[kernel] r12378 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Nov 10 22:44:22 UTC 2008
Author: dannf
Date: Mon Nov 10 22:44:21 2008
New Revision: 12378
Log:
* Avoid printk floods when reading corrupted ext[2,3] directories
- bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
- bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
See CVE-2008-3528
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
dists/etch-security/linux-2.6/debian/patches/bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/23etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Mon Nov 10 22:44:21 2008
@@ -1,4 +1,4 @@
-linux-2.6 (2.6.18.dfsg.1-23etch1) stable-security; urgency=high
+linux-2.6 (2.6.18.dfsg.1-23etch1) UNRELEASED; urgency=high
* Fix missing boundary checks in syscall/syscall32_nopage():
- bugfix/add-install_special_mapping.patch
@@ -14,8 +14,12 @@
* Don't allow splicing to files opened with O_APPEND:
- bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
See CVE-2008-4554
+ * Avoid printk floods when reading corrupted ext[2,3] directories
+ - bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
+ - bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
+ See CVE-2008-3528
- -- dann frazier <dannf at debian.org> Wed, 05 Nov 2008 00:05:08 -0700
+ -- dann frazier <dannf at debian.org> Mon, 10 Nov 2008 14:31:39 -0700
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/ext2-avoid-corrupted-directory-printk-floods.patch Mon Nov 10 22:44:21 2008
@@ -0,0 +1,177 @@
+commit bd39597cbd42a784105a04010100e27267481c67
+Author: Eric Sandeen <sandeen at redhat.com>
+Date: Wed Oct 15 22:04:02 2008 -0700
+
+ ext2: avoid printk floods in the face of directory corruption
+
+ A very large directory with many read failures (either due to storage
+ problems, or due to invalid size & blocks from corruption) will generate a
+ printk storm as the filesystem continues to try to read all the blocks.
+ This flood of messages can tie up the box until it is complete - which may
+ be a very long time, especially for very large corrupted values.
+
+ This is fixed by only reporting the corruption once each time we try to
+ read the directory.
+
+ [akpm at linux-foundation.org: coding-style fixes]
+ Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+ Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/ext2/dir.c linux-source-2.6.18/fs/ext2/dir.c
+--- linux-source-2.6.18.orig/fs/ext2/dir.c 2008-10-13 09:28:32.000000000 -0600
++++ linux-source-2.6.18/fs/ext2/dir.c 2008-11-10 14:23:54.000000000 -0700
+@@ -75,7 +75,7 @@ static int ext2_commit_chunk(struct page
+ return err;
+ }
+
+-static void ext2_check_page(struct page *page)
++static void ext2_check_page(struct page *page, int quiet)
+ {
+ struct inode *dir = page->mapping->host;
+ struct super_block *sb = dir->i_sb;
+@@ -118,10 +118,10 @@ out:
+ /* Too bad, we had an error */
+
+ Ebadsize:
+- ext2_error(sb, "ext2_check_page",
+- "size of directory #%lu is not a multiple of chunk size",
+- dir->i_ino
+- );
++ if (!quiet)
++ ext2_error(sb, __func__,
++ "size of directory #%lu is not a multiple "
++ "of chunk size", dir->i_ino);
+ goto fail;
+ Eshort:
+ error = "rec_len is smaller than minimal";
+@@ -138,25 +138,29 @@ Espan:
+ Einumber:
+ error = "inode out of bounds";
+ bad_entry:
+- ext2_error (sb, "ext2_check_page", "bad entry in directory #%lu: %s - "
+- "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
+- dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
+- (unsigned long) le32_to_cpu(p->inode),
+- rec_len, p->name_len);
++ if (!quiet)
++ ext2_error(sb, __func__, "bad entry in directory #%lu: : %s - "
++ "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
++ dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
++ (unsigned long) le32_to_cpu(p->inode),
++ rec_len, p->name_len);
+ goto fail;
+ Eend:
+- p = (ext2_dirent *)(kaddr + offs);
+- ext2_error (sb, "ext2_check_page",
+- "entry in directory #%lu spans the page boundary"
+- "offset=%lu, inode=%lu",
+- dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
+- (unsigned long) le32_to_cpu(p->inode));
++ if (!quiet) {
++ p = (ext2_dirent *)(kaddr + offs);
++ ext2_error(sb, "ext2_check_page",
++ "entry in directory #%lu spans the page boundary"
++ "offset=%lu, inode=%lu",
++ dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
++ (unsigned long) le32_to_cpu(p->inode));
++ }
+ fail:
+ SetPageChecked(page);
+ SetPageError(page);
+ }
+
+-static struct page * ext2_get_page(struct inode *dir, unsigned long n)
++static struct page * ext2_get_page(struct inode *dir, unsigned long n,
++ int quiet)
+ {
+ struct address_space *mapping = dir->i_mapping;
+ struct page *page = read_mapping_page(mapping, n, NULL);
+@@ -166,7 +170,7 @@ static struct page * ext2_get_page(struc
+ if (!PageUptodate(page))
+ goto fail;
+ if (!PageChecked(page))
+- ext2_check_page(page);
++ ext2_check_page(page, quiet);
+ if (PageError(page))
+ goto fail;
+ }
+@@ -266,7 +270,7 @@ ext2_readdir (struct file * filp, void *
+ for ( ; n < npages; n++, offset = 0) {
+ char *kaddr, *limit;
+ ext2_dirent *de;
+- struct page *page = ext2_get_page(inode, n);
++ struct page *page = ext2_get_page(inode, n, 0);
+
+ if (IS_ERR(page)) {
+ ext2_error(sb, __FUNCTION__,
+@@ -335,6 +339,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
+ struct page *page = NULL;
+ struct ext2_inode_info *ei = EXT2_I(dir);
+ ext2_dirent * de;
++ int dir_has_error = 0;
+
+ if (npages == 0)
+ goto out;
+@@ -348,7 +353,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
+ n = start;
+ do {
+ char *kaddr;
+- page = ext2_get_page(dir, n);
++ page = ext2_get_page(dir, n, dir_has_error);
+ if (!IS_ERR(page)) {
+ kaddr = page_address(page);
+ de = (ext2_dirent *) kaddr;
+@@ -365,7 +370,9 @@ struct ext2_dir_entry_2 * ext2_find_entr
+ de = ext2_next_entry(de);
+ }
+ ext2_put_page(page);
+- }
++ } else
++ dir_has_error = 1;
++
+ if (++n >= npages)
+ n = 0;
+ /* next page is past the blocks we've got */
+@@ -388,7 +395,7 @@ found:
+
+ struct ext2_dir_entry_2 * ext2_dotdot (struct inode *dir, struct page **p)
+ {
+- struct page *page = ext2_get_page(dir, 0);
++ struct page *page = ext2_get_page(dir, 0, 0);
+ ext2_dirent *de = NULL;
+
+ if (!IS_ERR(page)) {
+@@ -459,7 +466,7 @@ int ext2_add_link (struct dentry *dentry
+ for (n = 0; n <= npages; n++) {
+ char *dir_end;
+
+- page = ext2_get_page(dir, n);
++ page = ext2_get_page(dir, n, 0);
+ err = PTR_ERR(page);
+ if (IS_ERR(page))
+ goto out;
+@@ -620,14 +627,17 @@ int ext2_empty_dir (struct inode * inode
+ {
+ struct page *page = NULL;
+ unsigned long i, npages = dir_pages(inode);
++ int dir_has_error = 0;
+
+ for (i = 0; i < npages; i++) {
+ char *kaddr;
+ ext2_dirent * de;
+- page = ext2_get_page(inode, i);
++ page = ext2_get_page(inode, i, dir_has_error);
+
+- if (IS_ERR(page))
++ if (IS_ERR(page)) {
++ dir_has_error = 1;
+ continue;
++ }
+
+ kaddr = page_address(page);
+ de = (ext2_dirent *)kaddr;
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/ext3-avoid-corrupted-directory-printk-floods.patch Mon Nov 10 22:44:21 2008
@@ -0,0 +1,50 @@
+commit cdbf6dba28e8e6268c8420857696309470009fd9
+Author: Eric Sandeen <sandeen at redhat.com>
+Date: Sat Oct 18 20:28:00 2008 -0700
+
+ ext3: avoid printk floods in the face of directory corruption
+
+ A very large directory with many read failures (either due to storage
+ problems, or due to invalid size & blocks from corruption) will generate a
+ printk storm as the filesystem continues to try to read all the blocks.
+ This flood of messages can tie up the box until it is complete - which may
+ be a very long time, especially for very large corrupted values.
+
+ This is fixed by only reporting the corruption once each time we try to
+ read the directory.
+
+ Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+ Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+diff -urpN linux-source-2.6.18.orig/fs/ext3/dir.c linux-source-2.6.18/fs/ext3/dir.c
+--- linux-source-2.6.18.orig/fs/ext3/dir.c 2008-10-13 09:28:32.000000000 -0600
++++ linux-source-2.6.18/fs/ext3/dir.c 2008-11-10 14:27:24.000000000 -0700
+@@ -102,6 +102,7 @@ static int ext3_readdir(struct file * fi
+ int err;
+ struct inode *inode = filp->f_dentry->d_inode;
+ int ret = 0;
++ int dir_has_error = 0;
+
+ sb = inode->i_sb;
+
+@@ -148,9 +149,12 @@ static int ext3_readdir(struct file * fi
+ * of recovering data when there's a bad sector
+ */
+ if (!bh) {
+- ext3_error (sb, "ext3_readdir",
+- "directory #%lu contains a hole at offset %lu",
+- inode->i_ino, (unsigned long)filp->f_pos);
++ if (!dir_has_error) {
++ ext3_error(sb, __func__, "directory #%lu "
++ "contains a hole at offset %lld",
++ inode->i_ino, filp->f_pos);
++ dir_has_error = 1;
++ }
+ /* corrupt size? Maybe no more blocks to read */
+ if (filp->f_pos > inode->i_blocks << 9)
+ break;
Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1 Mon Nov 10 22:44:21 2008
@@ -2,3 +2,5 @@
+ bugfix/i386-vdso-use_install_special_mapping.patch
+ bugfix/x86_64-ia32-vDSO-use-install_special_mapping.patch
+ bugfix/dont-allow-splice-to-files-opened-with-O_APPEND.patch
++ bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
++ bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
More information about the Kernel-svn-changes
mailing list