Message-ID: <20040619093707.GA2148@openwall.com>
Date: Sat, 19 Jun 2004 13:37:07 +0400
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com, owl-users@...ts.openwall.com
Cc: lwn@....net
Subject: Linux 2.4.26-ow2

Hi,

Linux 2.4.26-ow2 is out:

	http://www.openwall.com/linux/

This update fixes multiple security-related bugs in the Linux kernel
as well as two non-security bugs in the patch itself.

The now corrected Linux kernel issues include:

- Many security-related bugs discovered by Al Viro based on his run
of the Sparse source code checking tool over Linux 2.6.x, with the
fixes later back-ported to 2.4.x (CAN-2004-0495);

- The now widely publicized fsave/frstor local DoS on x86
(CAN-2004-0554);

- A leak of potentially sensitive data from uninitialized kernel
stack locations in the Intel PRO/1000 Gigabit Ethernet driver
(CAN-2004-0535);

- A use of a just-freed data structure in the procfs code, resulting
in undefined behavior should the memory get re-allocated for another
purpose;

- Two security-related IA64-specific bugs: a local DoS (CAN-2004-0477)
and an infoleak (CAN-2004-0565);

- The potential buffer overflow in panic(), even though there's no
known way to trigger it and no known way to exploit it once triggered
due to the nature of panic().

Now, to other changes applied to code added with -ow patches:

Sergey Vlasov discovered that the non-executable stack feature
with -ow patches for Linux 2.2.x and 2.4.x (but not 2.0.x) broke
support for realtime signals when signal handlers were being installed
by means other than the appropriate glibc functions.  As Linux
applications which do not use or which bypass glibc functions are
rare, this problem went unnoticed for this long.  Sergey determined
that the problem was related to an incorrect fixup of the stack
pointer value for the case of realtime signals (the non-realtime
signals worked OK, even without glibc).  This has now been corrected.

Additionally, Sergey discovered that the GCC trampoline emulation
code in -ow patches for Linux 2.2.x and 2.4.x (but again not 2.0.x)
handled x86 instructions with certain addressing modes incorrectly,
and he provided a patch which is now included with minor changes.

These two fixes allow Valgrind to run on Linux 2.4.26-ow2 without
having to resort to a "chstk -e".

Finally, Michael Tokarev has explained the need for a behavior change
with regard to the retried attempts to mount a root filesystem, which
-ow patches for Linux 2.4.x started to do some months ago in order to
support booting off USB CD-ROMs.  Per Michael's request, the kernel
will now do a maximum of 10 retries (waiting for 1 second before each),
falling back to the usual kernel panic should all 10 retries fail.
This permits unattended reboots into an untested configuration where
the root filesystem might not mount and the system needs to return to
its previous kernel image automagically.  Please refer to Michael's
description of this approach in his owl-users posting:

	http://marc.theaimsgroup.com/?l=owl-users&m=108739533920021

-- 
Alexander Peslyak <solar@...nwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
