Author: dannf Date: Mon Jan 21 07:53:09 2008 New Revision: 10157 Log: * 254_cramfs-check-block-length.diff [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Jan 21 07:53:09 2008 @@ -45,8 +45,12 @@ [SECURITY] Fix an issue where core dumping over a file that already exists retains the ownership of the original file See CVE-2007-6206 + * 254_cramfs-check-block-length.diff + [SECURITY] Add a sanity check of the block length in cramfs_readpage to + avoid a potential oops condition + See CVE-2006-5823 - -- dann frazier <[EMAIL PROTECTED]> Mon, 12 Nov 2007 16:29:16 -0700 + -- dann frazier <[EMAIL PROTECTED]> Mon, 21 Jan 2008 00:48:39 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff Mon Jan 21 07:53:09 2008 
@@ -0,0 +1,51 @@ +From: Moritz Muehlenhoff <[EMAIL PROTECTED]> +Date: Sun, 11 Nov 2007 17:02:24 +0000 (+0100) +Subject: [PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823) +X-Git-Tag: v2.4.36-pre2~3 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=bf45d0bda54148841426979209d5f1df4f4d34e0 + +[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823) + +From http://projects.info-pull.com/mokb/MOKB-07-11-2006.html : + +| The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a +| denial of service (crash) via a malformed filesystem that uses zlib +| compression that triggers memory corruption, as demonstrated using cramfs. + +We could reproduce this with 2.4.27, since there aren't any changes to git +for cramfs since initial import this is likely unfixed in 2.4.35 too. +2.6 patch below. + +http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8bb0269160df2a60764013994d0bc5165406cf4a + +| Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ +| fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause +| Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops +| is an unchecked corrupted block length field read by cramfs_readpage(). +| +| This patch adds a sanity check to cramfs_readpage() which checks that the +| block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is +| intentional, even though the uncompressed data is not going to be larger +| than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than +| the original source data. Mkcramfs checks that the compressed size is +| always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could +| use the original uncompressed data in this case, but it doesn't. +| +| Signed-off-by: Phillip Lougher <[EMAIL PROTECTED]> +| Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> +| 
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c +index 8fb1e70..71495ac 100644 +--- a/fs/cramfs/inode.c ++++ b/fs/cramfs/inode.c +@@ -404,6 +404,8 @@ static int cramfs_readpage(struct file *file, struct page * page) + pgdata = kmap(page); + if (compr_len == 0) + ; /* hole */ ++ else if (compr_len > (PAGE_CACHE_SIZE << 1)) ++ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); + else { + down(&read_mutex); + bytes_filled = cramfs_uncompress_block(pgdata, Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Mon Jan 21 07:53:09 2008 @@ -13,3 +13,4 @@ + 251_openpromfs-checks-2.diff + 252_openpromfs-checks-3.diff + 253_coredump-only-to-same-uid.diff ++ 254_cramfs-check-block-length.diff _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
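Review bot: in the fs/cramfs/inode.c hunk the new `else if (compr_len > (PAGE_CACHE_SIZE << 1))` branch only logs and falls through, and unlike the `else` branch it never assigns `bytes_filled`, so what the caller does with the rejected block depends on how `bytes_filled` is initialised before this point, which the hunk context does not show. Worth confirming it starts at 0 so the block is treated like the `compr_len == 0` hole case (zero-filled) rather than returning whatever the kmap'd page held, or set it explicitly in the new branch, e.g. `bytes_filled = 0;`, so the intent is visible at the check itself. The rationale for the `PAGE_CACHE_SIZE << 1` bound (gzip output can exceed its input; mkcramfs enforces the same limit) lives only in the quoted commit message, so a one-line comment above the check would help the next reader. Finally, since one corrupted image can trigger the `KERN_ERR` message on every page read, a rate-limited printk would keep a damaged or deliberately malformed filesystem from flooding the log.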