Author: dannf
Date: Fri Feb 8 21:55:19 2008
New Revision: 10444
Log:
* minixfs-printk-hang.dpatch
[SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
filesystem that would otherwise cause a system to hang (printk storm)
See CVE-2006-6058
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Fri Feb 8 21:55:19 2008
@@ -34,8 +34,12 @@
[SECURITY] Add some sanity checking for a corrupted i_size in
ext2_find_entry()
See CVE-2006-6054
+ * minixfs-printk-hang.dpatch
+ [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
+ filesystem that would otherwise cause a system to hang (printk storm)
+ See CVE-2006-6058
- -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:22:01 -0700
+ -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:54:19 -0700
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch
Fri Feb 8 21:55:19 2008
@@ -0,0 +1,69 @@
+commit f44ec6f3f89889a469773b1fd894f8fcc07c29cf
+Author: Eric Sandeen <[EMAIL PROTECTED]>
+Date: Tue Oct 16 23:27:15 2007 -0700
+
+ limit minixfs printks on corrupted dir i_size
+
+ This attempts to address CVE-2006-6058
+ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+
+ first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+
+ Essentially a corrupted minix dir inode reporting a very large
+ i_size will loop for a very long time in minix_readdir, minix_find_entry,
+ etc, because on EIO they just move on to try the next page. This is
+ under the BKL, printk-storming as well. This can lock up the machine
+ for a very long time. Simply ratelimiting the printks gets things back
+ under control. Make the message a bit more informative while we're here.
+
+ Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]>
+ Cc: Bodo Eggert <[EMAIL PROTECTED]>
+ Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+ Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v1.c
kernel-source-2.6.8/fs/minix/itree_v1.c
+--- kernel-source-2.6.8.orig/fs/minix/itree_v1.c 2004-08-13
23:38:10.000000000 -0600
++++ kernel-source-2.6.8/fs/minix/itree_v1.c 2008-02-08 14:33:09.000000000
-0700
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ int n = 0;
++ char b[BDEVNAME_SIZE];
+
+ if (block < 0) {
+- printk("minix_bmap: block<0");
++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++ block, bdevname(inode->i_sb->s_bdev, b));
+ } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+- printk("minix_bmap: block>big");
++ if (printk_ratelimit())
++ printk("MINIX-fs: block_to_path: "
++ "block %ld too big on dev %s\n",
++ block, bdevname(inode->i_sb->s_bdev, b));
+ } else if (block < 7) {
+ offsets[n++] = block;
+ } else if ((block -= 7) < 512) {
+diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v2.c
kernel-source-2.6.8/fs/minix/itree_v2.c
+--- kernel-source-2.6.8.orig/fs/minix/itree_v2.c 2004-08-13
23:37:39.000000000 -0600
++++ kernel-source-2.6.8/fs/minix/itree_v2.c 2008-02-08 14:33:56.000000000
-0700
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ int n = 0;
++ char b[BDEVNAME_SIZE];
+
+ if (block < 0) {
+- printk("minix_bmap: block<0");
++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++ block, bdevname(sb->s_bdev, b));
+ } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+- printk("minix_bmap: block>big");
++ if (printk_ratelimit())
++ printk("MINIX-fs: block_to_path: "
++ "block %ld too big on dev %s\n",
++ block, bdevname(sb->s_bdev, b));
+ } else if (block < 7) {
+ offsets[n++] = block;
+ } else if ((block -= 7) < 256) {
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
---
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
(original)
+++
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Fri Feb 8 21:55:19 2008
@@ -9,3 +9,4 @@
+ i4l-isdn_ioctl-mem-overrun.dpatch
+ cramfs-check-block-length.dpatch
+ ext2-skip-pages-past-num-blocks.dpatch
++ minixfs-printk-hang.dpatch
_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
