[kernel] r12381 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Thu Nov 13 01:50:56 UTC 2008 

Author: dannf
Date: Thu Nov 13 01:50:55 2008
New Revision: 12381

Log:
* Fix BUG() in hfsplus
   - bugfix/hfsplus-check_read_mapping_page-return-value.patch
  See CVE-2008-4934

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/hfsplus-check_read_mapping_page-return-value.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/23etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Thu Nov 13 01:50:55 2008
@@ -24,8 +24,11 @@
   * Fix buffer overflow in hfsplus
      - bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
     See CVE-2008-4933
+  * Fix BUG() in hfsplus
+     - bugfix/hfsplus-check_read_mapping_page-return-value.patch
+    See CVE-2008-4934
 
- -- dann frazier <dannf at debian.org>  Wed, 12 Nov 2008 18:39:57 -0700
+ -- dann frazier <dannf at debian.org>  Wed, 12 Nov 2008 18:43:35 -0700
 
 linux-2.6 (2.6.18.dfsg.1-23) stable; urgency=high
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/hfsplus-check_read_mapping_page-return-value.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/hfsplus-check_read_mapping_page-return-value.patch	Thu Nov 13 01:50:55 2008
@@ -0,0 +1,102 @@
+commit 649f1ee6c705aab644035a7998d7b574193a598a
+Author: Eric Sesterhenn <snakebyte at gmx.de>
+Date:   Wed Oct 15 22:04:10 2008 -0700
+
+    hfsplus: check read_mapping_page() return value
+    
+    While testing more corrupted images with hfsplus, i came across
+    one which triggered the following bug:
+    
+    [15840.675016] BUG: unable to handle kernel paging request at fffffffb
+    [15840.675016] IP: [<c0116a4f>] kmap+0x15/0x56
+    [15840.675016] *pde = 00008067 *pte = 00000000
+    [15840.675016] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
+    [15840.675016] Modules linked in:
+    [15840.675016]
+    [15840.675016] Pid: 11575, comm: ln Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #29)
+    [15840.675016] EIP: 0060:[<c0116a4f>] EFLAGS: 00010202 CPU: 0
+    [15840.675016] EIP is at kmap+0x15/0x56
+    [15840.675016] EAX: 00000246 EBX: fffffffb ECX: 00000000 EDX: cab919c0
+    [15840.675016] ESI: 000007dd EDI: cab0bcf4 EBP: cab0bc98 ESP: cab0bc94
+    [15840.675016]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
+    [15840.675016] Process ln (pid: 11575, ti=cab0b000 task=cab919c0 task.ti=cab0b000)
+    [15840.675016] Stack: 00000000 cab0bcdc c0231cfb 00000000 cab0bce0 00000800 ca9290c0 fffffffb
+    [15840.675016]        cab145d0 cab919c0 cab15998 22222222 22222222 22222222 00000001 cab15960
+    [15840.675016]        000007dd cab0bcf4 cab0bd04 c022cb3a cab0bcf4 cab15a6c ca9290c0 00000000
+    [15840.675016] Call Trace:
+    [15840.675016]  [<c0231cfb>] ? hfsplus_block_allocate+0x6f/0x2d3
+    [15840.675016]  [<c022cb3a>] ? hfsplus_file_extend+0xc4/0x1db
+    [15840.675016]  [<c022ce41>] ? hfsplus_get_block+0x8c/0x19d
+    [15840.675016]  [<c06adde4>] ? sub_preempt_count+0x9d/0xab
+    [15840.675016]  [<c019ece6>] ? __block_prepare_write+0x147/0x311
+    [15840.675016]  [<c0161934>] ? __grab_cache_page+0x52/0x73
+    [15840.675016]  [<c019ef4f>] ? block_write_begin+0x79/0xd5
+    [15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
+    [15840.675016]  [<c019f22a>] ? cont_write_begin+0x27f/0x2af
+    [15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
+    [15840.675016]  [<c0139ebe>] ? tick_program_event+0x28/0x4c
+    [15840.675016]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
+    [15840.675016]  [<c022b723>] ? hfsplus_write_begin+0x2d/0x32
+    [15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
+    [15840.675016]  [<c0161988>] ? pagecache_write_begin+0x33/0x107
+    [15840.675016]  [<c01879e5>] ? __page_symlink+0x3c/0xae
+    [15840.675016]  [<c019ad34>] ? __mark_inode_dirty+0x12f/0x137
+    [15840.675016]  [<c0187a70>] ? page_symlink+0x19/0x1e
+    [15840.675016]  [<c022e6eb>] ? hfsplus_symlink+0x41/0xa6
+    [15840.675016]  [<c01886a9>] ? vfs_symlink+0x99/0x101
+    [15840.675016]  [<c018a2f6>] ? sys_symlinkat+0x6b/0xad
+    [15840.675016]  [<c018a348>] ? sys_symlink+0x10/0x12
+    [15840.675016]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
+    [15840.675016]  =======================
+    [15840.675016] Code: 00 00 75 10 83 3d 88 2f ec c0 02 75 07 89 d0 e8 12 56 05 00 5d c3 55 ba 06 00 00 00 89 e5 53 89 c3 b8 3d eb 7e c0 e8 16 74 00 00 <8b> 03 c1 e8 1e 69 c0 d8 02 00 00 05 b8 69 8e c0 2b 80 c4 02 00
+    [15840.675016] EIP: [<c0116a4f>] kmap+0x15/0x56 SS:ESP 0068:cab0bc94
+    [15840.675016] ---[ end trace 4fea40dad6b70e5f ]---
+    
+    This happens because the return value of read_mapping_page() is passed on
+    to kmap unchecked.  The bug is triggered after the first
+    read_mapping_page() in hfsplus_block_allocate(), this patch fixes all
+    three usages in this functions but leaves the ones further down in the
+    file unchanged.
+    
+    Signed-off-by: Eric Sesterhenn <snakebyte at gmx.de>
+    Cc: Roman Zippel <zippel at linux-m68k.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/hfsplus/bitmap.c b/fs/hfsplus/bitmap.c
+index d128a25..ea30afc 100644
+--- a/fs/hfsplus/bitmap.c
++++ b/fs/hfsplus/bitmap.c
+@@ -32,6 +32,10 @@ int hfsplus_block_allocate(struct super_block *sb, u32 size, u32 offset, u32 *ma
+ 	mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
+ 	mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
+ 	page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL);
++	if (IS_ERR(page)) {
++		start = size;
++		goto out;
++	}
+ 	pptr = kmap(page);
+ 	curr = pptr + (offset & (PAGE_CACHE_BITS - 1)) / 32;
+ 	i = offset % 32;
+@@ -73,6 +77,10 @@ int hfsplus_block_allocate(struct super_block *sb, u32 size, u32 offset, u32 *ma
+ 			break;
+ 		page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
+ 					 NULL);
++		if (IS_ERR(page)) {
++			start = size;
++			goto out;
++		}
+ 		curr = pptr = kmap(page);
+ 		if ((size ^ offset) / PAGE_CACHE_BITS)
+ 			end = pptr + PAGE_CACHE_BITS / 32;
+@@ -120,6 +128,10 @@ found:
+ 		offset += PAGE_CACHE_BITS;
+ 		page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
+ 					 NULL);
++		if (IS_ERR(page)) {
++			start = size;
++			goto out;
++		}
+ 		pptr = kmap(page);
+ 		curr = pptr;
+ 		end = pptr + PAGE_CACHE_BITS / 32;

Modified: dists/etch-security/linux-2.6/debian/patches/series/23etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/23etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/23etch1	Thu Nov 13 01:50:55 2008
@@ -6,3 +6,4 @@
 + bugfix/ext3-avoid-corrupted-directory-printk-floods.patch
 + bugfix/sctp-fix-oops-when-INIT-ACK-indicates-that-peer-doesnt-support-AUTH.patch
 + bugfix/hfsplus-fix-Buffer-overflow-with-a-corrupted-image.patch
++ bugfix/hfsplus-check_read_mapping_page-return-value.patch

More information about the Kernel-svn-changes mailing list