rpms/kernel/FC-3 linux-2.6-CAN-2005-2973.patch, NONE, 1.1 linux-2.6-CAN-2005-3179.patch, NONE, 1.1 linux-2.6-CAN-2005-3180.patch, NONE, 1.1 linux-2.6-CAN-2005-3181.patch, NONE, 1.1 kernel-2.6.spec, 1.891, 1.892 linux-2.6-orinoco-infoleak.patch, 1.1, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Oct 19 23:36:56 UTC 2005
Author: davej
Update of /cvs/dist/rpms/kernel/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv13172
Modified Files:
kernel-2.6.spec
Added Files:
linux-2.6-CAN-2005-2973.patch linux-2.6-CAN-2005-3179.patch
linux-2.6-CAN-2005-3180.patch linux-2.6-CAN-2005-3181.patch
Removed Files:
linux-2.6-orinoco-infoleak.patch
Log Message:
- CAN-2005-2973 (ipv6 infinite loop)
- CAN-2005-3179 (world writable drm sysfs file)
- CAN-2005-3180 (orinoco driver information leakage)
- CAN-2005-3181 (names_cache memory leak)
linux-2.6-CAN-2005-2973.patch:
udp.c | 18 +++++++++++++-----
1 files changed, 13 insertions(+), 5 deletions(-)
--- NEW FILE linux-2.6-CAN-2005-2973.patch ---
--- linux-2.6.12/net/ipv6/udp.c~ 2005-10-19 18:48:39.000000000 -0400
+++ linux-2.6.12/net/ipv6/udp.c 2005-10-19 18:49:00.000000000 -0400
@@ -98,7 +98,7 @@ static int udp_v6_get_port(struct sock *
next:;
}
result = best;
- for(;; result += UDP_HTABLE_SIZE) {
+ for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) {
if (result > sysctl_local_port_range[1])
result = sysctl_local_port_range[0]
+ ((result - sysctl_local_port_range[0]) &
@@ -106,6 +106,8 @@ static int udp_v6_get_port(struct sock *
if (!udp_lport_inuse(result))
break;
}
+ if (i >= (1 << 16) / UDP_HTABLE_SIZE)
+ goto fail;
gotit:
udp_port_rover = snum = result;
} else {
--- linux-2.6.12/net/ipv6/udp.c~ 2005-10-19 18:49:20.000000000 -0400
+++ linux-2.6.12/net/ipv6/udp.c 2005-10-19 18:50:44.000000000 -0400
@@ -844,10 +844,16 @@ do_append_data:
else if (!corkreq)
err = udp_v6_push_pending_frames(sk, up);
- if (dst)
- ip6_dst_store(sk, dst,
- ipv6_addr_equal(&fl->fl6_dst, &np->daddr) ?
- &np->daddr : NULL);
+ if (dst) {
+ if (connected) {
+ ip6_dst_store(sk, dst,
+ ipv6_addr_equal(&fl->fl6_dst, &np->daddr) ?
+ &np->daddr : NULL);
+ } else {
+ dst_release(dst);
+ }
+ }
+
if (err > 0)
err = np->recverr ? net_xmit_errno(err) : 0;
release_sock(sk);
linux-2.6-CAN-2005-3179.patch:
drm_stub.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE linux-2.6-CAN-2005-3179.patch ---
--- linux-2.6.12/drivers/char/drm/drm_stub.c~ 2005-10-19 18:56:59.000000000 -0400
+++ linux-2.6.12/drivers/char/drm/drm_stub.c 2005-10-19 18:57:06.000000000 -0400
@@ -47,7 +47,7 @@ MODULE_PARM_DESC(cards_limit, "Maximum n
MODULE_PARM_DESC(debug, "Enable debug output");
module_param_named(cards_limit, drm_cards_limit, int, 0444);
-module_param_named(debug, drm_debug, int, 0666);
+module_param_named(debug, drm_debug, int, 0600);
drm_head_t **drm_heads;
struct drm_sysfs_class *drm_class;
linux-2.6-CAN-2005-3180.patch:
orinoco.c | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)
--- NEW FILE linux-2.6-CAN-2005-3180.patch ---
--- linux-2.6.12/drivers/net/wireless/orinoco.c~ 2005-10-19 19:04:10.000000000 -0400
+++ linux-2.6.12/drivers/net/wireless/orinoco.c 2005-10-19 19:05:06.000000000 -0400
@@ -913,9 +913,14 @@ static int orinoco_xmit(struct sk_buff *
return 0;
}
- /* Length of the packet body */
- /* FIXME: what if the skb is smaller than this? */
- len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+ /* Check packet length, pad short packets, round up odd length */
+ len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+ if (skb->len < len) {
+ skb = skb_padto(skb, len);
+ if (skb == NULL)
+ goto fail;
+ }
+ len -= ETH_HLEN;
eh = (struct ethhdr *)skb->data;
@@ -967,8 +972,7 @@ static int orinoco_xmit(struct sk_buff *
p = skb->data;
}
- /* Round up for odd length packets */
- err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+ err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
txfid, data_off);
if (err) {
printk(KERN_ERR "%s: Error %d writing packet to BAP\n",
linux-2.6-CAN-2005-3181.patch:
namei.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE linux-2.6-CAN-2005-3181.patch ---
--- linux-2.6.12/fs/namei.c~ 2005-10-19 19:06:59.000000000 -0400
+++ linux-2.6.12/fs/namei.c 2005-10-19 19:07:27.000000000 -0400
@@ -1562,19 +1562,19 @@ do_link:
if (nd->last_type != LAST_NORM)
goto exit;
if (nd->last.name[nd->last.len]) {
- putname(nd->last.name);
+ __putname(nd->last.name);
goto exit;
}
error = -ELOOP;
if (count++==32) {
- putname(nd->last.name);
+ __putname(nd->last.name);
goto exit;
}
dir = nd->dentry;
down(&dir->d_inode->i_sem);
path.dentry = __lookup_hash(&nd->last, nd->dentry, nd);
path.mnt = nd->mnt;
- putname(nd->last.name);
+ __putname(nd->last.name);
goto do_last;
}
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-3/kernel-2.6.spec,v
retrieving revision 1.891
retrieving revision 1.892
diff -u -r1.891 -r1.892
--- kernel-2.6.spec 6 Oct 2005 06:38:58 -0000 1.891
+++ kernel-2.6.spec 19 Oct 2005 23:36:52 -0000 1.892
@@ -334,7 +334,10 @@
Patch3000: linux-2.6-CAN-2005-2490.patch
Patch3001: linux-2.6-CAN-2005-2492.patch
-Patch3002: linux-2.6-orinoco-infoleak.patch
+Patch3002: linux-2.6-CAN-2005-2973.patch
+Patch3003: linux-2.6-CAN-2005-3179.patch
+Patch3004: linux-2.6-CAN-2005-3180.patch
+Patch3005: linux-2.6-CAN-2005-3181.patch
#
# External drivers that are about to get accepted upstream
@@ -704,6 +707,9 @@
%patch3000 -p1
%patch3001 -p1
%patch3002 -p1
+%patch3003 -p1
+%patch3004 -p1
+%patch3005 -p1
#
# External drivers that are about to get accepted upstream
@@ -1018,7 +1024,13 @@
%endif
%changelog
-* Thu Oct 06 2005 Dav Jones <davej at redhat.com>
+* Wed Oct 19 2005 Dave Jones <davej at redhat.com>
+- CAN-2005-2973 (ipv6 infinite loop)
+- CAN-2005-3179 (world writable drm sysfs file)
+- CAN-2005-3180 (orinoco driver information leakage)
+- CAN-2005-3181 (names_cache memory leak)
+
+* Thu Oct 06 2005 Dave Jones <davej at redhat.com>
- Fix information leak in orinoco driver.
* Sun Oct 02 2005 Dave Jones <davej at redhat.com>
--- linux-2.6-orinoco-infoleak.patch DELETED ---
More information about the fedora-cvs-commits
mailing list