[kernel] r9976 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Dec 19 05:35:56 UTC 2007
Author: dannf
Date: Wed Dec 19 05:35:55 2007
New Revision: 9976
Log:
* bugfix/tmpfs-restore-clear_highpage.patch
[SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
See CVE-2007-6417
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/tmpfs-restore-clear_highpage.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/13etch6
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Wed Dec 19 05:35:55 2007
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.18.dfsg.1-13etch6) UNRELEASED; urgency=low
+linux-2.6 (2.6.18.dfsg.1-13etch6) stable-security; urgency=high
* bugfix/isdn-net-overflow.patch
[SECURITY] Fix potential overflows in the ISDN subsystem
@@ -14,8 +14,11 @@
[SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
filesystem that would otherwise cause a system to hang (printk storm)
See CVE-2006-6058
+ * bugfix/tmpfs-restore-clear_highpage.patch
+ [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
+ See CVE-2007-6417
- -- dann frazier <dannf at debian.org> Sun, 16 Dec 2007 19:46:30 -0700
+ -- dann frazier <dannf at debian.org> Tue, 18 Dec 2007 08:01:00 -0700
linux-2.6 (2.6.18.dfsg.1-13etch5) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/tmpfs-restore-clear_highpage.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/tmpfs-restore-clear_highpage.patch Wed Dec 19 05:35:55 2007
@@ -0,0 +1,44 @@
+commit e84e2e132c9c66d8498e7710d4ea532d1feaaac5
+Author: Hugh Dickins <hugh at veritas.com>
+Date: Wed Nov 28 18:55:10 2007 +0000
+
+ tmpfs: restore missing clear_highpage
+
+ tmpfs was misconverted to __GFP_ZERO in 2.6.11. There's an unusual case in
+ which shmem_getpage receives the page from its caller instead of allocating.
+ We must cover this case by clear_highpage before SetPageUptodate, as before.
+
+ Signed-off-by: Hugh Dickins <hugh at veritas.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/mm/shmem.c linux-source-2.6.18/mm/shmem.c
+--- linux-source-2.6.18.orig/mm/shmem.c 2007-12-01 15:24:42.000000000 -0700
++++ linux-source-2.6.18/mm/shmem.c 2007-12-17 18:24:57.000000000 -0700
+@@ -972,7 +972,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem
+ pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx);
+ pvma.vm_pgoff = idx;
+ pvma.vm_end = PAGE_SIZE;
+- page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0);
++ page = alloc_page_vma(gfp, &pvma, 0);
+ mpol_free(pvma.vm_policy);
+ return page;
+ }
+@@ -992,7 +992,7 @@ shmem_swapin(struct shmem_inode_info *in
+ static inline struct page *
+ shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx)
+ {
+- return alloc_page(gfp | __GFP_ZERO);
++ return alloc_page(gfp);
+ }
+ #endif
+
+@@ -1201,6 +1201,7 @@ repeat:
+
+ info->alloced++;
+ spin_unlock(&info->lock);
++ clear_highpage(filepage);
+ flush_dcache_page(filepage);
+ SetPageUptodate(filepage);
+ }
Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch6
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch6 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch6 Wed Dec 19 05:35:55 2007
@@ -2,3 +2,4 @@
+ bugfix/coredump-only-to-same-uid.patch
+ bugfix/hrtimer-large-relative-timeouts-overflow.patch
+ bugfix/minixfs-printk-hang.patch
++ bugfix/tmpfs-restore-clear_highpage.patch
More information about the Kernel-svn-changes
mailing list