series

Dann Frazier Fri, 08 Feb 2008 13:09:26 -0800

Author: dannf
Date: Fri Feb  8 21:09:22 2008
New Revision: 10441

Log:
* cramfs-check-block-length.dpatch
  [SECURITY] Add a sanity check of the block length in cramfs_readpage to
  avoid a potential oops condition
  See CVE-2006-5823


Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Fri Feb  8 21:09:22 2008
@@ -26,8 +26,12 @@
   * i4l-isdn_ioctl-mem-overrun.dpatch
     [SECURITY] Fix potential isdn ioctl memory overrun
     See CVE-2007-6151
+  * cramfs-check-block-length.dpatch
+    [SECURITY] Add a sanity check of the block length in cramfs_readpage to
+    avoid a potential oops condition
+    See CVE-2006-5823
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 05 Jan 2008 18:10:05 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Fri, 08 Feb 2008 14:08:04 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
        Fri Feb  8 21:09:22 2008
@@ -0,0 +1,39 @@
+From: Phillip Lougher <[EMAIL PROTECTED]>
+Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800)
+Subject: [PATCH] corrupted cramfs filesystems cause kernel oops
+X-Git-Tag: v2.6.20-rc1~15^2~14^2~175
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;hp=2e591bbc0d563e12f5a260fbbca0df7d5810910e
+
+[PATCH] corrupted cramfs filesystems cause kernel oops
+
+Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
+fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
+Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
+is an unchecked corrupted block length field read by cramfs_readpage().
+
+This patch adds a sanity check to cramfs_readpage() which checks that the
+block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
+intentional, even though the uncompressed data is not going to be larger
+than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
+the original source data.  Mkcramfs checks that the compressed size is
+always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
+use the original uncompressed data in this case, but it doesn't.
+
+Signed-off-by: Phillip Lougher <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+index a624c3e..0509ced 100644
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page 
* page)
+               pgdata = kmap(page);
+               if (compr_len == 0)
+                       ; /* hole */
++              else if (compr_len > (PAGE_CACHE_SIZE << 1))
++                      printk(KERN_ERR "cramfs: bad compressed blocksize 
%u\n", compr_len);
+               else {
+                       mutex_lock(&read_mutex);
+                       bytes_filled = cramfs_uncompress_block(pgdata,

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   Fri Feb  8 21:09:22 2008
@@ -7,3 +7,4 @@
 + bluetooth-l2cap-hci-info-leaks.dpatch
 + coredump-only-to-same-uid.dpatch
 + i4l-isdn_ioctl-mem-overrun.dpatch
++ cramfs-check-block-length.dpatch

_______________________________________________
Kernel-svn-changes mailing list
Kernel-svn-changes@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes

[kernel] r10441 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Reply via email to