[kernel] r9004 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Jun 19 00:08:13 UTC 2007


Author: dannf
Date: Tue Jun 19 00:08:12 2007
New Revision: 9004

Log:
* compat_sys_mount-NULL-data_page.dpatch
  [SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page
  See CVE-2006-7203

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue Jun 19 00:08:12 2007
@@ -1,3 +1,11 @@
+kernel-source-2.6.8 (2.6.8-17sarge1) UNRELEASED; urgency=high
+
+  * compat_sys_mount-NULL-data_page.dpatch
+    [SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page
+    See CVE-2006-7203
+
+ -- dann frazier <dannf at debian.org>  Tue, 19 Jun 2007 01:02:58 +0100
+
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 
   [ Simon Horman ]
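Review bot: The new 2.6.8-17sarge1 stanza at the top of debian/changelog is still marked UNRELEASED, while the entry directly below it targets oldstable; set the real target distribution before this goes to upload so an urgency=high security fix is not left sitting under a placeholder. The item text gives the patch name and CVE-2006-7203 but not what was touched; adding the file (fs/compat.c, per the patch added in this same revision) would let someone reading only the changelog see the scope of the change.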

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch	Tue Jun 19 00:08:12 2007
@@ -0,0 +1,39 @@
+From: Andrey Mirkin <amirkin at openvz.org>
+Date: Thu, 7 Dec 2006 04:31:35 +0000 (-0800)
+Subject: [PATCH] skip data conversion in compat_sys_mount when data_page is NULL
+X-Git-Tag: v2.6.20~683^2^2~360
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab
+
+[PATCH] skip data conversion in compat_sys_mount when data_page is NULL
+
+OpenVZ Linux kernel team has found a problem with mounting in compat mode.
+
+Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit mode
+leads to oops:
+
+  Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: compat_sys_mount+0xd6/0x290
+  Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task ffff810034c86bc0)
+  Call Trace: ia32_sysret+0x0/0xa
+
+The problem is that data_page pointer can be NULL, so we should skip data
+conversion in this case.
+
+Signed-off-by: Andrey Mirkin <amirkin at openvz.org>
+Cc: <stable at kernel.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/compat.c b/fs/compat.c
+index 06dad66..7aef541 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -871,7 +871,7 @@ asmlinkage long compat_sys_mount(char __user * dev_name, char __user * dir_name,
+ 
+ 	retval = -EINVAL;
+ 
+-	if (type_page) {
++	if (type_page && data_page) {
+ 		if (!strcmp((char *)type_page, SMBFS_NAME)) {
+ 			do_smb_super_data_conv((void *)data_page);
+ 		} else if (!strcmp((char *)type_page, NCPFS_NAME)) {
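Review bot: The changed condition "if (type_page && data_page) {" in the embedded fs/compat.c hunk has no comment saying why data_page is tested, and the only explanation ("data_page pointer can be NULL") lives in the commit message; a one-line comment above the condition would keep a later cleanup from dropping the check, since it guards both the SMBFS_NAME and NCPFS_NAME conversion calls visible here. The embedded hunk header "@@ -871,7 +871,7 @@" and the index line come from the upstream tree (X-Git-Tag v2.6.20~683^2^2~360), not from 2.6.8, so confirm that this context applies to the 2.6.8 fs/compat.c without fuzz or offset surprises before the package is built.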

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Tue Jun 19 00:08:12 2007
@@ -0,0 +1 @@
++ compat_sys_mount-NULL-data_page.dpatch


