[kernel] r10441 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Fri Feb 8 21:09:23 UTC 2008 

Author: dannf
Date: Fri Feb  8 21:09:22 2008
New Revision: 10441

Log:
* cramfs-check-block-length.dpatch
  [SECURITY] Add a sanity check of the block length in cramfs_readpage to
  avoid a potential oops condition
  See CVE-2006-5823

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Fri Feb  8 21:09:22 2008
@@ -26,8 +26,12 @@
   * i4l-isdn_ioctl-mem-overrun.dpatch
     [SECURITY] Fix potential isdn ioctl memory overrun
     See CVE-2007-6151
+  * cramfs-check-block-length.dpatch
+    [SECURITY] Add a sanity check of the block length in cramfs_readpage to
+    avoid a potential oops condition
+    See CVE-2006-5823
 
- -- dann frazier <dannf at debian.org>  Sat, 05 Jan 2008 18:10:05 -0700
+ -- dann frazier <dannf at debian.org>  Fri, 08 Feb 2008 14:08:04 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch	Fri Feb  8 21:09:22 2008
@@ -0,0 +1,39 @@
+From: Phillip Lougher <phillip at lougher.org.uk>
+Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800)
+Subject: [PATCH] corrupted cramfs filesystems cause kernel oops
+X-Git-Tag: v2.6.20-rc1~15^2~14^2~175
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;hp=2e591bbc0d563e12f5a260fbbca0df7d5810910e
+
+[PATCH] corrupted cramfs filesystems cause kernel oops
+
+Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
+fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
+Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
+is an unchecked corrupted block length field read by cramfs_readpage().
+
+This patch adds a sanity check to cramfs_readpage() which checks that the
+block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
+intentional, even though the uncompressed data is not going to be larger
+than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
+the original source data.  Mkcramfs checks that the compressed size is
+always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
+use the original uncompressed data in this case, but it doesn't.
+
+Signed-off-by: Phillip Lougher <phillip at lougher.org.uk>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+index a624c3e..0509ced 100644
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
+ 		pgdata = kmap(page);
+ 		if (compr_len == 0)
+ 			; /* hole */
++		else if (compr_len > (PAGE_CACHE_SIZE << 1))
++			printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
+ 		else {
+ 			mutex_lock(&read_mutex);
+ 			bytes_filled = cramfs_uncompress_block(pgdata,

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Fri Feb  8 21:09:22 2008
@@ -7,3 +7,4 @@
 + bluetooth-l2cap-hci-info-leaks.dpatch
 + coredump-only-to-same-uid.dpatch
 + i4l-isdn_ioctl-mem-overrun.dpatch
++ cramfs-check-block-length.dpatch

More information about the Kernel-svn-changes mailing list