[kernel] r13443 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Apr 19 00:44:07 UTC 2009


Author: dannf
Date: Sun Apr 19 00:44:06 2009
New Revision: 13443

Log:
* NFS: fix an oops in encode_lookup()
   - bugfix/all/nfs-fix-oops-in-encode_lookup.patch
  See CVE-2009-1336

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/24etch1

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Sat Apr 18 21:14:52 2009	(r13442)
+++ dists/etch-security/linux-2.6/debian/changelog	Sun Apr 19 00:44:06 2009	(r13443)
@@ -47,6 +47,9 @@
   * af_rose/x25: Sanity check the maximum user frame size
      - bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
     See CVE-2009-1265
+  * NFS: fix an oops in encode_lookup()
+     - bugfix/all/nfs-fix-oops-in-encode_lookup.patch
+    See CVE-2009-1336
 
  -- dann frazier <dannf at debian.org>  Tue, 24 Feb 2009 23:49:22 -0700
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfs-fix-oops-in-encode_lookup.patch	Sun Apr 19 00:44:06 2009	(r13443)
@@ -0,0 +1,56 @@
+commit 54af3bb543c071769141387a42deaaab5074da55
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date:   Fri Sep 28 12:27:41 2007 -0400
+
+    NFS: Fix an Oops in encode_lookup()
+    
+    It doesn't look as if the NFS file name limit is being initialised correctly
+    in the struct nfs_server. Make sure that we limit whatever is being set in
+    nfs_probe_fsinfo() and nfs_init_server().
+    
+    Also ensure that readdirplus and nfs4_path_walk respect our file name
+    limits.
+    
+    Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+Backported to Debian's 2.6.18 by dann frazier <dannf at debian.org>
+Based upon the RHEL4 backport by Sachin Prabhu
+
+diff -urpN linux-source-2.6.18.orig/fs/nfs/dir.c linux-source-2.6.18/fs/nfs/dir.c
+--- linux-source-2.6.18.orig/fs/nfs/dir.c	2008-12-25 14:04:12.000000000 -0700
++++ linux-source-2.6.18/fs/nfs/dir.c	2009-04-18 15:49:55.000000000 -0600
+@@ -1113,6 +1113,8 @@ static struct dentry *nfs_readdir_lookup
+ 		return dentry;
+ 	if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR))
+ 		return NULL;
++	if (name.len > NFS_SERVER(dir)->namelen)
++		return NULL;
+ 	/* Note: caller is already holding the dir->i_mutex! */
+ 	dentry = d_alloc(parent, &name);
+ 	if (dentry == NULL)
+diff -urpN linux-source-2.6.18.orig/fs/nfs/nfs4proc.c linux-source-2.6.18/fs/nfs/nfs4proc.c
+--- linux-source-2.6.18.orig/fs/nfs/nfs4proc.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/nfs4proc.c	2009-04-18 15:53:22.000000000 -0600
+@@ -1437,6 +1437,8 @@ static int nfs4_proc_get_root(struct nfs
+ 		while (*p && (*p != '/'))
+ 			p++;
+ 		q.len = p - q.name;
++		if (q.len > NFS4_MAXNAMLEN)
++			return -ENAMETOOLONG;
+ 
+ 		do {
+ 			nfs_fattr_init(fattr);
+diff -urpN linux-source-2.6.18.orig/fs/nfs/super.c linux-source-2.6.18/fs/nfs/super.c
+--- linux-source-2.6.18.orig/fs/nfs/super.c	2006-09-19 21:42:06.000000000 -0600
++++ linux-source-2.6.18/fs/nfs/super.c	2009-04-18 15:52:24.000000000 -0600
+@@ -1254,6 +1254,9 @@ static int nfs4_fill_super(struct super_
+ 			goto out_fail;
+ 	}
+ 
++	if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN)
++		server->namelen = NFS4_MAXNAMELEN;
++
+ 	sb->s_time_gran = 1;
+ 
+ 	sb->s_op = &nfs4_sops;
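Review bot: The assignment added in the fs/nfs/super.c hunk writes `NFS4_MAXNAMELEN`, while the condition directly above it and the nfs4proc.c hunk both spell the constant `NFS4_MAXNAMLEN`; the shorter spelling is the one the kernel's nfs4.h defines, so unless this tree also defines the longer name, super.c will not build with NFSv4 enabled. The line should read `server->namelen = NFS4_MAXNAMLEN;`. The upstream message names nfs_probe_fsinfo() and nfs_init_server() as places where the limit is applied, but this backport only shows a clamp in nfs4_fill_super(); it is worth confirming that the NFSv2/v3 mount path also bounds server->namelen, since the new readdirplus check in dir.c trusts that field as its upper limit. All three patched functions continue outside their hunks.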

Modified: dists/etch-security/linux-2.6/debian/patches/series/24etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/24etch1	Sat Apr 18 21:14:52 2009	(r13442)
+++ dists/etch-security/linux-2.6/debian/patches/series/24etch1	Sun Apr 19 00:44:06 2009	(r13443)
@@ -75,3 +75,4 @@
 + bugfix/all/shm-fix-shmctl-SHM_INFO-lockup-without-CONFIG_SHMEM.patch
 + bugfix/all/copy_process-fix-CLONE_PARENT-and-parent_exec_id-interaction.patch
 + bugfix/all/af_rose+x25-sanity-check-the-max-user-frame-size.patch
++ bugfix/all/nfs-fix-oops-in-encode_lookup.patch


