[kernel] r13342 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 6 04:33:30 UTC 2009


Author: dannf
Date: Mon Apr  6 04:33:28 2009
New Revision: 13342

Log:
ext4: Add sanity check to make_indexed_dir (CVE-2009-0746)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
      - copied unchanged from r13322, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Apr  6 04:15:32 2009	(r13341)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Apr  6 04:33:28 2009	(r13342)
@@ -20,6 +20,7 @@
   * skfp: Fix inverted capabilities check logic (CVE-2009-0675)
   * ext4: initialize the new group descriptor when resizing
     (CVE-2009-0745)
+  * ext4: Add sanity check to make_indexed_dir (CVE-2009-0746)
 
  -- dann frazier <dannf at debian.org>  Tue, 24 Feb 2009 23:25:36 -0700
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch (from r13322, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch	Mon Apr  6 04:33:28 2009	(r13342, copy of r13322, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch)
@@ -0,0 +1,64 @@
+commit e6b8bc09ba2075cd91fbffefcd2778b1a00bd76f
+Author: Theodore Ts'o <tytso at mit.edu>
+Date:   Fri Jan 16 11:13:40 2009 -0500
+
+    ext4: Add sanity check to make_indexed_dir
+    
+    Make sure the rec_len field in the '..' entry is sane, lest we overrun
+    the directory block and cause a kernel oops on a purposefully
+    corrupted filesystem.
+    
+    Thanks to Sami Liedes for reporting this bug.
+    
+    http://bugzilla.kernel.org/show_bug.cgi?id=12430
+    
+    Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+    Cc: stable at kernel.org
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ext4/namei.c linux-source-2.6.26/fs/ext4/namei.c
+--- linux-source-2.6.26.orig/fs/ext4/namei.c	2009-02-07 16:43:11.000000000 -0700
++++ linux-source-2.6.26/fs/ext4/namei.c	2009-03-08 14:40:32.000000000 -0600
+@@ -1379,7 +1379,7 @@ static int make_indexed_dir(handle_t *ha
+ 	struct fake_dirent *fde;
+ 
+ 	blocksize =  dir->i_sb->s_blocksize;
+-	dxtrace(printk("Creating index\n"));
++	dxtrace(printk("Creating index: inode %lu\n", dir->i_ino));
+ 	retval = ext4_journal_get_write_access(handle, bh);
+ 	if (retval) {
+ 		ext4_std_error(dir->i_sb, retval);
+@@ -1388,6 +1388,20 @@ static int make_indexed_dir(handle_t *ha
+ 	}
+ 	root = (struct dx_root *) bh->b_data;
+ 
++	/* The 0th block becomes the root, move the dirents out */
++	fde = &root->dotdot;
++	de = (struct ext4_dir_entry_2 *)((char *)fde +
++		ext4_rec_len_from_disk(fde->rec_len));
++	if ((char *) de >= (((char *) root) + blocksize)) {
++		ext4_error(dir->i_sb, __func__,
++			   "invalid rec_len for '..' in inode %lu",
++			   dir->i_ino);
++		brelse(bh);
++		return -EIO;
++	}
++	len = ((char *) root) + blocksize - (char *) de;
++
++	/* Allocate new block for the 0th block's dirents */
+ 	bh2 = ext4_append (handle, dir, &block, &retval);
+ 	if (!(bh2)) {
+ 		brelse(bh);
+@@ -1396,11 +1410,6 @@ static int make_indexed_dir(handle_t *ha
+ 	EXT4_I(dir)->i_flags |= EXT4_INDEX_FL;
+ 	data1 = bh2->b_data;
+ 
+-	/* The 0th block becomes the root, move the dirents out */
+-	fde = &root->dotdot;
+-	de = (struct ext4_dir_entry_2 *)((char *)fde +
+-		ext4_rec_len_from_disk(fde->rec_len));
+-	len = ((char *) root) + blocksize - (char *) de;
+ 	memcpy (data1, de, len);
+ 	de = (struct ext4_dir_entry_2 *) data1;
+ 	top = data1 + len;
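Review bot: The new guard in make_indexed_dir only rejects a '..' rec_len that places `de` at or beyond the end of the block. A value that leaves `de` inside the last few bytes of the block (less room than one minimal dirent), or one that is misaligned or shorter than the '..' entry itself, still passes and feeds the following `memcpy (data1, de, len)`. Consider tightening the comparison, for example `if ((char *) de + EXT4_DIR_REC_LEN(1) > ((char *) root) + blocksize) {`, and also rejecting a decoded rec_len smaller than the '..' entry. Whether the later entry walk tolerates such a short tail cannot be judged here, because the function body continues outside the hunk. Separately, the patch header says it was backported to Debian's 2.6.26 and it is copied unchanged into the linux-2.6.24 tree, so it is worth confirming that the context lines (notably the `ext4_rec_len_from_disk` call) match 2.6.24's fs/ext4/namei.c.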

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1	Mon Apr  6 04:15:32 2009	(r13341)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch1	Mon Apr  6 04:33:28 2009	(r13342)
@@ -74,3 +74,4 @@
 + bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
 + bugfix/all/skfp-fix-inverted-cap-logic.patch
 + bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
++ bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch


