Author: dannf Date: Fri Feb 8 21:55:19 2008 New Revision: 10444 Log: * minixfs-printk-hang.dpatch [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs filesystem that would otherwise cause a system to hang (printk storm) See CVE-2006-6058
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:55:19 2008 @@ -34,8 +34,12 @@ [SECURITY] Add some sanity checking for a corrupted i_size in ext2_find_entry() See CVE-2006-6054 + * minixfs-printk-hang.dpatch + [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs + filesystem that would otherwise cause a system to hang (printk storm) + See CVE-2006-6058 - -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:22:01 -0700 + -- dann frazier <[EMAIL PROTECTED]> Fri, 08 Feb 2008 14:54:19 -0700 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch ============================================================================== --- (empty file) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch Fri Feb 8 21:55:19 2008 
@@ -0,0 +1,69 @@ +commit f44ec6f3f89889a469773b1fd894f8fcc07c29cf +Author: Eric Sandeen <[EMAIL PROTECTED]> +Date: Tue Oct 16 23:27:15 2007 -0700 + + limit minixfs printks on corrupted dir i_size + + This attempts to address CVE-2006-6058 + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058 + + first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html + + Essentially a corrupted minix dir inode reporting a very large + i_size will loop for a very long time in minix_readdir, minix_find_entry, + etc, because on EIO they just move on to try the next page. This is + under the BKL, printk-storming as well. This can lock up the machine + for a very long time. Simply ratelimiting the printks gets things back + under control. Make the message a bit more informative while we're here. + + Signed-off-by: Eric Sandeen <[EMAIL PROTECTED]> + Cc: Bodo Eggert <[EMAIL PROTECTED]> + Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> + 
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]> + +Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]> + +diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v1.c kernel-source-2.6.8/fs/minix/itree_v1.c +--- kernel-source-2.6.8.orig/fs/minix/itree_v1.c 2004-08-13 23:38:10.000000000 -0600 ++++ kernel-source-2.6.8/fs/minix/itree_v1.c 2008-02-08 14:33:09.000000000 -0700 +@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino + static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + { + int n = 0; ++ char b[BDEVNAME_SIZE]; + + if (block < 0) { +- printk("minix_bmap: block<0"); ++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", ++ block, bdevname(inode->i_sb->s_bdev, b)); + } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { +- printk("minix_bmap: block>big"); ++ if (printk_ratelimit()) ++ printk("MINIX-fs: block_to_path: " ++ "block %ld too big on dev %s\n", ++ block, bdevname(inode->i_sb->s_bdev, b)); + } else if (block < 7) { + offsets[n++] = block; + } else if ((block -= 7) < 512) { +diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v2.c kernel-source-2.6.8/fs/minix/itree_v2.c +--- kernel-source-2.6.8.orig/fs/minix/itree_v2.c 2004-08-13 23:37:39.000000000 -0600 ++++ kernel-source-2.6.8/fs/minix/itree_v2.c 2008-02-08 14:33:56.000000000 -0700 +@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino + static int block_to_path(struct inode * inode, long block, int offsets[DEPTH]) + { + int n = 0; ++ char b[BDEVNAME_SIZE]; + + if (block < 0) { +- printk("minix_bmap: block<0"); ++ printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n", ++ block, bdevname(sb->s_bdev, b)); + } else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) { +- printk("minix_bmap: block>big"); ++ if (printk_ratelimit()) ++ printk("MINIX-fs: block_to_path: " ++ "block %ld too big on dev %s\n", ++ block, bdevname(sb->s_bdev, b)); + } else if (block < 7) { + offsets[n++] = block; + } else if ((block -= 7) 
< 256) { Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 ============================================================================== --- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original) +++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Fri Feb 8 21:55:19 2008 @@ -9,3 +9,4 @@ + i4l-isdn_ioctl-mem-overrun.dpatch + cramfs-check-block-length.dpatch + ext2-skip-pages-past-num-blocks.dpatch ++ minixfs-printk-hang.dpatch
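Review bot: in the fs/minix/itree_v2.c hunk, both new printk calls pass `sb->s_bdev` to bdevname(), but the visible lines of block_to_path() declare only `n` and the new `b`, and the unchanged range check in the same function still reaches the superblock as `inode->i_sb`. Unless `sb` is declared somewhere outside the shown context, this will not build against the 2.6.8 tree. Use `inode->i_sb->s_bdev` as the itree_v1.c hunk does, or add a `struct super_block *sb = inode->i_sb;` local at the top of the function.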
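Review bot: in the fs/minix/itree_v1.c hunk (and its twin in itree_v2.c), only the "too big" branch is guarded by `if (printk_ratelimit())`; the `block < 0` branch gained a longer message but still prints unconditionally. If a corrupted inode can drive callers into that branch on every iteration, the storm described in the commit log remains possible there, so wrap it in the same guard. Both messages also lack an explicit log level; adding one (for example `KERN_ERR`) would make them filterable by console loglevel.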