[kernel] r12380 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Nov 13 01:44:07 UTC 2008
Author: dannf
Date: Thu Nov 13 01:44:06 2008
New Revision: 12380
Log:
* Fix buffer overflow in hfsplus
- bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
See CVE-2008-4933
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/23etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Thu Nov 13 01:44:06 2008
@@ -21,8 +21,11 @@
* Fix oops in SCTP
- bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
See CVE-2008-4576
+ * Fix buffer overflow in hfsplus
+ - bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
+ See CVE-2008-4933
- -- dann frazier <dannf at debian.org> Mon, 10 Nov 2008 16:42:11 -0700
+ -- dann frazier <dannf at debian.org> Wed, 12 Nov 2008 18:39:57 -0700
linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch Thu Nov 13 01:44:06 2008
@@ -0,0 +1,120 @@
+commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40
+Author: Eric Sesterhenn <snakebyte at gmx.de>
+Date: Wed Oct 15 22:04:08 2008 -0700
+
+ hfsplus: fix Buffer overflow with a corrupted image
+
+ When an hfsplus image gets corrupted it might happen that the catalog
+ namelength field gets b0rked. If we mount such an image the memcpy() in
+ hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
+ field. Depending on the size of the overwritten data, we either only get
+ memory corruption or also trigger an oops like this:
+
+ [ 221.628020] BUG: unable to handle kernel paging request at c82b0000
+ [ 221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
+ [ 221.629066] *pde = 0ea29163 *pte = 082b0160
+ [ 221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
+ [ 221.629066] Modules linked in:
+ [ 221.629066]
+ [ 221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
+ [ 221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
+ [ 221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
+ [ 221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
+ [ 221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
+ [ 221.629066] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
+ [ 221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
+ [ 221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
+ [ 221.629066] 01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
+ [ 221.629066] 00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
+ [ 221.629066] Call Trace:
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
+ [ 221.629066] [<c01302d2>] ? __kernel_text_address+0x1b/0x27
+ [ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6
+ [ 221.629066] [<c0109e32>] ? save_stack_address+0x0/0x2c
+ [ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
+ [ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d
+ [ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d
+ [ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
+ [ 221.629066] [<c013553d>] ? down+0xc/0x2f
+ [ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
+ [ 221.629066] [<c013da5d>] ? mark_held_locks+0x43/0x5a
+ [ 221.629066] [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
+ [ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
+ [ 221.629066] [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
+ [ 221.629066] [<c013555c>] ? down+0x2b/0x2f
+ [ 221.629066] [<c022aa68>] ? hfsplus_iget+0xa0/0x154
+ [ 221.629066] [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
+ [ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
+ [ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+ [ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+ [ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
+ [ 221.629066] [<c041c9e4>] ? string+0x2b/0x74
+ [ 221.629066] [<c041cd16>] ? vsnprintf+0x2e9/0x512
+ [ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6
+ [ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
+ [ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
+ [ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d
+ [ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d
+ [ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
+ [ 221.629066] [<c01354d3>] ? up+0xc/0x2f
+ [ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
+ [ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+ [ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
+ [ 221.629066] [<c041cfb7>] ? snprintf+0x1b/0x1d
+ [ 221.629066] [<c01ba466>] ? disk_name+0x25/0x67
+ [ 221.629066] [<c0183960>] ? get_sb_bdev+0xcd/0x10b
+ [ 221.629066] [<c016ad92>] ? kstrdup+0x2a/0x4c
+ [ 221.629066] [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
+ [ 221.629066] [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
+ [ 221.629066] [<c0183583>] ? vfs_kern_mount+0x3b/0x76
+ [ 221.629066] [<c0183602>] ? do_kern_mount+0x32/0xba
+ [ 221.629066] [<c01960d4>] ? do_new_mount+0x46/0x74
+ [ 221.629066] [<c0196277>] ? do_mount+0x175/0x193
+ [ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
+ [ 221.629066] [<c01663b2>] ? __get_free_pages+0x1e/0x24
+ [ 221.629066] [<c06ac07b>] ? lock_kernel+0x19/0x8c
+ [ 221.629066] [<c01962e6>] ? sys_mount+0x51/0x9b
+ [ 221.629066] [<c01962f9>] ? sys_mount+0x64/0x9b
+ [ 221.629066] [<c01038bd>] ? sysenter_do_call+0x12/0x31
+ [ 221.629066] =======================
+ [ 221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
+ [ 221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
+ [ 221.629066] ---[ end trace e417a1d67f0d0066 ]---
+
+ Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
+ the check is performed at the callsite.
+
+ Signed-off-by: Eric Sesterhenn <snakebyte at gmx.de>
+ Reviewed-by: Pekka Enberg <penberg at cs.helsinki.fi>
+ Cc: Roman Zippel <zippel at linux-m68k.org>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.18.orig/fs/hfsplus/catalog.c linux-source-2.6.18/fs/hfsplus/catalog.c
+--- linux-source-2.6.18.orig/fs/hfsplus/catalog.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/hfsplus/catalog.c 2008-11-12 18:36:13.000000000 -0700
+@@ -169,6 +169,11 @@ int hfsplus_find_cat(struct super_block
+ return -EIO;
+ }
+
++ if (be16_to_cpu(tmp.thread.nodeName.length) > 255) {
++ printk(KERN_ERR "hfs: catalog name length corrupted\n");
++ return -EIO;
++ }
++
+ hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID),
+ &tmp.thread.nodeName);
+ return hfs_brec_find(fd);
Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1 Thu Nov 13 01:44:06 2008
@@ -5,3 +5,4 @@
+ bugfix/ext2-avoid-corrupted-directory-printk-floods.patch
+ bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
+ bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
++ bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
More information about the Kernel-svn-changes
mailing list