[kernel] r10157 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jan 21 07:53:10 UTC 2008 

Author: dannf
Date: Mon Jan 21 07:53:09 2008
New Revision: 10157

Log:
* 254_cramfs-check-block-length.diff
  [SECURITY] Add a sanity check of the block length in cramfs_readpage to
  avoid a potential oops condition
  See CVE-2006-5823

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Mon Jan 21 07:53:09 2008
@@ -45,8 +45,12 @@
     [SECURITY] Fix an issue where core dumping over a file that
     already exists retains the ownership of the original file
     See CVE-2007-6206
+  * 254_cramfs-check-block-length.diff
+    [SECURITY] Add a sanity check of the block length in cramfs_readpage to
+    avoid a potential oops condition
+    See CVE-2006-5823
 
- -- dann frazier <dannf at debian.org>  Mon, 12 Nov 2007 16:29:16 -0700
+ -- dann frazier <dannf at debian.org>  Mon, 21 Jan 2008 00:48:39 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff	Mon Jan 21 07:53:09 2008
@@ -0,0 +1,51 @@
+From: Moritz Muehlenhoff <jmm at inutil.org>
+Date: Sun, 11 Nov 2007 17:02:24 +0000 (+0100)
+Subject: [PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
+X-Git-Tag: v2.4.36-pre2~3
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=bf45d0bda54148841426979209d5f1df4f4d34e0
+
+[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
+
+From http://projects.info-pull.com/mokb/MOKB-07-11-2006.html :
+
+| The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a
+| denial of service (crash) via a malformed filesystem that uses zlib
+| compression that triggers memory corruption, as demonstrated using cramfs.
+
+We could reproduce this with 2.4.27, since there aren't any changes to git
+for cramfs since initial import this is likely unfixed in 2.4.35 too.
+2.6 patch below.
+
+http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8bb0269160df2a60764013994d0bc5165406cf4a
+
+| Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
+| fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
+| Cramfs to kernel oops in cramfs_uncompress_block().  The cause of the oops
+| is an unchecked corrupted block length field read by cramfs_readpage().
+|
+| This patch adds a sanity check to cramfs_readpage() which checks that the
+| block length field is sensible.  The (PAGE_CACHE_SIZE << 1) size check is
+| intentional, even though the uncompressed data is not going to be larger
+| than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
+| the original source data.  Mkcramfs checks that the compressed size is
+| always less than or equal to PAGE_CACHE_SIZE << 1.  Of course Cramfs could
+| use the original uncompressed data in this case, but it doesn't.
+|
+| Signed-off-by: Phillip Lougher <phillip at lougher.org.uk>
+| Signed-off-by: Andrew Morton <akpm at osdl.org>
+| Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+index 8fb1e70..71495ac 100644
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -404,6 +404,8 @@ static int cramfs_readpage(struct file *file, struct page * page)
+ 		pgdata = kmap(page);
+ 		if (compr_len == 0)
+ 			; /* hole */
++		else if (compr_len > (PAGE_CACHE_SIZE << 1))
++			printk(KERN_ERR "cramfs: bad compressed blocksize %u\n", compr_len);
+ 		else {
+ 			down(&read_mutex);
+ 			bytes_filled = cramfs_uncompress_block(pgdata,

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Mon Jan 21 07:53:09 2008
@@ -13,3 +13,4 @@
 + 251_openpromfs-checks-2.diff
 + 252_openpromfs-checks-3.diff
 + 253_coredump-only-to-same-uid.diff
++ 254_cramfs-check-block-length.diff

More information about the Kernel-svn-changes mailing list