[kernel] r15589 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Fri Apr 30 06:35:12 UTC 2010


Author: dannf
Date: Fri Apr 30 06:34:55 2010
New Revision: 15589

Log:
[CIFS] Allow null nd (as nfs server uses) on create (CVE-2010-1148)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/cifs-allow-null-nd-on-create.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/12

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Fri Apr 30 06:04:07 2010	(r15588)
+++ dists/sid/linux-2.6/debian/changelog	Fri Apr 30 06:34:55 2010	(r15589)
@@ -64,6 +64,7 @@
   * Add DRBD backport
   * sctp: Fix skb_over_panic resulting from multiple invalid parameter
     errors (CVE-2010-1173)
+  * [CIFS] Allow null nd (as nfs server uses) on create (CVE-2010-1148)
 
   [ Aurelien Jarno ]
   * [sh4] Add a sh7751r flavour.

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/cifs-allow-null-nd-on-create.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/cifs-allow-null-nd-on-create.patch	Fri Apr 30 06:34:55 2010	(r15589)
@@ -0,0 +1,127 @@
+[CIFS] Allow null nd (as nfs server uses) on create
+
+While creating a file on a server which supports unix extensions
+such as Samba, if a file is being created which does not supply
+nameidata (i.e. nd is null), cifs client can oops when calling
+cifs_posix_open.
+
+Signed-off-by: Shirish Pargaonkar <shirishp at us.ibm.com>
+Signed-off-by: Steve French <sfrench at us.ibm.com>
+---
+
+
+Adjusted to apply to Debian's 2.6.32 by dann frazier <dannf at debian.org>
+
+
+diff -urpN a/fs/cifs/cifsproto.h b/fs/cifs/cifsproto.h
+--- a/fs/cifs/cifsproto.h	2009-12-02 20:51:21.000000000 -0700
++++ b/fs/cifs/cifsproto.h	2010-04-30 00:24:18.000000000 -0600
+@@ -95,8 +95,10 @@ extern struct cifsFileInfo *cifs_new_fil
+ 				__u16 fileHandle, struct file *file,
+ 				struct vfsmount *mnt, unsigned int oflags);
+ extern int cifs_posix_open(char *full_path, struct inode **pinode,
+-			   struct vfsmount *mnt, int mode, int oflags,
+-			   __u32 *poplock, __u16 *pnetfid, int xid);
++				struct vfsmount *mnt,
++				struct super_block *sb,
++				int mode, int oflags,
++				__u32 *poplock, __u16 *pnetfid, int xid);
+ extern void cifs_unix_basic_to_fattr(struct cifs_fattr *fattr,
+ 				     FILE_UNIX_BASIC_INFO *info,
+ 				     struct cifs_sb_info *cifs_sb);
+diff -urpN a/fs/cifs/dir.c b/fs/cifs/dir.c
+--- a/fs/cifs/dir.c	2009-12-02 20:51:21.000000000 -0700
++++ b/fs/cifs/dir.c	2010-04-30 00:24:18.000000000 -0600
+@@ -183,13 +183,14 @@ cifs_new_fileinfo(struct inode *newinode
+ }
+ 
+ int cifs_posix_open(char *full_path, struct inode **pinode,
+-		    struct vfsmount *mnt, int mode, int oflags,
+-		    __u32 *poplock, __u16 *pnetfid, int xid)
++			struct vfsmount *mnt, struct super_block *sb,
++			int mode, int oflags,
++			__u32 *poplock, __u16 *pnetfid, int xid)
+ {
+ 	int rc;
+ 	FILE_UNIX_BASIC_INFO *presp_data;
+ 	__u32 posix_flags = 0;
+-	struct cifs_sb_info *cifs_sb = CIFS_SB(mnt->mnt_sb);
++	struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
+ 	struct cifs_fattr fattr;
+ 
+ 	cFYI(1, ("posix open %s", full_path));
+@@ -241,7 +242,7 @@ int cifs_posix_open(char *full_path, str
+ 
+ 	/* get new inode and set it up */
+ 	if (*pinode == NULL) {
+-		*pinode = cifs_iget(mnt->mnt_sb, &fattr);
++		*pinode = cifs_iget(sb, &fattr);
+ 		if (!*pinode) {
+ 			rc = -ENOMEM;
+ 			goto posix_open_ret;
+@@ -250,7 +251,8 @@ int cifs_posix_open(char *full_path, str
+ 		cifs_fattr_to_inode(*pinode, &fattr);
+ 	}
+ 
+-	cifs_new_fileinfo(*pinode, *pnetfid, NULL, mnt, oflags);
++	if (mnt)
++		cifs_new_fileinfo(*pinode, *pnetfid, NULL, mnt, oflags);
+ 
+ posix_open_ret:
+ 	kfree(presp_data);
+@@ -314,13 +316,14 @@ cifs_create(struct inode *inode, struct
+ 	if (nd && (nd->flags & LOOKUP_OPEN))
+ 		oflags = nd->intent.open.flags;
+ 	else
+-		oflags = FMODE_READ;
++		oflags = FMODE_READ | SMB_O_CREAT;
+ 
+ 	if (tcon->unix_ext && (tcon->ses->capabilities & CAP_UNIX) &&
+ 	    (CIFS_UNIX_POSIX_PATH_OPS_CAP &
+ 			le64_to_cpu(tcon->fsUnixInfo.Capability))) {
+-		rc = cifs_posix_open(full_path, &newinode, nd->path.mnt,
+-				     mode, oflags, &oplock, &fileHandle, xid);
++		rc = cifs_posix_open(full_path, &newinode,
++			nd ? nd->path.mnt : NULL,
++			inode->i_sb, mode, oflags, &oplock, &fileHandle, xid);
+ 		/* EIO could indicate that (posix open) operation is not
+ 		   supported, despite what server claimed in capability
+ 		   negotation.  EREMOTE indicates DFS junction, which is not
+@@ -677,6 +680,7 @@ cifs_lookup(struct inode *parent_dir_ino
+ 		     (nd->flags & LOOKUP_OPEN) && !pTcon->broken_posix_open &&
+ 		     (nd->intent.open.flags & O_CREAT)) {
+ 			rc = cifs_posix_open(full_path, &newInode, nd->path.mnt,
++					parent_dir_inode->i_sb,
+ 					nd->intent.open.create_mode,
+ 					nd->intent.open.flags, &oplock,
+ 					&fileHandle, xid);
+diff -urpN a/fs/cifs/file.c b/fs/cifs/file.c
+--- a/fs/cifs/file.c	2009-12-02 20:51:21.000000000 -0700
++++ b/fs/cifs/file.c	2010-04-30 00:24:18.000000000 -0600
+@@ -295,10 +295,12 @@ int cifs_open(struct inode *inode, struc
+ 	    (CIFS_UNIX_POSIX_PATH_OPS_CAP &
+ 			le64_to_cpu(tcon->fsUnixInfo.Capability))) {
+ 		int oflags = (int) cifs_posix_convert_flags(file->f_flags);
++		oflags |= SMB_O_CREAT;
+ 		/* can not refresh inode info since size could be stale */
+ 		rc = cifs_posix_open(full_path, &inode, file->f_path.mnt,
+-				     cifs_sb->mnt_file_mode /* ignored */,
+-				     oflags, &oplock, &netfid, xid);
++				inode->i_sb,
++				cifs_sb->mnt_file_mode /* ignored */,
++				oflags, &oplock, &netfid, xid);
+ 		if (rc == 0) {
+ 			cFYI(1, ("posix open succeeded"));
+ 			/* no need for special case handling of setting mode
+@@ -510,8 +512,9 @@ reopen_error_exit:
+ 		int oflags = (int) cifs_posix_convert_flags(file->f_flags);
+ 		/* can not refresh inode info since size could be stale */
+ 		rc = cifs_posix_open(full_path, NULL, file->f_path.mnt,
+-				     cifs_sb->mnt_file_mode /* ignored */,
+-				     oflags, &oplock, &netfid, xid);
++				inode->i_sb,
++				cifs_sb->mnt_file_mode /* ignored */,
++				oflags, &oplock, &netfid, xid);
+ 		if (rc == 0) {
+ 			cFYI(1, ("posix reopen succeeded"));
+ 			goto reopen_success;
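Review bot: With the new `nd ? nd->path.mnt : NULL` argument in cifs_create, cifs_posix_open can now succeed with mnt == NULL, in which case the server-side open has populated *pnetfid but the added `if (mnt)` guard skips cifs_new_fileinfo, so no cifsFileInfo tracks that handle; the remainder of cifs_create lies outside the hunk, so I cannot confirm the caller closes fileHandle on that path, and the guard deserves a comment such as `/* mnt == NULL (no nameidata): caller owns *pnetfid and must close it */`. cifs_posix_open itself is spread across the first three dir.c hunks and its body continues outside them. Separately, cifs_open now ORs SMB_O_CREAT into oflags unconditionally while the reopen path in the last file.c hunk does not; if that asymmetry is intended, a one-line comment at `oflags |= SMB_O_CREAT;` saying why the open path always requests create would save the next reader from re-deriving it.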

Modified: dists/sid/linux-2.6/debian/patches/series/12
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/12	Fri Apr 30 06:04:07 2010	(r15588)
+++ dists/sid/linux-2.6/debian/patches/series/12	Fri Apr 30 06:34:55 2010	(r15589)
@@ -60,3 +60,4 @@
 + bugfix/all/revert-percpu-stable-changes.patch 
 + bugfix/all/virtio_net-Make-delayed-refill-more-reliable.patch
 + bugfix/all/sctp-fix-skb_over_panic-resulting-from-multiple-invalid-parameter-errors.patch
++ bugfix/all/cifs-allow-null-nd-on-create.patch
