[kernel] r9004 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Jun 19 00:08:13 UTC 2007
Author: dannf
Date: Tue Jun 19 00:08:12 2007
New Revision: 9004
Log:
* compat_sys_mount-NULL-data_page.dpatch
[SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page
See CVE-2006-7203
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Tue Jun 19 00:08:12 2007
@@ -1,3 +1,11 @@
+kernel-source-2.6.8 (2.6.8-17sarge1) UNRELEASED; urgency=high
+
+ * compat_sys_mount-NULL-data_page.dpatch
+ [SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page
+ See CVE-2006-7203
+
+ -- dann frazier <dannf at debian.org> Tue, 19 Jun 2007 01:02:58 +0100
+
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
[ Simon Horman ]
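Review bot: The new 2.6.8-17sarge1 entry names the dpatch and CVE-2006-7203 but not the upstream commit the fix is taken from. Consider adding the commit id carried in the patch's X-Git-Url header (822191a2fa1584a29c3224ab328507adcaeac1ab) so the backport can be traced from the changelog alone. The distribution field is still UNRELEASED and needs to be set to the target suite before upload.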
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch Tue Jun 19 00:08:12 2007
@@ -0,0 +1,39 @@
+From: Andrey Mirkin <amirkin at openvz.org>
+Date: Thu, 7 Dec 2006 04:31:35 +0000 (-0800)
+Subject: [PATCH] skip data conversion in compat_sys_mount when data_page is NULL
+X-Git-Tag: v2.6.20~683^2^2~360
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab
+
+[PATCH] skip data conversion in compat_sys_mount when data_page is NULL
+
+OpenVZ Linux kernel team has found a problem with mounting in compat mode.
+
+Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit mode
+leads to oops:
+
+ Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: compat_sys_mount+0xd6/0x290
+ Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0)
+ Call Trace: ia32_sysret+0x0/0xa
+
+The problem is that data_page pointer can be NULL, so we should skip data
+conversion in this case.
+
+Signed-off-by: Andrey Mirkin <amirkin at openvz.org>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/compat.c b/fs/compat.c
+index 06dad66..7aef541 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -871,7 +871,7 @@ asmlinkage long compat_sys_mount(char __user * dev_name, char __user * dir_name,
+
+ retval = -EINVAL;
+
+- if (type_page) {
++ if (type_page && data_page) {
+ if (!strcmp((char *)type_page, SMBFS_NAME)) {
+ do_smb_super_data_conv((void *)data_page);
+ } else if (!strcmp((char *)type_page, NCPFS_NAME)) {
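Review bot: In the embedded fs/compat.c hunk, the new guard "if (type_page && data_page)" wraps the whole strcmp chain, but only the SMBFS_NAME and NCPFS_NAME branches are visible here. Check that every remaining branch of that chain in the 2.6.8 tree also dereferences data_page, since all of them are now skipped when it is NULL. The "@@ -871,7 +871,7 @@" offsets and the index hashes come from the upstream tree (X-Git-Tag v2.6.20~683^2^2~360), so also confirm the patch applies to the 2.6.8 source without fuzz placing the change on a different "if (type_page)".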
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Tue Jun 19 00:08:12 2007
@@ -0,0 +1 @@
++ compat_sys_mount-NULL-data_page.dpatch