[kernel] r9967 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Mon Dec 17 03:33:34 UTC 2007 

Author: dannf
Date: Mon Dec 17 03:33:33 2007
New Revision: 9967

Log:
* bugfix/minixfs-printk-hang.patch
  [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
  filesystem that would otherwise cause a system to hang (printk storm)
  See CVE-2006-6058

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/minixfs-printk-hang.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch6

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Mon Dec 17 03:33:33 2007
@@ -10,8 +10,12 @@
   * bugfix/hrtimer-large-relative-timeouts-overflow.patch
     [SECURITY] Avoid overflow in hrtimers due to large relative timeouts
     See CVE-2007-5966
+  * bugfix/minixfs-printk-hang.patch
+    [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
+    filesystem that would otherwise cause a system to hang (printk storm)
+    See CVE-2006-6058
 
- -- dann frazier <dannf at debian.org>  Sun, 16 Dec 2007 18:46:17 -0700
+ -- dann frazier <dannf at debian.org>  Sun, 16 Dec 2007 19:46:30 -0700
 
 linux-2.6 (2.6.18.dfsg.1-13etch5) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/minixfs-printk-hang.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/minixfs-printk-hang.patch	Mon Dec 17 03:33:33 2007
@@ -0,0 +1,76 @@
+From: Eric Sandeen <sandeen at redhat.com>
+Date: Wed, 17 Oct 2007 06:27:15 +0000 (-0700)
+Subject: minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
+X-Git-Tag: v2.6.23.7~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.23.y.git;a=commitdiff_plain;h=f0ae3188daf70ed07a4dfbeb133bef3a92838a15
+
+minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)
+
+patch f44ec6f3f89889a469773b1fd894f8fcc07c29cf upstream.
+
+This attempts to address CVE-2006-6058
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+
+first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+
+Essentially a corrupted minix dir inode reporting a very large
+i_size will loop for a very long time in minix_readdir, minix_find_entry,
+etc, because on EIO they just move on to try the next page.  This is
+under the BKL, printk-storming as well.  This can lock up the machine
+for a very long time.  Simply ratelimiting the printks gets things back
+under control.  Make the message a bit more informative while we're here.
+
+Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+Cc: Bodo Eggert <7eggert at gmx.de>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/minix/itree_v1.c linux-source-2.6.18/fs/minix/itree_v1.c
+--- linux-source-2.6.18.orig/fs/minix/itree_v1.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/minix/itree_v1.c	2007-12-16 19:13:41.000000000 -0700
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ 	int n = 0;
++	char b[BDEVNAME_SIZE];
+ 
+ 	if (block < 0) {
+-		printk("minix_bmap: block<0\n");
++		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++			block, bdevname(inode->i_sb->s_bdev, b));
+ 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+-		printk("minix_bmap: block>big\n");
++		if (printk_ratelimit())
++			printk("MINIX-fs: block_to_path: "
++			       "block %ld too big on dev %s\n",
++				block, bdevname(inode->i_sb->s_bdev, b));
+ 	} else if (block < 7) {
+ 		offsets[n++] = block;
+ 	} else if ((block -= 7) < 512) {
+diff -urpN linux-source-2.6.18.orig/fs/minix/itree_v2.c linux-source-2.6.18/fs/minix/itree_v2.c
+--- linux-source-2.6.18.orig/fs/minix/itree_v2.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/minix/itree_v2.c	2007-12-16 19:40:06.000000000 -0700
+@@ -23,11 +23,17 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ 	int n = 0;
++	char b[BDEVNAME_SIZE];
++	struct super_block *sb = inode->i_sb;
+ 
+ 	if (block < 0) {
+-		printk("minix_bmap: block<0\n");
++		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++			block, bdevname(sb->s_bdev, b));
+ 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+-		printk("minix_bmap: block>big\n");
++		if (printk_ratelimit())
++			printk("MINIX-fs: block_to_path: "
++			       "block %ld too big on dev %s\n",
++				block, bdevname(sb->s_bdev, b));
+ 	} else if (block < 7) {
+ 		offsets[n++] = block;
+ 	} else if ((block -= 7) < 256) {

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch6
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch6	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch6	Mon Dec 17 03:33:33 2007
@@ -1,3 +1,4 @@
 + bugfix/isdn-net-overflow.patch
 + bugfix/coredump-only-to-same-uid.patch
 + bugfix/hrtimer-large-relative-timeouts-overflow.patch
++ bugfix/minixfs-printk-hang.patch

More information about the Kernel-svn-changes mailing list