[kernel] r12186 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Fri Sep 5 17:14:23 UTC 2008


Author: dannf
Date: Fri Sep  5 17:14:19 2008
New Revision: 12186

Log:
Fix off-by-one error in iov_iter_advance() (CVE-2008-3535)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/iov_iter_advance-off-by-one.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	(original)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Fri Sep  5 17:14:19 2008
@@ -9,8 +9,9 @@
   * Fix potential memory leak in lookup path (CVE-2008-3275)
   * Fix overflow condition in sctp_setsockopt_auth_key (CVE-2008-3526)
   * Fix kernel BUG in tmpfs (CVE-2008-3534)
+  * Fix off-by-one error in iov_iter_advance() (CVE-2008-3535)
 
- -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 10:52:43 -0600
+ -- dann frazier <dannf at debian.org>  Fri, 05 Sep 2008 11:11:02 -0600
 
 linux-2.6.24 (2.6.24-6~etchnhalf.4) stable; urgency=low
 
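
Review bot: The new changelog entry, the `+` line under the tmpfs item, records the CVE but not that the fix is a backport. The patch header added in this same revision says it was "Adjusted to apply to Debian's 2.6.24", so consider naming upstream commit 94ad374a0751f40d25e22e036c37f7263569d24c in the entry. Someone auditing CVE-2008-3535 from the changelog alone could then tell that the Debian hunk may differ from the upstream one.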

Added: dists/etch-security/linux-2.6.24/debian/patches/bugfix/iov_iter_advance-off-by-one.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/iov_iter_advance-off-by-one.patch	Fri Sep  5 17:14:19 2008
@@ -0,0 +1,37 @@
+commit 94ad374a0751f40d25e22e036c37f7263569d24c
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Wed Jul 30 14:45:12 2008 -0700
+
+    Fix off-by-one error in iov_iter_advance()
+    
+    The iov_iter_advance() function would look at the iov->iov_len entry
+    even though it might have iterated over the whole array, and iov was
+    pointing past the end.  This would cause DEBUG_PAGEALLOC to trigger a
+    kernel page fault if the allocation was at the end of a page, and the
+    next page was unallocated.
+    
+    The quick fix is to just change the order of the tests: check that there
+    is any iovec data left before we check the iov entry itself.
+    
+    Thanks to Alexey Dobriyan for finding this case, and testing the fix.
+    
+    Reported-and-tested-by: Alexey Dobriyan <adobriyan at gmail.com>
+    Cc: Nick Piggin <npiggin at suse.de>
+    Cc: Andrew Morton <akpm at linux-foundation.org>
+    Cc: <stable at kernel.org> [2.6.25.x, 2.6.26.x]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Adjusted to apply to Debian's 2.6.24 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.24.orig/mm/filemap.c linux-source-2.6.24/mm/filemap.c
+--- linux-source-2.6.24.orig/mm/filemap.c	2008-05-07 16:34:46.000000000 -0600
++++ linux-source-2.6.24/mm/filemap.c	2008-09-05 11:07:57.000000000 -0600
+@@ -1740,7 +1740,7 @@ void iov_iter_advance(struct iov_iter *i
+ 		 * The !iov->iov_len check ensures we skip over unlikely
+ 		 * zero-length segments (without overruning the iovec).
+ 		 */
+-		while (bytes || unlikely(!iov->iov_len && i->count)) {
++		while (bytes || unlikely(i->count && !iov->iov_len)) {
+ 			int copy;
+ 
+ 			copy = min(bytes, iov->iov_len - base);
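
Review bot: In the mm/filemap.c hunk, the reordered test protects only the second arm of the loop condition. Whenever `bytes` is non-zero, the loop body still evaluates `copy = min(bytes, iov->iov_len - base)` without looking at `i->count`, so staying inside the iovec array depends on `bytes` being bounded by `i->count` somewhere outside these lines. Since this is an adjusted backport, please confirm that the 2.6.24 function establishes that bound before the loop. The existing comment also still describes only the `!iov->iov_len` check. A sentence saying that `i->count` has to be tested first, because `iov` may already point one past the last segment, would keep the ordering from being undone in a later cleanup.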

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	(original)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.5	Fri Sep  5 17:14:19 2008
@@ -6,3 +6,4 @@
 + bugfix/vfs-fix-lookup-on-deleted-directory.patch
 + bugfix/sctp-auth-key-length-check.patch
 + bugfix/tmpfs-fix-kernel-bug-in-shmem_delete_inode.patch
++ bugfix/iov_iter_advance-off-by-one.patch


