Author: dannf
Date: Fri Feb  8 21:23:25 2008
New Revision: 10442

Log:
* ext2-skip-pages-past-num-blocks.dpatch
  [SECURITY] Add some sanity checking for a corrupted i_size in
  ext2_find_entry()
  See CVE-2006-6054

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Fri Feb  8 21:23:25 2008
@@ -30,8 +30,12 @@
     [SECURITY] Add a sanity check of the block length in cramfs_readpage to
     avoid a potential oops condition
     See CVE-2006-5823
+  * ext2-skip-pages-past-num-blocks.dpatch
+    [SECURITY] Add some sanity checking for a corrupted i_size in
+    ext2_find_entry()
+    See CVE-2006-6054
 
- -- dann frazier <[EMAIL PROTECTED]>  Fri, 08 Feb 2008 14:08:04 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Fri, 08 Feb 2008 14:22:01 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch
  Fri Feb  8 21:23:25 2008
@@ -0,0 +1,42 @@
+commit d8adb9cef7e406a9a82881695097c702bc98422f
+Author: Eric Sandeen <[EMAIL PROTECTED]>
+Date:   Sat Feb 10 01:45:06 2007 -0800
+
+    [PATCH] ext2: skip pages past number of blocks in ext2_find_entry
+    
+    This one was pointed out on the MOKB site:
+    
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
+    
+    If a directory's i_size is corrupted, ext2_find_entry() will keep
+    processing pages until the i_size is reached, even if there are no more
+    blocks associated with the directory inode.  This patch puts in some
+    minimal sanity-checking so that we don't keep checking pages (and issuing
+    errors) if we know there can be no more data to read, based on the block
+    count of the directory inode.
+    
+    This is somewhat similar in approach to the ext3 patch I sent earlier this
+    year.
+    
+    Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
+    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
+index 0b02ba9..e89bfc8 100644
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * 
dir,
+               }
+               if (++n >= npages)
+                       n = 0;
++              /* next page is past the blocks we've got */
++              if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) {
++                      ext2_error(dir->i_sb, __FUNCTION__,
++                              "dir %lu size %lld exceeds block count %llu",
++                              dir->i_ino, dir->i_size,
++                              (unsigned long long)dir->i_blocks);
++                      goto out;
++              }
+       } while (n != start);
+ out:
+       return NULL;
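
Review bot: the bound in the added check in ext2_find_entry(), `n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9))`, needs a comment stating its units and why it uses `>` rather than `>=`. i_blocks is counted in 512-byte units, so the shift yields a whole number of pages rounded down, while `n` is a zero-based page index. The comparison therefore still lets the loop visit the page whose index equals that quotient, which keeps a directory whose last page is only partly backed by blocks from being rejected, but the existing comment "next page is past the blocks we've got" does not say so. Separately, `goto out` lands on `return NULL`, so callers get the same result as for a name that is simply absent and the corruption is reported only through ext2_error(); note that next to the check so nobody relies on the return value to detect a corrupted i_size.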

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   Fri Feb  8 21:23:25 2008
@@ -8,3 +8,4 @@
 + coredump-only-to-same-uid.dpatch
 + i4l-isdn_ioctl-mem-overrun.dpatch
 + cramfs-check-block-length.dpatch
++ ext2-skip-pages-past-num-blocks.dpatch

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
