r2850 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Tue, 29 Mar 2005 08:48:57 +0000
Author: horms
Date: 2005-03-29 08:48:56 +0000 (Tue, 29 Mar 2005)
New Revision: 2850
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-1.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-2.diff
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-3.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10
Log:
[Security] Fix range checking in isofs which leads to a local crash
and arbitrary code execution. See CAN-2005-0815
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-03-29 08:35:22 UTC (rev 2849)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-03-29 08:48:56 UTC (rev 2850)
@@ -10,8 +10,14 @@
a local information leak. See CAN-2005-0400
(Simon Horman)
- -- Simon Horman <horms@debian.org> Tue, 29 Mar 2005 17:33:32 +0900
+ * 157_fs-isofs-range-check-1.diff, 157_fs-isofs-range-check-2.diff,
+ 157_fs-isofs-range-check-3.diff:
+ [Security] Fix range checking in isofs which leads to a local crash
+ and arbitary code execution. See CAN-2005-0815
+ (Simon Horman)
+ -- Simon Horman <horms@debian.org> Tue, 29 Mar 2005 17:47:24 +0900
+
kernel-source-2.4.27 (2.4.27-9) unstable; urgency=low
* There was a stray file in 2.4.27-8. Don't include it this time.
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-1.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-1.diff 2005-03-29 08:35:22 UTC (rev 2849)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-1.diff 2005-03-29 08:48:56 UTC (rev 2850)
@@ -0,0 +1,132 @@
+# origin: chrisw (BitKeeper)
+# cset: 1.1483 (2.4) key=4244a3aeRsXj7r4AC7s1QgPvWpjtoA
+# URL: http://linux.bkbits.net:8080/linux-2.4/cset@4244a3aeRsXj7r4AC7s1QgPvWpjtoA
+# inclusion: upstream
+# descrition: [PATCH] isofs: Handle corupted rock-ridge info slightly better.
+# revision date: Tue, 29 Mar 2005 17:40:33 +0900
+#
+# S rset: ChangeSet|1.1482..1.1483
+# I rset: fs/isofs/rock.c|1.7..1.8
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# fs/isofs/rock.c
+# 2005/03/26 00:38:11-03:00 chrisw@osdl.org +14 -7
+# isofs: Handle corupted rock-ridge info slightly better.
+#
+# ChangeSet
+# 2005/03/25 20:50:06-03:00 chrisw@osdl.org
+# [PATCH] isofs: Handle corupted rock-ridge info slightly better.
+#
+# Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
+# iso9660 filesystem.
+#
+# http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
+#
+# CAN-2005-0815 is assigned to this issue.
+#
+# From: Linus Torvalds <torvalds@osdl.org>
+#
+# isofs: Handle corupted rock-ridge info slightly better.
+#
+# Keyword here being 'slightly'. The code is a mess.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+#
+===== fs/isofs/rock.c 1.7 vs 1.8 =====
+--- 1.7/fs/isofs/rock.c 2004-04-14 09:00:00 +09:00
++++ 1.8/fs/isofs/rock.c 2005-03-26 12:38:11 +09:00
+@@ -52,6 +52,7 @@
+ if(LEN & 1) LEN++; \
+ CHR = ((unsigned char *) DE) + LEN; \
+ LEN = *((unsigned char *) DE) - LEN; \
++ if (LEN<0) LEN=0; \
+ if (inode->i_sb->u.isofs_sb.s_rock_offset!=-1) \
+ { \
+ LEN-=inode->i_sb->u.isofs_sb.s_rock_offset; \
+@@ -172,12 +173,13 @@ int get_rock_ridge_filename(struct iso_d
+ struct rock_ridge * rr;
+ int sig;
+
+- while (len > 1){ /* There may be one byte for padding somewhere */
++ while (len > 2){ /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0) goto out; /* Something got screwed up here */
++ if (rr->len < 3) goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0) goto out; /* corrupted isofs */
+
+ switch(sig){
+ case SIG('R','R'):
+@@ -191,6 +193,7 @@ int get_rock_ridge_filename(struct iso_d
+ break;
+ case SIG('N','M'):
+ if (truncate) break;
++ if (rr->len < 5) break;
+ /*
+ * If the flags are 2 or 4, this indicates '.' or '..'.
+ * We don't want to do anything with this, because it
+@@ -252,12 +255,13 @@ int parse_rock_ridge_inode_internal(stru
+ struct rock_ridge * rr;
+ int rootflag;
+
+- while (len > 1){ /* There may be one byte for padding somewhere */
++ while (len > 2){ /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0) goto out; /* Something got screwed up here */
++ if (rr->len < 3) goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0) goto out; /* corrupted isofs */
+
+ switch(sig){
+ #ifndef CONFIG_ZISOFS /* No flag for SF or ZF */
+@@ -523,7 +527,7 @@ static int rock_ridge_symlink_readpage(s
+ struct rock_ridge *rr;
+
+ if (!inode->i_sb->u.isofs_sb.s_rock)
+- panic ("Cannot have symlink with high sierra variant of iso filesystem\n");
++ goto error;
+
+ block = inode->i_ino >> bufbits;
+ lock_kernel();
+@@ -547,13 +551,15 @@ static int rock_ridge_symlink_readpage(s
+ SETUP_ROCK_RIDGE(raw_inode, chr, len);
+
+ repeat:
+- while (len > 1) { /* There may be one byte for padding somewhere */
++ while (len > 2) { /* There may be one byte for padding somewhere */
+ rr = (struct rock_ridge *) chr;
+- if (rr->len == 0)
++ if (rr->len < 3)
+ goto out; /* Something got screwed up here */
+ sig = isonum_721(chr);
+ chr += rr->len;
+ len -= rr->len;
++ if (len < 0)
++ goto out; /* corrupted isofs */
+
+ switch (sig) {
+ case SIG('R', 'R'):
+@@ -601,6 +607,7 @@ static int rock_ridge_symlink_readpage(s
+ fail:
+ brelse(bh);
+ unlock_kernel();
++ error:
+ SetPageError(page);
+ kunmap(page);
+ UnlockPage(page);
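Review bot: Only the NM arm gains a per-signature minimum length (`if (rr->len < 5) break;` in get_rock_ridge_filename); the new `len -= rr->len; if (len < 0) goto out;` proves the entry lies inside the buffer, but a 3-byte entry carrying a PX, PN, TF, CL or SL signature still reaches that signature's arm, whose `rr->u.*` field reads (outside the hunk) extend well past 3 bytes and, for the last entry of a continuation buffer, past the buffer end. The same shape of guard belongs in each arm of all three loops, e.g. `if (rr->len < offsetof(struct rock_ridge, u) + sizeof(rr->u.PX)) break;` before the PX reads, or a single pre-switch minimum-length lookup keyed on `sig`. get_rock_ridge_filename, parse_rock_ridge_inode_internal and rock_ridge_symlink_readpage each start and end outside the hunk, so the other arms cannot be checked from here.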
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-2.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-2.diff 2005-03-29 08:35:22 UTC (rev 2849)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-2.diff 2005-03-29 08:48:56 UTC (rev 2850)
@@ -0,0 +1,59 @@
+# origin: chrisw (BitKeeper)
+# cset: 1.1485 (2.4) key=4244a417jb-ZTWgax2mcR2so3l3KaQ
+# URL: http://linux.bkbits.net:8080/linux-2.4/cset@4244a417jb-ZTWgax2mcR2so3l3KaQ
+# inclusion: upstream
+# descrition: [PATCH] isofs: Some more defensive checks to keep corrupt isofs images from corrupting memory/oopsing.
+# revision date: Tue, 29 Mar 2005 17:40:41 +0900
+#
+# S rset: ChangeSet|1.1484..1.1485
+# I rset: fs/isofs/rock.c|1.8..1.9
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# fs/isofs/rock.c
+# 2005/03/24 05:41:31-03:00 chrisw@osdl.org +4 -0
+# isofs: Some more defensive checks to keep corrupt isofs images from corrupting memory/oopsing.
+#
+# ChangeSet
+# 2005/03/25 20:51:51-03:00 chrisw@osdl.org
+# [PATCH] isofs: Some more defensive checks to keep corrupt isofs images from corrupting memory/oopsing.
+#
+# Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
+# iso9660 filesystem.
+#
+# http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
+#
+# CAN-2005-0815 is assigned to this issue.
+#
+# Some more defensive checks to keep corrupt isofs images from corrupting
+# memory or causing Oops.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+# ===== fs/isofs/rock.c 1.23 vs edited =====
+#
+#
+===== fs/isofs/rock.c 1.8 vs 1.9 =====
+--- 1.8/fs/isofs/rock.c 2005-03-26 12:38:11 +09:00
++++ 1.9/fs/isofs/rock.c 2005-03-24 17:41:31 +09:00
+@@ -73,6 +73,10 @@
+ offset1 = 0; \
+ pbh = sb_bread(DEV->i_sb, block); \
+ if(pbh){ \
++ if (offset > pbh->b_size || offset + cont_size > pbh->b_size){ \
++ brelse(pbh); \
++ goto out; \
++ } \
+ memcpy(buffer + offset1, pbh->b_data + offset, cont_size - offset1); \
+ brelse(pbh); \
+ chr = (unsigned char *) buffer; \
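Review bot: The new bound is evaluated as signed arithmetic if `offset` and `cont_size` keep the `int` declarations above the hunk (they are taken from the on-disk CE entry), so a negative offset passes both `offset > pbh->b_size` and `offset + cont_size > pbh->b_size` and the memcpy then reads from before `pbh->b_data`; the sum can also overflow. Rejecting the sign first and writing the second test as a subtraction avoids both: `if (offset < 0 || cont_size < 0 || offset > pbh->b_size || cont_size > pbh->b_size - offset)`. The same untrusted `cont_size` presumably also sizes the kmalloc of `buffer` above the hunk, so the sign/size check is better done once where the CE entry is parsed than only here. MAYBE_CONTINUE starts and ends outside the hunk.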
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-3.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-3.diff 2005-03-29 08:35:22 UTC (rev 2849)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/157_fs-isofs-range-check-3.diff 2005-03-29 08:48:56 UTC (rev 2850)
@@ -0,0 +1,58 @@
+# origin: chrisw (BitKeeper)
+# cset: 1.1484 (2.4) key=4244a3d91w2q8hQzZefX9zsDlTlJtA
+# URL: http://linux.bkbits.net:8080/linux-2.4/cset@4244a3d91w2q8hQzZefX9zsDlTlJtA
+# inclusion: upstream
+# descrition: [PATCH] isofs: more "corrupted iso image" error cases
+# revision date: Tue, 29 Mar 2005 17:41:06 +0900
+#
+# S rset: ChangeSet|1.1483..1.1484
+# I rset: fs/isofs/inode.c|1.10..1.11
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# fs/isofs/inode.c
+# 2005/03/26 00:41:03-03:00 chrisw@osdl.org +2 -0
+# isofs: more "corrupted iso image" error cases
+#
+# ChangeSet
+# 2005/03/25 20:50:49-03:00 chrisw@osdl.org
+# [PATCH] isofs: more "corrupted iso image" error cases
+#
+# Michal Zalewski <lcamtuf@dione.ids.pl> discovers range checking flaws in
+# iso9660 filesystem.
+#
+# http://marc.theaimsgroup.com/?l=bugtraq&m=111110067304783&w=2
+#
+# CAN-2005-0815 is assigned to this issue.
+#
+# From: Linus Torvalds <torvalds@osdl.org>
+#
+# isofs: more "corrupted iso image" error cases
+#
+# Thanks to Michal Zalewski for testing.
+#
+# Signed-off-by: Chris Wright <chrisw@osdl.org>
+#
+#
+===== fs/isofs/inode.c 1.10 vs 1.11 =====
+--- 1.10/fs/isofs/inode.c 2004-11-19 03:11:56 +09:00
++++ 1.11/fs/isofs/inode.c 2005-03-26 12:41:03 +09:00
+@@ -609,6 +609,8 @@ root_found:
+ s->u.isofs_sb.s_log_zone_size = isonum_723 (h_pri->logical_block_size);
+ s->u.isofs_sb.s_max_size = isonum_733(h_pri->volume_space_size);
+ } else {
++ if (!pri)
++ goto out_freebh;
+ rootp = (struct iso_directory_record *) pri->root_directory_record;
+ s->u.isofs_sb.s_nzones = isonum_733 (pri->volume_space_size);
+ s->u.isofs_sb.s_log_zone_size = isonum_723 (pri->logical_block_size);
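Review bot: The rejection of an image with no primary volume descriptor is silent: `if (!pri) goto out_freebh;` fails the mount with no kernel log line, so an operator investigating a failed mount of a crafted or corrupt image has nothing to correlate it with. A one-line diagnostic before the jump keeps the new check and leaves a trace, e.g. `printk(KERN_WARNING "isofs: no primary volume descriptor found\n");`. Whether `out_freebh` itself logs cannot be seen from the hunk, and the enclosing function (only its `root_found:` section is shown) starts and ends outside it.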
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10 2005-03-29 08:35:22 UTC (rev 2849)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10 2005-03-29 08:48:56 UTC (rev 2850)
@@ -1,2 +1,5 @@
+ 155_bluetooth_signdness-fix.diff
+ 156_fs-ext2-info-leak.diff
++ 157_fs-isofs-range-check-1.diff
++ 157_fs-isofs-range-check-2.diff
++ 157_fs-isofs-range-check-3.diff