[kernel] r7253 - in
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian:
patches patches/series
Dann Frazier
dannf at costa.debian.org
Mon Aug 28 00:07:53 UTC 2006
Author: dannf
Date: Mon Aug 28 00:07:46 2006
New Revision: 7253
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/229_udf-deadlock.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
Log:
* 229_udf-deadlock.diff
[SECURITY] Fix possible UDF deadlock and memory corruption
See CVE-2006-4145
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog Mon Aug 28 00:07:46 2006
@@ -28,8 +28,11 @@
* 228_sctp-priv-elevation.diff
[SECURITY] Fix SCTP privelege escalation
See CVE-2006-3745
+ * 229_udf-deadlock.diff
+ [SECURITY] Fix possible UDF deadlock and memory corruption
+ See CVE-2006-4145
- -- dann frazier <dannf at debian.org> Sat, 26 Aug 2006 23:43:16 -0600
+ -- dann frazier <dannf at debian.org> Sun, 27 Aug 2006 18:05:54 -0600
kernel-source-2.4.27 (2.4.27-10sarge3) stable-security; urgency=high
Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/229_udf-deadlock.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/229_udf-deadlock.diff Mon Aug 28 00:07:46 2006
@@ -0,0 +1,113 @@
+From: Jan Kara <jack at suse.cz>
+Date: Tue, 15 Aug 2006 11:56:26 +0000 (+0200)
+Subject: Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.17.y.git;a=commitdiff;h=7127be29378b1230eb8dd8b84f18d6b69c56e959
+
+Fix possible UDF deadlock and memory corruption (CVE-2006-4145)
+
+UDF code is not really ready to handle extents larger that 1GB. This is
+the easy way to forbid creating those.
+
+Also truncation code did not count with the case when there are no
+extents in the file and we are extending the file.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.4.27 by dann frazier <dannf at debian.org>
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 9df2fa2..0c5b54e 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1515,7 +1515,7 @@ #endif
+ iput(inode);
+ goto error_out;
+ }
+- sb->s_maxbytes = MAX_LFS_FILESIZE;
++ sb->s_maxbytes = 1<<30;
+ return sb;
+
+ error_out:
+diff --git a/fs/udf/truncate.c b/fs/udf/truncate.c
+index 0ae7e96..0567211 100644
+--- a/fs/udf/truncate.c
++++ b/fs/udf/truncate.c
+@@ -182,37 +182,51 @@ void udf_truncate_extents(struct inode *
+ {
+ if (offset)
+ {
+- extoffset -= adsize;
+- etype = udf_next_aext(inode, &bloc, &extoffset, &eloc, &elen, &bh, 1);
+- if (etype == (EXT_NOT_RECORDED_NOT_ALLOCATED >> 30))
+- {
+- extoffset -= adsize;
+- elen = EXT_NOT_RECORDED_NOT_ALLOCATED | (elen + offset);
+- udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 0);
++ /*
++ * OK, there is not extent covering inode->i_size and
++ * no extent above inode->i_size => truncate is
++ * extending the file by 'offset'.
++ */
++ if ((!bh && extoffset == udf_file_entry_alloc_offset(inode)) ||
++ (bh && extoffset == sizeof(struct allocExtDesc))) {
++ /* File has no extents at all! */
++ memset(&eloc, 0x00, sizeof(lb_addr));
++ elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
++ udf_add_aext(inode, &bloc, &extoffset, eloc, elen, &bh, 1);
+ }
+- else if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30))
+- {
+- lb_addr neloc = { 0, 0 };
++ else {
+ extoffset -= adsize;
+- nelen = EXT_NOT_RECORDED_NOT_ALLOCATED |
+- ((elen + offset + inode->i_sb->s_blocksize - 1) &
+- ~(inode->i_sb->s_blocksize - 1));
+- udf_write_aext(inode, bloc, &extoffset, neloc, nelen, bh, 1);
+- udf_add_aext(inode, &bloc, &extoffset, eloc, (etype << 30) | elen, &bh, 1);
+- }
+- else
+- {
+- if (elen & (inode->i_sb->s_blocksize - 1))
++ etype = udf_next_aext(inode, &bloc, &extoffset, &eloc, &elen, &bh, 1);
++ if (etype == (EXT_NOT_RECORDED_NOT_ALLOCATED >> 30))
++ {
++ extoffset -= adsize;
++ elen = EXT_NOT_RECORDED_NOT_ALLOCATED | (elen + offset);
++ udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 0);
++ }
++ else if (etype == (EXT_NOT_RECORDED_ALLOCATED >> 30))
+ {
++ lb_addr neloc = { 0, 0 };
+ extoffset -= adsize;
+- elen = EXT_RECORDED_ALLOCATED |
+- ((elen + inode->i_sb->s_blocksize - 1) &
++ nelen = EXT_NOT_RECORDED_NOT_ALLOCATED |
++ ((elen + offset + inode->i_sb->s_blocksize - 1) &
+ ~(inode->i_sb->s_blocksize - 1));
+- udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 1);
++ udf_write_aext(inode, bloc, &extoffset, neloc, nelen, bh, 1);
++ udf_add_aext(inode, &bloc, &extoffset, eloc, (etype << 30) | elen, &bh, 1);
++ }
++ else
++ {
++ if (elen & (inode->i_sb->s_blocksize - 1))
++ {
++ extoffset -= adsize;
++ elen = EXT_RECORDED_ALLOCATED |
++ ((elen + inode->i_sb->s_blocksize - 1) &
++ ~(inode->i_sb->s_blocksize - 1));
++ udf_write_aext(inode, bloc, &extoffset, eloc, elen, bh, 1);
++ }
++ memset(&eloc, 0x00, sizeof(lb_addr));
++ elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
++ udf_add_aext(inode, &bloc, &extoffset, eloc, elen, &bh, 1);
+ }
+- memset(&eloc, 0x00, sizeof(lb_addr));
+- elen = EXT_NOT_RECORDED_NOT_ALLOCATED | offset;
+- udf_add_aext(inode, &bloc, &extoffset, eloc, elen, &bh, 1);
+ }
+ }
+ }
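Review bot: The new cap in fs/udf/super.c, `sb->s_maxbytes = 1<<30;`, still admits a file size of exactly 2^30, while the truncate.c part of the same patch keeps the extent type in bits 30-31 of the length word (`(etype << 30) | elen`, `EXT_NOT_RECORDED_NOT_ALLOCATED | offset`). If `offset` or `elen + offset` can reach the full file size, a length of 2^30 would spill into the type bits; the computation of `offset` is outside the hunk, so this needs confirming against the full function. A limit strictly below 2^30, e.g. `sb->s_maxbytes = (1 << 30) - 1;`, would rule that out, and it may need rounding down to a block boundary because the `EXT_NOT_RECORDED_ALLOCATED` branch rounds the length up to `s_blocksize`. A comment at the assignment such as `/* extent length field is 30 bits, see CVE-2006-4145 */` would also keep a later cleanup from restoring `MAX_LFS_FILESIZE`. Both patched functions begin and end outside the quoted hunks.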
Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4 (original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge4 Mon Aug 28 00:07:46 2006
@@ -4,3 +4,4 @@
+ 226_snmp-nat-mem-corruption-fix.diff
+ 227_kfree_skb.diff
+ 228_sctp-priv-elevation.diff
++ 229_udf-deadlock.diff