[plamo:27321] linux- has been released.

  This is Nakura.


 commit 4ece57945f296ab05a8a958089c9a382cbb700b4
 Author: Chris Wright <chrisw@sous-sol.org>
 Date:   Tue Jun 20 01:55:00 2006 -0700


 commit ab46ee26dc90c5608c0d51c33a029fe514c0a49d
 Author: Patrick McHardy <kaber@trash.net>
 Date:   Mon Jun 19 19:14:21 2006 +0200

    [PATCH] xt_sctp: fix endless loop caused by 0 chunk length (CVE-2006-3085)
    Fix endless loop in the SCTP match similar to those already fixed in the
    SCTP conntrack helper (was CVE-2006-1527).
    Signed-off-by: Patrick McHardy <kaber@trash.net>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>

 commit 0ba239cc0ef0ebf9d38cd733754fcf657ae79b2b
 Author: Oleg Nesterov <oleg@tv-sign.ru>
 Date:   Thu Jun 15 20:11:43 2006 +0400

    [PATCH] run_posix_cpu_timers: remove a bogus BUG_ON() (CVE-2006-2445)
    do_exit() clears ->it_##clock##_expires, but nothing prevents
    another cpu to attach the timer to exiting process after that.
    arm_timer() tries to protect against this race, but the check
    is racy.
    After exit_notify() does 'write_unlock_irq(&tasklist_lock)' and
    before do_exit() calls 'schedule()' local timer interrupt can find
    tsk->exit_state != 0. If that state was EXIT_DEAD (or another cpu
    does sys_wait4) interrupted task has ->signal == NULL.
    At this moment exiting task has no pending cpu timers, they were
    cleaned up in __exit_signal()->posix_cpu_timers_exit{,_group}(),
    so we can just return from irq.
    John Stultz recently confirmed this bug, see
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>

 commit 5705264e83bd9f8918895d8f5ddddbdeb062c719
 Author: Oleg Nesterov <oleg@tv-sign.ru>
 Date:   Thu Jun 15 20:11:15 2006 +0400

    [PATCH] check_process_timers: fix possible lockup
    If the local timer interrupt happens just after do_exit() sets PF_EXITING
    (and before it clears ->it_xxx_expires) run_posix_cpu_timers() will call
    check_process_timers() with tasklist_lock + ->siglock held and
    		t = tsk;
    		do {
    			do {
    				t = next_thread(t);
    			} while (unlikely(t->flags & PF_EXITING));
    		} while (t != tsk);
    the outer loop will never stop.
    Actually, the window is bigger.  Another process can attach the timer
    after ->it_xxx_expires was cleared (see the next commit) and the 'if
    (PF_EXITING)' check in arm_timer() is racy (see the one after that).
    Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>

 commit ad325de56677938d8c58b376e1d7813b50527263
 Author: Paul Mackerras <paulus@samba.org>
 Date:   Fri Jun 9 13:02:59 2006 +1000

    [PATCH] powerpc: Fix machine check problem on 32-bit kernels (CVE-2006-2448)
    This fixes a bug found by Dave Jones that means that it is possible
    for userspace to provoke a machine check on 32-bit kernels.  This
    also fixes a couple of other places where I found similar problems
    by inspection.
    Signed-off-by: Paul Mackerras <paulus@samba.org>
    Signed-off-by: Chris Wright <chrisw@sous-sol.org>
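
Added example, not part of the original post and not the kernel's own code: a user-space sketch of the bug class named in the xt_sctp entry, where a chunk walker that advances by the declared chunk length never moves forward when that length is 0. The function name, the buffer layout (chunk area only, without the SCTP common header) and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHUNK_HDR_LEN 4u   /* type (1) + flags (1) + length (2, big-endian) */

/* Walk the chunks in buf[0..len). Returns the number of chunks, or -1 if a
 * chunk header is truncated or declares a length that cannot be valid. */
int sctp_count_chunks(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (len - off < CHUNK_HDR_LEN)
            return -1;                          /* truncated header */
        size_t clen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        /* The length field counts the 4-byte header, so anything below 4
         * (including 0) is invalid. Without this check a length of 0 gives
         * a padded step of 0 and the loop never advances. */
        if (clen < CHUNK_HDR_LEN)
            return -1;
        if (clen > len - off)
            return -1;                          /* runs past the buffer */
        size_t step = (clen + 3) & ~(size_t)3;  /* chunks are 4-byte aligned */
        if (step > len - off)
            step = len - off;                   /* last chunk may omit padding */
        off += step;
        n++;
    }
    return n;
}

/* Constructed sample data, not captured traffic. */
static const uint8_t sample_ok[] = {
    0x01, 0x00, 0x00, 0x06, 0xaa, 0xbb, 0x00, 0x00,  /* length 6 + 2 pad bytes */
    0x00, 0x03, 0x00, 0x04,                           /* length 4, header only */
};
static const uint8_t sample_zero[] = {
    0x00, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,  /* declared length 0 */
};

int main(void)
{
    printf("ok:   %d\n", sctp_count_chunks(sample_ok, sizeof sample_ok));
    printf("zero: %d\n", sctp_count_chunks(sample_zero, sizeof sample_zero));
    return 0;
}
```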


