[kernel] r8412 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Sat Mar 31 22:29:06 UTC 2007


Author: dannf
Date: Sat Mar 31 22:29:06 2007
New Revision: 8412

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hfs-no-root-inode.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* hfs-no-root-inode.dpatch
  [SECURITY] Fix bug in HFS where hfs_fill_super returns success even
  if no root inode is found. On an SELinux-enabled system, this can
  be used to trigger a local DoS. Debian does not enable SELinux by
  default.

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Sat Mar 31 22:29:06 2007
@@ -47,8 +47,13 @@
     [SECURITY] Fix a DoS vulnerability that can be triggered by a local
     user with the ability to mount a corrupted ext3 filesystem
     See CVE-2006-6053
+  * hfs-no-root-inode.dpatch
+    [SECURITY] Fix bug in HFS where hfs_fill_super returns success even
+    if no root inode is found. On an SELinux-enabled system, this can
+    be used to trigger a local DoS. Debian does not enable SELinux by
+    default.
 
- -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 15:43:28 -0600
+ -- dann frazier <dannf at debian.org>  Sat, 31 Mar 2007 16:26:49 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 
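Review bot: the new hfs-no-root-inode.dpatch changelog entry carries no reference, while the ext3 entry directly above it ends with "See CVE-2006-6053". Add a "See ..." line pointing at one of the references already recorded in the dpatch header (the kernelfun.blogspot.com MOKB URL or upstream commit d6ddf55440833fd9404138026af246c51ebeef22), plus a CVE id if one has been assigned, so this entry can be tracked the same way as its neighbours.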

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hfs-no-root-inode.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/hfs-no-root-inode.dpatch	Sat Mar 31 22:29:06 2007
@@ -0,0 +1,63 @@
+From: Eric Sandeen <sandeen at redhat.com>
+Date: Thu, 16 Nov 2006 09:19:22 +0000 (-0800)
+Subject: [PATCH] hfs_fill_super returns success even if no root inode
+X-Git-Tag: v2.6.19~97
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=d6ddf55440833fd9404138026af246c51ebeef22
+
+[PATCH] hfs_fill_super returns success even if no root inode
+
+http://kernelfun.blogspot.com/2006/11/mokb-14-11-2006-linux-26x-selinux.html
+
+mount that image...
+fs: filesystem was not cleanly unmounted, running fsck.hfs is recommended.  mounting read-only.
+hfs: get root inode failed.
+BUG: unable to handle kernel NULL pointer dereference at virtual address 00000018
+ printing eip
+...
+EIP is at superblock_doinit+0x21/0x767
+...
+ [] selinux_sb_kern_mount+0xc/0x4b
+ [] vfs_kern_mount+0x99/0xf6
+ [] do_kern_mount+0x2d/0x3e
+ [] do_mount+0x5fa/0x66d
+ [] sys_mount+0x77/0xae
+ [] syscall_call+0x7/0xb
+DWARF2 unwinder stuck at syscall_call+0x7/0xb
+
+hfs_fill_super() returns success even if
+  root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+or
+  sb->s_root = d_alloc_root(root_inode);
+
+fails.  This superblock finds its way to superblock_doinit() which does:
+
+        struct dentry *root = sb->s_root;
+        struct inode *inode = root->d_inode;
+
+and boom.  Need to make sure the error cases return an error, I think.
+
+[akpm at osdl.org: return -ENOMEM on oom]
+Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+Cc: Roman Zippel <zippel at linux-m68k.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/hfs/super.c b/fs/hfs/super.c
+index d43b4fc..85b17b3 100644
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -390,11 +390,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent)
+ 		hfs_find_exit(&fd);
+ 		goto bail_no_root;
+ 	}
++	res = -EINVAL;
+ 	root_inode = hfs_iget(sb, &fd.search_key->cat, &rec);
+ 	hfs_find_exit(&fd);
+ 	if (!root_inode)
+ 		goto bail_no_root;
+ 
++	res = -ENOMEM;
+ 	sb->s_root = d_alloc_root(root_inode);
+ 	if (!sb->s_root)
+ 		goto bail_iput;
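Review bot: in the fs/hfs/super.c hunk, the new res = -EINVAL and res = -ENOMEM assignments only fix the bug if the bail_no_root and bail_iput paths end by returning res, and neither label nor the return statement is inside the visible context. The patch header tags the upstream commit as v2.6.19~97 while this tree is 2.6.8, so please confirm against the 2.6.8 super.c that both labels fall through to a return of res and that the hunk applies at the intended place. The first goto bail_no_root in the leading context also runs before res = -EINVAL is set, so it is worth checking that res already holds a nonzero error on that path.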

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Sat Mar 31 22:29:06 2007
@@ -9,3 +9,4 @@
 + aio-fix-nr_pages-init.dpatch
 + unmap_hugepage_area-check-null-pte.dpatch
 + ext3-fsfuzz.dpatch
++ hfs-no-root-inode.dpatch


