[kernel] r7251 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: patches patches/series

Dann Frazier dannf at costa.debian.org
Sun Aug 27 19:26:47 UTC 2006


Author: dannf
Date: Sun Aug 27 19:26:45 2006
New Revision: 7251

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/udf-deadlock.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5

Log:
* udf-deadlock.dpatch
  [SECURITY] Fix possible UDF deadlock and memory corruption
  See CVE-2006-4145

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sun Aug 27 19:26:45 2006
@@ -58,8 +58,11 @@
   * ppc-hid0-dos.dpatch
     [SECURITY][ppc[ Fix local DoS by clearing HID0 attention enable on
     PPC970 at boot time
+  * udf-deadlock.dpatch
+    [SECURITY] Fix possible UDF deadlock and memory corruption
+    See CVE-2006-4145
 
- -- dann frazier <dannf at debian.org>  Sat, 26 Aug 2006 23:49:27 -0600
+ -- dann frazier <dannf at debian.org>  Sun, 27 Aug 2006 13:24:40 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5	Sun Aug 27 19:26:45 2006
@@ -13,3 +13,4 @@
 + kfree_skb-race.dpatch
 + sctp-priv-elevation.dpatch
 + ppc-hid0-dos.dpatch
++ udf-deadlock.dpatch

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/udf-deadlock.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/udf-deadlock.dpatch	Sun Aug 27 19:26:45 2006
@@ -0,0 +1,111 @@
+From: Jan Kara <jack at suse.cz>
+Date: Tue, 15 Aug 2006 11:56:26 +0000 (+0200)
+Subject: Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commitdiff;h=7127be29378b1230eb8dd8b84f18d6b69c56e959
+
+Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
+
+UDF code is not really ready to handle extents larger that 1GB. This is
+the easy way to forbid creating those.
+
+Also truncation code did not count with the case when there are no
+extents in the file and we are extending the file.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urpN kernel-source-2.6.8.orig/fs/udf/super.c kernel-source-2.6.8/fs/udf/super.c
+--- kernel-source-2.6.8.orig/fs/udf/super.c	2004-08-13 23:37:25.000000000 -0600
++++ kernel-source-2.6.8/fs/udf/super.c	2006-08-27 12:52:26.058059500 -0600
+@@ -1646,7 +1646,7 @@ static int udf_fill_super(struct super_b
+ 		iput(inode);
+ 		goto error_out;
+ 	}
+-	sb->s_maxbytes = MAX_LFS_FILESIZE;
++	sb->s_maxbytes = 1<<30;
+ 	return 0;
+ 
+ error_out:
+diff -urpN kernel-source-2.6.8.orig/fs/udf/truncate.c kernel-source-2.6.8/fs/udf/truncate.c
+--- kernel-source-2.6.8.orig/fs/udf/truncate.c	2004-08-13 23:36:56.000000000 -0600
++++ kernel-source-2.6.8/fs/udf/truncate.c	2006-08-27 13:05:54.872607250 -0600
+@@ -244,37 +244,51 @@ void udf_truncate_extents(struct inode *
+ 	{
+ 		if (offset)
+ 		{
+-			extoffset -= adsize;
+-			etype = udf_next_aext(inode, &bloc, &extoffset, &eloc, &elen, &bh, 1);
+-			if (etype == (EXT_NOT_RECORDED_NOT_ALLOCATED >> 30))
+-			{
+-				extoffset -= adsize;
+-				elen = EXT_NOT_RECORDED_NOT_ALLOCATED | (elen + offset);
+-				udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 0);
++			/*
++			 *  OK, there is not extent covering inode->i_size and
++			 *  no extent above inode->i_size => truncate is
++			 *  extending the file by 'offset'.
++			 */
++			if ((!bh && extoffset == udf_file_entry_alloc_offset(inode)) ||
++			    (bh && extoffset == sizeof(struct allocExtDesc))) {
++				/* File has no extents at all! */
++				memset(&eloc, 0x00, sizeof(lb_addr));
++				elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
++				udf_add_aext(inode, &bloc, &extoffset, eloc, elen, &bh, 1);
+ 			}
+-			else if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30))
+-			{
+-				lb_addr neloc = { 0, 0 };
++			else {
+ 				extoffset -= adsize;
+-				nelen = EXT_NOT_RECORDED_NOT_ALLOCATED |
+-					((elen + offset + inode->i_sb->s_blocksize - 1) &
+-					~(inode->i_sb->s_blocksize - 1));
+-				udf_write_aext(inode, bloc, &extoffset, neloc, nelen, bh, 1);
+-				udf_add_aext(inode, &bloc, &extoffset, eloc, (etype << 30) | elen, &bh, 1);
+-			}
+-			else
+-			{
+-				if (elen & (inode->i_sb->s_blocksize - 1))
++				etype = udf_next_aext(inode, &bloc, &extoffset, &eloc, &elen, &bh, 1);
++				if (etype == (EXT_NOT_RECORDED_NOT_ALLOCATED >> 30))
+ 				{
+ 					extoffset -= adsize;
+-					elen = EXT_RECORDED_ALLOCATED |
+-						((elen + inode->i_sb->s_blocksize - 1) &
++					elen = EXT_NOT_RECORDED_NOT_ALLOCATED | (elen + offset);
++					udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 0);
++				}
++				else if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30))
++				{
++					lb_addr neloc = { 0, 0 };
++					extoffset -= adsize;
++					nelen = EXT_NOT_RECORDED_NOT_ALLOCATED |
++						((elen + offset + inode->i_sb->s_blocksize - 1) &
+ 						~(inode->i_sb->s_blocksize - 1));
+-					udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 1);
++					udf_write_aext(inode, bloc, &extoffset, neloc, nelen, bh, 1);
++					udf_add_aext(inode, &bloc, &extoffset, eloc, (etype << 30) | elen, &bh, 1);
++				}
++				else
++				{
++					if (elen & (inode->i_sb->s_blocksize - 1))
++					{
++						extoffset -= adsize;
++						elen = EXT_RECORDED_ALLOCATED |
++							((elen + inode->i_sb->s_blocksize - 1) &
++							~(inode->i_sb->s_blocksize - 1));
++						udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 1);
++					}
++					memset(&eloc, 0x00, sizeof(lb_addr));
++					elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
++					udf_add_aext(inode, &bloc, &extoffset, eloc, elen, &bh, 1);
+ 				}
+-				memset(&eloc, 0x00, sizeof(lb_addr));
+-				elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
+-				udf_add_aext(inode, &bloc, &extoffset, eloc, elen, &bh, 1);
+ 			}
+ 		}
+ 	}
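Review bot: In the fs/udf/truncate.c part, `elen + offset` (and the bare `offset` in the new "File has no extents at all!" branch) is ORed directly with the extent-type bits, which the same code places at `<< 30`, with no check that the length still fits in the low 30 bits; the only thing keeping it in range is the `sb->s_maxbytes = 1<<30;` cap set in fs/udf/super.c. That coupling should be documented at the cap, for example `/* extent length field is 30 bits; udf_truncate_extents() depends on this limit */`, so that a later return to MAX_LFS_FILESIZE does not quietly reintroduce CVE-2006-4145. A length of exactly 1<<30 would already carry into the type bits, so if a file size equal to s_maxbytes can reach these lines (not visible here, because `offset` is computed outside the hunk), `(1<<30) - 1` or an explicit range check before the OR would be the safer bound. Both udf_fill_super and udf_truncate_extents begin and end outside the lines shown.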


