[kernel] r9966 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Mon Dec 17 02:04:50 UTC 2007


Author: dannf
Date: Mon Dec 17 02:04:50 2007
New Revision: 9966

Log:
* bugfix/hrtimer-large-relative-timeouts-overflow.patch
  [SECURITY] Avoid overflow in hrtimers due to large relative timeouts
  See CVE-2007-5966

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/hrtimer-large-relative-timeouts-overflow.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch6

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Mon Dec 17 02:04:50 2007
@@ -7,8 +7,11 @@
     [SECURITY] Fix an issue where core dumping over a file that
     already exists retains the ownership of the original file
     See CVE-2007-6206
+  * bugfix/hrtimer-large-relative-timeouts-overflow.patch
+    [SECURITY] Avoid overflow in hrtimers due to large relative timeouts
+    See CVE-2007-5966
 
- -- dann frazier <dannf at debian.org>  Wed, 05 Dec 2007 23:41:52 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 16 Dec 2007 18:46:17 -0700
 
 linux-2.6 (2.6.18.dfsg.1-13etch5) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hrtimer-large-relative-timeouts-overflow.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hrtimer-large-relative-timeouts-overflow.patch	Mon Dec 17 02:04:50 2007
@@ -0,0 +1,45 @@
+From: Thomas Gleixner <tglx at linutronix.de>
+Date: Fri, 7 Dec 2007 18:16:17 +0000 (+0100)
+Subject: hrtimers: avoid overflow for large relative timeouts
+X-Git-Tag: v2.6.24-rc5~49^2~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5;hp=f194d132e4971111f85c18c96067acffb13cee6d
+
+hrtimers: avoid overflow for large relative timeouts
+
+Relative hrtimers with a large timeout value might end up as negative
+timer values, when the current time is added in hrtimer_start().
+
+This in turn is causing the clockevents_set_next() function to set an
+huge timeout and sleep for quite a long time when we have a clock
+source which is capable of long sleeps like HPET. With PIT this almost
+goes unnoticed as the maximum delta is ~27ms. The non-hrt/nohz code
+sorts this out in the next timer interrupt, so we never noticed that
+problem which has been there since the first day of hrtimers.
+
+This bug became more apparent in 2.6.24 which activates HPET on more
+hardware.
+
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Signed-off-by: Ingo Molnar <mingo at elte.hu>
+---
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/kernel/hrtimer.c linux-source-2.6.18/kernel/hrtimer.c
+--- linux-source-2.6.18.orig/kernel/hrtimer.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/kernel/hrtimer.c	2007-12-16 18:43:03.000000000 -0700
+@@ -443,6 +443,14 @@ hrtimer_start(struct hrtimer *timer, kti
+ #ifdef CONFIG_TIME_LOW_RES
+ 		tim = ktime_add(tim, base->resolution);
+ #endif
++		/*
++		 * Careful here: User space might have asked for a
++		 * very long sleep, so the add above might result in a
++		 * negative number, which enqueues the timer in front
++		 * of the queue.
++		 */
++		if (tim.tv64 < 0)
++			tim.tv64 = KTIME_MAX;
+ 	}
+ 	timer->expires = tim;
+ 
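Review bot: In the hrtimer_start() hunk, the test `if (tim.tv64 < 0)` treats every negative sum as a wrapped addition and clamps it to KTIME_MAX, so it cannot tell a very large relative timeout from a value that was already negative before the add; the second case would turn into the longest possible sleep where an immediate expiry was meant. Checking the sign of the relative value before the addition, or doing the addition in a saturating helper that only clamps when the operands were non-negative, would make the intent explicit and would stop the fix depending on the signed add having wrapped. The check also sits after the CONFIG_TIME_LOW_RES `ktime_add(tim, base->resolution)`, which is correct since that second add can overflow as well, and the comment could say so. Separately, the "Adjusted to apply to Debian's 2.6.18" line does not say what differs from upstream commit 62f0f61e6673e67151a7c8c0f9a09c7ea43fe2b5; a short description of the adjustment would help anyone auditing the backport.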

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch6
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch6	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch6	Mon Dec 17 02:04:50 2007
@@ -1,2 +1,3 @@
 + bugfix/isdn-net-overflow.patch
 + bugfix/coredump-only-to-same-uid.patch
++ bugfix/hrtimer-large-relative-timeouts-overflow.patch


