  1. Apr 24, 2006
  2. Apr 17, 2006
    • [PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) · 512dba41
      Hugh Dickins authored
      
      I found that all of 2.4 and 2.6 have been letting mprotect give write
      permission to a readonly attachment of shared memory, whether or not IPC
      would give the caller that permission.
      
      SUS says "The behaviour of this function [mprotect] is unspecified if the
      mapping was not established by a call to mmap", but I don't think we can
      interpret that as allowing it to subvert IPC permissions.
      
      I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
      the patch below reproduces that behaviour - mprotect cannot be used to add
      write permission to a shared memory segment attached readonly.
      
      This patch is simple, and I'm sure it's what we should have done in 2.4.0:
      if you want to go on to switch write permission on and off with mprotect,
      just don't attach the segment readonly in the first place.
      
      However, we could have accumulated apps which attach readonly (even though
      they would be permitted to attach read/write), and which subsequently use
      mprotect to switch write permission on and off: it's not unreasonable.
      
      I was going to add a second ipcperms check in do_shmat, to check for
      writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
       But security_ipc_permission might do auditing, and it seems wrong to
      report an attempt for write permission when there has been none.  Or we
      could flag the vma as SHM, note the shmid or shp in vm_private_data, and
      then get mprotect to check.
      
      But the patch below is a lot simpler: I'd rather stick with it, if we can
      convince ourselves somehow that it'll be safe.
      
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. Feb 10, 2006
  4. Feb 09, 2006
    • [NETLINK]: Fix a severe bug · a70ea994
      Alexey Kuznetsov authored
      
      netlink overrun was broken during the improvement of netlink.
      Destination socket is used in the place where it was meant to be source socket,
      so that now overrun is never sent to user netlink sockets, when it should be,
      and it even can be set on kernel socket, which results in complete deadlock
      of rtnetlink.
      
      Suggested fix is to restore status quo passing source socket as additional
      argument to netlink_attachskb().
      
      A little explanation: overrun is set on a socket when it failed
      to receive some message and the sender of this message does not, or even
      has no way to, handle this error. This happens in two cases:
      1. when kernel sends something. Kernel never retransmits and cannot
         wait for buffer space.
      2. when user sends a broadcast and the message was not delivered
         to some recipients.
      
      Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. Jan 14, 2006
    • correct email address of Manfred Spraul · 624dffcb
      Christian Kujau authored
      
      I tried to send the forcedeth maintainer an email, but it came back with:
      
      "The mail address manfreds@colorfullife.com is not read anymore.
      Please resent your mail to manfred@ instead of manfreds@."
      
      This patch fixes this.
      
      Signed-off-by: Adrian Bunk <bunk@stusta.de>
    • [PATCH] Fix double decrement of mqueue_mnt->mnt_count in sys_mq_open · 7c7dce92
      Alexander Viro authored
      
      Fixed the refcounting on failure exits in sys_mq_open() and
      cleaned the logic up.  Rules are actually pretty simple - dentry_open()
      expects vfsmount and dentry to be pinned down and it either transfers
      them into created struct file or drops them.  Old code had been very
      confused in that area - if dentry_open() had failed either in do_open()
      or do_create(), we ended up with dentry and mqueue_mnt dropped twice, once
      by dentry_open() cleanup and then by sys_mq_open().
      
      Fix consists of making the rules for do_create() and do_open()
      same as for dentry_open() and updating the sys_mq_open() accordingly;
      that actually leads to more straightforward code and less work on
      normal path.
      
      Signed-off-by: Al Viro <aviro@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  6. Jan 11, 2006
  7. Jan 09, 2006
  8. Jan 08, 2006
  9. Jan 06, 2006
    • [PATCH] NOMMU: Make SYSV IPC SHM use ramfs facilities on NOMMU · b0e15190
      David Howells authored
      
      The attached patch makes the SYSV IPC shared memory facilities use the new
      ramfs facilities on a no-MMU kernel.
      
      The following changes are made:
      
       (1) There are now shmem_mmap() and shmem_get_unmapped_area() functions to
           allow the IPC SHM facilities to commune with the tiny-shmem and shmem
           code.
      
       (2) ramfs files now need resizing using do_truncate() rather than by modifying
           the inode size directly (see shmem_file_setup()). This causes ramfs to
           attempt to bind a block of pages of sufficient size to the inode.
      
       (3) CONFIG_SYSVIPC is no longer contingent on CONFIG_MMU.
      
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  10. Dec 24, 2005
  11. Nov 07, 2005
  12. Nov 06, 2005
  13. Oct 29, 2005
  14. Sep 27, 2005
  15. Sep 10, 2005
  16. Sep 07, 2005
  17. Aug 05, 2005
  18. Aug 01, 2005
  19. Jul 12, 2005
  20. Jul 07, 2005
  21. Jun 23, 2005
  22. May 01, 2005
  23. Apr 16, 2005
    • Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds authored
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      
      Let it rip!