[kernel] r12283 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Oct 3 23:21:40 UTC 2008


Author: dannf
Date: Fri Oct  3 23:21:39 2008
New Revision: 12283

Log:
bugfix/splice-fix-bad-unlock_page-in-error-case.patch
Don't attempt to unlock a page if add_to_page_cache_lru fails
See CVE-2008-4302

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/splice-fix-bad-unlock_page-in-error-case.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/22etch3

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Fri Oct  3 23:21:39 2008
@@ -12,8 +12,11 @@
   * bugfix/open-allows-sgid-in-sgid-directory.patch
     Prevent open() creating file with wrong permissions
     See CVE-2008-4210
+  * bugfix/splice-fix-bad-unlock_page-in-error-case.patch
+    Don't attempt to unlock a page if add_to_page_cache_lru fails
+    See CVE-2008-4302
 
- -- dann frazier <dannf at debian.org>  Fri, 27 Sep 2008 11:03:22 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 03 Oct 2008 16:51:58 -0600
 
 linux-2.6 (2.6.18.dfsg.1-22etch2) stable-security; urgency=high
 
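Review bot: For traceability it would help if the changelog entry named the upstream commit being backported (6a860c979b35469e4d77da781a96bdb2ca05ae64, as recorded in the patch header) alongside the CVE, since the patch file name alone does not tie the Debian entry to the upstream fix. The entry itself reads consistently with the Log message, and the new trailer date (Fri, 03 Oct 2008 16:51:58 -0600) matches the commit date, so nothing else to change here.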

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/splice-fix-bad-unlock_page-in-error-case.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/splice-fix-bad-unlock_page-in-error-case.patch	Fri Oct  3 23:21:39 2008
@@ -0,0 +1,41 @@
+commit 6a860c979b35469e4d77da781a96bdb2ca05ae64
+Author: Jens Axboe <jens.axboe at oracle.com>
+Date:   Fri Jul 20 15:18:12 2007 +0200
+
+    splice: fix bad unlock_page() in error case
+    
+    If add_to_page_cache_lru() fails, the page will not be locked. But
+    splice jumps to an error path that does a page release and unlock,
+    causing a BUG() in unlock_page().
+    
+    Fix this by adding one more label that just releases the page. This bug
+    was actually triggered on EL5 by gurudas pai <gurudas.pai at oracle.com>
+    using fio.
+    
+    Signed-off-by: Jens Axboe <jens.axboe at oracle.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at hp.com>
+
+--- linux-source-2.6.18/fs/splice.c.orig	2008-06-16 16:25:21.000000000 -0600
++++ linux-source-2.6.18/fs/splice.c	2008-10-02 18:23:16.000000000 -0600
+@@ -615,7 +615,7 @@
+ 			ret = add_to_page_cache_lru(page, mapping, index,
+ 						    gfp_mask);
+ 			if (unlikely(ret))
+-				goto out;
++				goto out_release;
+ 		}
+ 
+ 		/*
+@@ -696,8 +696,9 @@
+ 		goto find_page;
+ 	}
+ out:
+-	page_cache_release(page);
+ 	unlock_page(page);
++out_release:
++	page_cache_release(page);
+ out_ret:
+ 	return ret;
+ }
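Review bot: The second hunk fixes two things at once and the description only mentions one of them, so it is worth spelling out in the backport note. Besides routing the add_to_page_cache_lru() failure to the new out_release label (so a page that was never locked is no longer passed to unlock_page(), which would BUG()), it also swaps the order of the two calls at out: from "page_cache_release(page); unlock_page(page);" to unlock first, then release by falling through into out_release. That reorder is needed in its own right: releasing the page before unlocking it means unlock_page() could run on a page whose last reference was just dropped. One check before merging the backport: the hunk only rewrites the single "goto out" at line 618 of the 2.6.18 fs/splice.c, so any other jump to out: that is outside the shown context must still be confirmed to hold the page lock, as those sites are not visible in this diff.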

Modified: dists/etch-security/linux-2.6/debian/patches/series/22etch3
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/22etch3	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/22etch3	Fri Oct  3 23:21:39 2008
@@ -3,3 +3,4 @@
 + bugfix/wan-sbni_ioctl-cap-checks.patch
 + bugfix/lockless-helpers-for-remove_suid.patch
 + bugfix/open-allows-sgid-in-sgid-directory.patch
++ bugfix/splice-fix-bad-unlock_page-in-error-case.patch
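Review bot: The series entry uses the same relative path as the file added under patches/bugfix/ and is appended after open-allows-sgid-in-sgid-directory.patch, matching the order of the changelog entries, so patch application order is consistent with what the changelog documents. No change needed.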
