ values and results currently in an endless loop in the softirq because the
+ expiry value becomes negative and therefor the timer is expired all the
+ time.
+
+ Check for this condition and set the expiry value to the max. expiry time
+ in the future. The fix should be applied to stable kernel series as well.
+
+ Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+ Acked-by: Ingo Molnar <mingo@elte.hu>
+ Cc: <stable@kernel.org>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/kernel/hrtimer.c b/kernel/hrtimer.c
+index ec4cb9f..5e7122d 100644
+--- a/kernel/hrtimer.c
++++ b/kernel/hrtimer.c
+@@ -644,6 +644,12 @@ hrtimer_forward(struct hrtimer *timer, ktime_t now, ktime_t interval)
+ orun++;
+ }
+ timer->expires = ktime_add(timer->expires, interval);
++ /*
++ * Make sure, that the result did not wrap with a very large
++ * interval.
++ */
++ if (timer->expires.tv64 < 0)
++ timer->expires = ktime_set(KTIME_SEC_MAX, 0);
+
+ return orun;
+ }
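Review bot: The new guard detects the wrap only after `ktime_add()` has already overflowed a signed 64-bit value, so it depends on the compiler preserving two's-complement wrap for s64 arithmetic, which ISO C leaves undefined unless the build passes -fwrapv or -fno-strict-overflow; testing before the addition, `if (interval.tv64 > KTIME_MAX - timer->expires.tv64) timer->expires = ktime_set(KTIME_SEC_MAX, 0); else timer->expires = ktime_add(timer->expires, interval);`, avoids the overflow altogether (assuming expires.tv64 is non-negative on entry, which the hunk does not show). On 32-bit the clamp `ktime_set(KTIME_SEC_MAX, 0)` is only correct together with the companion 30069 patch that redefines KTIME_SEC_MAX as LONG_MAX; a comment naming that dependency here would keep the two from being split apart in a future rebase. hrtimer_forward starts outside the hunk.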
diff --git a/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch b/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
new file mode 100644
index 0000000..6bd6bd1
--- /dev/null
+++ b/trunk/2.6.18/30069_ktime-fix-MTIME_SEC_MAX-on-32-bit.patch
@@ -0,0 +1,29 @@
+commit 5379058b718ac6354ba99cc74d10c28d632dc28a
+Author: Thomas Gleixner <tglx@linutronix.de>
+Date: Fri Mar 16 14:15:57 2007 -0800
+
+ [PATCH] fix MTIME_SEC_MAX on 32-bit
+
+ The maximum seconds value we can handle on 32bit is LONG_MAX.
+
+ Cc: Ingo Molnar <mingo@elte.hu>
+ Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+diff --git a/include/linux/ktime.h b/include/linux/ktime.h
+index c68c7ac..248305b 100644
+--- a/include/linux/ktime.h
++++ b/include/linux/ktime.h
+@@ -57,7 +57,11 @@ typedef union {
+ } ktime_t;
+
+ #define KTIME_MAX ((s64)~((u64)1 << 63))
+-#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#if (BITS_PER_LONG == 64)
++# define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)
++#else
++# define KTIME_SEC_MAX LONG_MAX
++#endif
+
+ /*
+ * ktime_t definitions when using the 64-bit scalar representation:
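Review bot: `#if (BITS_PER_LONG == 64)` silently selects the 32-bit branch when BITS_PER_LONG is not yet defined at this point, because an undefined identifier evaluates to 0 in a preprocessor condition; the header's includes are outside the hunk, so confirm that BITS_PER_LONG and LONG_MAX (used in the new `#else` branch) are visible here, or add `#ifndef BITS_PER_LONG` / `#error "BITS_PER_LONG required"` ahead of the test. A one-line comment stating why LONG_MAX is the bound, as the commit message does (`/* 32-bit: the seconds field is a long, KTIME_MAX / NSEC_PER_SEC does not fit */`), would make the split self-explanatory.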
diff --git a/trunk/2.6.18/30070_amd64-cs-corruption.patch b/trunk/2.6.18/30070_amd64-cs-corruption.patch
new file mode 100644
index 0000000..da24cd3
--- /dev/null
+++ b/trunk/2.6.18/30070_amd64-cs-corruption.patch
@@ -0,0 +1,12 @@
+diff -urpN linux-source-2.6.18.orig/arch/x86_64/kernel/entry.S linux-source-2.6.18/arch/x86_64/kernel/entry.S
+--- linux-source-2.6.18.orig/arch/x86_64/kernel/entry.S 2008-04-23 21:53:06.000000000 -0600
++++ linux-source-2.6.18/arch/x86_64/kernel/entry.S 2008-05-08 17:19:58.000000000 -0600
+@@ -776,7 +776,7 @@ paranoid_swapgs\trace:
+ swapgs
+ paranoid_restore\trace:
+ RESTORE_ALL 8
+- iretq
++ jmp iret_label
+ paranoid_userspace\trace:
+ GET_THREAD_INFO(%rcx)
+ movl threadinfo_flags(%rcx),%ebx
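Review bot: This patch file carries no header at all, unlike the other six in the commit, so neither the upstream origin nor the reason for replacing `iretq` with `jmp iret_label` is recorded anywhere except the one-line README entry (CVE-2008-1615, bug #480390); add a short description block above the `diff -urpN` line naming the source of the backport and the problem it fixes. Presumably iret_label is the iret that carries an exception-table fixup, so a faulting `iretq` on the paranoid return path is recovered instead of crashing the kernel, but the target label is outside the hunk and the header should say so. The enclosing entry.S macro body starts and ends outside the hunk.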
diff --git a/trunk/2.6.18/30071_dccp-feature-length-check.patch b/trunk/2.6.18/30071_dccp-feature-length-check.patch
new file mode 100644
index 0000000..9ceb18c
--- /dev/null
+++ b/trunk/2.6.18/30071_dccp-feature-length-check.patch
@@ -0,0 +1,15 @@
+diff -urpN linux-source-2.6.18.orig/net/dccp/feat.c linux-source-2.6.18/net/dccp/feat.c
+--- linux-source-2.6.18.orig/net/dccp/feat.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/dccp/feat.c 2008-06-05 19:57:08.000000000 -0600
+@@ -25,6 +25,11 @@ int dccp_feat_change(struct dccp_minisoc
+
+ dccp_pr_debug("feat change type=%d feat=%d\n", type, feature);
+
++ if (len > 3) {
++ if (net_ratelimit())
++ printk("%s: invalid length %d\n", __func__, len);
++ return -EINVAL;
++ }
+ /* XXX sanity check feat change request */
+
+ /* check if that feature is already being negotiated */
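Review bot: The new rejection path calls `printk("%s: invalid length %d\n", __func__, len)` without a KERN_* level; for a rate-limited diagnostic triggered by remote input the usual form is `printk(KERN_WARNING "%s: invalid length %d\n", __func__, len);`. The bound `3` is a magic number with no comment saying what it limits, and the `%d` format suggests len is signed, in which case a negative len also passes `len > 3`; the parameter's type and later use are outside the hunk, so confirm and consider `if (len < 0 || len > 3)` or an unsigned parameter. The new block sits just above the existing `/* XXX sanity check feat change request */` marker, which now partly describes the check that was added and could be updated.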
diff --git a/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch b/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch
new file mode 100644
index 0000000..2b512fe
--- /dev/null
+++ b/trunk/2.6.18/30072_asn1-ber-decoding-checks.patch
@@ -0,0 +1,103 @@
+From: Chris Wright <chrisw@sous-sol.org>
+Date: Wed, 4 Jun 2008 16:16:33 +0000 (-0700)
+Subject: asn1: additional sanity checking during BER decoding
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=ddb2c43594f22843e9f3153da151deaba1a834c5
+
+asn1: additional sanity checking during BER decoding
+
+- Don't trust a length which is greater than the working buffer.
+ An invalid length could cause overflow when calculating buffer size
+ for decoding oid.
+
+- An oid length of zero is invalid and allows for an off-by-one error when
+ decoding oid because the first subid actually encodes first 2 subids.
+
+- A primitive encoding may not have an indefinite length.
+
+Thanks to Wei Wang from McAfee for report.
+
+Cc: Steven French <sfrench@us.ibm.com>
+Cc: stable@kernel.org
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf@debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/cifs/asn1.c linux-source-2.6.18/fs/cifs/asn1.c
+--- linux-source-2.6.18.orig/fs/cifs/asn1.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/cifs/asn1.c 2008-06-05 21:52:32.000000000 -0600
+@@ -182,6 +182,11 @@ asn1_length_decode(struct asn1_ctx *ctx,
+ }
+ }
+ }
++
++ /* don't trust len bigger than ctx buffer */
++ if (*len > ctx->end - ctx->pointer)
++ return 0;
++
+ return 1;
+ }
+
+@@ -199,6 +204,10 @@ asn1_header_decode(struct asn1_ctx *ctx,
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
++ /* primitive shall be definite, indefinite shall be constructed */
++ if (*con == ASN1_PRI && !def)
++ return 0;
++
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+@@ -385,6 +394,11 @@ asn1_oid_decode(struct asn1_ctx *ctx,
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
++
++ /* first subid actually encodes first two subids */
++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++ return 0;
++
+ *oid = kmalloc(size * sizeof (unsigned long), GFP_ATOMIC);
+ if (*oid == NULL) {
+ return 0;
+diff -urpN linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c
+--- linux-source-2.6.18.orig/net/ipv4/netfilter/ip_nat_snmp_basic.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/net/ipv4/netfilter/ip_nat_snmp_basic.c 2008-06-05 21:53:29.000000000 -0600
+@@ -235,6 +235,11 @@ static unsigned char asn1_length_decode(
+ }
+ }
+ }
++
++ /* don't trust len bigger than ctx buffer */
++ if (*len > ctx->end - ctx->pointer)
++ return 0;
++
+ return 1;
+ }
+
+@@ -253,6 +258,10 @@ static unsigned char asn1_header_decode(
+ if (!asn1_length_decode(ctx, &def, &len))
+ return 0;
+
++ /* primitive shall be definite, indefinite shall be constructed */
++ if (*con == ASN1_PRI && !def)
++ return 0;
++
+ if (def)
+ *eoc = ctx->pointer + len;
+ else
+@@ -437,6 +446,11 @@ static unsigned char asn1_oid_decode(str
+ unsigned long *optr;
+
+ size = eoc - ctx->pointer + 1;
++
++ /* first subid actually encodes first two subids */
++ if (size < 2 || size > ULONG_MAX/sizeof(unsigned long))
++ return 0;
++
+ *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC);
+ if (*oid == NULL) {
+ if (net_ratelimit())
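Review bot: `if (*len > ctx->end - ctx->pointer)` compares the decoded length with a pointer difference; if `*len` is an unsigned int and ptrdiff_t is 32-bit (i386), the usual arithmetic conversions turn a negative difference (pointer already past end) into a large unsigned value and the check passes, so the declarations of len and struct asn1_ctx, which are outside the hunk, should be confirmed, and `if (ctx->pointer > ctx->end || *len > (unsigned long)(ctx->end - ctx->pointer)) return 0;` would be safe on both widths. The same three checks are duplicated in fs/cifs/asn1.c and net/ipv4/netfilter/ip_nat_snmp_basic.c; a comment in each copy naming its twin (`/* keep in sync with the copy in ip_nat_snmp_basic.c */`) would help later backports land in both places. Each enclosing function starts outside its hunk.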