[kernel] r8411 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 31 21:49:15 UTC 2007


Author: dannf
Date: Sat Mar 31 21:49:15 2007
New Revision: 8411

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/242_ext3-fsfuzz.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Log:
* 242_ext3-fsfuzz.diff
  [SECURITY] Fix a DoS vulnerability that can be triggered by a local
  user with the ability to mount a corrupted ext3 filesystem
  See CVE-2006-6053

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Sat Mar 31 21:49:15 2007
@@ -10,8 +10,12 @@
     [SECURITY] Add additional length checks to avoid potential remote
     DoS attacks in the handling of CAPI messages in the bluetooth driver
     See CVE-2006-6106
+  * 242_ext3-fsfuzz.diff
+    [SECURITY] Fix a DoS vulnerability that can be triggered by a local
+    user with the ability to mount a corrupted ext3 filesystem
+    See CVE-2006-6053
 
- -- dann frazier <dannf at debian.org>  Tue, 27 Feb 2007 00:10:14 -0700
+ -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 15:49:18 -0600
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 
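Review bot: the new changelog entry identifies the fix only by CVE, but the accompanying patch file carries the upstream commit id (40b851348fe9bf49c26025b34261d25142269b60) and states that only one of the two upstream hunks was backported; citing that commit and saying the backport is partial here would let a reader check what this sarge6 build actually changes against the 2.6.20 fix.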

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/242_ext3-fsfuzz.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/242_ext3-fsfuzz.diff	Sat Mar 31 21:49:15 2007
@@ -0,0 +1,65 @@
+From: Eric Sandeen <sandeen at redhat.com>
+Date: Thu, 7 Dec 2006 04:36:26 +0000 (-0800)
+Subject: [PATCH] handle ext3 directory corruption better
+X-Git-Tag: v2.6.20~683^2^2~203
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=40b851348fe9bf49c26025b34261d25142269b60
+
+[PATCH] handle ext3 directory corruption better
+
+I've been using Steve Grubb's purely evil "fsfuzzer" tool, at
+http://people.redhat.com/sgrubb/files/fsfuzzer-0.4.tar.gz
+
+Basically it makes a filesystem, splats some random bits over it, then
+tries to mount it and do some simple filesystem actions.
+
+At best, the filesystem catches the corruption gracefully.  At worst,
+things spin out of control.
+
+As you might guess, we found a couple places in ext3 where things spin out
+of control :)
+
+First, we had a corrupted directory that was never checked for
+consistency...  it was corrupt, and pointed to another bad "entry" of
+length 0.  The for() loop looped forever, since the length of
+ext3_next_entry(de) was 0, and we kept looking at the same pointer over and
+over and over and over...  I modeled this check and subsequent action on
+what is done for other directory types in ext3_readdir...
+
+(adding this check adds some computational expense; I am testing a followup
+patch to reduce the number of times we check and re-check these directory
+entries, in all cases.  Thanks for the idea, Andreas).
+
+Next we had a root directory inode which had a corrupted size, claimed to
+be > 200M on a 4M filesystem.  There was only really 1 block in the
+directory, but because the size was so large, readdir kept coming back for
+more, spewing thousands of printk's along the way.
+
+Per Andreas' suggestion, if we're in this read error condition and we're
+trying to read an offset which is greater than i_blocks worth of bytes,
+stop trying, and break out of the loop.
+
+With these two changes fsfuzz test survives quite well on ext3.
+
+Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+Cc: <linux-ext4 at vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+Backported to Debian's 2.4.27 by dann frazier <dannf at debian.org>
+Only the first hunk applies to 2.4, second hunk dropped from backport
+
+diff --git a/fs/ext3/dir.c b/fs/ext3/dir.c
+index d0b54f3..5a9313e 100644
+--- a/fs/ext3/dir.c
++++ b/fs/ext3/dir.c
+@@ -154,6 +154,9 @@ static int ext3_readdir(struct file * filp,
+ 			ext3_error (sb, "ext3_readdir",
+ 				"directory #%lu contains a hole at offset %lu",
+ 				inode->i_ino, (unsigned long)filp->f_pos);
++			/* corrupt size?  Maybe no more blocks to read */
++			if (filp->f_pos > inode->i_blocks << 9)
++				break;
+ 			filp->f_pos += sb->s_blocksize - offset;
+ 			continue;
+ 		}
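Review bot: the backport note ("Only the first hunk applies to 2.4, second hunk dropped from backport") does not say which of the two problems in the commit message is left unfixed. The retained hunk in ext3_readdir is the i_blocks bound on a corrupt directory size (the "root directory inode which had a corrupted size" case), so the dropped hunk must be the consistency check that stops the zero-length-entry loop described first ("The for() loop looped forever"); the note should state whether that loop is unreachable in 2.4.27's ext3 or still open, since the changelog claims the CVE fixed outright. Minor: `inode->i_blocks << 9` is computed in the width of i_blocks before it is compared with the wider f_pos, so on 32-bit it wraps for i_blocks at or above 2^23; this matches upstream, but a cast to loff_t before the shift would avoid the wrap.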

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Sat Mar 31 21:49:15 2007
@@ -1,3 +1,4 @@
 + 239_mincore-hang.diff
 + 240_smbfs-honor-mount-opts-2.diff
 + 241_bluetooth-capi-size-checks.diff
++ 242_ext3-fsfuzz.diff
