2006-01-29 17:57:07

by Willy Tarreau

Subject: [ANNOUNCE] Linux 2.4.32-hf32.2

Hi all,

here's the second hotfix for 2.4.32 and older kernels. There are only
a few fixes, two of them security-related, and one that I mistakenly
removed from 2.4.32-hf32.1 because I thought it was fixed in 2.4.32
while it was not. Please consult the appended changelog.

In other news, with some help from Syed Ahemed, I added support for
2.4.28 which some people still use. It is interesting to note that
some recent patches do not apply to 2.4.28 because the bugs they fix
were introduced later. That clearly demonstrates the usefulness of a
feature freeze.

I've successfully built 2.4.28-hf32.2 with all of its modules, which
puts 150 patches on top of 2.4.28.

Grant, I think it's not necessary to rebuild all versions, doing 2.4.32
should be enough.

URLs of interest :

hotfixes home : http://linux.exosec.net/kernel/2.4-hf/
last version : http://linux.exosec.net/kernel/2.4-hf/LATEST/LATEST/
RSS feed : http://linux.exosec.net/kernel/hf.xml
build results : http://bugsplatter.mine.nu/test/linux-2.4/ (Grant's site)

Cheers,
Willy


Changelog from 2.4.32-hf32.1 to 2.4.32-hf32.2
---------------------------------------
'+' = added ; '-' = removed

+ 2.4.32-wan-sdla-fix-probable-security-hole-1 (Horms)

[PATCH] wan sdla: fix probable security hole
Quoting Chris Wright : "Hrm, I believe you could use this to read 128k
of kernel memory. sdla_read() takes len as a short, whereas mem.len is
an int. So, if mem.len == 0x20000, the allocation could still succeed.
When cast to short, len will be 0x0, causing the read loop to copy
nothing into the buffer. At least it's protected by a capable() check.
I don't know what proper upper bound is for this hardware, or how much
it's used/cared about. Simple memset() is trivial fix."
This seems to be applicable to 2.4.

+ 2.4.32-CAN-2004-1058-proc_pid_cmdline-race-fix-1 (dann frazier)

The following patch fixes a race condition that allows local users to
view the environment variables of another process. Taken from Red Hat's
kernel-2.4.21-27.0.4.EL.src.rpm.

+ 2.4.32-bond_alb-hash-table-corruption-1 (ODonnell, Michael)

Our systems have been crashing during testing of PCI HotPlug
support in the various networking components. We've faulted in
the bonding driver due to a bug in bond_alb.c:tlb_clear_slave().
In that routine, the last modification to the TLB hash table is
made without protection of the lock, allowing a race that can
lead tlb_choose_channel() to select an invalid table element.

+ 2.4.32-rc2-mcast-filter-1 (Willy Tarreau)

[PATCH-2.4][MCAST]IPv6: small fix for ip6_mc_msfilter(...)
Multicast source filters aren't widely used yet, and that's really
the only feature that's affected if an application actually exercises
this bug, as far as I can tell. An ordinary filter-less multicast join
should still work, and only forwarded multicast traffic making use of
filters and doing empty-source filters with the MSFILTER ioctl would
be at risk of not getting multicast traffic forwarded to them because
the reports generated would not be based on the correct counts.
Initial 2.6 patch by Yan Zheng, bug explanation by David Stevens,
patch ACKed by David.

--
Willy Tarreau - http://w.ods.org/
EXOSEC - ZAC des Metz - 3 Rue du petit robinson - 78350 JOUY EN JOSAS
N°Indigo: 0 825 075 510 - Accueil: +33 1 72 89 72 30 - Fax: +33 1 72 89 80 19
Site web : http://www.exosec.fr/

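The sdla entry above describes a classic shape: the request length arrives as an int, the buffer is allocated with that int, but the copy routine takes the length as a short, so 0x20000 becomes 0, nothing is copied, and the untouched allocation (still holding whatever kmalloc's previous owner left in it) goes back to userspace. The following is an added, constructed model of that pattern and of the memset() fix quoted in the changelog; it is not the sdla driver's code and not part of the hotfix. All names (mem_req-style request, fake_kmalloc, device_read, check_len) are hypothetical, the "stale" fill byte stands in for old kernel memory, and the explicit length check in the fixed variant is an extra assumption of mine beyond the quoted memset fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the int -> short truncation described in the sdla
 * changelog entry. Hypothetical names; not the driver's code. */

#define STALE 0x53   /* 'S': stands in for whatever the previous owner left behind */

/* Model of kmalloc() returning a recycled, uncleared allocation. */
static unsigned char *fake_kmalloc(size_t n)
{
    unsigned char *p = malloc(n);
    if (p)
        memset(p, STALE, n);   /* recycled memory still holds old contents */
    return p;
}

/* Model of the device copy loop. The length parameter is a short, as in the
 * bug description, so the caller's 32-bit length is silently truncated. */
static void device_read(unsigned char *buf, short len)
{
    for (int i = 0; i < len; i++)
        buf[i] = 0xAB;   /* bytes that genuinely came from the "card" */
}

static size_t count_stale(const unsigned char *buf, size_t n)
{
    size_t stale = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == STALE)
            stale++;
    return stale;
}

/* Vulnerable shape: allocate len bytes (int), copy (short)len bytes, return
 * the whole buffer. Returns how many uncleared bytes would reach userspace. */
size_t leaked_bytes_vulnerable(int len)
{
    if (len <= 0)
        return 0;
    unsigned char *buf = fake_kmalloc((size_t)len);
    if (!buf)
        return 0;
    device_read(buf, (short)len);        /* 0x20000 -> 0: loop copies nothing */
    size_t stale = count_stale(buf, (size_t)len);
    free(buf);
    return stale;
}

/* Rejects any length that does not survive the cast the copy routine applies
 * (my addition; the quoted fix is only the memset). */
int check_len(int len)
{
    if (len <= 0 || len != (int)(short)len)
        return -1;                       /* caller would get -EINVAL */
    return 0;
}

/* Fixed shape: clear the allocation before any partial fill, and refuse
 * lengths that truncate. */
size_t leaked_bytes_fixed(int len)
{
    if (check_len(len) < 0)
        return 0;
    unsigned char *buf = fake_kmalloc((size_t)len);
    if (!buf)
        return 0;
    memset(buf, 0, (size_t)len);         /* nothing stale can survive */
    device_read(buf, (short)len);
    size_t stale = count_stale(buf, (size_t)len);
    free(buf);
    return stale;
}

int main(void)
{
    printf("len=0x20000 vulnerable: %zu stale bytes leaked\n",
           leaked_bytes_vulnerable(0x20000));
    printf("len=0x20000 fixed:      %zu stale bytes leaked\n",
           leaked_bytes_fixed(0x20000));
    printf("len=100     vulnerable: %zu stale bytes leaked\n",
           leaked_bytes_vulnerable(100));
    return 0;
}
```

The memset() alone closes the information leak, which is what the quoted fix does; the length check additionally stops the truncated request from being a no-op that returns 128k of zeros, and is the kind of bound Chris Wright notes he could not determine for the real hardware.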

2006-01-29 19:15:26

by Roberto Nibali

Subject: Re: [ANNOUNCE] Linux 2.4.32-hf32.2

Hi Willy,

> Changelog from 2.4.32-hf32.1 to 2.4.32-hf32.2

Which of those are you going to push to Marcelo for inclusion?

I've found two subtle IPVS bugs (using a persistency setup on SMP
combined with sharp TCP state transition timeouts), one of which is
fixed in my tree and has been running in production for over 1 month
now. The other is still in discussion phase with Horms and Julian Anastasov.

> + 2.4.32-bond_alb-hash-table-corruption-1 (ODonnell, Michael)
>
> Our systems have been crashing during testing of PCI HotPlug
> support in the various networking components. We've faulted in
> the bonding driver due to a bug in bond_alb.c:tlb_clear_slave().
> In that routine, the last modification to the TLB hash table is
> made without protection of the lock, allowing a race that can
> lead tlb_choose_channel() to select an invalid table element.

This is correct. Funny, it never triggered on my systems, but I only
have a bonding setup on three SMP systems, probably none of them using ALB.

Thanks for your hard work,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq'|dc

2006-01-29 19:24:46

by Willy Tarreau

Subject: Re: [ANNOUNCE] Linux 2.4.32-hf32.2

Hi Roberto,

On Sun, Jan 29, 2006 at 08:15:24PM +0100, Roberto Nibali wrote:
> Hi Willy,
>
> >Changelog from 2.4.32-hf32.1 to 2.4.32-hf32.2
>
> Which of those are you going to push to Marcelo for inclusion?

They're all in Marcelo's tree (at least in -git). I try to avoid publishing
patches which can escape from mainline because it's harder to re-include
them afterwards. That's also why one of them got missed in hf32.1.

> I've found two subtle IPVS bugs (using a persistency setup on SMP
> combined with sharp TCP state transition timeouts), one of which is
> fixed in my tree and has been running in production for over 1 month
> now. The other is still in discussion phase with Horms and Julian
> Anastasov.

OK, I hope you'll be able to send the fixes early enough for inclusion
in 2.4.33.

> >+ 2.4.32-bond_alb-hash-table-corruption-1 (ODonnell,
> >Michael)
> >
> > Our systems have been crashing during testing of PCI HotPlug
> > support in the various networking components. We've faulted in
> > the bonding driver due to a bug in bond_alb.c:tlb_clear_slave().
> > In that routine, the last modification to the TLB hash table is
> > made without protection of the lock, allowing a race that can
> > lead tlb_choose_channel() to select an invalid table element.
>
> This is correct. Funny, it never triggered on my systems, but I only
> have a bonding setup on three SMP systems, probably none of them using
> ALB.

I've never used ALB either.

> Thanks for your hard work,
> Roberto Nibali, ratz

Thanks,
Willy