[kernel] r12283 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series
Dann Frazier
dannf at alioth.debian.org
Fri Oct 3 23:21:40 UTC 2008
Author: dannf
Date: Fri Oct 3 23:21:39 2008
New Revision: 12283
Log:
bugfix/splice-fix-bad-unlock_page-in-error-case.patch
Don't attempt to unlock a page if add_to_page_cache_lru fails
See CVE-2008-4302
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/splice-fix-bad-unlock_page-in-error-case.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/22etch3
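The error-path bug named in the log, reduced to a stand-alone user-space model. This is an added example, not code from the kernel or from the Debian package: `struct page`, its lock bit and its reference count are simulated, `add_to_page_cache_lru()` takes an injected-failure flag instead of a mapping and gfp mask, and `bug()` counts a BUG() condition instead of halting. It contrasts the pre-patch single `out:` label with the post-patch `out_release:` label and also exercises a failure that happens after the page is locked, which must still go through `out:`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulated struct page: only the two pieces of state the bug involves. */
struct page {
    int  refcount;   /* references held (allocator's plus page cache's) */
    bool locked;     /* stands in for the PG_locked flag */
};

static int bug_hits;  /* BUG() conditions reached, counted instead of halting */

static void bug(const char *why)
{
    fprintf(stderr, "BUG: %s\n", why);
    bug_hits++;
}

static void lock_page(struct page *p) { p->locked = true; }

/* Like the kernel's unlock_page(), which BUG()s on a page that is not locked. */
static void unlock_page(struct page *p)
{
    if (!p->locked) { bug("unlock_page() on an unlocked page"); return; }
    p->locked = false;
}

static void page_cache_release(struct page *p)
{
    if (p->refcount <= 0) { bug("page_cache_release() with no reference"); return; }
    p->refcount--;
}

/* Hypothetical allocator: caller gets one reference to an unlocked page. */
static struct page *page_cache_alloc(struct page *storage)
{
    storage->refcount = 1;
    storage->locked = false;
    return storage;
}

/* Simulated add_to_page_cache_lru(): on success the page is locked and the
 * page cache takes a reference; on failure the page is left untouched, so
 * in particular it is NOT locked. 'fail' is the model's injected error. */
static int add_to_page_cache_lru(struct page *p, bool fail)
{
    if (fail) return -ENOMEM;
    lock_page(p);
    p->refcount++;
    return 0;
}

/* Before the fix: every error takes the one label that releases and unlocks. */
static int fill_page_before(struct page *st, bool fail_add, bool fail_read)
{
    struct page *page = page_cache_alloc(st);
    int ret = add_to_page_cache_lru(page, fail_add);
    if (ret) goto out;                       /* page is not locked here */
    if (fail_read) { ret = -EIO; goto out; } /* simulated readpage failure */
out:
    page_cache_release(page);
    unlock_page(page);                       /* BUG() after the add failure */
    return ret;
}

/* After the fix: a second label that only drops the reference. */
static int fill_page_after(struct page *st, bool fail_add, bool fail_read)
{
    struct page *page = page_cache_alloc(st);
    int ret = add_to_page_cache_lru(page, fail_add);
    if (ret) goto out_release;               /* skip the unlock */
    if (fail_read) { ret = -EIO; goto out; } /* locked: must unlock */
out:
    unlock_page(page);
out_release:
    page_cache_release(page);
    return ret;
}

static struct page model_page;

/* Run one path; returns the number of BUG() conditions it reached. */
static int exercise(bool fixed, bool fail_add, bool fail_read)
{
    bug_hits = 0;
    if (fixed) fill_page_after(&model_page, fail_add, fail_read);
    else       fill_page_before(&model_page, fail_add, fail_read);
    return bug_hits;
}
static int  final_refcount(void) { return model_page.refcount; }
static bool final_locked(void)   { return model_page.locked; }

int main(void)
{
    printf("before fix, add fails: %d BUG condition(s)\n", exercise(false, true, false));
    printf("after fix,  add fails: %d BUG condition(s), refcount %d\n",
           exercise(true, true, false), final_refcount());
    return 0;
}
```

On the success and read-failure paths the page stays in the cache with the cache's reference (refcount 1) and ends unlocked; on the add failure the fixed path drops the only reference without touching the lock. The model also mirrors the patch's reordering at `out:`, where unlock_page() now runs before page_cache_release().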
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog (original)
+++ dists/etch-security/linux-2.6/debian/changelog Fri Oct 3 23:21:39 2008
@@ -12,8 +12,11 @@
* bugfix/open-allows-sgid-in-sgid-directory.patch
Prevent open() creating file with wrong permissions
See CVE-2008-4210
+ * bugfix/splice-fix-bad-unlock_page-in-error-case.patch
+ Don't attempt to unlock a page if add_to_page_cache_lru fails
+ See CVE-2008-4302
- -- dann frazier <dannf at debian.org> Fri, 27 Sep 2008 11:03:22 -0600
+ -- dann frazier <dannf at debian.org> Fri, 03 Oct 2008 16:51:58 -0600
linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
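Review bot: the new changelog entry names CVE-2008-4302 but says nothing about impact, unlike the way it reads to a user scanning stable-security changelogs; the commit message in the added patch states the effect (a BUG() in unlock_page(), i.e. a local kernel crash reachable through splice), so a few words such as "local denial of service (BUG in unlock_page)" after the "See CVE-2008-4302" line would let users triage the upgrade.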
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/splice-fix-bad-unlock_page-in-error-case.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/splice-fix-bad-unlock_page-in-error-case.patch Fri Oct 3 23:21:39 2008
@@ -0,0 +1,41 @@
+commit 6a860c979b35469e4d77da781a96bdb2ca05ae64
+Author: Jens Axboe <jens.axboe at oracle.com>
+Date: Fri Jul 20 15:18:12 2007 +0200
+
+ splice: fix bad unlock_page() in error case
+
+ If add_to_page_cache_lru() fails, the page will not be locked. But
+ splice jumps to an error path that does a page release and unlock,
+ causing a BUG() in unlock_page().
+
+ Fix this by adding one more label that just releases the page. This bug
+ was actually triggered on EL5 by gurudas pai <gurudas.pai at oracle.com>
+ using fio.
+
+ Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+--- linux-source-2.6.18/fs/splice.c.orig 2008-06-16 16:25:21.000000000 -0600
++++ linux-source-2.6.18/fs/splice.c 2008-10-02 18:23:16.000000000 -0600
+@@ -615,7 +615,7 @@
+ ret = add_to_page_cache_lru(page, mapping, index,
+ gfp_mask);
+ if (unlikely(ret))
+- goto out;
++ goto out_release;
+ }
+
+ /*
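Review bot: the `goto out_release` on the add_to_page_cache_lru() failure is correct only because of an invariant that the hunk leaves implicit: at that point the page is unlocked and the caller holds exactly the allocation's reference, so dropping the reference without an unlock is the right cleanup. A one-line comment at the goto (for example "page is not locked on this path") would keep a later edit from routing this back to out:, which is exactly the mistake being fixed.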
+@@ -696,8 +696,9 @@
+ goto find_page;
+ }
+ out:
+- page_cache_release(page);
+ unlock_page(page);
++out_release:
++ page_cache_release(page);
+ out_ret:
+ return ret;
+ }
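Review bot: besides adding out_release:, this hunk silently swaps the order at out: so that unlock_page() now runs before page_cache_release(), whereas the pre-patch code released first and unlocked second. The new order is the safer one, since unlocking after dropping what may be the last reference touches a page that could already be gone, but it is a second behavioural change and deserves a sentence in the "Backported to Debian's 2.6.18" note at the top of the file so the reason is recorded with the backport. The new label also has no blank line or comment separating it from out:; a short comment such as "/* page not locked: only drop the reference */" above out_release: would make the two exits self-documenting.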
Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3 (original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3 Fri Oct 3 23:21:39 2008
@@ -3,3 +3,4 @@
+ bugfix/wan-sbni_ioctl-cap-checks.patch
+ bugfix/lockless-helpers-for-remove_suid.patch
+ bugfix/open-allows-sgid-in-sgid-directory.patch
++ bugfix/splice-fix-bad-unlock_page-in-error-case.patch