r2852 - in trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series
Simon Horman
horms@costa.debian.org
Tue, 29 Mar 2005 09:04:17 +0000
Author: horms
Date: 2005-03-29 09:04:16 +0000 (Tue, 29 Mar 2005)
New Revision: 2852
Added:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/158_mm-shmem-truncate.diff
Modified:
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10
Log:
[Security] tmpfs caused truncate bug which leads to a local dos. CVE yet to be assigned.
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-03-29 08:49:11 UTC (rev 2851)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog 2005-03-29 09:04:16 UTC (rev 2852)
@@ -16,8 +16,13 @@
and arbitary code execution. See CAN-2005-0815
(Simon Horman)
- -- Simon Horman <horms@debian.org> Tue, 29 Mar 2005 17:47:24 +0900
+ * 158_mm-shmem-truncate.diff
+ [Security] tmpfs caused truncate bug which leads to a local dos.
+ CVE yet to be assigned.
+ (Simon Horman)
+ -- Simon Horman <horms@debian.org> Tue, 29 Mar 2005 17:58:41 +0900
+
kernel-source-2.4.27 (2.4.27-9) unstable; urgency=low
* There was a stray file in 2.4.27-8. Don't include it this time.
Added: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/158_mm-shmem-truncate.diff
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/158_mm-shmem-truncate.diff 2005-03-29 08:49:11 UTC (rev 2851)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/158_mm-shmem-truncate.diff 2005-03-29 09:04:16 UTC (rev 2852)
@@ -0,0 +1,54 @@
+# origin: hugh (BitKeeper)
+# cset: 1.1982.40.34 (2.6) key=420551fbRlv9-QG6Gw9Lw_bKVfPSsg
+# URL: http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg
+# inclusion: backport from 2.6, submitted upstream
+# descrition: [PATCH] tmpfs caused truncate BUG
+# revision date: Mon, 28 Mar 2005 19:00:51 +0900
+#
+# S rset: ChangeSet|1.1982.40.33..1.1982.40.34
+# I rset: mm/shmem.c|1.177..1.178
+#
+# Key:
+# S: Skipped ChangeSet file only
+# O: Original Followed by Updated
+# U: Updated Included with updated range of versions
+# I: Included Included verbatim
+# E: Excluded Excluded on request from user
+# D: Deleted Manually deleted by subsequent user edit
+# R: Revised Manually revised by subsequent user edit
+#
+#
+# This is a BitKeeper generated diff -Nru style patch.
+#
+# ChangeSet
+# 2005/02/05 15:08:43-08:00 hugh@veritas.com
+# [PATCH] tmpfs caused truncate BUG
+#
+# Just before removing truncate_complete_page's BUG_ON(page_mapped(page)),
+# thought I'd recheck on a few filesystems. The shame! Easily triggered
+# with tmpfs: not because of recent changes, but because shmem_nopage omitted
+# the i_size_read from Andrea's careful truncate_count/i_size_read
+# /cachelookup/truncate_count sequence. For varying reasons, other users of
+# shmem_getpage can't go beyond i_size, so just add it to shmem_nopage.
+#
+# Signed-off-by: Hugh Dickins <hugh@veritas.com>
+# Signed-off-by: Andrew Morton <akpm@osdl.org>
+# Signed-off-by: Linus Torvalds <torvalds@osdl.org>
+#
+# mm/shmem.c
+# 2005/02/05 12:51:43-08:00 hugh@veritas.com +2 -0
+# tmpfs caused truncate BUG
+#
+#
+===== mm/shmem.c 1.177 vs 1.178 =====
+--- 1.177/mm/shmem.c 2005-01-08 14:44:13 +09:00
++++ 1.178/mm/shmem.c 2005-02-06 05:51:43 +09:00
+@@ -1162,6 +1162,8 @@ struct page *shmem_nopage(struct vm_area
+ idx = (address - vma->vm_start) >> PAGE_SHIFT;
+ idx += vma->vm_pgoff;
+ idx >>= PAGE_CACHE_SHIFT - PAGE_SHIFT;
++ if (((loff_t) idx << PAGE_CACHE_SHIFT) >= i_size_read(inode))
++ return NOPAGE_SIGBUS;
+
+ error = shmem_getpage(inode, idx, &page, SGP_CACHE, type);
+ if (error)
Modified: trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10
===================================================================
--- trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10 2005-03-29 08:49:11 UTC (rev 2851)
+++ trunk/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10 2005-03-29 09:04:16 UTC (rev 2852)
@@ -3,3 +3,4 @@
+ 157_fs-isofs-range-check-1.diff
+ 157_fs-isofs-range-check-2.diff
+ 157_fs-isofs-range-check-3.diff
++ 158_mm-shmem-truncate.diff