[kernel] r8412 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Mar 31 22:29:06 UTC 2007
Author: dannf
Date: Sat Mar 31 22:29:06 2007
New Revision: 8412
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hfs-no-root-inode.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* hfs-no-root-inode.dpatch
[SECURITY] Fix bug in HFS where hfs_fill_super returns success even
if no root inode is found. On an SELinux-enabled system, this can
be used to trigger a local DoS. Debian does not enable SELinux by
default.
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Sat Mar 31 22:29:06 2007
@@ -47,8 +47,13 @@
[SECURITY] Fix a DoS vulnerability that can be triggered by a local
user with the ability to mount a corrupted ext3 filesystem
See CVE-2006-6053
+ * hfs-no-root-inode.dpatch
+ [SECURITY] Fix bug in HFS where hfs_fill_super returns success even
+ if no root inode is found. On an SELinux-enabled system, this can
+ be used to trigger a local DoS. Debian does not enable SELinux by
+ default.
- -- dann frazier <dannf at debian.org> Sat, 31 Mar 2007 15:43:28 -0600
+ -- dann frazier <dannf at debian.org> Sat, 31 Mar 2007 16:26:49 -0600
kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
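Review bot: The added hfs-no-root-inode.dpatch changelog entry carries no reference a reader can follow, while the ext3 entry directly above it ends with "See CVE-2006-6053". Suggest pointing to the upstream commit named in the patch header (d6ddf55440833fd9404138026af246c51ebeef22) or to the advisory URL quoted there, so the entry stays traceable without opening the patch file. The ext3 entry also says who can trigger the problem (a local user able to mount a corrupted filesystem); the HFS entry could state the same precondition, since the patch description shows the oops occurring during a mount.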
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hfs-no-root-inode.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hfs-no-root-inode.dpatch Sat Mar 31 22:29:06 2007
@@ -0,0 +1,63 @@
+From: Eric Sandeen <sandeen at redhat.com>
+Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
+Subject: [PATCH] hfs_fill_super returns success even if no root inode
+X-Git-Tag: v2.6.19~97
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d6ddf55440833fd9404138026af246c51ebeef22
+
+[PATCH] hfs_fill_super returns success even if no root inode
+
+http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html
+
+mount that image...
+fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended. mounting read-only.
+hfs: get root inode failed.
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
+ printing eip
+...
+EIP is at superblock_doinit+0x21/0x767
+...
+ [] selinux_sb_kern_mount+0xc/0x4b
+ [] vfs_kern_mount+0x99/0xf6
+ [] do_kern_mount+0x2d/0x3e
+ [] do_mount+0x5fa/0x66d
+ [] sys_mount+0x77/0xae
+ [] syscall_call+0x7/0xb
+DWARF2 unwinder stuck at syscall_call+0x7/0xb
+
+hfs_fill_super() returns success even if
+ root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+or
+ sb->s_root = d_alloc_root(root_inode);
+
+fails. This superblock finds its way to superblock_doinit() which does:
+
+ struct dentry *root = sb->s_root;
+ struct inode *inode = root->d_inode;
+
+and boom. Need to make sure the error cases return an error, I think.
+
+[akpm at osdl.org: return -ENOMEM on oom]
+Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+Cc: Roman Zippel <zippel at linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/hfs/super.c b/fs/hfs/super.c
+index d43b4fc..85b17b3 100644
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent)
+ hfs_find_exit(&fd);
+ goto bail_no_root;
+ }
++ res = -EINVAL;
+ root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+ hfs_find_exit(&fd);
+ if (!root_inode)
+ goto bail_no_root;
+
++ res = -ENOMEM;
+ sb->s_root = d_alloc_root(root_inode);
+ if (!sb->s_root)
+ goto bail_iput;
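Review bot: In the fs/hfs/super.c hunk, the two added assignments (res = -EINVAL before hfs_iget, res = -ENOMEM before d_alloc_root) only have an effect if the bail_no_root and bail_iput paths end by returning res, and neither label is inside the visible context. The patch header tags this change as v2.6.19~97 and it is being added to a 2.6.8 tree, so please confirm that hfs_fill_super in 2.6.8 has the same exit path, and that the earlier goto bail_no_root at the top of the hunk's context also reaches it with res holding an error value. A line in the patch header stating that the change was checked against 2.6.8, or adjusted for it, would document that.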
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7 Sat Mar 31 22:29:06 2007
@@ -9,3 +9,4 @@
+ aio-fix-nr_pages-init.dpatch
+ unmap_hugepage_area-check-null-pte.dpatch
+ ext3-fsfuzz.dpatch
++ hfs-no-root-inode.dpatch