Author: dannf
Date: Fri Feb 8 21:23:25 2008
New Revision: 10442

Log:
* ext2-skip-pages-past-num-blocks.dpatch
  [SECURITY] Add some sanity checking for a corrupted i_size in
  ext2_find_entry()
  See CVE-2006-6054

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:23:25 2008 @@ -30,8 +30,12 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 + * ext2-skip-pages-past-num-blocks.dpatch + [SECURITY] Add some sanity checking for a corrupted i_size in + ext2_find_entry() + See CVE-2006-6054 - -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:08:04 -0700 + -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:22:01 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/ext2-skip-pages-past-num-blocks.dpatch Fri Feb 8 21:23:25 2008 
@@ -0,0 +1,42 @@ +commit d8adb9cef7e406a9a82881695097c702bc98422f +Author: Eric Sandeen <[EMAIL PROTECTED]> +Date: Sat Feb 10 01:45:06 2007 -0800 + + [PATCH] ext2: skip pages past number of blocks in ext2_find_entry + + This one was pointed out on the MOKB site: + http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html + + If a directory's i_size is corrupted, ext2_find_entry() will keep + processing pages until the i_size is reached, even if there are no more + blocks associated with the directory inode. This patch puts in some + minimal sanity-checking so that we don't keep checking pages (and issuing + errors) if we know there can be no more data to read, based on the block + count of the directory inode. + + This is somewhat similar in approach to the ext3 patch I sent earlier this + year. + + Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]> + Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> + Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 0b02ba9..e89bfc8 100644 +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -368,6 +368,14 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, + } + if (++n >= npages) + n = 0; ++ /* next page is past the blocks we've got */ ++ if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) { ++ ext2_error(dir->i_sb, __FUNCTION__, ++ "dir %lu size %lld exceeds block count %llu", ++ dir->i_ino, dir->i_size, ++ (unsigned long long)dir->i_blocks); ++ goto out; ++ } + } while (n != start); + out: + return NULL; Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Fri Feb 8 21:23:25 2008 
@@ -8,3 +8,4 @@ + coredump-only-to-same-uid.dpatch + i4l-isdn_ioctl-mem-overrun.dpatch + cramfs-check-block-length.dpatch ++ ext2-skip-pages-past-num-blocks.dpatch
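
Review bot: In the fs/ext2/dir.c hunk, the comment "next page is past the blocks we've got" does not explain the bound in n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)); please say there that i_blocks is counted in 512-byte units, that the shift rounds down to whole pages, and whether > rather than >= is meant to absorb that rounding, so a later reader does not tighten it into a test that rejects valid directories whose block size is smaller than the page size. The goto out path also returns NULL exactly as an ordinary lookup miss does, so callers can tell a corrupted i_size from an absent name only through the ext2_error() log line; that is worth stating in the comment or the changelog entry. Since the dpatch carries the upstream hunk at offset 368 into a 2.6.8 tree, confirm that it applies to this tree's fs/ext2/dir.c and that the new block still lands inside the do/while loop, directly before "} while (n != start);".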