Author: dannf
Date: Thu Feb 14 06:28:45 2008
New Revision: 10543

Log:
* 258_ext2_readdir-f_pos-fix.diff,
  259_ext2_readdir-infinite-loop.diff,
  260_ext2-skip-pages-past-num-blocks.diff
  [SECURITY] Add some sanity checking for a corrupted i_size in
  ext2_find_entry()
  See CVE-2006-6054
Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff
Removed:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Thu Feb 14 06:28:45 2008
@@ -49,18 +49,20 @@ [SECURITY] Add a sanity check of the block length in cramfs_readpage to avoid a potential oops condition See CVE-2006-5823 - * 255_ext2-skip-pages-past-num-blocks.diff - [SECURITY] Add some sanity checking for a corrupted i_size in - ext2_find_entry() - See CVE-2006-6054 * 256_i4l-isdn_ioctl-mem-overrun.diff [SECURITY] Fix potential isdn ioctl memory overrun See CVE-2007-6151 * 257_isdn-net-overflow.diff [SECURITY] Fix potential overflows in the ISDN subsystem See CVE-2007-6063 + * 258_ext2_readdir-f_pos-fix.diff, + 259_ext2_readdir-infinite-loop.diff, + 260_ext2-skip-pages-past-num-blocks.diff + [SECURITY] Add some sanity checking for a corrupted i_size in + ext2_find_entry() + See CVE-2006-6054 - -- dann frazier <[EMAIL PROTECTED]> Fri, 01 Feb 2008 14:48:58 -0600 + -- dann frazier <[EMAIL PROTECTED]> Wed, 13 Feb 2008 23:10:11 -0700 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff Thu Feb 14 06:28:45 2008 @@ -0,0 +1,62 @@ +commit c30306fb287323591c854a0982d9fa5351859b45 +Author: dann frazier <[EMAIL PROTECTED]> +Date: Mon Jan 21 17:13:06 2008 -0700 + + ext2_readdir() filp->f_pos fix + + This is a 2.4 backport of a linux-2.6 change by Jan Blunck + (old-2.6-bkcvs commit 2196b4744393d4f6c06fc4d63b98556d05b90933) + + Commit log from 2.6 follows. + + [PATCH] ext2_readdir() filp->f_pos fix + + If the whole directory is read, ext2_readdir() sets the f_pos to a multiple + of the page size (because of the conditions of the outer for loop). This + sets the wrong f_pos for directory inodes on ext2 partitions with a block + size differing from the page size. + + 
Signed-off-by: dann frazier <[EMAIL PROTECTED]> + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 58b76dd..b158e60 100644 +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -240,7 +240,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + loff_t pos = filp->f_pos; + struct inode *inode = filp->f_dentry->d_inode; + struct super_block *sb = inode->i_sb; +- unsigned offset = pos & ~PAGE_CACHE_MASK; ++ unsigned int offset = pos & ~PAGE_CACHE_MASK; + unsigned long n = pos >> PAGE_CACHE_SHIFT; + unsigned long npages = dir_pages(inode); + unsigned chunk_mask = ~(ext2_chunk_size(inode)-1); +@@ -258,8 +258,13 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + ext2_dirent *de; + struct page *page = ext2_get_page(inode, n); + +- if (IS_ERR(page)) ++ if (IS_ERR(page)) { ++ ext2_error(sb, __FUNCTION__, ++ "bad page in #%lu", ++ inode->i_ino); ++ filp->f_pos += PAGE_CACHE_SIZE - offset; + continue; ++ } + kaddr = page_address(page); + if (need_revalidate) { + offset = ext2_validate_entry(kaddr, offset, chunk_mask); +@@ -283,12 +288,12 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + ext2_put_page(page); + goto done; + } ++ filp->f_pos += le16_to_cpu(de->rec_len); + } + ext2_put_page(page); + } + + done: +- filp->f_pos = (n << PAGE_CACHE_SHIFT) | offset; + filp->f_version = inode->i_version; + UPDATE_ATIME(inode); + return 0; Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff Thu Feb 14 06:28:45 2008 
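Review bot: the changelog hunk describes all three new patches as "sanity checking for a corrupted i_size in ext2_find_entry()", but only 260_ext2-skip-pages-past-num-blocks.diff touches ext2_find_entry(); 258 and 259 change ext2_readdir() (f_pos accounting and the error return on a bad page) and are prerequisites, as the 260 patch header itself says. Spell that out in the entry, e.g. "258/259: fix ext2_readdir() f_pos handling and return -EIO on a bad directory page, needed for 260", so the stable-security record says what each patch does.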
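Review bot: in the `IS_ERR(page)` hunk of fs/ext2/dir.c, skipping the page with `continue` after `ext2_error` means a directory whose `i_size` runs past its real blocks (the CVE-2006-6054 case from the changelog) still logs one "bad page in #..." line per page and keeps walking until `i_size` is reached, and the caller never learns of it. Returning an error at that point (which 259_ext2_readdir-infinite-loop.diff in this same commit does) is the actual fix; on its own this hunk only keeps `filp->f_pos` consistent across the skip. Also, `filp->f_pos += PAGE_CACHE_SIZE - offset;` is only correct for the second and later skipped pages if the loop header resets `offset` to 0 on each iteration; the context lines do not show the loop header, so confirm that in the 2.4.27 tree before relying on it.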
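Review bot: the `done:` hunk removes `filp->f_pos = (n << PAGE_CACHE_SHIFT) | offset;`, the single place that wrote `f_pos` back from `n` and `offset`, so every path that changes `offset` now has to update `f_pos` itself. The successful filldir path does (`filp->f_pos += le16_to_cpu(de->rec_len);`) and the error path does, but the `need_revalidate` path, whose context stops right after `offset = ext2_validate_entry(kaddr, offset, chunk_mask);`, is not shown writing `f_pos` at all. If the 2.4.27 tree does not already have `filp->f_pos = (n << PAGE_CACHE_SHIFT) + offset;` immediately after that call, a revalidated position is never stored and the next readdir resumes from the stale offset; please confirm or add it. Adding `rec_len` per entry also means a zero `rec_len` would no longer advance `f_pos`, so this hunk depends on ext2's page validation having rejected such entries before they reach this loop.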
@@ -0,0 +1,54 @@ +commit 8be8243c968d85e464ba017877575355539b7965 +Author: dann frazier <[EMAIL PROTECTED]> +Date: Mon Jan 21 17:14:49 2008 -0700 + + avoid semi-infinite loop when mounting bad ext2 + + This is a 2.4 backport of a linux-2.6 change by Andries Brouwer + (old-2.6-bkcvs commit c279c5343b1796bf1db4c0b4af2c99479a6575fe) + + Commit log from 2.6 follows. + + The routine ext2_readdir() will, when reading a directory page + returns an error, try the next page, without reporting the + error to user space. That is bad, and the patch below changes that. + + In my case the filesystem was damaged, and ext2_readdir wanted + to read 60000+ pages and wrote as many error messages to syslog + ("attempt to access beyond end"), not what one wants. + + [no doubt a similar patch is appropriate for ext3] + + 
Signed-off-by: dann frazier <[EMAIL PROTECTED]> + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index b158e60..0cbb8f9 100644 +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -246,6 +246,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + unsigned chunk_mask = ~(ext2_chunk_size(inode)-1); + unsigned char *types = NULL; + int need_revalidate = (filp->f_version != inode->i_version); ++ int ret = 0; + + if (pos > inode->i_size - EXT2_DIR_REC_LEN(1)) + goto done; +@@ -263,7 +264,8 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + "bad page in #%lu", + inode->i_ino); + filp->f_pos += PAGE_CACHE_SIZE - offset; +- continue; ++ ret = -EIO; ++ goto done; + } + kaddr = page_address(page); + if (need_revalidate) { +@@ -296,7 +298,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t filldir) + done: + filp->f_version = inode->i_version; + UPDATE_ATIME(inode); +- return 0; ++ return ret; + } + + /* Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff ============================================================================== --- (empty file) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff Thu Feb 14 06:28:45 2008 
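Review bot: the `IS_ERR(page)` hunk now returns `-EIO`, but it still executes `filp->f_pos += PAGE_CACHE_SIZE - offset;` before `goto done`, so a caller that ignores the error and calls readdir again resumes after the unreadable page instead of hitting it again. If skipping past the bad page on retry is intended, say so in the patch header; otherwise move the `f_pos` update out of the error path. Two smaller points: `ext2_get_page` hands back an error pointer (that is what `IS_ERR(page)` is testing), so `ret = PTR_ERR(page);` would report the real cause rather than a fixed `-EIO`; and since the jump lands on `done:`, the failed call still runs `filp->f_version = inode->i_version; UPDATE_ATIME(inode);`, updating atime and suppressing revalidation on the next call even though nothing was read.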
@@ -0,0 +1,53 @@ +commit 38d832aa48ab51df8192511ffdcaea031a2cc0d1 +Author: dann frazier <[EMAIL PROTECTED]> +Date: Mon Jan 21 17:16:51 2008 -0700 + + ext2: skip pages past number of blocks in ext2_find_entry + + This is a 2.4 backport of a linux-2.6 change by Eric Sandeen + (commit d8adb9cef7e406a9a82881695097c702bc98422f) + + CVE-2006-6054 was assigned for this issue, which is easily reproducible in 2.4. + However, this changeset alone does not resolve the issue for 2.4 - two earlier + backports for ext2_readdir() are required. + + Commit log from 2.6 follows. + + [PATCH] ext2: skip pages past number of blocks in ext2_find_entry + + This one was pointed out on the MOKB site: + http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html + + If a directory's i_size is corrupted, ext2_find_entry() will keep + processing pages until the i_size is reached, even if there are no more + blocks associated with the directory inode. This patch puts in some + minimal sanity-checking so that we don't keep checking pages (and issuing + errors) if we know there can be no more data to read, based on the block + count of the directory inode. + + This is somewhat similar in approach to the ext3 patch I sent earlier this + year. + + 
Signed-off-by: dann frazier <[EMAIL PROTECTED]> + +diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c +index 0cbb8f9..ce27575 100644 +--- a/fs/ext2/dir.c ++++ b/fs/ext2/dir.c +@@ -343,7 +343,16 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, + } + if (++n >= npages) + n = 0; ++ /* next page is past the blocks we've got */ ++ if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) { ++ ext2_error(dir->i_sb, __FUNCTION__, ++ "dir %lu size %lld exceeds block count %llu", ++ dir->i_ino, dir->i_size, ++ (unsigned long long)dir->i_blocks); ++ goto out; ++ } + } while (n != start); ++out: + return NULL; + + found: Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 ============================================================================== --- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 (original) +++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6 Thu Feb 14 06:28:45 2008 @@ -14,6 +14,8 @@ + 252_openpromfs-checks-3.diff + 253_coredump-only-to-same-uid.diff + 254_cramfs-check-block-length.diff -+ 255_ext2-skip-pages-past-num-blocks.diff + 256_i4l-isdn_ioctl-mem-overrun.diff + 257_isdn-net-overflow.diff ++ 258_ext2_readdir-f_pos-fix.diff ++ 259_ext2_readdir-infinite-loop.diff ++ 260_ext2-skip-pages-past-num-blocks.diff _______________________________________________ Kernel-svn-changes mailing list Kernel-svn-changes@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
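Review bot: in the ext2_find_entry hunk the guard `n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9))` is a loose upper bound, not an exact one. `n` is a zero-based page index while the right-hand side is a page count, so `n` equal to the count (one page past the last) still passes, and `i_blocks` is in 512-byte units and also counts the directory's indirect blocks, which rounds the count up further. That is acceptable for a check whose only job is to stop the scan from following a bogus `i_size` through tens of thousands of nonexistent pages (reading such a page still fails in `ext2_get_page`), but a one-line comment saying the bound is deliberately loose would stop the next reader from tightening it to `>=`. Note also that the test sits after the `if (++n >= npages) n = 0;` wrap, so it never fires on the wrapped iteration; since `npages` here derives from the corrupted `i_size` (per the patch header), the wrap bounds nothing and the new test is the only thing that does. Style: `out:` is placed directly before the `return NULL;` that follows the `do { ... } while (n != start);`, so `break;` would do the same without adding a label.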