[kernel] r11325 - in dists/etch/linux-2.6.24/debian: . patches/bugfix/all/stable patches/series

Dann Frazier dannf at alioth.debian.org
Wed May 7 22:11:01 UTC 2008


Author: dannf
Date: Wed May  7 22:11:00 2008
New Revision: 11325

Log:
* Add stable release 2.6.24.7:
  - fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

Added:
   dists/etch/linux-2.6.24/debian/patches/bugfix/all/stable/2.6.24.7.patch
Modified:
   dists/etch/linux-2.6.24/debian/changelog
   dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.2

Modified: dists/etch/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch/linux-2.6.24/debian/changelog	(original)
+++ dists/etch/linux-2.6.24/debian/changelog	Wed May  7 22:11:00 2008
@@ -14,8 +14,10 @@
     - V4L: cx88: enable radio GPIO correctly
     - ISDN: Do not validate ISDN net device address prior to interface-up
     - Fix dnotify/close race (CVE-2008-1375)
+  * Add stable release 2.6.24.7:
+    - fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
 
- -- dann frazier <dannf at debian.org>  Mon, 05 May 2008 23:17:17 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 07 May 2008 15:16:24 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.1) stable; urgency=low
 

Added: dists/etch/linux-2.6.24/debian/patches/bugfix/all/stable/2.6.24.7.patch
==============================================================================
--- (empty file)
+++ dists/etch/linux-2.6.24/debian/patches/bugfix/all/stable/2.6.24.7.patch	Wed May  7 22:11:00 2008
@@ -0,0 +1,81 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Tue, 6 May 2008 17:58:34 +0000 (-0400)
+Subject: fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
+X-Git-Tag: v2.6.24.7~1
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.24.y.git;a=commitdiff_plain;h=0bbbae3bfd732f6c4d6b2a67121d77bf6b1c7f70
+
+fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
+
+commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 upstream.
+
+fcntl_setlk()/close() race prevention has a subtle hole - we need to
+make sure that if we *do* have an fcntl/close race on SMP box, the
+access to descriptor table and inode->i_flock won't get reordered.
+
+As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
+STORE descriptor table entry, LOAD inode->i_flock with not a single
+lock in common on both sides.  We do have BKL around the first STORE,
+but check in locks_remove_posix() is outside of BKL and for a good
+reason - we don't want BKL on common path of close(2).
+
+Solution is to hold ->file_lock around fcheck() in there; that orders
+us wrt removal from descriptor table that preceded locks_remove_posix()
+on close path and we either come first (in which case eviction will be
+handled by the close side) or we'll see the effect of close and do
+eviction ourselves.  Note that even though it's read-only access,
+we do need ->file_lock here - rcu_read_lock() won't be enough to
+order the things.
+
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+---
+
+diff --git a/fs/locks.c b/fs/locks.c
+index 2fd29d9..7127620 100644
+--- a/fs/locks.c
++++ b/fs/locks.c
+@@ -1754,6 +1754,7 @@ int fcntl_setlk(unsigned int fd, struct file *filp, unsigned int cmd,
+ 	struct file_lock *file_lock = locks_alloc_lock();
+ 	struct flock flock;
+ 	struct inode *inode;
++	struct file *f;
+ 	int error;
+ 
+ 	if (file_lock == NULL)
+@@ -1826,7 +1827,15 @@ again:
+ 	 * Attempt to detect a close/fcntl race and recover by
+ 	 * releasing the lock that was just acquired.
+ 	 */
+-	if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++	/*
++	 * we need that spin_lock here - it prevents reordering between
++	 * update of inode->i_flock and check for it done in close().
++	 * rcu_read_lock() wouldn't do.
++	 */
++	spin_lock(&current->files->file_lock);
++	f = fcheck(fd);
++	spin_unlock(&current->files->file_lock);
++	if (!error && f != filp && flock.l_type != F_UNLCK) {
+ 		flock.l_type = F_UNLCK;
+ 		goto again;
+ 	}
+@@ -1882,6 +1891,7 @@ int fcntl_setlk64(unsigned int fd, struct file *filp, unsigned int cmd,
+ 	struct file_lock *file_lock = locks_alloc_lock();
+ 	struct flock64 flock;
+ 	struct inode *inode;
++	struct file *f;
+ 	int error;
+ 
+ 	if (file_lock == NULL)
+@@ -1954,7 +1964,10 @@ again:
+ 	 * Attempt to detect a close/fcntl race and recover by
+ 	 * releasing the lock that was just acquired.
+ 	 */
+-	if (!error && fcheck(fd) != filp && flock.l_type != F_UNLCK) {
++	spin_lock(&current->files->file_lock);
++	f = fcheck(fd);
++	spin_unlock(&current->files->file_lock);
++	if (!error && f != filp && flock.l_type != F_UNLCK) {
+ 		flock.l_type = F_UNLCK;
+ 		goto again;
+ 	}
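Review bot: The fcntl_setlk64 hunk takes `spin_lock(&current->files->file_lock)` around `fcheck(fd)` without the comment that the fcntl_setlk hunk adds, so a reader of the 64-bit path alone sees a lock taken around a read-only lookup and has no hint that it exists for ordering against close() rather than for protecting the table. Since the spin_lock/fcheck/spin_unlock sequence is identical in both functions and the rationale is the same, the comment should be repeated above the second `spin_lock` rather than left to be found in the sibling function: `/* file_lock orders this fcheck() against the descriptor-table update in close(); rcu_read_lock() would not — see fcntl_setlk() */`. Both fcntl_setlk and fcntl_setlk64 begin and end outside these hunks, so it cannot be verified here whether a later refactor shares the check between them, which would be the cleaner way to keep the two in step.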

Modified: dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.2
==============================================================================
--- dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.2	(original)
+++ dists/etch/linux-2.6.24/debian/patches/series/6~etchnhalf.2	Wed May  7 22:11:00 2008
@@ -5,3 +5,4 @@
 + features/ich10-lpc,smbus-pci-ids.patch
 + features/ich10-raid-mode-sata-controller-ids.patch
 + bugfix/all/stable/2.6.24.6.patch
++ bugfix/all/stable/2.6.24.7.patch


