[kernel] r12148 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Aug 29 06:24:26 UTC 2008


Author: dannf
Date: Fri Aug 29 06:24:25 2008
New Revision: 12148

Log:
Fix potential memory leak in lookup path (CVE-2008-3275)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Aug 29 06:24:25 2008
@@ -6,8 +6,9 @@
     (CVE-2008-3272)
   * Fix regression introduced upstream by the fixes for CVE-2008-1673
   * Fix integer overflow in dccp_setsockopt_change() (CVE-2008-3276)
+  * Fix potential memory leak in lookup path (CVE-2008-3275)
 
- -- dann frazier <dannf at debian.org>  Tue, 26 Aug 2008 16:29:23 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 29 Aug 2008 00:22:57 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
 

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/vfs-fix-lookup-on-deleted-directory.patch	Fri Aug 29 06:24:25 2008
@@ -0,0 +1,70 @@
+commit d70b67c8bc72ee23b55381bd6a884f4796692f77
+Author: Miklos Szeredi <mszeredi at suse.cz>
+Date:   Wed Jul 2 21:30:15 2008 +0200
+
+    [patch] vfs: fix lookup on deleted directory
+    
+    Lookup can install a child dentry for a deleted directory.  This keeps
+    the directory dentry alive, and the inode pinned in the cache and on
+    disk, even after all external references have gone away.
+    
+    This isn't a big problem normally, since memory pressure or umount
+    will clear out the directory dentry and its children, releasing the
+    inode.  But for UBIFS this causes problems because its orphan area can
+    overflow.
+    
+    Fix this by returning ENOENT for all lookups on a S_DEAD directory
+    before creating a child dentry.
+    
+    Thanks to Zoltan Sogor for noticing this while testing UBIFS, and
+    Artem for the excellent analysis of the problem and testing.
+    
+    Reported-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
+    Tested-by: Artem Bityutskiy <Artem.Bityutskiy at nokia.com>
+    Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+    Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+
+diff --git a/fs/namei.c b/fs/namei.c
+index 01e67dd..3b26a24 100644
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -519,7 +519,14 @@ static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, s
+ 	 */
+ 	result = d_lookup(parent, name);
+ 	if (!result) {
+-		struct dentry * dentry = d_alloc(parent, name);
++		struct dentry *dentry;
++
++		/* Don't create child dentry for a dead directory. */
++		result = ERR_PTR(-ENOENT);
++		if (IS_DEADDIR(dir))
++			goto out_unlock;
++
++		dentry = d_alloc(parent, name);
+ 		result = ERR_PTR(-ENOMEM);
+ 		if (dentry) {
+ 			result = dir->i_op->lookup(dir, dentry, nd);
+@@ -528,6 +535,7 @@ static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, s
+ 			else
+ 				result = dentry;
+ 		}
++out_unlock:
+ 		mutex_unlock(&dir->i_mutex);
+ 		return result;
+ 	}
+@@ -1317,7 +1325,14 @@ static struct dentry *__lookup_hash(struct qstr *name,
+ 
+ 	dentry = cached_lookup(base, name, nd);
+ 	if (!dentry) {
+-		struct dentry *new = d_alloc(base, name);
++		struct dentry *new;
++
++		/* Don't create child dentry for a dead directory. */
++		dentry = ERR_PTR(-ENOENT);
++		if (IS_DEADDIR(inode))
++			goto out;
++
++		new = d_alloc(base, name);
+ 		dentry = ERR_PTR(-ENOMEM);
+ 		if (!new)
+ 			goto out;
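Review bot: The new comment `/* Don't create child dentry for a dead directory. */`, added in both embedded fs/namei.c hunks, states the rule but not the locking that makes the check reliable. In real_lookup() the IS_DEADDIR(dir) test runs before the visible `mutex_unlock(&dir->i_mutex)` at `out_unlock`, so the directory mutex is held there. In __lookup_hash() no lock is visible in the hunk and `inode` is declared outside it, so the check presumably relies on callers holding the parent's i_mutex; that is worth confirming against this 2.6.24 tree, since the upstream commit is dated July 2008 and may target a later fs/namei.c. I would extend the comment to something like `/* Don't create child dentry for a dead directory; S_DEAD is tested under i_mutex so rmdir cannot race with d_alloc(). */`. Both function bodies start and end outside the embedded hunks, so the lock acquisition cannot be checked from this page.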

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	Fri Aug 29 06:24:25 2008
@@ -3,3 +3,4 @@
 + bugfix/cifs-fix-compiler-warning.patch
 + bugfix/netfilter-nf_nat_snmp_basic-fix-range-check.patch
 + bugfix/dccp-change-l-r-must-have-at-least-one-byte-in-the-dccpsf_val-field.patch
++ bugfix/vfs-fix-lookup-on-deleted-directory.patch


