[kernel] r10158 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Mon, 21 Jan 2008 00:03:09 -0800 

Author: dannf
Date: Mon Jan 21 08:03:11 2008
New Revision: 10158

Log:
* 255_ext2-skip-pages-past-num-blocks.diff
  [SECURITY] Add some sanity checking for a corrupted i_size in
  ext2_find_entry()
  See CVE-2006-6054

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Mon Jan 21 08:03:11 2008
@@ -49,8 +49,12 @@
     [SECURITY] Add a sanity check of the block length in cramfs_readpage to
     avoid a potential oops condition
     See CVE-2006-5823
+  * 255_ext2-skip-pages-past-num-blocks.diff
+    [SECURITY] Add some sanity checking for a corrupted i_size in
+    ext2_find_entry()
+    See CVE-2006-6054
 
- -- dann frazier <[EMAIL PROTECTED]>  Mon, 21 Jan 2008 00:48:39 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Mon, 21 Jan 2008 01:00:19 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff
  Mon Jan 21 08:03:11 2008
@@ -0,0 +1,43 @@
+From: Eric Sandeen <[EMAIL PROTECTED]>
+Date: Sat, 30 Dec 2006 23:30:32 +0000 (-0500)
+Subject: [PATCH] ext2: skip pages past number of blocks in ext2_find_entry 
(CVE-2006-6054)
+X-Git-Tag: v2.6.19.2~20
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.19.y.git;a=commitdiff_plain;h=8d312ae11257a259d78e122fd73274b8ef4789d1
+
+[PATCH] ext2: skip pages past number of blocks in ext2_find_entry 
(CVE-2006-6054)
+
+This one was pointed out on the MOKB site:
+http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
+
+If a directory's i_size is corrupted, ext2_find_entry() will keep processing
+pages until the i_size is reached, even if there are no more blocks associated
+with the directory inode.  This patch puts in some minimal sanity-checking
+so that we don't keep checking pages (and issuing errors) if we know there
+can be no more data to read, based on the block count of the directory inode.
+
+This is somewhat similar in approach to the ext3 patch I sent earlier this
+year.
+
+Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
+Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
+index 3e7a84a..852780b 100644
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * 
dir,
+               }
+               if (++n >= npages)
+                       n = 0;
++              /* next page is past the blocks we've got */
++              if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) {
++                      ext2_error(dir->i_sb, __FUNCTION__,
++                              "dir %lu size %lld exceeds block count %llu",
++                              dir->i_ino, dir->i_size,
++                              (unsigned long long)dir->i_blocks);
++                              goto out;
++              }
+       } while (n != start);
+ out:
+       return NULL;

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Mon Jan 21 08:03:11 2008
@@ -14,3 +14,4 @@
 + 252_openpromfs-checks-3.diff
 + 253_coredump-only-to-same-uid.diff
 + 254_cramfs-check-block-length.diff
++ 255_ext2-skip-pages-past-num-blocks.diff

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

Reply via email to