Author: dannf
Date: Fri Feb 8 21:09:22 2008
New Revision: 10441

Log:
* cramfs-check-block-length.dpatch
  [SECURITY] Add a sanity check of the block length in cramfs_readpage to
  avoid a potential oops condition
  See CVE-2006-5823
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:09:22 2008 @@ -26,8 +26,12 @@ * i4l-isdn_ioctl-mem-overrun.dpatch [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 + * cramfs-check-block-length.dpatch + [SECURITY] Add a sanity check of the block length in cramfs_readpage to + avoid a potential oops condition + See CVE-2006-5823 - -- dann frazier <[EMAIL PROTECTED]> Sat, 05 Jan 2008 18:10:05 -0700 + -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:08:04 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch Fri Feb 8 21:09:22 2008 
@@ -0,0 +1,39 @@ +From: Phillip Lougher <[EMAIL PROTECTED]> +Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800) +Subject: [PATCH] corrupted cramfs filesystems cause kernel oops +X-Git-Tag: v2.6.20-rc1~15^2~14^2~175 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;hp=2e591bbc0d563e12f5a260fbbca0df7d5810910e + +[PATCH] corrupted cramfs filesystems cause kernel oops + +Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/ +fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause +Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops +is an unchecked corrupted block length field read by cramfs_readpage(). + +This patch adds a sanity check to cramfs_readpage() which checks that the +block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is +intentional, even though the uncompressed data is not going to be larger +than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than +the original source data. Mkcramfs checks that the compressed size is +always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could +use the original uncompressed data in this case, but it doesn't. 
+ +Signed-off-by: Phillip Lougher <[EMAIL PROTECTED]> +Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> +Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> +--- + +diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c +index a624c3e..0509ced 100644 +--- a/fs/cramfs/inode.c ++++ b/fs/cramfs/inode.c +@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page) + pgdata = kmap(page); + if (compr_len == 0) + ; /* hole */ ++ else if (compr_len > (PAGE_CACHE_SIZE << 1)) ++ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len); + else { + mutex_lock(&read_mutex); + bytes_filled = cramfs_uncompress_block(pgdata, Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Fri Feb 8 21:09:22 2008 @@ -7,3 +7,4 @@ + bluetooth-l2cap-hci-info-leaks.dpatch + coredump-only-to-same-uid.dpatch + i4l-isdn_ioctl-mem-overrun.dpatch ++ cramfs-check-block-length.dpatch _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
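Review bot: in the fs/cramfs/inode.c hunk, the new `else if (compr_len > (PAGE_CACHE_SIZE << 1))` branch only prints the error and falls through, so bytes_filled is not set on this path and the oversized block is treated like a hole (the rest of the page gets filled as if the data were absent) rather than reported to the caller; consider also flagging the page as failed (SetPageError or an -EIO return) so a corrupt image shows up as a read error instead of silently zeroed data. The unconditional printk is also worth rate-limiting, since every read of the bad page will emit another line. Since compr_len is printed with %u it is unsigned, so this single upper bound also catches the wrapped value produced by out-of-order block pointers, which is the right shape for the check.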
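Review bot: the cramfs-check-block-length.dpatch hunk carries the upstream commit (X-Git-Tag v2.6.20-rc1, index a624c3e..0509ced) verbatim, and its trailing context line `mutex_lock(&read_mutex);` belongs to the mutex API that the 2.6.8 tree does not have, so the hunk will at best apply with fuzz; it is worth running `patch -p1 --dry-run -F0` against the 2.6.8 source and refreshing the context lines if they differ. A one-line backport note in the dpatch header stating that it is upstream commit 8bb0269160df2a60764013994d0bc5165406cf4a adapted for 2.6.8 would also help anyone auditing the sarge-security tree later.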