[kernel] r12081 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Aug 15 20:11:09 UTC 2008 

Author: dannf
Date: Fri Aug 15 20:11:08 2008
New Revision: 12081

Log:
bugfix/vfs-fix-lookup-on-deleted-directory.patch
Fix potential memory leak in lookup path
See CVE-2008-3275

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/22etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Fri Aug 15 20:11:08 2008
@@ -5,8 +5,11 @@
   * bugfix/sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch
     Fix possible information leak in seq_oss_synth.c
     See CVE-2008-3272
+  * bugfix/vfs-fix-lookup-on-deleted-directory.patch
+    Fix potential memory leak in lookup path
+    See CVE-2008-3275
 
- -- dann frazier <dannf at debian.org>  Tue, 12 Aug 2008 02:50:03 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 15 Aug 2008 14:00:29 -0600
 
 linux-2.6 (2.6.18.dfsg.1-22etch1) stable-security; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch	Fri Aug 15 20:11:08 2008
@@ -0,0 +1,71 @@
+commit d70b67c8bc72ee23b55381bd6a884f4796692f77
+Author: Miklos Szeredi <mszeredi at suse.cz>
+Date:   Wed Jul 2 21:30:15 2008 +0200
+
+    [patch] vfs: fix lookup on deleted directory
+    
+    Lookup can install a child dentry for a deleted directory.  This keeps
+    the directory dentry alive, and the inode pinned in the cache and on
+    disk, even after all external references have gone away.
+    
+    This isn't a big problem normally, since memory pressure or umount
+    will clear out the directory dentry and its children, releasing the
+    inode.  But for UBIFS this causes problems because its orphan area can
+    overflow.
+    
+    Fix this by returning ENOENT for all lookups on a S_DEAD directory
+    before creating a child dentry.
+    
+    Thanks to Zoltan Sogor for noticing this while testing UBIFS, and
+    Artem for the excellent analysis of the problem and testing.
+    
+    Reported-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
+    Tested-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
+    Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+    Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/namei.c linux-source-2.6.18/fs/namei.c
+--- linux-source-2.6.18.orig/fs/namei.c	2008-06-16 16:25:21.000000000 -0600
++++ linux-source-2.6.18/fs/namei.c	2008-08-15 13:51:40.000000000 -0600
+@@ -465,7 +465,14 @@ static struct dentry * real_lookup(struc
+ 	 */
+ 	result = d_lookup(parent, name);
+ 	if (!result) {
+-		struct dentry * dentry = d_alloc(parent, name);
++		struct dentry *dentry;
++
++		/* Don't create child dentry for a dead directory. */
++		result = ERR_PTR(-ENOENT);
++		if (IS_DEADDIR(dir))
++			goto out_unlock;
++
++		dentry = d_alloc(parent, name);
+ 		result = ERR_PTR(-ENOMEM);
+ 		if (dentry) {
+ 			result = dir->i_op->lookup(dir, dentry, nd);
+@@ -474,6 +481,7 @@ static struct dentry * real_lookup(struc
+ 			else
+ 				result = dentry;
+ 		}
++out_unlock:
+ 		mutex_unlock(&dir->i_mutex);
+ 		return result;
+ 	}
+@@ -1248,7 +1256,14 @@ static struct dentry * __lookup_hash(str
+ 
+ 	dentry = cached_lookup(base, name, nd);
+ 	if (!dentry) {
+-		struct dentry *new = d_alloc(base, name);
++		struct dentry *new;
++
++		/* Don't create child dentry for a dead directory. */
++		dentry = ERR_PTR(-ENOENT);
++		if (IS_DEADDIR(inode))
++			goto out;
++
++		new = d_alloc(base, name);
+ 		dentry = ERR_PTR(-ENOMEM);
+ 		if (!new)
+ 			goto out;

Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch2	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch2	Fri Aug 15 20:11:08 2008
@@ -1,2 +1,3 @@
 + bugfix/x86-wrong-register-was-used-in-align-macro.patch
 + bugfix/sound-ensure-device-number-is-valid-in-snd_seq_oss_synth_make_info.patch
++ bugfix/vfs-fix-lookup-on-deleted-directory.patch

More information about the Kernel-svn-changes mailing list