[kernel] r13443 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Apr 19 00:44:07 UTC 2009
Author: dannf
Date: Sun Apr 19 00:44:06 2009
New Revision: 13443
Log:
* NFS: fix an oops in encode_lookup()
- bugfix/all/nfs-fix-oops-in-encode_lookup.patch
See CVE-2009-1336
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/24etch1
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog Sat Apr 18 21:14:52 2009 (r13442)
+++ dists/etch-security/linux-2.6/debian/changelog Sun Apr 19 00:44:06 2009 (r13443)
@@ -47,6 +47,9 @@
* af_rose/x25: Sanity check the maximum user frame size
- bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
See CVE-2009-1265
+ * NFS: fix an oops in encode_lookup()
+ - bugfix/all/nfs-fix-oops-in-encode_lookup.patch
+ See CVE-2009-1336
-- dann frazier <dannf at debian.org> Tue, 24 Feb 2009 23:49:22 -0700
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch Sun Apr 19 00:44:06 2009 (r13443)
@@ -0,0 +1,56 @@
+commit 54af3bb543c071769141387a42deaaab5074da55
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Fri Sep 28 12:27:41 2007 -0400
+
+ NFS: Fix an Oops in encode_lookup()
+
+ It doesn't look as if the NFS file name limit is being initialised correctly
+ in the struct nfs_server. Make sure that we limit whatever is being set in
+ nfs_probe_fsinfo() and nfs_init_server().
+
+ Also ensure that readdirplus and nfs4_path_walk respect our file name
+ limits.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+Based upon the RHEL4 backport by Sachin Prabhu
+
+diff -urpN linux-source-2.6.18.orig/fs/nfs/dir.c linux-source-2.6.18/fs/nfs/dir.c
+--- linux-source-2.6.18.orig/fs/nfs/dir.c 2008-12-25 14:04:12.000000000 -0700
++++ linux-source-2.6.18/fs/nfs/dir.c 2009-04-18 15:49:55.000000000 -0600
+@@ -1113,6 +1113,8 @@ static struct dentry *nfs_readdir_lookup
+ return dentry;
+ if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR))
+ return NULL;
++ if (name.len > NFS_SERVER(dir)->namelen)
++ return NULL;
+ /* Note: caller is already holding the dir->i_mutex! */
+ dentry = d_alloc(parent, &name);
+ if (dentry == NULL)
+diff -urpN linux-source-2.6.18.orig/fs/nfs/nfs4proc.c linux-source-2.6.18/fs/nfs/nfs4proc.c
+--- linux-source-2.6.18.orig/fs/nfs/nfs4proc.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/nfs4proc.c 2009-04-18 15:53:22.000000000 -0600
+@@ -1437,6 +1437,8 @@ static int nfs4_proc_get_root(struct nfs
+ while (*p && (*p != '/'))
+ p++;
+ q.len = p - q.name;
++ if (q.len > NFS4_MAXNAMLEN)
++ return -ENAMETOOLONG;
+
+ do {
+ nfs_fattr_init(fattr);
+diff -urpN linux-source-2.6.18.orig/fs/nfs/super.c linux-source-2.6.18/fs/nfs/super.c
+--- linux-source-2.6.18.orig/fs/nfs/super.c 2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/super.c 2009-04-18 15:52:24.000000000 -0600
+@@ -1254,6 +1254,9 @@ static int nfs4_fill_super(struct super_
+ goto out_fail;
+ }
+
++ if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
++ server->namelen = NFS4_MAXNAMELEN;
++
+ sb->s_time_gran = 1;
+
+ sb->s_op = &nfs4_sops;
Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch1 Sat Apr 18 21:14:52 2009 (r13442)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch1 Sun Apr 19 00:44:06 2009 (r13443)
@@ -75,3 +75,4 @@
+ bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
+ bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
+ bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
++ bugfix/all/nfs-fix-oops-in-encode_lookup.patch
More information about the Kernel-svn-changes
mailing list