[kernel] r13034 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Mar 8 20:47:48 UTC 2009


Author: dannf
Date: Sun Mar  8 20:47:47 2009
New Revision: 13034

Log:
ext4: Add sanity check to make_indexed_dir (CVE-2009-0746)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/13lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	(original)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Mar  8 20:47:47 2009
@@ -4,8 +4,9 @@
   * skfp: Fix inverted capabilities check logic (CVE-2009-0675)
   * ext4: initialize the new group descriptor when resizing
     (CVE-2009-0745)
+  * ext4: Add sanity check to make_indexed_dir (CVE-2009-0746)
 
- -- dann frazier <dannf at debian.org>  Sun, 08 Mar 2009 14:34:53 -0600
+ -- dann frazier <dannf at debian.org>  Sun, 08 Mar 2009 14:43:08 -0600
 
 linux-2.6 (2.6.26-13lenny1) stable-security; urgency=high
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch	Sun Mar  8 20:47:47 2009
@@ -0,0 +1,64 @@
+commit e6b8bc09ba2075cd91fbffefcd2778b1a00bd76f
+Author: Theodore Ts'o <tytso at mit.edu>
+Date:   Fri Jan 16 11:13:40 2009 -0500
+
+    ext4: Add sanity check to make_indexed_dir
+    
+    Make sure the rec_len field in the '..' entry is sane, lest we overrun
+    the directory block and cause a kernel oops on a purposefully
+    corrupted filesystem.
+    
+    Thanks to Sami Liedes for reporting this bug.
+    
+    http://bugzilla.kernel.org/show_bug.cgi?id=12430
+    
+    Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+    Cc: stable at kernel.org
+
+Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ext4/namei.c linux-source-2.6.26/fs/ext4/namei.c
+--- linux-source-2.6.26.orig/fs/ext4/namei.c	2009-02-07 16:43:11.000000000 -0700
++++ linux-source-2.6.26/fs/ext4/namei.c	2009-03-08 14:40:32.000000000 -0600
+@@ -1379,7 +1379,7 @@ static int make_indexed_dir(handle_t *ha
+ 	struct fake_dirent *fde;
+ 
+ 	blocksize =  dir->i_sb->s_blocksize;
+-	dxtrace(printk("Creating index\n"));
++	dxtrace(printk("Creating index: inode %lu\n", dir->i_ino));
+ 	retval = ext4_journal_get_write_access(handle, bh);
+ 	if (retval) {
+ 		ext4_std_error(dir->i_sb, retval);
+@@ -1388,6 +1388,20 @@ static int make_indexed_dir(handle_t *ha
+ 	}
+ 	root = (struct dx_root *) bh->b_data;
+ 
++	/* The 0th block becomes the root, move the dirents out */
++	fde = &root->dotdot;
++	de = (struct ext4_dir_entry_2 *)((char *)fde +
++		ext4_rec_len_from_disk(fde->rec_len));
++	if ((char *) de >= (((char *) root) + blocksize)) {
++		ext4_error(dir->i_sb, __func__,
++			   "invalid rec_len for '..' in inode %lu",
++			   dir->i_ino);
++		brelse(bh);
++		return -EIO;
++	}
++	len = ((char *) root) + blocksize - (char *) de;
++
++	/* Allocate new block for the 0th block's dirents */
+ 	bh2 = ext4_append (handle, dir, &block, &retval);
+ 	if (!(bh2)) {
+ 		brelse(bh);
+@@ -1396,11 +1410,6 @@ static int make_indexed_dir(handle_t *ha
+ 	EXT4_I(dir)->i_flags |= EXT4_INDEX_FL;
+ 	data1 = bh2->b_data;
+ 
+-	/* The 0th block becomes the root, move the dirents out */
+-	fde = &root->dotdot;
+-	de = (struct ext4_dir_entry_2 *)((char *)fde +
+-		ext4_rec_len_from_disk(fde->rec_len));
+-	len = ((char *) root) + blocksize - (char *) de;
+ 	memcpy (data1, de, len);
+ 	de = (struct ext4_dir_entry_2 *) data1;
+ 	top = data1 + len;
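Review bot: The new bound on `de` in make_indexed_dir rejects only a '..' rec_len that reaches or passes the end of the block; a value that is too small (zero, or shorter than the '..' entry itself) still passes, so `de` can point back into the dot/dotdot header and `len` then covers index-root bytes that `memcpy` copies out as directory entries. A lower bound in the same test would close that, e.g. `if (ext4_rec_len_from_disk(fde->rec_len) < EXT4_DIR_REC_LEN(2) || (char *) de >= (((char *) root) + blocksize)) {`. The `>=` comparison also accepts a `de` that leaves fewer bytes than one entry header before the block end; whether the entry walk after `top = data1 + len;` tolerates that cannot be judged here, because the function continues outside these hunks. A short comment above the check, such as `/* rec_len is read from disk and untrusted: validate it before using it as an offset */`, would record why the validation was moved ahead of ext4_append().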

Modified: dists/lenny-security/linux-2.6/debian/patches/series/13lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/13lenny2	(original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/13lenny2	Sun Mar  8 20:47:47 2009
@@ -4,3 +4,4 @@
 + bugfix/all/CVE-2009-0029/mips-enable-syscall-wrappers.patch
 + bugfix/all/skfp-fix-inverted-cap-logic.patch
 + bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
++ bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch


