[kernel] r16087 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Aug 5 17:30:45 UTC 2010
Author: dannf
Date: Thu Aug 5 17:30:35 2010
New Revision: 16087
Log:
GFS2: rename causes kernel Oops (CVE-2010-2798)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Thu Aug 5 15:17:47 2010 (r16086)
+++ dists/lenny-security/linux-2.6/debian/changelog Thu Aug 5 17:30:35 2010 (r16087)
@@ -5,6 +5,7 @@
* hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
* xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
* nfsd4: bug in read_buf (CVE-2010-2521)
+ * GFS2: rename causes kernel Oops (CVE-2010-2798)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
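Review bot: the new entry is appended to a stanza whose trailer still reads "Wed, 30 Jun 2010 00:32:02 -0600", more than a month before this r16087 commit; the trailer timestamp will need refreshing before the 24lenny1 upload so the changelog date reflects when the stanza was actually finalised. The entry text itself follows the existing pattern (subsystem, one-line summary, CVE id), which is fine.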
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch Thu Aug 5 17:30:35 2010 (r16087)
@@ -0,0 +1,61 @@
+commit 85e1e2f8339ecb3329516f5dbd2ef98d012cf3be
+Author: Bob Peterson <rpeterso at redhat.com>
+Date: Wed Jul 14 18:12:26 2010 -0400
+
+ GFS2: rename causes kernel Oops
+
+ This patch fixes a kernel Oops in the GFS2 rename code.
+
+ The problem was in the way the gfs2 directory code was trying
+ to re-use sentinel directory entries.
+
+ In the failing case, gfs2's rename function was renaming a
+ file to another name that had the same non-trivial length.
+ The file being renamed happened to be the first directory
+ entry on the leaf block.
+
+ First, the rename code (gfs2_rename in ops_inode.c) found the
+ original directory entry and decided it could do its job by
+ simply replacing the directory entry with another. Therefore
+ it determined correctly that no block allocations were needed.
+
+ Next, the rename code deleted the old directory entry prior to
+ replacing it with the new name. Therefore, the soon-to-be
+ replaced directory entry was temporarily made into a directory
+ entry "sentinel" or a place holder at the start of a leaf block.
+
+ Lastly, it went to re-add the replacement directory entry in
+ that leaf block. However, when gfs2_dirent_find_space was
+ looking for space in the leaf block, it used the wrong value
+ for the sentinel. That threw off its calculations so later
+ it decides it can't really re-use the sentinel and therefore
+ must allocate a new leaf block. But because it previously decided
+ to re-use the directory entry, it didn't waste the time to
+ grab a new block allocation for the inode. Therefore, the
+ inode's i_alloc pointer was still NULL and it crashes trying to
+ reference it.
+
+ In the case of sentinel directory entries, the entire dirent is
+ reused, not just the "free space" portion of it, and therefore
+ the function gfs2_dirent_find_space should use the value 0
+ rather than GFS2_DIRENT_SIZE(0) for the actual dirent size.
+
+ Fixing this calculation enables the reproducer programs to work
+ properly.
+
+ Signed-off-by: Bob Peterson <rpeterso at redhat.com>
+ Signed-off-by: Steven Whitehouse <swhiteho at redhat.com>
+
+diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
+index eed040d..4c83653 100644
+--- a/fs/gfs2/dir.c
++++ b/fs/gfs2/dir.c
+@@ -393,7 +393,7 @@ static int gfs2_dirent_find_space(const struct gfs2_dirent *dent,
+ unsigned totlen = be16_to_cpu(dent->de_rec_len);
+
+ if (gfs2_dirent_sentinel(dent))
+- actual = GFS2_DIRENT_SIZE(0);
++ actual = 0;
+ if (totlen - actual >= required)
+ return 1;
+ return 0;
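Review bot: the patch is carried verbatim from the upstream commit (the "index eed040d..4c83653" line and the "@@ -393,7 +393,7 @@" offset are upstream's), so it is worth confirming in the build log that it applies to the lenny 2.6.26 fs/gfs2/dir.c without rejects, and noting any offset or fuzz in the patch header for future reference. The one-line change itself matches the commit message: for a sentinel dirent the whole record is reusable, so treating its occupied size as 0 rather than GFS2_DIRENT_SIZE(0) lets "totlen - actual >= required" succeed and avoids the unplanned leaf allocation that dereferenced the NULL i_alloc pointer.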
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Thu Aug 5 15:17:47 2010 (r16086)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Thu Aug 5 17:30:35 2010 (r16087)
@@ -3,3 +3,4 @@
+ bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
+ bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
+ bugfix/all/nfsd4-bug-in-read_buf.patch
++ bugfix/all/gfs2-rename-causes-kernel-oops.patch