[kernel] r9976 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Wed Dec 19 05:35:56 UTC 2007

Author: dannf
Date: Wed Dec 19 05:35:55 2007
New Revision: 9976

Log:
* bugfix/tmpfs-restore-clear_highpage.patch
  [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
  See CVE-2007-6417

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/tmpfs-restore-clear_highpage.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/13etch6

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================

--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Dec 19 05:35:55 2007
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.18.dfsg.1-13etch6) UNRELEASED; urgency=low
+linux-2.6 (2.6.18.dfsg.1-13etch6) stable-security; urgency=high
 
   * bugfix/isdn-net-overflow.patch
     [SECURITY] Fix potential overflows in the ISDN subsystem
@@ -14,8 +14,11 @@
     [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
     filesystem that would otherwise cause a system to hang (printk storm)
     See CVE-2006-6058
+  * bugfix/tmpfs-restore-clear_highpage.patch
+    [SECURITY] Fix a theoretical kernel memory leak in the tmpfs filesystem
+    See CVE-2007-6417
 
- -- dann frazier <dannf at debian.org>  Sun, 16 Dec 2007 19:46:30 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 18 Dec 2007 08:01:00 -0700
 
 linux-2.6 (2.6.18.dfsg.1-13etch5) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/tmpfs-restore-clear_highpage.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/tmpfs-restore-clear_highpage.patch	Wed Dec 19 05:35:55 2007
@@ -0,0 +1,44 @@
+commit e84e2e132c9c66d8498e7710d4ea532d1feaaac5
+Author: Hugh Dickins <hugh at veritas.com>
+Date:   Wed Nov 28 18:55:10 2007 +0000
+
+    tmpfs: restore missing clear_highpage
+    
+    tmpfs was misconverted to __GFP_ZERO in 2.6.11.  There's an unusual case in
+    which shmem_getpage receives the page from its caller instead of allocating.
+    We must cover this case by clear_highpage before SetPageUptodate, as before.
+    
+    Signed-off-by: Hugh Dickins <hugh at veritas.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/mm/shmem.c linux-source-2.6.18/mm/shmem.c
+--- linux-source-2.6.18.orig/mm/shmem.c	2007-12-01 15:24:42.000000000 -0700
++++ linux-source-2.6.18/mm/shmem.c	2007-12-17 18:24:57.000000000 -0700
+@@ -972,7 +972,7 @@ shmem_alloc_page(gfp_t gfp, struct shmem
+ 	pvma.vm_policy = mpol_shared_policy_lookup(&info->policy, idx);
+ 	pvma.vm_pgoff = idx;
+ 	pvma.vm_end = PAGE_SIZE;
+-	page = alloc_page_vma(gfp | __GFP_ZERO, &pvma, 0);
++	page = alloc_page_vma(gfp, &pvma, 0);
+ 	mpol_free(pvma.vm_policy);
+ 	return page;
+ }
+@@ -992,7 +992,7 @@ shmem_swapin(struct shmem_inode_info *in
+ static inline struct page *
+ shmem_alloc_page(gfp_t gfp,struct shmem_inode_info *info, unsigned long idx)
+ {
+-	return alloc_page(gfp | __GFP_ZERO);
++	return alloc_page(gfp);
+ }
+ #endif
+ 
+@@ -1201,6 +1201,7 @@ repeat:
+ 
+ 		info->alloced++;
+ 		spin_unlock(&info->lock);
++		clear_highpage(filepage);
+ 		flush_dcache_page(filepage);
+ 		SetPageUptodate(filepage);
+ 	}

Modified: dists/etch-security/linux-2.6/debian/patches/series/13etch6
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/13etch6	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/13etch6	Wed Dec 19 05:35:55 2007
@@ -2,3 +2,4 @@
 + bugfix/coredump-only-to-same-uid.patch
 + bugfix/hrtimer-large-relative-timeouts-overflow.patch
 + bugfix/minixfs-printk-hang.patch
++ bugfix/tmpfs-restore-clear_highpage.patch

