[kernel] r7776 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Nov 13 00:51:30 UTC 2006
Author: dannf
Date: Mon Nov 13 01:51:29 2006
New Revision: 7776
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__block_prepare_write-recovery.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* __block_prepare_write-recovery.dpatch
[SECURITY] Fix an information leak in __block_prepare_write()
See CVE-2006-4813
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Mon Nov 13 01:51:29 2006
@@ -9,8 +9,11 @@
[SECURITY] Prevent cross-region mappings on ia64 and sparc which
could be used in a local DoS attack (system crash)
See CVE-2006-4538
+ * __block_prepare_write-recovery.dpatch
+ [SECURITY] Fix an information leak in __block_prepare_write()
+ See CVE-2006-4813
- -- dann frazier <dannf at debian.org> Wed, 8 Nov 2006 00:05:49 -0700
+ -- dann frazier <dannf at debian.org> Sun, 12 Nov 2006 17:50:06 -0700
kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
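Review bot: The new 2.6.8-16sarge6 entry describes the fix only as "an information leak in __block_prepare_write()"; it would help users of the changelog to say what leaks and when, which the dpatch description below spells out: when get_block() fails, newly allocated blocks are not zeroed on the error path, so stale on-disk data can be exposed. Consider wording it as "Fix exposure of stale disk data when get_block() fails in __block_prepare_write()" and naming the upstream commit being backported (152becd26e0563aefdbc4fd1fe491928efe92d1f, v2.6.13-rc1, from the dpatch header) next to "See CVE-2006-4813". The maintainer trailer date is correctly bumped with the new entry.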
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__block_prepare_write-recovery.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__block_prepare_write-recovery.dpatch Mon Nov 13 01:51:29 2006
@@ -0,0 +1,69 @@
+From: Anton Altaparmakov <aia21 at cam.ac.uk>
+Date: Thu, 23 Jun 2005 07:10:21 +0000 (-0700)
+Subject: [PATCH] Bug in error recovery in fs/buffer.c::__block_prepare_write()
+X-Git-Tag: v2.6.13-rc1
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=152becd26e0563aefdbc4fd1fe491928efe92d1f
+
+[PATCH] Bug in error recovery in fs/buffer.c::__block_prepare_write()
+
+fs/buffer.c::__block_prepare_write() has broken error recovery. It calls
+the get_block() callback with "create = 1" and if that succeeds it
+immediately clears buffer_new on the just allocated buffer (which has
+buffer_new set).
+
+The bug is that if an error occurs and get_block() returns != 0, we break
+from this loop and go into recovery code. This code has this comment:
+
+/* Error case: */
+/*
+ * Zero out any newly allocated blocks to avoid exposing stale
+ * data. If BH_New is set, we know that the block was newly
+ * allocated in the above loop.
+ */
+
+So the intent is obviously good in that it wants to clear just allocated
+and hence not zeroed buffers. However the code recognises allocated
+buffers by checking for buffer_new being set.
+
+Unfortunately __block_prepare_write() as discussed above already cleared
+buffer_new on all allocated buffers thus no buffers will be cleared during
+error recovery and old data will be leaked.
+
+The simplest way I can see to fix this is to make the current recovery code
+work by _not_ clearing buffer_new after calling get_block() in
+__block_prepare_write().
+
+We cannot safely allow buffer_new buffers to "leak out" of
+__block_prepare_write(), thus we simply do a quick loop over the buffers
+clearing buffer_new on each of them if it is set just before returning
+"success" from __block_prepare_write().
+
+Signed-off-by: Anton Altaparmakov <aia21 at cantab.net>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at hp.com>
+
+--- kernel-source-2.6.8.orig/fs/buffer.c 2004-08-13 23:37:14.000000000 -0600
++++ kernel-source-2.6.8/fs/buffer.c 2006-11-12 17:32:44.704241381 -0700
+@@ -2021,7 +2021,6 @@ static int __block_prepare_write(struct
+ if (err)
+ goto out;
+ if (buffer_new(bh)) {
+- clear_buffer_new(bh);
+ unmap_underlying_metadata(bh->b_bdev,
+ bh->b_blocknr);
+ if (PageUptodate(page)) {
+@@ -2063,6 +2062,11 @@ static int __block_prepare_write(struct
+ if (!buffer_uptodate(*wait_bh))
+ return -EIO;
+ }
++ bh = head;
++ do {
++ if (buffer_new(bh))
++ clear_buffer_new(bh);
++ } while ((bh = bh->b_this_page) != head);
+ return 0;
+ out:
+ /*
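Review bot: The -EIO return inside the wait loop (`if (!buffer_uptodate(*wait_bh)) return -EIO;`) sits before the new clearing loop, so on that path the function now returns with buffer_new still set on any block allocated earlier in the call, without going through the `out:` recovery either. Before this change the first loop cleared buffer_new immediately after allocation, so that path never let buffer_new buffers escape; after it, the description's own requirement that buffer_new buffers must not "leak out" of __block_prepare_write() is met only on the success return and the `goto out` error path. Consider routing the -EIO case through the same recovery (`err = -EIO; goto out;`) so newly allocated blocks are zeroed and buffer_new is handled consistently, or document why that path is acceptable. The two inner hunks are otherwise consistent: removing `clear_buffer_new(bh)` from the allocation branch lets the error-case zeroing (which keys off BH_New) actually find the freshly allocated buffers, and the `bh = head; do { ... } while ((bh = bh->b_this_page) != head);` loop restores the old invariant for callers on success. Hunk headers match the line counts (7/6 and 6/11) and the second hunk's -1 offset follows from the single removed line.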
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6 Mon Nov 13 01:51:29 2006
@@ -1,2 +1,3 @@
+ perfmon-fd-refcnt.dpatch
+ ia64-sparc-cross-region-mappings.dpatch
++ __block_prepare_write-recovery.dpatch
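Review bot: The series entry `+ __block_prepare_write-recovery.dpatch` matches the filename added under debian/patches and the changelog entry exactly, and appending it after the two existing 2.6.8-16sarge6 patches is consistent with the other entries in this file; nothing further needed on this hunk.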