[kernel] r14353 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Oct 8 06:30:34 UTC 2009 

Author: dannf
Date: Thu Oct  8 06:30:33 2009
New Revision: 14353

Log:
eCryptfs: Prevent lower dentry from going negative during unlink
(CVE-2009-2908)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/19lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Oct  8 06:23:50 2009	(r14352)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Oct  8 06:30:33 2009	(r14353)
@@ -9,6 +9,8 @@
   * fix information leak in llc_ui_getname (CVE-2009-3001)
   * net: fix information leak due to uninitialized structures in
     getname functions (CVE-2009-3002)
+  * eCryptfs: Prevent lower dentry from going negative during unlink
+    (CVE-2009-2908)
 
  -- dann frazier <dannf at debian.org>  Tue, 15 Sep 2009 22:54:06 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch	Thu Oct  8 06:30:33 2009	(r14353)
@@ -0,0 +1,53 @@
+commit 9c2d2056647790c5034d722bd24e9d913ebca73c
+Author: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+Date:   Tue Sep 22 12:52:17 2009 -0500
+
+    eCryptfs: Prevent lower dentry from going negative during unlink
+    
+    When calling vfs_unlink() on the lower dentry, d_delete() turns the
+    dentry into a negative dentry when the d_count is 1.  This eventually
+    caused a NULL pointer deref when a read() or write() was done and the
+    negative dentry's d_inode was dereferenced in
+    ecryptfs_read_update_atime() or ecryptfs_getxattr().
+    
+    Placing mutt's tmpdir in an eCryptfs mount is what initially triggered
+    the oops and I was able to reproduce it with the following sequence:
+    
+    open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3
+    link("/tmp/upper/foo", "/tmp/upper/bar") = 0
+    unlink("/tmp/upper/foo")                = 0
+    open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4
+    unlink("/tmp/upper/bar")                = 0
+    write(4, "eCryptfs test\n"..., 14 <unfinished ...>
+    +++ killed by SIGKILL +++
+    
+    https://bugs.launchpad.net/ecryptfs/+bug/387073
+    
+    Reported-by: Loïc Minier <loic.minier at canonical.com>
+    Cc: Serge Hallyn <serue at us.ibm.com>
+    Cc: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+    Cc: ecryptfs-devel at lists.launchpad.net
+    Cc: stable <stable at kernel.org>
+    Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ecryptfs/inode.c linux-source-2.6.26/fs/ecryptfs/inode.c
+--- linux-source-2.6.26.orig/fs/ecryptfs/inode.c	2009-08-18 23:15:12.000000000 -0600
++++ linux-source-2.6.26/fs/ecryptfs/inode.c	2009-10-08 00:26:22.000000000 -0600
+@@ -422,6 +422,7 @@ static int ecryptfs_unlink(struct inode 
+ 	struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+ 	struct dentry *lower_dir_dentry;
+ 
++	dget(lower_dentry);
+ 	lower_dir_dentry = lock_parent(lower_dentry);
+ 	rc = vfs_unlink(lower_dir_inode, lower_dentry);
+ 	if (rc) {
+@@ -435,6 +436,7 @@ static int ecryptfs_unlink(struct inode 
+ 	d_drop(dentry);
+ out_unlock:
+ 	unlock_dir(lower_dir_dentry);
++	dput(lower_dentry);
+ 	return rc;
+ }
+ 

Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny1	Thu Oct  8 06:23:50 2009	(r14352)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny1	Thu Oct  8 06:30:33 2009	(r14353)
@@ -12,3 +12,4 @@
 + bugfix/all/econet-fix-econet_getname-leak.patch
 + bugfix/all/can-fix-raw_getname-leak.patch
 + bugfix/all/netrom-fix-nr_getname-leak.patch
++ bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch

More information about the Kernel-svn-changes mailing list