[kernel] r10441 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Feb 8 21:09:23 UTC 2008
Author: dannf
Date: Fri Feb 8 21:09:22 2008
New Revision: 10441
Log:
* cramfs-check-block-length.dpatch
[SECURITY] Add a sanity check of the block length in cramfs_readpage to
avoid a potential oops condition
See CVE-2006-5823
Added:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
Modified:
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog Fri Feb 8 21:09:22 2008
@@ -26,8 +26,12 @@
* i4l-isdn_ioctl-mem-overrun.dpatch
[SECURITY] Fix potential isdn ioctl memory overrun
See CVE-2007-6151
+ * cramfs-check-block-length.dpatch
+ [SECURITY] Add a sanity check of the block length in cramfs_readpage to
+ avoid a potential oops condition
+ See CVE-2006-5823
- -- dann frazier <dannf at debian.org> Sat, 05 Jan 2008 18:10:05 -0700
+ -- dann frazier <dannf at debian.org> Fri, 08 Feb 2008 14:08:04 -0700
kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/cramfs-check-block-length.dpatch Fri Feb 8 21:09:22 2008
@@ -0,0 +1,39 @@
+From: Phillip Lougher <phillip at lougher.org.uk>
+Date: Thu, 7 Dec 2006 04:37:20 +0000 (-0800)
+Subject: [PATCH] corrupted cramfs filesystems cause kernel oops
+X-Git-Tag: v2.6.20-rc1~15^2~14^2~175
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=8bb0269160df2a60764013994d0bc5165406cf4a;hp=2e591bbc0d563e12f5a260fbbca0df7d5810910e
+
+[PATCH] corrupted cramfs filesystems cause kernel oops
+
+Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
+fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
+Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
+is an unchecked corrupted block length field read by cramfs_readpage().
+
+This patch adds a sanity check to cramfs_readpage() which checks that the
+block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
+intentional, even though the uncompressed data is not going to be larger
+than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
+the original source data. Mkcramfs checks that the compressed size is
+always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
+use the original uncompressed data in this case, but it doesn't.
+
+Signed-off-by: Phillip Lougher <phillip at lougher.org.uk>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+index a624c3e..0509ced 100644
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -481,6 +481,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
+ pgdata = kmap(page);
+ if (compr_len == 0)
+ ; /* hole */
++ else if (compr_len > (PAGE_CACHE_SIZE << 1))
++ printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
+ else {
+ mutex_lock(&read_mutex);
+ bytes_filled = cramfs_uncompress_block(pgdata,
Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 (original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1 Fri Feb 8 21:09:22 2008
@@ -7,3 +7,4 @@
+ bluetooth-l2cap-hci-info-leaks.dpatch
+ coredump-only-to-same-uid.dpatch
+ i4l-isdn_ioctl-mem-overrun.dpatch
++ cramfs-check-block-length.dpatch
More information about the Kernel-svn-changes
mailing list