[kernel] r14676 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 25 05:03:45 UTC 2009
Author: dannf
Date: Wed Nov 25 05:03:42 2009
New Revision: 14676
Log:
NFSv4: Fix a problem whereby a buggy server can oops the kernel
(CVE-2009-3726)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/21
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Wed Nov 25 05:03:01 2009 (r14675)
+++ dists/lenny/linux-2.6/debian/changelog Wed Nov 25 05:03:42 2009 (r14676)
@@ -20,6 +20,8 @@
* igb: Add 82576 MAC support (Closes: #522922), backport
by Ben Hutchings
* [SCSI] gdth: Prevent negative offsets in ioctl (CVE-2009-3080)
+ * NFSv4: Fix a problem whereby a buggy server can oops the kernel
+ (CVE-2009-3726)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 24 Oct 2009 23:45:45 +0100
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch Wed Nov 25 05:03:42 2009 (r14676)
@@ -0,0 +1,72 @@
+commit d953126a28f97ec965d23c69fd5795854c048f30
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Tue Jul 21 19:22:38 2009 -0400
+
+ NFSv4: Fix a problem whereby a buggy server can oops the kernel
+
+ We just had a case in which a buggy server occasionally returns the wrong
+ attributes during an OPEN call. While the client does catch this sort of
+ condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return
+ -EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a
+ fallback to an ordinary lookup instead of just returning the error.
+
+ When the buggy server then returns a regular file for the fallback lookup,
+ the VFS allows the open, and bad things start to happen, since the open
+ file doesn't have any associated NFSv4 state.
+
+ The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and
+ secondly to ensure that we are always careful when dereferencing the
+ nfs_open_context state pointer.
+
+ Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 38d42c2..32062c3 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1025,12 +1025,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry
+ res = NULL;
+ goto out;
+ /* This turned out not to be a regular file */
+- case -EISDIR:
+ case -ENOTDIR:
+ goto no_open;
+ case -ELOOP:
+ if (!(nd->intent.open.flags & O_NOFOLLOW))
+ goto no_open;
++ /* case -EISDIR: */
+ /* case -EINVAL: */
+ default:
+ goto out;
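Review bot: In nfs_atomic_lookup(), `case -ENOTDIR:` still reaches `goto no_open`, while the commit message says the EISDIR/ENOTDIR errors are both returned immediately; only `-EISDIR` has moved onto the `default:` path. Either move `-ENOTDIR` as well or adjust the message so the two agree. Separately, `/* case -EISDIR: */` is a comment rather than a label, so nothing checks it; a real `case -EISDIR:` placed directly above `default:` would state the same intent, and the fall-through from `case -ELOOP:` into `default:` when O_NOFOLLOW is set deserves an explicit fall-through comment.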
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index df24f67..6917311 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4093,15 +4093,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+ if (request->fl_start < 0 || request->fl_end < 0)
+ return -EINVAL;
+
+- if (IS_GETLK(cmd))
+- return nfs4_proc_getlk(state, F_GETLK, request);
++ if (IS_GETLK(cmd)) {
++ if (state != NULL)
++ return nfs4_proc_getlk(state, F_GETLK, request);
++ return 0;
++ }
+
+ if (!(IS_SETLK(cmd) || IS_SETLKW(cmd)))
+ return -EINVAL;
+
+- if (request->fl_type == F_UNLCK)
+- return nfs4_proc_unlck(state, cmd, request);
++ if (request->fl_type == F_UNLCK) {
++ if (state != NULL)
++ return nfs4_proc_unlck(state, cmd, request);
++ return 0;
++ }
+
++ if (state == NULL)
++ return -ENOLCK;
+ do {
+ status = nfs4_proc_setlk(state, cmd, request);
+ if ((status != -EAGAIN) || IS_SETLK(cmd))
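Review bot: In nfs4_proc_lock(), the new `state == NULL` branch under IS_GETLK returns 0 without touching `request`, so the caller gets success with the lock description it passed in left unchanged. A caller that inspects `request->fl_type` after a successful F_GETLK would then see the type it asked about rather than F_UNLCK; consider setting `request->fl_type = F_UNLCK` before `return 0;`, or returning an error as the set path does with `-ENOLCK`. A short comment on why a file without NFSv4 state gets success for GETLK and F_UNLCK but `-ENOLCK` for SETLK would also help, since the three NULL checks encode that policy with no explanation in the code.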
Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21 Wed Nov 25 05:03:01 2009 (r14675)
+++ dists/lenny/linux-2.6/debian/patches/series/21 Wed Nov 25 05:03:42 2009 (r14676)
@@ -29,3 +29,4 @@
+ bugfix/all/floppy-request-and-release-only-the-ports-we-actually-use.patch
+ features/all/igb-add-82576-MAC-support.patch
+ bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch
++ bugfix/all/nfsv4-buggy-server-oops.patch