[kernel] r16079 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Wed Aug  4 03:57:59 2010
New Revision: 16079

Log:
xfs: prevent swapext from operating on write-only files (CVE-2010-2226)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Aug  4 01:40:17 2010	(r16078)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Aug  4 03:57:59 2010	(r16079)
@@ -3,6 +3,7 @@
   * cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
   * Fix race in tty_fasync() properly (CVE-2009-4895)
   * hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
+  * xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch	Wed Aug  4 03:57:59 2010	(r16079)
@@ -0,0 +1,39 @@
+commit cd84df2d7a4a5d8a4245484f97cbc3526c377ba3
+Author: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+Date:   Thu Jun 24 12:07:47 2010 +1000
+
+    xfs: prevent swapext from operating on write-only files
+    
+    [Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+    
+    This patch prevents user "foo" from using the SWAPEXT ioctl to swap
+    a write-only file owned by user "bar" into a file owned by "foo" and
+    subsequently reading it.  It does so by checking that the file
+    descriptors passed to the ioctl are also opened for reading.
+    
+    Signed-off-by: Dan Rosenberg <dan.j.rosenberg at gmail.com>
+    Reviewed-by: Christoph Hellwig <hch at lst.de>
+
+diff --git a/fs/xfs/xfs_dfrag.c b/fs/xfs/xfs_dfrag.c
+index 5f3647c..39c8805 100644
+--- a/fs/xfs/xfs_dfrag.c
++++ b/fs/xfs/xfs_dfrag.c
+@@ -74,7 +74,9 @@ xfs_swapext(
+ 		goto out_free_sxp;
+ 	}
+ 
+-	if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) {
++	if (!(file->f_mode & FMODE_WRITE) ||
++	    !(file->f_mode & FMODE_READ) ||
++	    (file->f_flags & O_APPEND)) {
+ 		error = XFS_ERROR(EBADF);
+ 		goto out_put_file;
+ 	}
+@@ -86,6 +88,7 @@ xfs_swapext(
+ 	}
+ 
+ 	if (!(target_file->f_mode & FMODE_WRITE) ||
++	    !(target_file->f_mode & FMODE_READ) ||
+ 	    (target_file->f_flags & O_APPEND)) {
+ 		error = XFS_ERROR(EBADF);
+ 		goto out_put_target_file;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug  4 01:40:17 2010	(r16078)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug  4 03:57:59 2010	(r16079)
@@ -1,3 +1,4 @@
 + bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
 + bugfix/all/fix-race-in-tty_fasync-properly.patch
 + bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
++ bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch