[kernel] r14546 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 4 20:07:52 UTC 2009
Author: dannf
Date: Wed Nov 4 20:07:46 2009
New Revision: 14546
Log:
fs: pipe.c null pointer dereference (CVE-2009-3547)
Added:
dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch
- copied unchanged from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch
Modified:
dists/etch-security/linux-2.6.24/debian/changelog
dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/changelog Wed Nov 4 19:36:24 2009 (r14545)
+++ dists/etch-security/linux-2.6.24/debian/changelog Wed Nov 4 20:07:46 2009 (r14546)
@@ -10,6 +10,7 @@
(CVE-2009-2903)
* eCryptfs: Prevent lower dentry from going negative during unlink
(CVE-2009-2908)
+ * fs: pipe.c null pointer dereference (CVE-2009-3547)
-- dann frazier <dannf at debian.org> Tue, 27 Oct 2009 22:41:25 -0600
Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch (from r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch Wed Nov 4 20:07:46 2009 (r14546, copy of r14544, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fs-pipe-null-pointer-dereference.patch)
@@ -0,0 +1,130 @@
+commit ad3960243e55320d74195fb85c975e0a8cc4466c
+Author: Earl Chew <earl_chew at agilent.com>
+Date: Mon Oct 19 15:55:41 2009 -0700
+
+ fs: pipe.c null pointer dereference
+
+ This patch fixes a null pointer exception in pipe_rdwr_open() which
+ generates the stack trace:
+
+ > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
+ > [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
+ > [<ffffffff8028125c>] __dentry_open+0x13c/0x230
+ > [<ffffffff8028143d>] do_filp_open+0x2d/0x40
+ > [<ffffffff802814aa>] do_sys_open+0x5a/0x100
+ > [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
+
+ The failure mode is triggered by an attempt to open an anonymous
+ pipe via /proc/pid/fd/* as exemplified by this script:
+
+ =============================================================
+ while : ; do
+ { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
+ PID=$!
+ OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
+ { read PID REST ; echo $PID; } )
+ OUT="${OUT%% *}"
+ DELAY=$((RANDOM * 1000 / 32768))
+ usleep $((DELAY * 1000 + RANDOM % 1000 ))
+ echo n > /proc/$OUT/fd/1 # Trigger defect
+ done
+ =============================================================
+
+ Note that the failure window is quite small and I could only
+ reliably reproduce the defect by inserting a small delay
+ in pipe_rdwr_open(). For example:
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
+ msleep(100);
+ mutex_lock(&inode->i_mutex);
+
+ Although the defect was observed in pipe_rdwr_open(), I think it
+ makes sense to replicate the change through all the pipe_*_open()
+ functions.
+
+ The core of the change is to verify that inode->i_pipe has not
+ been released before attempting to manipulate it. If inode->i_pipe
+ is no longer present, return ENOENT to indicate so.
+
+ The comment about potentially using atomic_t for i_pipe->readers
+ and i_pipe->writers has also been removed because it is no longer
+ relevant in this context. The inode->i_mutex lock must be used so
+ that inode->i_pipe can be dealt with correctly.
+
+ Signed-off-by: Earl Chew <earl_chew at agilent.com>
+ Cc: stable at kernel.org
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 52c4151..ae17d02 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -777,36 +777,55 @@ pipe_rdwr_release(struct inode *inode, struct file *filp)
+ static int
+ pipe_read_open(struct inode *inode, struct file *filp)
+ {
+- /* We could have perhaps used atomic_t, but this and friends
+- below are the only places. So it doesn't seem worthwhile. */
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->readers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->readers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_write_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ static int
+ pipe_rdwr_open(struct inode *inode, struct file *filp)
+ {
++ int ret = -ENOENT;
++
+ mutex_lock(&inode->i_mutex);
+- if (filp->f_mode & FMODE_READ)
+- inode->i_pipe->readers++;
+- if (filp->f_mode & FMODE_WRITE)
+- inode->i_pipe->writers++;
++
++ if (inode->i_pipe) {
++ ret = 0;
++ if (filp->f_mode & FMODE_READ)
++ inode->i_pipe->readers++;
++ if (filp->f_mode & FMODE_WRITE)
++ inode->i_pipe->writers++;
++ }
++
+ mutex_unlock(&inode->i_mutex);
+
+- return 0;
++ return ret;
+ }
+
+ /*
Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Nov 4 19:36:24 2009 (r14545)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.8etch4 Wed Nov 4 20:07:46 2009 (r14546)
@@ -5,3 +5,4 @@
+ bugfix/all/appletalk-use-correct-returns-for-atalk_rcv.patch
+ bugfix/all/appletalk-fix-skb-leak-when-ipddp-interface-is-not-loaded.patch
+ bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
++ bugfix/all/fs-pipe-null-pointer-dereference.patch
More information about the Kernel-svn-changes
mailing list