[kernel] r8405 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 31 20:24:55 UTC 2007


Author: dannf
Date: Sat Mar 31 20:24:55 2007
New Revision: 8405

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__find_get_block_slow-race.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* __find_get_block_slow-race.dpatch
  [SECURITY] Fix infinite loop in __find_get_block_slow that can
  be triggered by mounting and accessing a malicious iso9660 or NTFS
  filesystem
  See CVE-2006-5757, CVE-2006-6060

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat Mar 31 20:24:55 2007
@@ -24,6 +24,11 @@
     [SECURITY] Add additional length checks to avoid potential remote
     DoS attacks in the handling of CAPI messages in the bluetooth driver
     See CVE-2006-6106
+  * __find_get_block_slow-race.dpatch
+    [SECURITY] Fix infinite loop in __find_get_block_slow that can
+    be triggered by mounting and accessing a malicious iso9660 or NTFS
+    filesystem
+    See CVE-2006-5757, CVE-2006-6060
   * listxattr-mem-corruption.dpatch
     [SECURITY] Fix userspace corruption vulnerability caused by
     incorrectly promoted return values in bad_inode_ops
@@ -33,7 +38,7 @@
     avoid a race that can lead to a system crash
     See CVE-2006-5754
 
- -- dann frazier <dannf at debian.org>  Tue, 20 Mar 2007 01:05:01 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 13:51:04 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__find_get_block_slow-race.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__find_get_block_slow-race.dpatch	Sat Mar 31 20:24:55 2007
@@ -0,0 +1,69 @@
+From: Andrew Morton <akpm at osdl.org>
+Date: Sat, 30 Dec 2006 23:23:35 +0000 (-0500)
+Subject: grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)
+X-Git-Tag: v2.6.18.8^0~17
+X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.18.y.git;a=commitdiff_plain;h=0fc7b9055c2069bdb2fae508cefaeef4d26f86aa;hp=6ce115c0d888086716aef2b4b3cd702d3b4f060d
+
+grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)
+
+If grow_buffers() is for some reason passed a block number which wants to lie
+outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it
+will accidentally truncate `index' and will then instnatiate a page at the
+wrong pagecache offset.  This causes __getblk_slow() to go into an infinite
+loop.
+
+This can happen with corrupted disks, or with software errors elsewhere.
+
+Detect that, and handle it.
+
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+Signed-off-by: Chris Wright <chrisw at sous-sol.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+diff --git a/fs/buffer.c b/fs/buffer.c
+index 5b329f0..29fc99f 100644
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -1179,8 +1179,21 @@ grow_buffers(struct block_device *bdev, sector_t block, int size)
+ 	} while ((size << sizebits) < PAGE_SIZE);
+ 
+ 	index = block >> sizebits;
+-	block = index << sizebits;
+ 
++	/*
++	 * Check for a block which wants to lie outside our maximum possible
++	 * pagecache index.  (this comparison is done using sector_t types).
++	 */
++	if (unlikely(index != block >> sizebits)) {
++		char b[BDEVNAME_SIZE];
++
++		printk(KERN_ERR "%s: requested out-of-range block %llu for "
++			"device %s\n",
++			__FUNCTION__, (unsigned long long)block,
++			bdevname(bdev, b));
++		return -EIO;
++	}
++	block = index << sizebits;
+ 	/* Create a page with the proper size buffers.. */
+ 	page = grow_dev_page(bdev, block, index, size);
+ 	if (!page)
+@@ -1207,12 +1220,16 @@ __getblk_slow(struct block_device *bdev, sector_t block, int size)
+ 
+ 	for (;;) {
+ 		struct buffer_head * bh;
++		int ret;
+ 
+ 		bh = __find_get_block(bdev, block, size);
+ 		if (bh)
+ 			return bh;
+ 
+-		if (!grow_buffers(bdev, block, size))
++		ret = grow_buffers(bdev, block, size);
++		if (ret < 0)
++			return NULL;
++		if (ret == 0)
+ 			free_more_memory();
+ 	}
+ }
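Review bot: The printk added to grow_buffers (the KERN_ERR line in the first nested hunk) is not rate-limited, yet the changelog entry for this very patch says the path is reachable by mounting a crafted iso9660 or NTFS image, so a malicious filesystem can turn the diagnostic into a log flood; wrapping it as `if (printk_ratelimit())` before the `printk(KERN_ERR ...)` closes that, assuming printk_ratelimit() is present in the 2.6.8 tree (the upstream 2.6.18 commit this is taken from leaves it unguarded too). The second nested hunk makes __getblk_slow return NULL on the new `ret < 0` branch where it previously could only loop, so callers of __getblk()/sb_getblk() in this 2.6.8 tree that assume a non-NULL buffer_head are outside this diff and worth auditing before the patch ships. The dpatch file name and the changelog entry refer to `__find_get_block_slow`, while the loop actually being fixed is in `__getblk_slow`; a one-line comment at the top of the dpatch naming the real function would save the next reader a search. The nested hunk headers carry 2.6.18.8 line numbers (1179, 1207), so presumably the patch applies to 2.6.8's fs/buffer.c with an offset; grow_buffers' body continues outside the hunk.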

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Sat Mar 31 20:24:55 2007
@@ -4,5 +4,6 @@
 + dvb-core-handle-0-length-ule-sndu.dpatch
 + smbfs-honor-mount-opts-2.dpatch
 + bluetooth-capi-size-checks.dpatch
++ __find_get_block_slow-race.dpatch
 + listxattr-mem-corruption.dpatch
 + aio-fix-nr_pages-init.dpatch


