[kernel] r16080 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Aug 4 03:58:21 UTC 2010


Author: dannf
Date: Wed Aug  4 03:58:16 2010
New Revision: 16080

Log:
nfsd4: bug in read_buf (CVE-2010-2521)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Aug  4 03:57:59 2010	(r16079)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Aug  4 03:58:16 2010	(r16080)
@@ -4,6 +4,7 @@
   * Fix race in tty_fasync() properly (CVE-2009-4895)
   * hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
   * xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
+  * nfsd4: bug in read_buf (CVE-2010-2521)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfsd4-bug-in-read_buf.patch	Wed Aug  4 03:58:16 2010	(r16080)
@@ -0,0 +1,53 @@
+commit 78137ed12e8b641b2e6ffb098b564139cd5b15a9
+Author: Neil Brown <neilb at suse.de>
+Date:   Tue Apr 20 12:16:52 2010 +1000
+
+    nfsd4: bug in read_buf
+    
+    When read_buf is called to move over to the next page in the pagelist
+    of an NFSv4 request, it sets argp->end to essentially a random
+    number, certainly not an address within the page which argp->p now
+    points to.  So subsequent calls to READ_BUF will think there is much
+    more than a page of spare space (the cast to u32 ensures an unsigned
+    comparison) so we can expect to fall off the end of the second
+    page.
+    
+    We never encountered thsi in testing because typically the only
+    operations which use more than two pages are write-like operations,
+    which have their own decoding logic.  Something like a getattr after a
+    write may cross a page boundary, but it would be very unusual for it to
+    cross another boundary after that.
+    
+    Cc: stable at kernel.org
+    Signed-off-by: J. Bruce Fields <bfields at citi.umich.edu>
+
+diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
+index c513bbd..e09adb5 100644
+--- a/fs/nfsd/nfs4xdr.c
++++ b/fs/nfsd/nfs4xdr.c
+@@ -179,10 +179,10 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes)
+ 	argp->p = page_address(argp->pagelist[0]);
+ 	argp->pagelist++;
+ 	if (argp->pagelen < PAGE_SIZE) {
+-		argp->end = p + (argp->pagelen>>2);
++		argp->end = argp->p + (argp->pagelen>>2);
+ 		argp->pagelen = 0;
+ 	} else {
+-		argp->end = p + (PAGE_SIZE>>2);
++		argp->end = argp->p + (PAGE_SIZE>>2);
+ 		argp->pagelen -= PAGE_SIZE;
+ 	}
+ 	memcpy(((char*)p)+avail, argp->p, (nbytes - avail));
+@@ -1047,10 +1047,10 @@ nfsd4_decode_compound(struct nfsd4_compoundargs *argp)
+ 			argp->p = page_address(argp->pagelist[0]);
+ 			argp->pagelist++;
+ 			if (argp->pagelen < PAGE_SIZE) {
+-				argp->end = p + (argp->pagelen>>2);
++				argp->end = argp->p + (argp->pagelen>>2);
+ 				argp->pagelen = 0;
+ 			} else {
+-				argp->end = p + (PAGE_SIZE>>2);
++				argp->end = argp->p + (PAGE_SIZE>>2);
+ 				argp->pagelen -= PAGE_SIZE;
+ 			}
+ 		}
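Review bot: The corrected `argp->end = argp->p + ...` assignments in the read_buf hunk (and the identical pair in the nfsd4_decode_compound hunk below it) re-establish the invariant that READ_BUF's spare-space comparison depends on, but neither site states that invariant, which is exactly what the old `p + ...` bound silently broke. I would put `/* argp->end must bound the page argp->p now points to; READ_BUF's u32 spare-space check trusts it */` above the `if (argp->pagelen < PAGE_SIZE)` at both sites, so the next person who touches the page-stepping code sees why the base must be argp->p and not the scratch buffer p. Both inner hunks cut into their functions: read_buf continues on either side of the shown lines, and the trailing `memcpy(((char*)p)+avail, argp->p, (nbytes - avail))` presumably relies on length checks made earlier in read_buf that are not visible here. Because this patch file is a verbatim backport of upstream 78137ed, the comment belongs in a follow-up rather than edited into the backported hunk.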

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug  4 03:57:59 2010	(r16079)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug  4 03:58:16 2010	(r16080)
@@ -2,3 +2,4 @@
 + bugfix/all/fix-race-in-tty_fasync-properly.patch
 + bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
 + bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
++ bugfix/all/nfsd4-bug-in-read_buf.patch


