Author: dannf Date: Mon Jan 21 08:03:11 2008 New Revision: 10158 Log: * 255_ext2-skip-pages-past-num-blocks.diff [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Jan 21 08:03:11 2008 @@ -49,8 +49,12 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 + * 255_ext2-skip-pages-past-num-blocks.diff + [SECURITY] Add some sanity checking for a corrupted i_size in + ext2_find_entry() + See CVE-2006-6054 - -- dann frazier <[EMAIL PROTECTED]> Mon, 21 Jan 2008 00:48:39 -0700 + -- dann frazier <[EMAIL PROTECTED]> Mon, 21 Jan 2008 01:00:19 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff Mon Jan 21 08:03:11 2008 @@ -0,0 +1,43 @@ +From: Eric Sandeen <[EMAIL PROTECTED]> +Date: Sat, 30 Dec 2006 23:30:32 +0000 (-0500) +Subject: [PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054) +X-Git-Tag: v2.6.19.2~20 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.19.y.git;a=commitdiff_plain;h=8d312ae11257a259d78e122fd73274b8ef4789d1 + +[PATCH] ext2: skip pages past number of blocks in ext2_find_entry (CVE-2006-6054) + +This one was pointed out on the MOKB site: +http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html + +If a directory's i_size is corrupted, ext2_find_entry() will keep processing +pages until the i_size is reached, even if there are no more blocks associated +with the directory inode. This patch puts in some minimal sanity-checking +so that we don't keep checking pages (and issuing errors) if we know there +can be no more data to read, based on the block count of the directory inode. + +This is somewhat similar in approach to the ext3 patch I sent earlier this +year. + +Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]> +Signed-off-by: Chris Wright <[EMAIL PROTECTED]> +--- + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 3e7a84a..852780b 100644 +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, + } + if (++n >= npages) + n = 0; ++ /* next page is past the blocks we've got */ ++ if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) { ++ ext2_error(dir->i_sb, __FUNCTION__, ++ "dir %lu size %lld exceeds block count %llu", ++ dir->i_ino, dir->i_size, ++ (unsigned long long)dir->i_blocks); ++ goto out; ++ } + } while (n != start); + out: + return NULL; Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Mon Jan 21 08:03:11 2008 @@ -14,3 +14,4 @@ + 252_openpromfs-checks-3.diff + 253_coredump-only-to-same-uid.diff + 254_cramfs-check-block-length.diff ++ 255_ext2-skip-pages-past-num-blocks.diff _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes