2.6.32.9 Release notes

Stable kernel update announcements posted on LWN have a certain tendency to be followed by complaints about the amount of information which is made available. It seems that there is a desire for a description of the changes which is more accessible than the patches themselves, and for attention to be drawn to the security-relevant fixes. As an exercise in determining what kind of effort is being asked of the kernel maintainers, your editor decided to make a pass through the proposed 2.6.32.9 update and attempt to describe the impact of each of the changes - all 93 of them. The results can be found below.

Disclaimers: there is no way to review 93 patches in a finite time and fully understand each of them. So there are probably certainly errors in what follows. The simple truth of the matter is that it is very hard to say which fixes have security implications; a determined attacker can find a way to exploit some very obscure bugs.

Your editor would also like to discourage anybody from thinking that this will become a regular LWN feature. The amount of work required is considerable; it's not something we're able to commit to doing for every release.

That said, here's a look at what's in this update.

Security-related fixes

• #2: futex_lock_pi() key refcnt fix. It's possible to create dangling futex references, leading to a user-triggerable BUG_ON() oops. It's thus a denial of service vulnerability; it has been present since 2.6.28.

• #3: futex: Handle user space corruption gracefully. Malicious programs can cause a null pointer dereference or hijack somebody else's futex.

• #4: futex: Handle futex value corruption gracefully. User-space processes can cause warning floods, spamming the system logs.

• #5: Fix race in tty_fasync() properly. Possible (if unlikely) deadlock, and thus denial of service.

• #22: regulator: Fix display of null constraints for regulators. Fixes an information disclosure issue in the regulator code.

• #23: ALSA: hda-intel: Avoid divide by zero crash. Papers over a user-triggerable divide-by-zero crash; the real cause of the problem remains unknown.

• #26: cciss: Make cciss_seq_show handle holes in the h->drv[] array. Null pointer dereference in the cciss driver; probably not triggerable without privilege.

• #35: NFS: Fix an Oops when truncating a file. User-triggerable oops when truncating a file on an NFS filesystem.

• #36: NFS: Fix a umount race. Dangling pointer dereference on NFS filesystem unmount. Maybe triggerable in situations where users can cause mounts and unmounts to happen.

• #40: V4L/DVB: dvb-core: fix initialization of feeds list in demux filter. User-triggerable dereference of a corrupted pointer, with an oops being the best-case scenario.

• #47: netfilter: nf_conntrack: per netns nf_conntrack_cachep. Fixes a potential leak of information between network namespaces. Probably very hard to exploit in any useful way.

• #50: netfilter: nf_conntrack: fix hash resizing with namespaces. Changing the conntrack hash size in one namespace causes that size to be incorrect for all others, leading to unsightly kernel oops issues.

• #54: [S390] dasd: remove strings from s390dbf. Stale pointer dereference bugs in the S390 DASD driver.

• #57: dell-wmi, hp-wmi, msi-wmi: check wmi_get_event_data() return value. Fix a potential null pointer dereference on memory allocation failure.

• #75: ALSA: usb-audio - Avoid Oops after disconnect. Fixes a user-triggerable oops in the USB audio driver.

• #79: USB: usbfs: only copy the actual data received. Usbfs was copying more data than actually existed in some situations, leading to a potential information disclosure problem.

• #82: ACPI: Add NULL pointer check in acpi_bus_start. A null pointer dereference in the ACPI code.

• #92: dm log: userspace fix overhead_size calculations. A couple of structure-size miscalculations make both buffer overruns and information disclosure possible, though it's not at all clear that either is readily exploitable.

Other bug fixes

• #1: Fix potential crash with sys_move_pages. Fix an unreliable test which could cause a crash in the page migration code. [Update: as has been pointed out in the comments, this one is exploitable and should have been in the security list above.]

• #6: hwmon: (w83781d) Request I/O ports individually for probing. More robust access to hardware monitoring ports.

• #7: hwmon: (lm78) Request I/O ports individually for probing. More robust access to hardware monitoring ports.

• #8: hwmon: (adt7462) Wrong ADT7462_VOLT_COUNT. Fixes a bug which could cause one voltage measurement to be passed over.

• #9: ALSA: ctxfi - fix PTP address initialization. Fixes an alignment bug in the ctxfi sound driver.

• #10: drm/i915: disable hotplug detect before Ironlake CRT detect. Fixes a possible hang in the monitor detection code.

• #12: drm/i915: Disable SR when more than one pipe is enabled. Fixes a flicker-causing i915 bug.

• #13: drm/i915: Fix DDC on some systems by clearing BIOS GMBUS setup. Fixes a bug which can cause failure to detect some monitors.

• #15: drm/i915: Fix the incorrect DMI string for Samsung SX20S laptop. Incorrect identification information was returned to user space.

• #17: usb: r8a66597-hcd: Flush the D-cache for the pipe-in transfer buffers. Fixes a cache consistency problem.

• #18: i2c-tiny-usb: Fix on big-endian systems. An endianness bug in i2c-tiny-usb caused incorrect information to be returned to user space.

• #19: drm/i915: handle FBC and self-refresh better. Eliminates an i915 flicker problem.

• #20: drm/i915: Increase fb alignment to 64k. Fixes an obscure error in the i915 driver.

• #24: CPUFREQ: Fix use after free of struct powernow_k8_data. Fixes a use-after-free bug in the cpufreq code; does not appear to be user-triggerable.

• #25: freeze_bdev: dont deactivate successfully frozen MS_RDONLY sb. Fixes a boot-time crash in the block layer.

• #27: ioat: fix infinite timeout checking in ioat2_quiesce. Fixes a typo in the IOAT code.

• #29: fs/exec.c: restrict initial stack space expansion to rlimit. Fixes a bug which could cause process creation failures in the presence of tight stack limits.a

• #30: cifs: fix length calculation for converted unicode readdir names. Fixes a CIFS data consistency bug.

• #31: NFS: Fix a reference leak in nfs_wb_cancel_page(). Fixes a reference leak in the NFS cancellation code.

• #32: NFS: Try to commit unstable writes in nfs_release_page(). Looks like a fix for a potential data loss problem in the NFS code.

• #33: NFSv4: Dont allow posix locking against servers that dont support it. Be sure to notice if a server does not support POSIX locking.

• #34: NFSv4: Ensure that the NFSv4 locking can recover from stateid errors. Fix an NFSv4 locking problem with unknown effects.

• #37: NFS: Fix a bug in nfs_fscache_release_page(). Removes a spurious BUG_ON() call.

• #38: NFS: Fix the mapping of the NFSERR_SERVERFAULT error. Fix an incorrect error value returned to user space.

• #39: md: fix degraded calculation when starting a reshape. Some old code can cause the MD subsystem to be unclear on whether a given array is running in a degraded mode or not after a reshape.

• #42: kvmclock: count total_sleep_time when updating guest clock. Fix an error which could lead to incorrect wall clock time in KVM guests.

• #43: KVM: PIT: control word is write-only. Prevent attempts to read a write-only register.

• #44: tpm_infineon: fix suspend/resume handler for pnp_driver. Fixes a hang-on-suspend bug.

• #45: amd64_edac: Do not falsely trigger kerneloops. Remove a spurious warning in the amd64 EDAC code.

• #46: netfilter: nf_conntrack: fix memory corruption with multiple namespaces. Fixes a potential race condition which could lead to memory corruption. Requires the instantiation of a new namespace (and, thus, root privilege) to trigger.

• #48: netfilter: nf_conntrack: restrict runtime expect hashsize modifications. Don't allow the connection tracking expect_hashsize attribute to be modified, since the code isn't prepared to handle that.

• #49: netfilter: xtables: compat out of scope fix. Fixes a potential stack-based dangling pointer bug.

• #51: drm/i915: remove full registers dump debug. Removes an i915 debug option which could hang the machine.

• #52: drm/i915: add i915_lp_ring_sync helper. Code and performance improvement in the i915 driver.

• #53: drm/i915: Dont wait interruptible for possible plane buffer flush. The i915 DRM driver can corrupt the hardware state if a signal comes in at the wrong time. Could be seen as a denial of service problem, but that's a big stretch.

• #56: wmi: Free the allocated acpi objects through wmi_get_event_data. Fixes a memory leak in the WMI code.

• #58: /dev/mem: introduce size_inside_page(). Eliminates some duplicate code and fixes the alignment logic for /dev/kmem, which was described simply as "buggy." But who uses /dev/kmem anymore?

• #59: devmem: check vmalloc address on kmem read/write. A missing test for addresses in the vmalloc() space could cause an oops from the /dev/kmem code. Probably not triggerable by ordinary users, though, even on systems where /dev/kmem is enabled.

• #60: devmem: fix kmem write bug on memory holes. An attempt to write data to /dev/mem would get confused if a memory hole is hit, causing incorrect data to be written after the hole.

• #61: SCSI: mptfusion : mptscsih_abort return value should be SUCCESS instead of value 0. The mptfusion driver had an incorrect return value with unknown effects.

• #62: sh: Couple kernel and user write page perm bits for CONFIG_X2TLB. The SuperH architecture had a problem handling write faults for pages in the vmalloc() space, which could cause problems with drivers that map such pages into user space.

• #63: ALSA: hda - use WARN_ON_ONCE() for zero-division detection. Avoid spamming the log files if the hardware goes nuts.

• #64: dst: call cond_resched() in dst_gc_task(). The network destination cache code can process very long lists, leading to soft lockup warnings.

• #66: befs: fix leak. There is a memory leak in the BeFS mount code; one would not normally expect it to be user-triggerable.

• #67: rtc-fm3130: add missing braces. Missing braces in the rtc-fm3130 would cause spurious warnings to be emitted.

• #68: [libata] Call flush_dcache_page after PIO data transfers in libata-sff.c. Fix a cache coherency bug in the ATA code.

• #70: pktgen: Fix freezing problem. The packet generator could prevent the system from suspending or hibernating.

• #71: x86/amd-iommu: Fix IOMMU-API initialization for iommu=pt. Fix a boot-time initialization error in the IOMMU code.

• #72: x86/amd-iommu: Fix deassignment of a device from the pt_domain. Fix a KVM device assignment failure.

• #73: x86: Re-get cfg_new in case reuse/move irq_desc. Fix a bug in interrupt migration with unknown effect.

• #74: Staging: fix rtl8187se compilation errors with mac80211. Boring compilation problem fix.

• #76: serial: 8250: add serial transmitter fully empty test. Fixes a serial driver problem which could cause the loss of some transmitted data.

• #77: sysfs: sysfs_sd_setattr set iattrs unconditionally. An omitted initialization can cause sysfs attributes to have more restrictive permissions than desired.

• #78: class: Free the class private data in class_release. Fix a memory leak in the sysfs class code. Potentially user-exploitable if somebody were willing to dedicate a month of their life to repeatedly plugging and unplugging a device.

• #80: USB: usbfs: properly clean up the as structure on error paths. Fixes a memory leak in the usbfs error recovery paths.

• #83: ACPI: fix High cpu temperature with 2.6.32. Fixes behavior on a couple of laptops with problematic power management operation.

• #84: drm/radeon/kms: use udelay for short delays. Use of schedule_timeout() for short delays was slowing bootstrap considerably on some systems.

• #85: NFS: Too many GETATTR and ACCESS calls after direct I/O. Fixes a performance regression in the NFS code.

• #86: eCryptfs: Add getattr function. The eCryptfs filesystem would show incorrect file sizes.

• #87: b43: Fix throughput regression. Throughput on some BCM4311 devices is said to have dropped from 18Mb/s to 0.7Mb/s, which is a bit more of a penalty than some users wanted to pay.

• #88: ath9k: Fix sequence numbers for PAE frames. Fixes a protocol error in the ath9k driver.

• #89: mac80211: Fix probe request filtering in IBSS mode. The wireless code could reply to probe requests directed at a different SSID.

• #90: iwlwifi: Fix to set correct ht configuration. The iwlwifi driver was not configuring associations correctly, leading to dropped connections.

• #91: dm stripe: avoid divide by zero with invalid stripe count. Giving a bad stripe size to the device mapper code would cause a division by zero.

• #93: dm mpath: fix stall when requeueing io. Fixes a root-triggerable stall in the device mapper multipath code.

Enhancements

• #11: drm/i915: enable self-refresh on 965. Hardware feature enablement.

• #14: drm/i915: Add HP nx9020/SamsungSX20S to ACPI LID quirk list. Adds a quirk entry for buggy hardware.

• #16: drm/i915: Add MALATA PC-81005 to ACPI LID quirk list. Adds a quirk entry for more buggy hardware.

• #21: drm/i915: Update write_domains on active list after flush. Performance improvement in the i915 driver.

• #28: resource: add helpers for fetching rlimits. Adds helper functions to ensure that resource limit values are not fetched multiple times.

• #41: Export the symbol of getboottime and mmonotonic_to_bootbased. Adds a couple of symbol exports.

• #55: crypto: padlock-sha - Add import/export support. Improve interoperation with some HMAC code.

• #65: ALSA: hda - Improved MacBook (Pro) 5,1 / 5,2 support. Improves sound behavior on those systems.

• #69: ahci: add Acer G725 to broken suspend list. Note that Acer G725 laptops with old firmware have buggy suspend behavior.

• #81: rtl8187: Add new device ID. Recognize another device ID.

Conclusions

Out of 93 patches, 18 struck your editor as having clear security implications. Quite a few other patches fix crashes which could possibly be security problems; if they are not listed as such, it's because there was no immediately evident way that a user could trigger the problem. Doubtless people with more imagination will figure out ways to take advantage of some of these bugs.

What it comes down to is that the identification of security problems is often hard. In the kernel environment, almost any bug could potentially create some kind of vulnerability. So it is not surprising to see developers "silently fix" security bugs; they simply fix bugs without realizing the implications. It is also not surprising that some developers are reluctant to call attention to security-related fixes. The list above almost certainly includes "security fixes" for bugs that nobody can exploit while classifying true vulnerabilities as mere bug fixes. Any list of security-relevant patches is sure to be an incomplete and partially deceptive thing.

That said, it may well be that fixes which are truly known to have security implications should be marked as such. Attackers will make the effort to figure that out anyway; it's not clear that making life harder for everybody else has any benefits. Still, those who would complain about how the stable tree is managed would do well to remember that, a few years ago, we had no such tree. It came into being because people stepped up to do the work of maintaining it. There can be no doubt that a better job could be done here (as is the case almost everywhere else too); its just a matter of somebody finding the time and the energy to do it.

---

(Log in to post comments)

    Impact: Stop turning machines into botnet fodder