[kernel] r16087 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Aug 5 17:30:45 UTC 2010


Author: dannf
Date: Thu Aug  5 17:30:35 2010
New Revision: 16087

Log:
GFS2: rename causes kernel Oops (CVE-2010-2798)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Thu Aug  5 15:17:47 2010	(r16086)
+++ dists/lenny-security/linux-2.6/debian/changelog	Thu Aug  5 17:30:35 2010	(r16087)
@@ -5,6 +5,7 @@
   * hvc_console: Fix race between hvc_close and hvc_remove (CVE-2010-2653)
   * xfs: prevent swapext from operating on write-only files (CVE-2010-2226)
   * nfsd4: bug in read_buf (CVE-2010-2521)
+  * GFS2: rename causes kernel Oops (CVE-2010-2798)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 
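Review bot: the stanza this entry is appended to still carries the trailer `-- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600`, which predates the 5 Aug 2010 commit adding the GFS2 line; refresh the trailer timestamp when the stanza is closed for upload so the changelog date reflects the last change. The new entry itself follows the established pattern of the three lines above it (subsystem, one-line symptom, CVE id in parentheses).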

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/gfs2-rename-causes-kernel-oops.patch	Thu Aug  5 17:30:35 2010	(r16087)
@@ -0,0 +1,61 @@
+commit 85e1e2f8339ecb3329516f5dbd2ef98d012cf3be
+Author: Bob Peterson <rpeterso at redhat.com>
+Date:   Wed Jul 14 18:12:26 2010 -0400
+
+    GFS2: rename causes kernel Oops
+    
+    This patch fixes a kernel Oops in the GFS2 rename code.
+    
+    The problem was in the way the gfs2 directory code was trying
+    to re-use sentinel directory entries.
+    
+    In the failing case, gfs2's rename function was renaming a
+    file to another name that had the same non-trivial length.
+    The file being renamed happened to be the first directory
+    entry on the leaf block.
+    
+    First, the rename code (gfs2_rename in ops_inode.c) found the
+    original directory entry and decided it could do its job by
+    simply replacing the directory entry with another.  Therefore
+    it determined correctly that no block allocations were needed.
+    
+    Next, the rename code deleted the old directory entry prior to
+    replacing it with the new name.  Therefore, the soon-to-be
+    replaced directory entry was temporarily made into a directory
+    entry "sentinel" or a place holder at the start of a leaf block.
+    
+    Lastly, it went to re-add the replacement directory entry in
+    that leaf block.  However, when gfs2_dirent_find_space was
+    looking for space in the leaf block, it used the wrong value
+    for the sentinel.  That threw off its calculations so later
+    it decides it can't really re-use the sentinel and therefore
+    must allocate a new leaf block.  But because it previously decided
+    to re-use the directory entry, it didn't waste the time to
+    grab a new block allocation for the inode.  Therefore, the
+    inode's i_alloc pointer was still NULL and it crashes trying to
+    reference it.
+    
+    In the case of sentinel directory entries, the entire dirent is
+    reused, not just the "free space" portion of it, and therefore
+    the function gfs2_dirent_find_space should use the value 0
+    rather than GFS2_DIRENT_SIZE(0) for the actual dirent size.
+    
+    Fixing this calculation enables the reproducer programs to work
+    properly.
+    
+    Signed-off-by: Bob Peterson <rpeterso at redhat.com>
+    Signed-off-by: Steven Whitehouse <swhiteho at redhat.com>
+
+diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c
+index eed040d..4c83653 100644
+--- a/fs/gfs2/dir.c
++++ b/fs/gfs2/dir.c
+@@ -393,7 +393,7 @@ static int gfs2_dirent_find_space(const struct gfs2_dirent *dent,
+ 	unsigned totlen = be16_to_cpu(dent->de_rec_len);
+ 
+ 	if (gfs2_dirent_sentinel(dent))
+-		actual = GFS2_DIRENT_SIZE(0);
++		actual = 0;
+ 	if (totlen - actual >= required)
+ 		return 1;
+ 	return 0;
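Review bot: the CVE id (CVE-2010-2798) that the changelog and the commit log attach to this fix is absent from the patch file itself, which only carries the upstream commit id 85e1e2f8339ecb3329516f5dbd2ef98d012cf3be; add a reference line such as `CVE-2010-2798` next to the upstream commit line so the patch is self-describing when read outside this tree. On the code change: `totlen` is declared `unsigned`, so `totlen - actual >= required` is an unsigned comparison, and with `actual = 0` for sentinel entries the check now asks whether the whole record length of the sentinel can hold the new entry, which is what the commit message says a sentinel offers (the entire dirent is reused, not just its free-space tail). The three context lines do not show how `actual` is initialised for non-sentinel entries, so confirm against fs/gfs2/dir.c that the subtraction stays well-defined in that case before accepting the backport as a verbatim cherry-pick.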

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Thu Aug  5 15:17:47 2010	(r16086)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Thu Aug  5 17:30:35 2010	(r16087)
@@ -3,3 +3,4 @@
 + bugfix/all/hvc_console-fix-race-between-hvc_close-and-hvc_remove.patch
 + bugfix/all/xfs-prevent-swapext-from-operating-on-write-only-files.patch
 + bugfix/all/nfsd4-bug-in-read_buf.patch
++ bugfix/all/gfs2-rename-causes-kernel-oops.patch
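Review bot: ordering is consistent with the changelog hunk: the new patch is appended after nfsd4-bug-in-read_buf.patch, matching the order of the CVE entries in debian/changelog, and the file name matches the one added under patches/bugfix/all/. No change needed; only confirm that 24lenny1 is the series for the version stanza the changelog entry was added to, since the changelog hunk does not show that stanza's version header.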
