Author: dannf
Date: Thu Feb 14 06:28:45 2008
New Revision: 10543

Log:
* 258_ext2_readdir-f_pos-fix.diff,
  259_ext2_readdir-infinite-loop.diff,
  260_ext2-skip-pages-past-num-blocks.diff
  [SECURITY] Add some sanity checking for a corrupted i_size in
  ext2_find_entry()
  See CVE-2006-6054

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff
Removed:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/255_ext2-skip-pages-past-num-blocks.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Thu Feb 14 06:28:45 2008
@@ -49,18 +49,20 @@
     [SECURITY] Add a sanity check of the block length in cramfs_readpage to
     avoid a potential oops condition
     See CVE-2006-5823
-  * 255_ext2-skip-pages-past-num-blocks.diff
-    [SECURITY] Add some sanity checking for a corrupted i_size in
-    ext2_find_entry()
-    See CVE-2006-6054
   * 256_i4l-isdn_ioctl-mem-overrun.diff
     [SECURITY] Fix potential isdn ioctl memory overrun
     See CVE-2007-6151
   * 257_isdn-net-overflow.diff
     [SECURITY] Fix potential overflows in the ISDN subsystem
     See CVE-2007-6063
+  * 258_ext2_readdir-f_pos-fix.diff,
+    259_ext2_readdir-infinite-loop.diff,
+    260_ext2-skip-pages-past-num-blocks.diff
+    [SECURITY] Add some sanity checking for a corrupted i_size in
+    ext2_find_entry()
+    See CVE-2006-6054
 
- -- dann frazier <[EMAIL PROTECTED]>  Fri, 01 Feb 2008 14:48:58 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Wed, 13 Feb 2008 23:10:11 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/258_ext2_readdir-f_pos-fix.diff
   Thu Feb 14 06:28:45 2008
@@ -0,0 +1,62 @@
+commit c30306fb287323591c854a0982d9fa5351859b45
+Author: dann frazier <[EMAIL PROTECTED]>
+Date:   Mon Jan 21 17:13:06 2008 -0700
+
+    ext2_readdir() filp->f_pos fix
+    
+    This is a 2.4 backport of a linux-2.6 change by Jan Blunck
+    (old-2.6-bkcvs commit 2196b4744393d4f6c06fc4d63b98556d05b90933)
+    
+    Commit log from 2.6 follows.
+    
+      [PATCH] ext2_readdir() filp->f_pos fix
+    
+      If the whole directory is read, ext2_readdir() sets the f_pos to a 
multiple
+      of the page size (because of the conditions of the outer for loop).  This
+      sets the wrong f_pos for directory inodes on ext2 partitions with a block
+      size differing from the page size.
+    
+    Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+
+diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
+index 58b76dd..b158e60 100644
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -240,7 +240,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t 
filldir)
+       loff_t pos = filp->f_pos;
+       struct inode *inode = filp->f_dentry->d_inode;
+       struct super_block *sb = inode->i_sb;
+-      unsigned offset = pos & ~PAGE_CACHE_MASK;
++      unsigned int offset = pos & ~PAGE_CACHE_MASK;
+       unsigned long n = pos >> PAGE_CACHE_SHIFT;
+       unsigned long npages = dir_pages(inode);
+       unsigned chunk_mask = ~(ext2_chunk_size(inode)-1);
+@@ -258,8 +258,13 @@ ext2_readdir (struct file * filp, void * dirent, 
filldir_t filldir)
+               ext2_dirent *de;
+               struct page *page = ext2_get_page(inode, n);
+ 
+-              if (IS_ERR(page))
++              if (IS_ERR(page)) {
++                      ext2_error(sb, __FUNCTION__,
++                                 "bad page in #%lu",
++                                 inode->i_ino);
++                      filp->f_pos += PAGE_CACHE_SIZE - offset;
+                       continue;
++              }
+               kaddr = page_address(page);
+               if (need_revalidate) {
+                       offset = ext2_validate_entry(kaddr, offset, chunk_mask);
+@@ -283,12 +288,12 @@ ext2_readdir (struct file * filp, void * dirent, 
filldir_t filldir)
+                                       ext2_put_page(page);
+                                       goto done;
+                               }
++                      filp->f_pos += le16_to_cpu(de->rec_len);
+                       }
+               ext2_put_page(page);
+       }
+ 
+ done:
+-      filp->f_pos = (n << PAGE_CACHE_SHIFT) | offset;
+       filp->f_version = inode->i_version;
+       UPDATE_ATIME(inode);
+       return 0;
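Review bot: After `offset = ext2_validate_entry(kaddr, offset, chunk_mask);` in the `need_revalidate` branch the new incremental `filp->f_pos` accounting is not resynchronised with the adjusted offset, whereas the removed `filp->f_pos = (n << PAGE_CACHE_SHIFT) | offset;` at `done:` used to do that for the old scheme; if a stale position is moved by the validation, f_pos and the entry cursor drift apart for the rest of the call unless something outside the hunk corrects it. A one-line fix is `filp->f_pos = (n << PAGE_CACHE_SHIFT) + offset;` immediately after the validate call. ext2_readdir begins before the first quoted hunk and its closing brace is after the last one, so I cannot see whether the revalidate path is touched elsewhere.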

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/259_ext2_readdir-infinite-loop.diff
       Thu Feb 14 06:28:45 2008
@@ -0,0 +1,54 @@
+commit 8be8243c968d85e464ba017877575355539b7965
+Author: dann frazier <[EMAIL PROTECTED]>
+Date:   Mon Jan 21 17:14:49 2008 -0700
+
+    avoid semi-infinite loop when mounting bad ext2
+    
+    This is a 2.4 backport of a linux-2.6 change by Andries Brouwer
+    (old-2.6-bkcvs commit c279c5343b1796bf1db4c0b4af2c99479a6575fe)
+    
+    Commit log from 2.6 follows.
+    
+      The routine ext2_readdir() will, when reading a directory page
+      returns an error, try the next page, without reporting the
+      error to user space. That is bad, and the patch below changes that.
+    
+      In my case the filesystem was damaged, and ext2_readdir wanted
+      to read 60000+ pages and wrote as many error messages to syslog
+      ("attempt to access beyond end"), not what one wants.
+    
+      [no doubt a similar patch is appropriate for ext3]
+    
+    Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+
+diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
+index b158e60..0cbb8f9 100644
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -246,6 +246,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t 
filldir)
+       unsigned chunk_mask = ~(ext2_chunk_size(inode)-1);
+       unsigned char *types = NULL;
+       int need_revalidate = (filp->f_version != inode->i_version);
++      int ret = 0;
+ 
+       if (pos > inode->i_size - EXT2_DIR_REC_LEN(1))
+               goto done;
+@@ -263,7 +264,8 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t 
filldir)
+                                  "bad page in #%lu",
+                                  inode->i_ino);
+                       filp->f_pos += PAGE_CACHE_SIZE - offset;
+-                      continue;
++                      ret = -EIO;
++                      goto done;
+               }
+               kaddr = page_address(page);
+               if (need_revalidate) {
+@@ -296,7 +298,7 @@ ext2_readdir (struct file * filp, void * dirent, filldir_t 
filldir)
+ done:
+       filp->f_version = inode->i_version;
+       UPDATE_ATIME(inode);
+-      return 0;
++      return ret;
+ }
+ 
+ /*
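Review bot: The new `-EIO` path keeps the preceding `filp->f_pos += PAGE_CACHE_SIZE - offset;`, so the directory offset is advanced past the unreadable page even though the call now fails; a reader that retries after the error resumes at the next page and silently skips whatever the bad page held, and the per-entry `+= rec_len` updates from the previous patch mean entries emitted earlier in the same call appear to be consumed as well. Whether that is the intended contract is not stated anywhere in the patch; either drop the advance on the error path or document it, e.g. `/* on I/O error f_pos is left past the bad page so a retry cannot spin on it */` above the `ret = -EIO;` line. Returning `ret` from the early `goto done` taken when `pos > inode->i_size - EXT2_DIR_REC_LEN(1)` is fine, since `ret` is still 0 there.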

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/260_ext2-skip-pages-past-num-blocks.diff
  Thu Feb 14 06:28:45 2008
@@ -0,0 +1,53 @@
+commit 38d832aa48ab51df8192511ffdcaea031a2cc0d1
+Author: dann frazier <[EMAIL PROTECTED]>
+Date:   Mon Jan 21 17:16:51 2008 -0700
+
+    ext2: skip pages past number of blocks in ext2_find_entry
+    
+    This is a 2.4 backport of a linux-2.6 change by Eric Sandeen
+    (commit d8adb9cef7e406a9a82881695097c702bc98422f)
+    
+    CVE-2006-6054 was assigned for this issue, which is easily reproducible in 
2.4.
+    However, this changeset alone does not resolve the issue for 2.4 - two 
earlier
+    backports for ext2_readdir() are required.
+    
+    Commit log from 2.6 follows.
+    
+      [PATCH] ext2: skip pages past number of blocks in ext2_find_entry
+    
+      This one was pointed out on the MOKB site:
+      
http://kernelfun.blogspot.com/2006/11/mokb-09-11-2006-linux-26x-ext2checkpage.html
+    
+      If a directory's i_size is corrupted, ext2_find_entry() will keep
+      processing pages until the i_size is reached, even if there are no more
+      blocks associated with the directory inode.  This patch puts in some
+      minimal sanity-checking so that we don't keep checking pages (and issuing
+      errors) if we know there can be no more data to read, based on the block
+      count of the directory inode.
+    
+      This is somewhat similar in approach to the ext3 patch I sent earlier 
this
+      year.
+    
+    Signed-off-by: dann frazier <[EMAIL PROTECTED]>
+
+diff --git a/fs/ext2/dir.c b/fs/ext2/dir.c
+index 0cbb8f9..ce27575 100644
+--- a/fs/ext2/dir.c
++++ b/fs/ext2/dir.c
+@@ -343,7 +343,16 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * 
dir,
+               }
+               if (++n >= npages)
+                       n = 0;
++              /* next page is past the blocks we've got */
++              if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) {
++                      ext2_error(dir->i_sb, __FUNCTION__,
++                              "dir %lu size %lld exceeds block count %llu",
++                              dir->i_ino, dir->i_size,
++                              (unsigned long long)dir->i_blocks);
++                              goto out;
++              }
+       } while (n != start);
++out:
+       return NULL;
+ 
+ found:
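Review bot: `goto out;` is indented one level deeper than the `ext2_error()` call it follows, which makes it read as a continuation of the argument list; and since `out:` only labels `return NULL;`, the branch can simply `return NULL;` and the new label dropped. The bound itself is loose by design: `i_blocks` is in 512-byte units (hence the `- 9`), and as I read it includes indirect blocks too, so the check only catches an `i_size` that is wildly beyond the allocated data rather than off by a page. The one-line comment should say that, e.g. `/* i_blocks (512-byte units) is an upper bound on the pages this dir can own; only a corrupt i_size sends n past it */`. Note the test runs after the `n = 0` wrap, so it is evaluated against the post-wrap index, which is what you want.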

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Thu Feb 14 06:28:45 2008
@@ -14,6 +14,8 @@
 + 252_openpromfs-checks-3.diff
 + 253_coredump-only-to-same-uid.diff
 + 254_cramfs-check-block-length.diff
-+ 255_ext2-skip-pages-past-num-blocks.diff
 + 256_i4l-isdn_ioctl-mem-overrun.diff
 + 257_isdn-net-overflow.diff
++ 258_ext2_readdir-f_pos-fix.diff
++ 259_ext2_readdir-infinite-loop.diff
++ 260_ext2-skip-pages-past-num-blocks.diff
