Package: src:linux-2.6
Version: 2.6.32-46
Severity: important

- udf: Avoid run away loop when partition table length is corrupted
- udf: Fortify loading of sparing table
- locks: fix checking of fcntl_setlease argument
- tcp: Don't change unlocked socket state in tcp_v4_err().
- cred: copy_process() should clear child->replacement_session_keyring
- hfsplus: Fix potential buffer overflows
- dl2k: Clean up rio_ioctl
- dl2k: use standard #defines from mii.h.
- net: sock: validate data_len before allocating skb in sock_alloc_send_pskb()
- ntp: Fix leap-second hrtimer livelock
- ntp: Correct TAI offset during leap second
- timekeeping: Fix CLOCK_MONOTONIC inconsistency during leapsecond
- time: Move common updates to a function
- hrtimer: Provide clock_was_set_delayed()
- timekeeping: Fix leapsecond triggered load spike issue
- timekeeping: Maintain ktime_t based offsets for hrtimers
- hrtimers: Move lock held region in hrtimer_interrupt()
- timekeeping: Provide hrtimer update function
- hrtimer: Update hrtimer base offsets each hrtimer_interrupt
- timekeeping: Add missing update call in timekeeping_resume()
- usb: Fix deadlock in hid_reset when Dell iDRAC is reset
- jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
- security: fix compile error in commoncap.c
- fcaps: clear the same personality flags as suid when fcaps are used
- hugepages: fix use after free bug in "quota" handling
- KVM: Ensure all vcpus are consistent with in-kernel irqchip settings
- KVM: x86: disallow multiple KVM_CREATE_IRQCHIP
- block: Fix io_context leak after failure of clone with CLONE_IO
- block: Fix io_context leak after clone with CLONE_IO
- fix pgd_lock deadlock
- KVM: x86: fix missing checks in syscall emulation
- KVM: x86: extend "struct x86_emulate_ops" with "get_cpuid"
- KVM: Device assignment permission checks
- KVM: Remove ability to assign a device without iommu support
- rose: Add length checks to CALL_REQUEST parsing
- KVM: x86: Prevent starting PIT timers in the absence of irqchip support
- xfs: Fix possible memory corruption in xfs_readlink
We already applied these.

- netxen: support for GbE port settings

  Fixes support for some Ethernet modes in this network driver (#638921).

- Fix sparc build with newer tools.

  Does not affect squeeze as it's specific to 32-bit SPARC.

- powerpc/pmac: Fix SMP kernels on pre-core99 UP machines

  Fixes boot crash for 32-bit PowerPC SMP kernel on some UP systems. We build separate UP and SMP kernels so this isn't really important, but the fix is quite obviously correct.

- Bluetooth: btusb: fix bInterval for high/super speed isochronous endpoints

  Fixes miscalculation of the data transfer interval for high/super speed (i.e. 480 Mbit/s or 4.8 Gbit/s transfer rate) USB-attached Bluetooth adapters. I assume these used to be mostly full-speed (12 Mbit/s), and this falls under new hardware support.

- futex: Fix uninterruptible loop due to gate_area

  Fixes user-triggerable DoS.

- time: Improve sanity checking of timekeeping inputs
- time: Move ktime_t overflow checking into timespec_valid_strict

  Improve validation of hardware/user-provided times to avoid overflow in subsequent calculations. This is intended to improve security and stability, but I don't know what specific problems are fixed.

- time: Avoid making adjustments if we haven't accumulated anything

  Removes unnecessary recalculation of real time (wall-clock time) which results in inconsistencies of the different clocks.

- ioat2: kill pending flag

  Fixes a major performance problem with this DMA engine driver.

- drm/i915: Attempt to fix watermark setup on 85x (v2)

  Fixes a hardware support regression in 2.6.32 (#661696). However we'll need to apply this separately since we updated DRM to 2.6.33.y.

- eCryptfs: Copy up lower inode attrs after setting lower xattr

  Newly added extended attributes were not being properly cached by eCryptfs. This could result in the kernel applying incorrect security restrictions on such filesystems.
- eCryptfs: Clear ECRYPTFS_NEW_FILE flag during truncate

  Fixes data corruption on eCryptfs filesystems.

- oprofile: use KM_NMI slot for kmap_atomic

  Fixes potential crash while using oprofile on systems with highmem.

- tty_audit: fix tty_audit_add_data live lock on audit disabled

  If auditing is enabled for a tty and then globally disabled, a racing read from that tty can enter an uninterruptible infinite loop.

- bonding: 802.3ad - fix agg_device_up

  The bonding driver would in some cases check the link status of the wrong slave device when deciding whether it needed to failover to another slave. I assume this could result in loss of network connectivity.

- usbnet: increase URB reference count before usb_unlink_urb
- usbnet: don't clear urb->dev in tx_complete

  Fix possible memory corruption, crash or other badness when using USB network interfaces.

- sched: Fix signed unsigned comparison in check_preempt_tick()

  Fix a bug in the scheduler: it will spuriously decide that it's time to reschedule from the current task, and ends up scheduling it again for a longer period. This reduces responsiveness of the system.

- x86/PCI: amd: factor out MMCONFIG discovery
- PNP: fix "work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB"

  Completes a bug fix that was supposed to be in 2.6.32.55. On the mentioned Dell systems, there is a reserved region of memory not described by the firmware. We avoid mapping any PCI devices there as they won't be accessible.

- KVM: ia64: fix build due to typo

  This has no effect in squeeze since we don't enable KVM on ia64.

- xfs: Fix missing xfs_iunlock() on error recovery path in xfs_readlink()

  The fix for CVE-2011-4077 replaced a buffer overflow vulnerability with a DoS; this fixes that.

- x86: Derandom delay_tsc for 64 bit

  Fixes implementation of short delays for amd64, which would sometimes be much shorter than intended. These short delays are typically needed when sequencing hardware access, and a too-short delay may result in various kinds of failure depending on the hardware device, but certainly including data corruption, hanging or crashing.

- ipsec: be careful of non existing mac headers

  Fixes crash when using IPsec over an ATM device (e.g. plug-in DSL modem).

- block, sx8: fix pointer math issue getting fw version

  This SATA driver calculates the wrong address for firmware version information during its initialisation. The most likely result is getting incorrect information about the controller's capabilities, but it could also crash the system.

- nilfs2: fix NULL pointer dereference in nilfs_load_super_block()

  Fixes crash when mounting a corrupted filesystem of this type.

- USB: ftdi_sio: fix problem when the manufacture is a NULL string

  Fixes crash when inserting some USB serial adapters.

- ntp: Fix integer overflow when setting time

  This is really an integer truncation which can result in division by zero on 64-bit systems. The backported version does not prevent truncation but does avoid the division by zero. This might be a DoS vulnerability, though I suspect it's not a real problem.

- SUNRPC: We must not use list_for_each_entry_safe() in rpc_wake_up()

  Fixes case where SunRPC users (NFS client or server) can hang.

- ext4: check for zero length extent

  Fixes crash when reading a corrupted filesystem of this type.

- xfs: Fix oops on IO error during xlog_recover_process_iunlinks()

  An I/O failure should leave the filesystem read-only but otherwise usable, but during deletion it could result in a crash.

- nfsd: don't allow zero length strings in cache_parse()

  The kernel NFS server may request various information from userland daemons; an empty string is never a valid response and may result in a crash. This adds a check for that.
- sched/x86: Fix overflow in cyc2ns_offset

  Fixes bug in TSC (timestamp counter) initialisation which could lead to incorrect timekeeping after using kexec.

- Bluetooth: add NULL pointer check in HCI
- Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close

  Fix potential crashes when shutting down a UART Bluetooth adapter.

- sparc64: Fix bootup crash on sun4v.

  The DS driver used on sun4v (T-series CPUs) could crash in initialisation.

- video:uvesafb: Fix oops that uvesafb try to execute NX-protected page

  The VESA BIOS code typically ends up mapped with the NX (no-execute) flag set on systems if NX is enabled, and apparently it's not practical to clear the flag. Direct BIOS calls will result in a crash. However the driver already relies on a userland daemon to emulate most BIOS calls on i386 and all of them on other architectures. This switches to using userland emulation for all calls when NX is enabled.

- USB: serial: fix race between probe and open

  The race could lead to a crash or other badness.

- xhci: Don't write zeroed pointers to xHC registers.

  Fixes memory corruption on some systems with a USB 3.0 controller.

- xHCI: Correct the #define XHCI_LEGACY_DISABLE_SMI

  The USB 3.0 controller driver was not properly disabling handling of the controller by the BIOS. This could presumably result in unreliable USB devices, memory corruption or other badness.

- crypto: sha512 - Fix byte counter overflow in SHA-512

  Fixes possible miscalculation of SHA-512 for a stream longer than 2^64 bytes.

- PCI: Add quirk for still enabled interrupts on Intel Sandy Bridge GPUs

  A common BIOS bug leaves interrupts enabled on an Intel GPU, which will lead to its IRQ line being forcibly disabled by the kernel. This can later cause the i915 driver to crash. This disables interrupts cleanly during PCI setup and allows i915 to enable them later.

- phonet: Check input from user before allocating

  The phonet protocol allocates a kernel buffer of whatever size the user tries to send. This can lead to DoS (specifically OOM). Fixed by immediately failing sends that exceed the maximum SDU size.

- netlink: fix races after skb queueing
- net: fix a race in sock_queue_err_skb()

  Fix potential use-after-free cases; might be exploitable by a local user.

- atl1: fix kernel panic in case of DMA errors
- net/ethernet: ks8851_mll fix rx frame buffer overflow

  Network drivers would blow up your computer.

- net_sched: gred: Fix oops in gred_dump() in WRED mode

  Fix crash after certain reconfigurations of the 'gred' network scheduler.

- ARM: 7410/1: Add extra clobber registers for assembly in kernel_execve

  Fixes potential panic at boot, dependent on compiler version. Presumably has no effect in squeeze.

- netem: fix possible skb leak

  This is the 'network emulator', not something you'd use in production, so probably not security relevant.

- ALSA: echoaudio: Remove incorrect part of assertion

  Fixes initialisation of some devices supported by this driver, including the 'Darla20'.

- NFSv4: Revalidate uid/gid after open

  Fixes spurious EPERM errors (#659111).

- ext3: Fix error handling on inode bitmap corruption
- ext4: fix error handling on inode bitmap corruption

  Fixes bug in handling of corrupt filesystems; presumably a security vulnerability.

- xhci: Reset reserved command ring TRBs on cleanup.

  Fixes bug in the USB 3.0 controller driver. It did not reset software state properly when resetting the hardware, and the controller could become unusable after several suspend/resume cycles.

- SCSI: fix scsi_wait_scan

  initramfs-tools uses the scsi_wait_scan module to wait for all SCSI adapters to finish scanning their buses, before trying to mount the real root device. However, for some time this was not waiting at all! Possibly serialisation of module loading has the desired effect so long as all SCSI adapter drivers are modular. I don't know.
- powerpc: Fix kernel panic during kernel module load
- powerpc/ftrace: Fix assembly trampoline register usage

  On PowerPC the module loader must sometimes generate 'trampoline' code for calls between the initialisation code and other code in a module. A similar issue exists with the ftrace facility. Their trampolines used the wrong register as a temporary, which could result in a crash, memory corruption or other badness.

- fuse: fix stat call on 32 bit platforms

  FUSE always uses 64-bit inode numbers, and stat() may return 64-bit inode numbers (depending on which architecture and syscall is used), but the VFS caches inode numbers as native words. Previously FUSE would rely on the VFS cache, so inode numbers could be truncated on 32-bit systems. This adds a private cache of the full inode number so stat() returns a consistent value.

- udf: Improve table length check to avoid possible overflow

  Fix a possible integer overflow which might allow the original fix for CVE-2012-3400 to be defeated.

- stable: Allow merging of backports for serious user-visible performance issues

  Documentation change to stable rules.

- eCryptfs: Properly check for O_RDONLY flag before doing privileged open

  eCryptfs could unnecessarily retry opening a file when the lower filesystem was mounted read-only. It looks like this could be a performance problem. The fix is simple enough.

- USB: cdc-wdm: fix lockup on error in wdm_read

  Fixes uninterruptible infinite loop in this USB communication driver, used for many cellular modems.

- mm: Hold a file reference in madvise_remove

  Fixes possible use-after-free when madvise() races with munmap() with close(). Probably exploitable for at least local DoS.

- ntp: Fix STA_INS/DEL clearing bug

  Fixes minor regression introduced by 'ntp: Fix leap-second hrtimer livelock': a userland request to cancel a scheduled leap second could be ignored.

- MIPS: Properly align the .data..init_task section.

  Fixes a possible error in kernel memory layout that would lead to crashes at boot time or later.

- powerpc: Add "memory" attribute for mfmsr()

  Fixes potential mis-ordering of CPU reconfiguration when using gcc 4.6 or later. This should have no effect in squeeze.

- SCSI: libsas: continue revalidation

  The kernel sometimes needs to re-discover devices attached to a SAS controller. This fixes some cases where it would miss some devices, presumably making them inaccessible.

- SCSI: libsas: fix sas_discover_devices return code handling

  Fixes another bug which could lead to SAS devices not being discovered.

- SCSI: fix eh wakeup (scsi_schedule_eh vs scsi_restart_operations)

  A race condition in the SCSI core can result in deferred error handling not being done for a controller. In particular, hotplugging a SATA device in a SAS port can trigger this and results in the device not being usable.

- SCSI: Avoid dangling pointer in scsi_requeue_command()

  Fixes potential crash after SCSI(-like) device removal.

- usbdevfs: Correct amount of data copied to user in processcompl_compat

  Fixes inconsistency between native and compat (32-bit userland on 64-bit kernel) behaviour for userland USB drivers reading isochronous packets. This would presumably result in some such drivers failing in this configuration.

- ACPI/AC: prevent OOPS on some boxes due to missing check power_supply_register() return value check

  Fixes crash at boot on some x86 systems with a BIOS bug/quirk.

- Btrfs: call the ordered free operation without any locks held

  Fixes potential deadlock when using this filesystem.

- nfsd4: our filesystems are normally case sensitive

  The NFSv4 server used to report that its filesystems were case-insensitive. I assume this could result in some client unexpectedly performing case-insensitive matching locally, resulting in data loss. The Linux client does not check this flag.
- ext4: don't let i_reserved_meta_blocks go negative

  Workaround for a bug in block accounting in this filesystem, that previously caused it to be corrupted. The underlying bug doesn't appear to have been understood or fixed yet.

- sctp: Fix list corruption resulting from freeing an association on a list

  Fixes bug in this network protocol that can lead to a crash or memory corruption. This is at least a local DoS.

- cipso: don't follow a NULL pointer when setsockopt() is called

  Fixes locally-triggered null dereference which kills the calling task but doesn't seem to do anything more.

- wanmain: comparing array with NULL

  Removes a condition that is always false, which presumably provokes a warning from some compilers. Not that important but quite safe.

- USB: kaweth.c: use GFP_ATOMIC under spin_lock

  Fixes potential deadlock when using this network driver.

- tcp: perform DMA to userspace only if there is a task waiting for it

  Fixes possible userland hang in recvmsg() on systems which use a DMA engine (e.g. Intel I/OAT) for this.

- net/tun: fix ioctl() based info leaks

  Fixes leak of kernel stack contents to userland.

- USB: echi-dbgp: increase the controller wait time to come out of halt.

  We don't include this driver in squeeze.

- ALSA: mpu401: Fix missing initialization of irq field

  If this driver failed to probe a device, it would try to remove an IRQ handler it had not installed. This would result in a WARNING but nothing worse.

- futex: Test for pi_mutex on fault in futex_wait_requeue_pi()
- futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()

  Fix locally-triggered null dereferences which kill the calling task but don't seem to do anything more.

- futex: Fix bug in WARN_ON for NULL q.pi_state

  Fix condition for a WARNING, which was previously always false. It appears that the warning would be shortly followed by a null dereference anyway.

- pcdp: use early_ioremap/early_iounmap to access pcdp table

  This is bogus and will be reverted.
- mm: mmu_notifier: fix freed page still mapped in secondary MMU

  If a process's memory is mapped by 'secondary MMUs', e.g. shadow page tables used by KVM, it must be removed from all those page tables before being freed. However, it was sometimes freed too early when a process exited. This might result in memory corruption, a crash, or other badness and could be a security vulnerability for KVM hosts.

- fuse: verify all ioctl retry iov elements

  FUSE servers may copy arbitrary memory from and to a process that calls an ioctl, but the total length to be copied is limited as there is an intermediate kernel buffer. It specifies an iovec for which summing of lengths may result in an integer overflow. However, the kernel would consistently use the same total length when range-checking and copying, so this isn't a security vulnerability. Neither is it practically likely to cause data loss. But the fix is obviously correct, and the old code is obviously not.

- xhci: Increase reset timeout for Renesas 720201 host.

  Summary is pretty good. The driver just won't work with this chip, so this counts as hardware support.

- usb: serial: mos7840: Fixup mos7840_chars_in_buffer()

  Fixes data loss (truncated writes) in this driver.

- ALSA: hda - fix Copyright debug message

  Corrects reporting in procfs of the 'copyright' flag for a digital input to this sound driver. Could be considered data loss though this flag has never been (and practically cannot be) reliable.

- vfs: missed source of ->f_pos races

  Changes to the file position by readv() and writev() in a compat task were non-atomic. This could perhaps result in data loss, though it doesn't seem very likely. Anyway, it was inconsistent with native behaviour.

- NFSv3: Ensure that do_proc_get_root() reports errors correctly

  Fixes a missing error check in NFSv3 mounting. This might have led to data loss or other failures.

- NFS: Alias the nfs module to nfs4

  This is intended to smooth upgrades to later kernel versions. Currently the alias is defined in a modprobe configuration file, and it should be removed from there so that nfs4 can be moved to a separate module in later kernel versions (see #683972).

- svcrpc: fix svc_xprt_enqueue/svc_recv busy-looping

  Fixes infinite loop in SunRPC services such as the NFS server. This might be exploitable for denial-of-service by an NFS client.

- svcrpc: sends on closed socket should stop immediately

  A SunRPC server such as the NFS server may fail to send a complete response to a client for various reasons. It must then close the socket and let the client recover. However, another server thread might send successfully on the socket before it was closed. This would result in data corruption as the client treats it as the remainder of the first response.

- cciss: fix incorrect scsi status reporting

  Removes some incorrect though actually harmless (by my reading) code.

- USB: CDC ACM: Fix NULL pointer dereference

  Fixes null dereference when probing a USB communication device with invalid descriptors.

- Remove user-triggerable BUG from mpol_to_str

  A task can easily trigger this in itself, and potentially other tasks looking at /proc/$PID/numa_maps.

- udf: Fix data corruption for files in ICB

  Fixes corruption of small files on this filesystem.

- ext3: Fix fdatasync() for files with only i_size changes

  If a file on ext3 was truncated/extended without any new data being written, fdatasync() did not force the size change to be written to disk. This is data corruption.

- PARISC: Redefine ATOMIC_INIT and ATOMIC64_INIT to drop the casts

  This was not a release architecture for squeeze.

- dccp: check ccid before dereferencing

  Fixes a user-triggerable null dereference in this network protocol.

- ia64: Add accept4() syscall

  Add the accept4() function to the system call table. This was already implemented on all other release architectures and is required by udev in wheezy (#647825, #648325).
- tcp: do_tcp_sendpages() must try to push data out on oom conditions

  Fixes a potential TCP connection stall.

- tcp: drop SYN+FIN messages

  Fixes a remote DoS vulnerability.

- xen: correctly check for pending events when restoring irq flags

  Prevents unnecessary hypervisor calls under Xen which can be a major performance problem.

- x86, amd, xen: Avoid NULL pointer paravirt references

  Fixes crash at boot(?) as Xen dom0 on AMD 'Trinity' CPUs.

- x86, tls: Off by one limit check

  Fixes potential out-of-bounds access to the kernel's TLS descriptors for a 32-bit task. So far as I can see, this is not a security vulnerability - the only caller is the ELF core-dump code which always passes valid parameters.

- sparc64: Eliminate obsolete __handle_softirq() function

  Fixes potential use-after-free of RCU-protected structures used in soft-IRQ context (e.g. most network receive processing).

- udf: fix retun value on error path in udf_load_logicalvol

  The initial fix for CVE-2012-3400 did not actually abort mounting when an invalid filesystem was detected. An invalid filesystem may therefore still result in a crash or other badness.

- mtd: cafe_nand: fix an & vs | mistake

  This flash chip driver would wrongly report that the chip was always ready to accept a command. This presumably could result in data loss.

- epoll: introduce POLLFREE to flush ->signalfd_wqh before kfree()
- epoll: ep_unregister_pollwait() can use the freed pwq->whead
- epoll: limit paths
- Don't limit non-nested epoll paths

  Fixes local DoS (CVE-2011-1083).

- epoll: clear the tfile_check_list on -ELOOP

  Fixes a flaw in the previous fix (CVE-2012-3375).
- random: Reorder struct entropy_store to remove padding on 64bits
- random: update interface comments to reflect reality
- random: simplify fips mode
- x86, cpu: Add CPU flags for F16C and RDRND
- x86, cpufeature: Update CPU feature RDRND to RDRAND
- random: Add support for architectural random hooks
- x86, random: Architectural inlines to get random integers with RDRAND
- x86, random: Verify RDRAND functionality and allow it to be disabled
- fix typo/thinko in get_random_bytes()
- random: Use arch_get_random_int instead of cycle counter if avail
- random: Use arch-specific RNG to initialize the entropy store
- random: Adjust the number of loops when initializing
- drivers/char/random.c: fix boot id uniqueness race
- random: make 'add_interrupt_randomness()' do something sane
- random: use lockless techniques in the interrupt path
- random: create add_device_randomness() interface
- random: use the arch-specific rng in xfer_secondary_pool
- random: add new get_random_bytes_arch() function
- random: mix in architectural randomness in extract_buf()
- MAINTAINERS: Theodore Ts'o is taking over the random driver
- usb: feed USB device information to the /dev/random driver
- net: feed /dev/random with the MAC address when registering a device
- random: remove rand_initialize_irq()
- random: Add comment to random_initialize()
- rtc: wm831x: Feed the write counter into device_add_randomness()
- mfd: wm831x: Feed the device UUID into device_add_randomness()
- dmi: Feed DMI table to /dev/random driver

  Increase the availability of entropy for (pseudo-)random number generation. Lack of entropy is an important security problem, particularly during installation when we may need to generate a random key for an encrypted partition, or an SSH host key - but don't have any entropy carried over from a previous boot.

Ben.
-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Archive: http://lists.debian.org/20130113000709.30727.9454.report...@deadeye.wl.decadent.org.uk
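Several of the fixes listed above share one defensive pattern: a length that comes from userland must be bounded before it drives an allocation or a copy, and a sum of such lengths must not be allowed to wrap ('phonet: Check input from user before allocating', 'fuse: verify all ioctl retry iov elements', 'udf: Improve table length check to avoid possible overflow'). The following is an added userland illustration of that pattern, written for this page; it is not kernel code and not taken from any of the commits above. The `struct iov_ent` type, the `MAX_TOTAL_LEN` and `MAX_SDU_LEN` bounds, the sample iov arrays and every function name are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userland model of two kernel-style length checks:
 *  - summing caller-supplied iov lengths without letting the sum wrap, and
 *  - refusing a send larger than the protocol maximum before allocating. */

struct iov_ent {
    void   *base;
    size_t  len;
};

/* Constructed bound standing in for the size of an intermediate buffer. */
#define MAX_TOTAL_LEN ((size_t)64 * 1024)

/* Constructed bound standing in for a protocol's maximum SDU size. */
#define MAX_SDU_LEN   ((size_t)1024)

/* Unchecked pattern: the running total silently wraps, so a later range
 * check against the wrapped value can pass for an absurd request. */
size_t naive_iov_total(const struct iov_ent *iov, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += iov[i].len;
    return total;
}

/* Checked pattern: each element is tested against the remaining headroom,
 * which rejects both wrap-around and totals above max_total with a single
 * comparison (total never exceeds max_total, so the subtraction cannot
 * underflow). Returns 0 and stores the total, or -EINVAL. */
int checked_iov_total(const struct iov_ent *iov, size_t n,
                      size_t max_total, size_t *total_out)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (iov[i].len > max_total - total)
            return -EINVAL;
        total += iov[i].len;
    }
    *total_out = total;
    return 0;
}

/* Bound the request before allocating: a request above the protocol
 * maximum is an error, not a reason to allocate that much memory.
 * Returns 0 with *buf set, -EMSGSIZE, or -ENOMEM. */
int bounded_send_alloc(size_t len, size_t max_sdu, void **buf)
{
    if (len > max_sdu)
        return -EMSGSIZE;
    *buf = malloc(len ? len : 1);
    return *buf ? 0 : -ENOMEM;
}

/* Constructed sample inputs: a sane pair and a pair whose sum wraps. */
static const struct iov_ent sane_iov[] = { { NULL, 10 }, { NULL, 20 } };
static const struct iov_ent wrap_iov[] = { { NULL, SIZE_MAX }, { NULL, 2 } };

/* Wrappers exposing the outcomes as return values. */
size_t naive_wrapped_total(void)
{
    return naive_iov_total(wrap_iov, 2);            /* wraps to 1 */
}

int checked_wrap_status(void)
{
    size_t t = 0;
    return checked_iov_total(wrap_iov, 2, MAX_TOTAL_LEN, &t);  /* -EINVAL */
}

size_t checked_sane_total(void)
{
    size_t t = 0;
    if (checked_iov_total(sane_iov, 2, MAX_TOTAL_LEN, &t) != 0)
        return 0;
    return t;                                       /* 30 */
}

int bounded_send_status(size_t len)
{
    void *buf = NULL;
    int rc = bounded_send_alloc(len, MAX_SDU_LEN, &buf);
    free(buf);
    return rc;
}

int main(void)
{
    printf("naive total of wrapping iov:      %zu\n", naive_wrapped_total());
    printf("checked status for wrapping iov:  %d\n", checked_wrap_status());
    printf("checked total of sane iov:        %zu\n", checked_sane_total());
    printf("send of %zu bytes:                %d\n",
           MAX_SDU_LEN + 1, bounded_send_status(MAX_SDU_LEN + 1));
    return 0;
}
```

The single comparison `len > max_total - total` is the point of the example: it replaces the usual pair of tests (overflow, then bound) with one that cannot itself overflow, which is the kind of check the udf and fuse commit titles refer to. The bounded allocation mirrors the phonet fix, where the send fails with an error before any memory is committed rather than after.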