[kernel] r14353 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Oct 8 06:30:34 UTC 2009
Author: dannf
Date: Thu Oct 8 06:30:33 2009
New Revision: 14353
Log:
eCryptfs: Prevent lower dentry from going negative during unlink
(CVE-2009-2908)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Oct 8 06:23:50 2009 (r14352)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Oct 8 06:30:33 2009 (r14353)
@@ -9,6 +9,8 @@
* fix information leak in llc_ui_getname (CVE-2009-3001)
* net: fix information leak due to uninitialized structures in
getname functions (CVE-2009-3002)
+ * eCryptfs: Prevent lower dentry from going negative during unlink
+ (CVE-2009-2908)
-- dann frazier <dannf at debian.org> Tue, 15 Sep 2009 22:54:06 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch Thu Oct 8 06:30:33 2009 (r14353)
@@ -0,0 +1,53 @@
+commit 9c2d2056647790c5034d722bd24e9d913ebca73c
+Author: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+Date: Tue Sep 22 12:52:17 2009 -0500
+
+ eCryptfs: Prevent lower dentry from going negative during unlink
+
+ When calling vfs_unlink() on the lower dentry, d_delete() turns the
+ dentry into a negative dentry when the d_count is 1. This eventually
+ caused a NULL pointer deref when a read() or write() was done and the
+ negative dentry's d_inode was dereferenced in
+ ecryptfs_read_update_atime() or ecryptfs_getxattr().
+
+ Placing mutt's tmpdir in an eCryptfs mount is what initially triggered
+ the oops and I was able to reproduce it with the following sequence:
+
+ open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3
+ link("/tmp/upper/foo", "/tmp/upper/bar") = 0
+ unlink("/tmp/upper/foo") = 0
+ open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4
+ unlink("/tmp/upper/bar") = 0
+ write(4, "eCryptfs test\n"..., 14 <unfinished ...>
+ +++ killed by SIGKILL +++
+
+ https://bugs.launchpad.net/ecryptfs/+bug/387073
+
+ Reported-by: Loïc Minier <loic.minier at canonical.com>
+ Cc: Serge Hallyn <serue at us.ibm.com>
+ Cc: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+ Cc: ecryptfs-devel at lists.launchpad.net
+ Cc: stable <stable at kernel.org>
+ Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
+
+Adjusted to apply to Debian's 2.6.26 by dann frazier <dannf at debian.org>
+
+diff -urpN linux-source-2.6.26.orig/fs/ecryptfs/inode.c linux-source-2.6.26/fs/ecryptfs/inode.c
+--- linux-source-2.6.26.orig/fs/ecryptfs/inode.c 2009-08-18 23:15:12.000000000 -0600
++++ linux-source-2.6.26/fs/ecryptfs/inode.c 2009-10-08 00:26:22.000000000 -0600
+@@ -422,6 +422,7 @@ static int ecryptfs_unlink(struct inode
+ struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
+ struct dentry *lower_dir_dentry;
+
++ dget(lower_dentry);
+ lower_dir_dentry = lock_parent(lower_dentry);
+ rc = vfs_unlink(lower_dir_inode, lower_dentry);
+ if (rc) {
+@@ -435,6 +436,7 @@ static int ecryptfs_unlink(struct inode
+ d_drop(dentry);
+ out_unlock:
+ unlock_dir(lower_dir_dentry);
++ dput(lower_dentry);
+ return rc;
+ }
+
Modified: dists/lenny-security/linux-2.6/debian/patches/series/19lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/19lenny1 Thu Oct 8 06:23:50 2009 (r14352)
+++ dists/lenny-security/linux-2.6/debian/patches/series/19lenny1 Thu Oct 8 06:30:33 2009 (r14353)
@@ -12,3 +12,4 @@
+ bugfix/all/econet-fix-econet_getname-leak.patch
+ bugfix/all/can-fix-raw_getname-leak.patch
+ bugfix/all/netrom-fix-nr_getname-leak.patch
++ bugfix/all/ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
More information about the Kernel-svn-changes
mailing list