[kernel] r12081 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Aug 15 20:11:09 UTC 2008
Author: dannf
Date: Fri Aug 15 20:11:08 2008
New Revision: 12081
Log:
bugfix/vfs-fix-lookup-on-deleted-directory.patch
Fix potential memory leak in lookup path
See CVE-2008-3275
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/22etch2
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Fri Aug 15 20:11:08 2008
@@ -5,8 +5,11 @@
* bugfix/sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch
Fix possible information leak in seq_oss_synth.c
See CVE-2008-3272
+ * bugfix/vfs-fix-lookup-on-deleted-directory.patch
+ Fix potential memory leak in lookup path
+ See CVE-2008-3275
- -- dann frazier <dannf at debian.org> Tue, 12 Aug 2008 02:50:03 -0600
+ -- dann frazier <dannf at debian.org> Fri, 15 Aug 2008 14:00:29 -0600
linux-2.6 (2.6.18.dfsg.1-22etch1) stable-security; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch Fri Aug 15 20:11:08 2008
@@ -0,0 +1,71 @@
+commit d70b67c8bc72ee23b55381bd6a884f4796692f77
+Author: Miklos Szeredi <mszeredi at suse.cz>
+Date: Wed Jul 2 21:30:15 2008 +0200
+
+ [patch] vfs: fix lookup on deleted directory
+
+ Lookup can install a child dentry for a deleted directory. This keeps
+ the directory dentry alive, and the inode pinned in the cache and on
+ disk, even after all external references have gone away.
+
+ This isn't a big problem normally, since memory pressure or umount
+ will clear out the directory dentry and its children, releasing the
+ inode. But for UBIFS this causes problems because its orphan area can
+ overflow.
+
+ Fix this by returning ENOENT for all lookups on a S_DEAD directory
+ before creating a child dentry.
+
+ Thanks to Zoltan Sogor for noticing this while testing UBIFS, and
+ Artem for the excellent analysis of the problem and testing.
+
+ Reported-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
+ Tested-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
+ Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+ Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/namei.c linux-source-2.6.18/fs/namei.c
+--- linux-source-2.6.18.orig/fs/namei.c 2008-06-16 16:25:21.000000000 -0600
++++ linux-source-2.6.18/fs/namei.c 2008-08-15 13:51:40.000000000 -0600
+@@ -465,7 +465,14 @@ static struct dentry * real_lookup(struc
+ */
+ result = d_lookup(parent, name);
+ if (!result) {
+- struct dentry * dentry = d_alloc(parent, name);
++ struct dentry *dentry;
++
++ /* Don't create child dentry for a dead directory. */
++ result = ERR_PTR(-ENOENT);
++ if (IS_DEADDIR(dir))
++ goto out_unlock;
++
++ dentry = d_alloc(parent, name);
+ result = ERR_PTR(-ENOMEM);
+ if (dentry) {
+ result = dir->i_op->lookup(dir, dentry, nd);
+@@ -474,6 +481,7 @@ static struct dentry * real_lookup(struc
+ else
+ result = dentry;
+ }
++out_unlock:
+ mutex_unlock(&dir->i_mutex);
+ return result;
+ }
+@@ -1248,7 +1256,14 @@ static struct dentry * __lookup_hash(str
+
+ dentry = cached_lookup(base, name, nd);
+ if (!dentry) {
+- struct dentry *new = d_alloc(base, name);
++ struct dentry *new;
++
++ /* Don't create child dentry for a dead directory. */
++ dentry = ERR_PTR(-ENOENT);
++ if (IS_DEADDIR(inode))
++ goto out;
++
++ new = d_alloc(base, name);
+ dentry = ERR_PTR(-ENOMEM);
+ if (!new)
+ goto out;
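Review bot: The `IS_DEADDIR(inode)` test added to `__lookup_hash` is only race-free if the caller already holds the parent's `i_mutex`, and nothing in this hunk shows or documents that precondition. In `real_lookup` the lock is visibly held, since the new `out_unlock:` label sits directly before `mutex_unlock(&dir->i_mutex)`. Presumably S_DEAD is set under that same mutex when the directory is removed, so a lookup arriving without the lock could pass the check and still pin a child dentry under a directory that dies immediately afterwards, which is the resource-pinning condition CVE-2008-3275 describes. I would state the requirement in the comment, e.g. `/* Don't create child dentry for a dead directory; caller must hold inode->i_mutex. */`. Both function bodies begin and end outside the hunks shown, so the locking of every `__lookup_hash` caller should be confirmed against the full 2.6.18 tree.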
Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch2 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch2 Fri Aug 15 20:11:08 2008
@@ -1,2 +1,3 @@
+ bugfix/x86-wrong-register-was-used-in-align-macro.patch
+ bugfix/sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch
++ bugfix/vfs-fix-lookup-on-deleted-directory.patch