r3881 - in trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Simon Horman horms at costa.debian.org
Mon Aug 15 09:38:57 UTC 2005


Author: horms
Date: 2005-08-15 09:38:56 +0000 (Mon, 15 Aug 2005)
New Revision: 3881

Added:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/zisofs.dpatch
Modified:
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
Log:
  * zisofs.dpatch
    Check input buffer size in zisofs
    From 2.6.12.5


Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-08-15 09:34:41 UTC (rev 3880)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	2005-08-15 09:38:56 UTC (rev 3881)
@@ -191,11 +191,16 @@
   * linux-zlib-fixes.dpatch
     [Security] Fix security bugs in the Linux zlib implementations.
     See CAN-2005-2458, CAN-2005-2459
+    From 2.6.12.5
     http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
     http://bugs.gentoo.org/show_bug.cgi?id=94584
 
- -- Simon Horman <horms at debian.org>  Mon, 15 Aug 2005 18:31:47 +0900
+  * zisofs.dpatch
+    Check input buffer size in zisofs
+    From 2.6.12.5
 
+ -- Simon Horman <horms at debian.org>  Mon, 15 Aug 2005 18:36:45 +0900
+
 kernel-source-2.6.8 (2.6.8-16) unstable; urgency=low
 
   * smbfs-overrun.dpatch:
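
Review bot: The new zisofs.dpatch changelog entry has no [Security] marker or reference, unlike the linux-zlib-fixes.dpatch entry directly above it, even though the patch it describes was cc'd to security at kernel.org and adds bounds checks on offsets read from the filesystem image. Suggest writing it as "[Security] Check input buffer size in zisofs" so it is found when the changelog is scanned for security fixes. Separately, the added "From 2.6.12.5" line in the linux-zlib-fixes entry lands between the CAN identifiers and the two reference URLs; placing it after the URLs would keep the references together.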

Modified: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-08-15 09:34:41 UTC (rev 3880)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17	2005-08-15 09:38:56 UTC (rev 3881)
@@ -51,3 +51,4 @@
 + arch-x86_64-nmi.dpatch
 + arch-x86_64-kernel-stack-faults.dpatch
 + linux-zlib-fixes.dpatch
++ zisofs.dpatch

Added: trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/zisofs.dpatch
===================================================================
--- trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/zisofs.dpatch	2005-08-15 09:34:41 UTC (rev 3880)
+++ trunk/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/zisofs.dpatch	2005-08-15 09:38:56 UTC (rev 3881)
@@ -0,0 +1,62 @@
+From torvalds at osdl.org  Sat Aug  6 11:33:12 2005
+Date: Sat, 6 Aug 2005 11:33:11 -0700 (PDT)
+From: Linus Torvalds <torvalds at osdl.org>
+To: Tim Yamin <plasmaroo at gentoo.org>
+cc: "H. Peter Anvin" <hpa at zytor.com>, Chris Wright <chrisw at osdl.org>,
+        security at kernel.org
+Subject: Check input buffer size in zisofs
+
+Add fakey 'deflateBound()' function to the in-kernel zlib routines
+
+It's not the real deflateBound() in newer zlib libraries, partly because
+the upcoming usage of it won't have the "stream" available, so we can't
+have the same interfaces anyway.
+
+This uses the new deflateBound() thing to sanity-check the input to the
+zlib decompressor before we even bother to start reading in the blocks.
+
+Problem noted by Tim Yamin <plasmaroo at gentoo.org>
+
+Signed-off-by: Chris Wright <chrisw at osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+Signed-off-by: H. Peter Anvin <hpa at zytor.com>
+---
+ fs/isofs/compress.c  |    6 ++++++
+ include/linux/zlib.h |    5 +++++
+ 2 files changed, 11 insertions(+)
+
+Index: linux-2.6.12.y/include/linux/zlib.h
+===================================================================
+--- linux-2.6.12.y.orig/include/linux/zlib.h
++++ linux-2.6.12.y/include/linux/zlib.h
+@@ -506,6 +506,11 @@ extern int zlib_deflateReset (z_streamp 
+    stream state was inconsistent (such as zalloc or state being NULL).
+ */
+ 
++static inline unsigned long deflateBound(unsigned long s)
++{
++	return s + ((s + 7) >> 3) + ((s + 63) >> 6) + 11;
++}
++
+ extern int zlib_deflateParams (z_streamp strm, int level, int strategy);
+ /*
+      Dynamically update the compression level and compression strategy.  The
+Index: linux-2.6.12.y/fs/isofs/compress.c
+===================================================================
+--- linux-2.6.12.y.orig/fs/isofs/compress.c
++++ linux-2.6.12.y/fs/isofs/compress.c
+@@ -129,8 +129,14 @@ static int zisofs_readpage(struct file *
+ 	cend = le32_to_cpu(*(__le32 *)(bh->b_data + (blockendptr & bufmask)));
+ 	brelse(bh);
+ 
++	if (cstart > cend)
++		goto eio;
++		
+ 	csize = cend-cstart;
+ 
++	if (csize > deflateBound(1UL << zisofs_block_shift))
++		goto eio;
++
+ 	/* Now page[] contains an array of pages, any of which can be NULL,
+ 	   and the locks on which we hold.  We should now read the data and
+ 	   release the pages.  If the pages are NULL the decompressed data
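
Review bot: In the include/linux/zlib.h part, deflateBound() is added with no comment and without the zlib_ prefix used by the neighbouring declarations (zlib_deflateReset, zlib_deflateParams), while sharing its name with the real zlib function, which takes a stream and a source length. The patch description says this is deliberate, but that explanation lives only in the mail header of the dpatch; a short comment above the inline stating that it returns a worst-case compressed size for s input bytes and is not the upstream zlib interface would keep a later zlib resync from silently changing what the check in zisofs_readpage() means. In the fs/isofs/compress.c part, the order of the two checks matters (cstart > cend has to be rejected before csize = cend-cstart is computed, otherwise the subtraction wraps and the size check is the only thing standing between the on-disk pointers and the read), so a one-line comment saying so would help. The line after the first "goto eio;" contains only tabs and should be an empty line.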



