[kernel] r10444 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Fri Feb 8 21:55:20 UTC 2008 

Author: dannf
Date: Fri Feb  8 21:55:19 2008
New Revision: 10444

Log:
* minixfs-printk-hang.dpatch
  [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
  filesystem that would otherwise cause a system to hang (printk storm)
  See CVE-2006-6058

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Fri Feb  8 21:55:19 2008
@@ -34,8 +34,12 @@
     [SECURITY] Add some sanity checking for a corrupted i_size in
     ext2_find_entry()
     See CVE-2006-6054
+  * minixfs-printk-hang.dpatch
+    [SECURITY] Rate-limit printks caused by accessing a corrupted minixfs
+    filesystem that would otherwise cause a system to hang (printk storm)
+    See CVE-2006-6058
 
- -- dann frazier <dannf at debian.org>  Fri, 08 Feb 2008 14:22:01 -0700
+ -- dann frazier <dannf at debian.org>  Fri, 08 Feb 2008 14:54:19 -0700
 
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/minixfs-printk-hang.dpatch	Fri Feb  8 21:55:19 2008
@@ -0,0 +1,69 @@
+commit f44ec6f3f89889a469773b1fd894f8fcc07c29cf
+Author: Eric Sandeen <sandeen at redhat.com>
+Date:   Tue Oct 16 23:27:15 2007 -0700
+
+    limit minixfs printks on corrupted dir i_size
+    
+    This attempts to address CVE-2006-6058
+    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058
+    
+    first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html
+    
+    Essentially a corrupted minix dir inode reporting a very large
+    i_size will loop for a very long time in minix_readdir, minix_find_entry,
+    etc, because on EIO they just move on to try the next page.  This is
+    under the BKL, printk-storming as well.  This can lock up the machine
+    for a very long time.  Simply ratelimiting the printks gets things back
+    under control.  Make the message a bit more informative while we're here.
+    
+    Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+    Cc: Bodo Eggert <7eggert at gmx.de>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.8 by dann frazier <dannf at hp.com>
+
+diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v1.c kernel-source-2.6.8/fs/minix/itree_v1.c
+--- kernel-source-2.6.8.orig/fs/minix/itree_v1.c	2004-08-13 23:38:10.000000000 -0600
++++ kernel-source-2.6.8/fs/minix/itree_v1.c	2008-02-08 14:33:09.000000000 -0700
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ 	int n = 0;
++	char b[BDEVNAME_SIZE];
+ 
+ 	if (block < 0) {
+-		printk("minix_bmap: block<0");
++		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++			block, bdevname(inode->i_sb->s_bdev, b));
+ 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+-		printk("minix_bmap: block>big");
++		if (printk_ratelimit())
++			printk("MINIX-fs: block_to_path: "
++			       "block %ld too big on dev %s\n",
++				block, bdevname(inode->i_sb->s_bdev, b));
+ 	} else if (block < 7) {
+ 		offsets[n++] = block;
+ 	} else if ((block -= 7) < 512) {
+diff -urpN kernel-source-2.6.8.orig/fs/minix/itree_v2.c kernel-source-2.6.8/fs/minix/itree_v2.c
+--- kernel-source-2.6.8.orig/fs/minix/itree_v2.c	2004-08-13 23:37:39.000000000 -0600
++++ kernel-source-2.6.8/fs/minix/itree_v2.c	2008-02-08 14:33:56.000000000 -0700
+@@ -23,11 +23,16 @@ static inline block_t *i_data(struct ino
+ static int block_to_path(struct inode * inode, long block, int offsets[DEPTH])
+ {
+ 	int n = 0;
++	char b[BDEVNAME_SIZE];
+ 
+ 	if (block < 0) {
+-		printk("minix_bmap: block<0");
++		printk("MINIX-fs: block_to_path: block %ld < 0 on dev %s\n",
++			block, bdevname(sb->s_bdev, b));
+ 	} else if (block >= (minix_sb(inode->i_sb)->s_max_size/BLOCK_SIZE)) {
+-		printk("minix_bmap: block>big");
++		if (printk_ratelimit())
++			printk("MINIX-fs: block_to_path: "
++			       "block %ld too big on dev %s\n",
++				block, bdevname(sb->s_bdev, b));
+ 	} else if (block < 7) {
+ 		offsets[n++] = block;
+ 	} else if ((block -= 7) < 256) {

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1	Fri Feb  8 21:55:19 2008
@@ -9,3 +9,4 @@
 + i4l-isdn_ioctl-mem-overrun.dpatch
 + cramfs-check-block-length.dpatch
 + ext2-skip-pages-past-num-blocks.dpatch
++ minixfs-printk-hang.dpatch

More information about the Kernel-svn-changes mailing list