[kernel] r13035 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Mar 8 20:53:45 UTC 2009


Author: dannf
Date: Sun Mar  8 20:53:44 2009
New Revision: 13035

Log:
ext4: only use i_size_high for regular files (CVE-2009-0747)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-only-use-i_size_high-for-regular-files.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/13lenny2

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	(original)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Mar  8 20:53:44 2009
@@ -5,8 +5,9 @@
   * ext4: initialize the new group descriptor when resizing
     (CVE-2009-0745)
   * ext4: Add sanity check to make_indexed_dir (CVE-2009-0746)
+  * ext4: only use i_size_high for regular files (CVE-2009-0747)
 
- -- dann frazier <dannf at debian.org>  Sun, 08 Mar 2009 14:43:08 -0600
+ -- dann frazier <dannf at debian.org>  Sun, 08 Mar 2009 14:51:51 -0600
 
 linux-2.6 (2.6.26-13lenny1) stable-security; urgency=high
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-only-use-i_size_high-for-regular-files.patch
==============================================================================
--- (empty file)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-only-use-i_size_high-for-regular-files.patch	Sun Mar  8 20:53:44 2009
@@ -0,0 +1,59 @@
+commit 06a279d636734da32bb62dd2f7b0ade666f65d7c
+Author: Theodore Ts'o <tytso at mit.edu>
+Date:   Sat Jan 17 18:41:37 2009 -0500
+
+    ext4: only use i_size_high for regular files
+    
+    Directories are not allowed to be bigger than 2GB, so don't use
+    i_size_high for anything other than regular files.  E2fsck should
+    complain about these inodes, but the simplest thing to do for the
+    kernel is to only use i_size_high for regular files.
+    
+    This prevents an intentially corrupted filesystem from causing the
+    kernel to burn a huge amount of CPU and issuing error messages such
+    as:
+    
+    EXT4-fs warning (device loop0): ext4_block_to_path: block 135090028 > max
+    
+    Thanks to David Maciejak from Fortinet's FortiGuard Global Security
+    Research Team for reporting this issue.
+    
+    http://bugzilla.kernel.org/show_bug.cgi?id=12375
+    
+    Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+    Cc: stable at kernel.org
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ext4/ext4.h linux-source-2.6.26/fs/ext4/ext4.h
+--- linux-source-2.6.26.orig/fs/ext4/ext4.h	2009-02-07 16:43:11.000000000 -0700
++++ linux-source-2.6.26/fs/ext4/ext4.h	2009-03-08 14:49:23.000000000 -0600
+@@ -1139,8 +1139,11 @@ static inline void ext4_r_blocks_count_s
+ 
+ static inline loff_t ext4_isize(struct ext4_inode *raw_inode)
+ {
+-	return ((loff_t)le32_to_cpu(raw_inode->i_size_high) << 32) |
+-		le32_to_cpu(raw_inode->i_size_lo);
++	if (S_ISREG(le16_to_cpu(raw_inode->i_mode)))
++		return ((loff_t)le32_to_cpu(raw_inode->i_size_high) << 32) |
++			le32_to_cpu(raw_inode->i_size_lo);
++	else
++		return (loff_t) le32_to_cpu(raw_inode->i_size_lo);
+ }
+ 
+ static inline void ext4_isize_set(struct ext4_inode *raw_inode, loff_t i_size)
+diff -urpN linux-source-2.6.26.orig/fs/ext4/inode.c linux-source-2.6.26/fs/ext4/inode.c
+--- linux-source-2.6.26.orig/fs/ext4/inode.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/ext4/inode.c	2009-03-08 14:49:23.000000000 -0600
+@@ -308,9 +308,9 @@ static int ext4_block_to_path(struct ino
+ 		final = ptrs;
+ 	} else {
+ 		ext4_warning(inode->i_sb, "ext4_block_to_path",
+-				"block %lu > max",
++				"block %lu > max in inode %lu",
+ 				i_block + direct_blocks +
+-				indirect_blocks + double_blocks);
++				indirect_blocks + double_blocks, inode->i_ino);
+ 	}
+ 	if (boundary)
+ 		*boundary = final - 1 - (i_block & (ptrs - 1));
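Review bot: The non-regular branch of `ext4_isize` still returns the full 32-bit `i_size_lo`, so a directory inode on a corrupted image can report a size just under 4 GiB, above the 2GB limit the commit message gives for directories. The change removes the 64-bit range but does not enforce that limit; whether the remaining range is harmless depends on the callers of `ext4_isize`, which are outside this hunk. The function would also benefit from a comment recording why the mode is checked, such as `/* i_size_high is only valid for regular files; raw_inode is read from disk and must not be trusted */`. If the limit is meant to be enforced, the place for it is probably where the inode is read and validated rather than in this accessor.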

Modified: dists/lenny-security/linux-2.6/debian/patches/series/13lenny2
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/13lenny2	(original)
+++ dists/lenny-security/linux-2.6/debian/patches/series/13lenny2	Sun Mar  8 20:53:44 2009
@@ -5,3 +5,4 @@
 + bugfix/all/skfp-fix-inverted-cap-logic.patch
 + bugfix/all/ext4-initialize-the-new-group-descriptor-when-resizing-the-filesystem.patch
 + bugfix/all/ext4-add-sanity-check-to-make_indexed_dir.patch
++ bugfix/all/ext4-only-use-i_size_high-for-regular-files.patch


