rpms/kernel/FC-3 linux-2.6-CAN-2005-2973.patch, NONE, 1.1 linux-2.6-CAN-2005-3179.patch, NONE, 1.1 linux-2.6-CAN-2005-3180.patch, NONE, 1.1 linux-2.6-CAN-2005-3181.patch, NONE, 1.1 kernel-2.6.spec, 1.891, 1.892 linux-2.6-orinoco-infoleak.patch, 1.1, NONE

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Oct 19 23:36:56 UTC 2005 

Author: davej

Update of /cvs/dist/rpms/kernel/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv13172

Modified Files:
	kernel-2.6.spec 
Added Files:
	linux-2.6-CAN-2005-2973.patch linux-2.6-CAN-2005-3179.patch 
	linux-2.6-CAN-2005-3180.patch linux-2.6-CAN-2005-3181.patch 
Removed Files:
	linux-2.6-orinoco-infoleak.patch 
Log Message:
- CAN-2005-2973 (ipv6 infinite loop)
- CAN-2005-3179 (world writable drm sysfs file)
- CAN-2005-3180 (orinoco driver information leakage)
- CAN-2005-3181 (names_cache memory leak)



linux-2.6-CAN-2005-2973.patch:
 udp.c |   18 +++++++++++++-----
 1 files changed, 13 insertions(+), 5 deletions(-)

--- NEW FILE linux-2.6-CAN-2005-2973.patch ---
--- linux-2.6.12/net/ipv6/udp.c~	2005-10-19 18:48:39.000000000 -0400
+++ linux-2.6.12/net/ipv6/udp.c	2005-10-19 18:49:00.000000000 -0400
@@ -98,7 +98,7 @@ static int udp_v6_get_port(struct sock *
 		next:;
 		}
 		result = best;
-		for(;; result += UDP_HTABLE_SIZE) {
+		for(i = 0; i < (1 << 16) / UDP_HTABLE_SIZE; i++, result += UDP_HTABLE_SIZE) {
 			if (result > sysctl_local_port_range[1])
 				result = sysctl_local_port_range[0]
 					+ ((result - sysctl_local_port_range[0]) &
@@ -106,6 +106,8 @@ static int udp_v6_get_port(struct sock *
 			if (!udp_lport_inuse(result))
 				break;
 		}
+		if (i >= (1 << 16) / UDP_HTABLE_SIZE)
+			goto fail;
 gotit:
 		udp_port_rover = snum = result;
 	} else {
--- linux-2.6.12/net/ipv6/udp.c~	2005-10-19 18:49:20.000000000 -0400
+++ linux-2.6.12/net/ipv6/udp.c	2005-10-19 18:50:44.000000000 -0400
@@ -844,10 +844,16 @@ do_append_data:
 	else if (!corkreq)
 		err = udp_v6_push_pending_frames(sk, up);
 
-	if (dst)
-		ip6_dst_store(sk, dst,
-			      ipv6_addr_equal(&fl->fl6_dst, &np->daddr) ?
-			      &np->daddr : NULL);
+	if (dst) {
+		if (connected) {
+			ip6_dst_store(sk, dst,
+				ipv6_addr_equal(&fl->fl6_dst, &np->daddr) ?
+				&np->daddr : NULL);
+		} else {
+			dst_release(dst);
+		}
+	}
+
 	if (err > 0)
 		err = np->recverr ? net_xmit_errno(err) : 0;
 	release_sock(sk);

linux-2.6-CAN-2005-3179.patch:
 drm_stub.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE linux-2.6-CAN-2005-3179.patch ---
--- linux-2.6.12/drivers/char/drm/drm_stub.c~	2005-10-19 18:56:59.000000000 -0400
+++ linux-2.6.12/drivers/char/drm/drm_stub.c	2005-10-19 18:57:06.000000000 -0400
@@ -47,7 +47,7 @@ MODULE_PARM_DESC(cards_limit, "Maximum n
 MODULE_PARM_DESC(debug, "Enable debug output");
 
 module_param_named(cards_limit, drm_cards_limit, int, 0444);
-module_param_named(debug, drm_debug, int, 0666);
+module_param_named(debug, drm_debug, int, 0600);
 
 drm_head_t **drm_heads;
 struct drm_sysfs_class *drm_class;

linux-2.6-CAN-2005-3180.patch:
 orinoco.c |   14 +++++++++-----
 1 files changed, 9 insertions(+), 5 deletions(-)

--- NEW FILE linux-2.6-CAN-2005-3180.patch ---
--- linux-2.6.12/drivers/net/wireless/orinoco.c~	2005-10-19 19:04:10.000000000 -0400
+++ linux-2.6.12/drivers/net/wireless/orinoco.c	2005-10-19 19:05:06.000000000 -0400
@@ -913,9 +913,14 @@ static int orinoco_xmit(struct sk_buff *
 		return 0;
 	}
 
-	/* Length of the packet body */
-	/* FIXME: what if the skb is smaller than this? */
-	len = max_t(int,skb->len - ETH_HLEN, ETH_ZLEN - ETH_HLEN);
+	/* Check packet length, pad short packets, round up odd length */
+	len = max_t(int, ALIGN(skb->len, 2), ETH_ZLEN);
+	if (skb->len < len) {
+		skb = skb_padto(skb, len);
+		if (skb == NULL)
+			goto fail;
+	}
+	len -= ETH_HLEN;
 
 	eh = (struct ethhdr *)skb->data;
 
@@ -967,8 +972,7 @@ static int orinoco_xmit(struct sk_buff *
 		p = skb->data;
 	}
 
-	/* Round up for odd length packets */
-	err = hermes_bap_pwrite(hw, USER_BAP, p, ALIGN(data_len, 2),
+	err = hermes_bap_pwrite(hw, USER_BAP, p, data_len,
 				txfid, data_off);
 	if (err) {
 		printk(KERN_ERR "%s: Error %d writing packet to BAP\n",

linux-2.6-CAN-2005-3181.patch:
 namei.c |    6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE linux-2.6-CAN-2005-3181.patch ---
--- linux-2.6.12/fs/namei.c~	2005-10-19 19:06:59.000000000 -0400
+++ linux-2.6.12/fs/namei.c	2005-10-19 19:07:27.000000000 -0400
@@ -1562,19 +1562,19 @@ do_link:
 	if (nd->last_type != LAST_NORM)
 		goto exit;
 	if (nd->last.name[nd->last.len]) {
-		putname(nd->last.name);
+		__putname(nd->last.name);
 		goto exit;
 	}
 	error = -ELOOP;
 	if (count++==32) {
-		putname(nd->last.name);
+		__putname(nd->last.name);
 		goto exit;
 	}
 	dir = nd->dentry;
 	down(&dir->d_inode->i_sem);
 	path.dentry = __lookup_hash(&nd->last, nd->dentry, nd);
 	path.mnt = nd->mnt;
-	putname(nd->last.name);
+	__putname(nd->last.name);
 	goto do_last;
 }
 


Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-3/kernel-2.6.spec,v
retrieving revision 1.891
retrieving revision 1.892
diff -u -r1.891 -r1.892
--- kernel-2.6.spec	6 Oct 2005 06:38:58 -0000	1.891
+++ kernel-2.6.spec	19 Oct 2005 23:36:52 -0000	1.892
@@ -334,7 +334,10 @@
 
 Patch3000: linux-2.6-CAN-2005-2490.patch
 Patch3001: linux-2.6-CAN-2005-2492.patch
-Patch3002: linux-2.6-orinoco-infoleak.patch
+Patch3002: linux-2.6-CAN-2005-2973.patch
+Patch3003: linux-2.6-CAN-2005-3179.patch
+Patch3004: linux-2.6-CAN-2005-3180.patch
+Patch3005: linux-2.6-CAN-2005-3181.patch
 
 #
 # External drivers that are about to get accepted upstream
@@ -704,6 +707,9 @@
 %patch3000 -p1
 %patch3001 -p1
 %patch3002 -p1
+%patch3003 -p1
+%patch3004 -p1
+%patch3005 -p1
 
 #
 # External drivers that are about to get accepted upstream
@@ -1018,7 +1024,13 @@
 %endif
 
 %changelog
-* Thu Oct 06 2005 Dav Jones <davej at redhat.com>
+* Wed Oct 19 2005 Dave Jones <davej at redhat.com>
+- CAN-2005-2973 (ipv6 infinite loop)
+- CAN-2005-3179 (world writable drm sysfs file)
+- CAN-2005-3180 (orinoco driver information leakage)
+- CAN-2005-3181 (names_cache memory leak)
+
+* Thu Oct 06 2005 Dave Jones <davej at redhat.com>
 - Fix information leak in orinoco driver.
 
 * Sun Oct 02 2005 Dave Jones <davej at redhat.com>


--- linux-2.6-orinoco-infoleak.patch DELETED ---

More information about the fedora-cvs-commits mailing list