[kernel] r14679 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Nov 25 19:34:37 UTC 2009
Author: dannf
Date: Wed Nov 25 19:34:35 2009
New Revision: 14679
Log:
fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/21
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Wed Nov 25 19:27:36 2009 (r14678)
+++ dists/lenny/linux-2.6/debian/changelog Wed Nov 25 19:34:35 2009 (r14679)
@@ -25,6 +25,7 @@
* [SCSI] megaraid_sas: remove sysfs dbg_lvl world writeable permissions
(CVE-2009-3889)
* isdn: hfc_usb: Fix read buffer overflow (CVE-2009-4005)
+ * fuse: prevent fuse_put_request on invalid pointer (CVE-2009-4021)
-- Ben Hutchings <ben at decadent.org.uk> Sat, 24 Oct 2009 23:45:45 +0100
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch Wed Nov 25 19:34:35 2009 (r14679)
@@ -0,0 +1,29 @@
+commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83
+Author: Anand V. Avati <avati at gluster.com>
+Date: Thu Oct 22 06:24:52 2009 -0700
+
+ fuse: prevent fuse_put_request on invalid pointer
+
+ fuse_direct_io() has a loop where requests are allocated in each
+ iteration. if allocation fails, the loop is broken out and follows
+ into an unconditional fuse_put_request() on that invalid pointer.
+
+ Signed-off-by: Anand V. Avati <avati at gluster.com>
+ Signed-off-by: Miklos Szeredi <mszeredi at suse.cz>
+ Cc: stable at kernel.org
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/fuse/file.c linux-source-2.6.26/fs/fuse/file.c
+--- linux-source-2.6.26.orig/fs/fuse/file.c 2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/fs/fuse/file.c 2009-11-25 12:29:51.000000000 -0700
+@@ -1005,7 +1005,8 @@ static ssize_t fuse_direct_io(struct fil
+ break;
+ }
+ }
+- fuse_put_request(fc, req);
++ if (!IS_ERR(req))
++ fuse_put_request(fc, req);
+ if (res > 0) {
+ if (write)
+ fuse_write_update_size(inode, pos);
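Review bot: The new `if (!IS_ERR(req))` guard in front of `fuse_put_request(fc, req)` only protects against an error-encoded pointer, so it relies on every exit from the loop leaving `req` either valid or an `ERR_PTR` value. The hunk's context shows neither the allocation nor the `break` the commit message describes, so please confirm against the 2.6.26 loop body that no path reaches this point with `req` NULL or already released. The "Adjusted to apply to Debian's 2.6.26" line in the patch header should also say what was adjusted (context offsets only, or a code change) so the backport can be compared with upstream commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83.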
Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21 Wed Nov 25 19:27:36 2009 (r14678)
+++ dists/lenny/linux-2.6/debian/patches/series/21 Wed Nov 25 19:34:35 2009 (r14679)
@@ -32,3 +32,4 @@
+ bugfix/all/nfsv4-buggy-server-oops.patch
+ bugfix/all/megaraid_sas-fix-sysfs-dbg_lvl-permissions.patch
+ bugfix/all/isdn-hfc_usb-fix-read-buffer-overflow.patch
++ bugfix/all/fuse-prevent-fuse_put_request-on-invalid-pointer.patch