[kernel] r16164 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Aug 18 23:56:04 UTC 2010


Author: dannf
Date: Wed Aug 18 23:56:02 2010
New Revision: 16164

Log:
ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks} (CVE-2010-3015)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/24lenny1

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Aug 18 23:45:47 2010	(r16163)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Aug 18 23:56:02 2010	(r16164)
@@ -11,6 +11,8 @@
     (CVE-REQUESTED)
   * mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
   * drm: stop information leak of old kernel stack (CVE-2010-2803)
+  * ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks}
+    (CVE-2010-3015)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Jun 2010 00:32:02 -0600
 

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch	Wed Aug 18 23:56:02 2010	(r16164)
@@ -0,0 +1,87 @@
+From 7242d45aa2a0ec7bdaebf10ce2b1b72b6fcb42f2 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita at gmail.com>
+Date: Wed, 3 Mar 2010 23:55:01 -0500
+Subject: [PATCH] ext4: consolidate in_range() definitions
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+There are duplicate macro definitions of in_range() in mballoc.h and
+balloc.c.  This consolidates these two definitions into ext4.h, and
+changes extents.c to use in_range() as well.
+
+Signed-off-by: Akinobu Mita <akinobu.mita at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Cc: Andreas Dilger <adilger at sun.com>
+---
+ fs/ext4/balloc.c  |    3 ---
+ fs/ext4/ext4.h    |    3 +++
+ fs/ext4/extents.c |    4 ++--
+ fs/ext4/mballoc.h |    2 --
+ 4 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index 9cc80b9..bd24882 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -195,9 +195,6 @@ unsigned ext4_init_block_bitmap(struct super_block *sb, struct buffer_head *bh,
+  * when a file system is mounted (see ext4_fill_super).
+  */
+ 
+-
+-#define in_range(b, first, len)	((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ /**
+  * ext4_get_group_desc() -- load group descriptor from disk
+  * @sb:			super block
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 527aba6..f91d153 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1206,6 +1206,9 @@ extern int ext4_get_blocks_wrap(handle_t *handle, struct inode *inode,
+ 			sector_t block, unsigned long max_blocks,
+ 			struct buffer_head *bh, int create,
+ 			int extend_disksize);
++
++#define in_range(b, first, len)	((b) >= (first) && (b) <= (first) + (len) - 1)
++
+ #endif	/* __KERNEL__ */
+ 
+ #endif	/* _EXT4_H */
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 47929c4..617b4a3 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1663,7 +1663,7 @@ ext4_ext_in_cache(struct inode *inode, ext4_lblk_t block,
+ 
+ 	BUG_ON(cex->ec_type != EXT4_EXT_CACHE_GAP &&
+ 			cex->ec_type != EXT4_EXT_CACHE_EXTENT);
+-	if (block >= cex->ec_block && block < cex->ec_block + cex->ec_len) {
++	if (in_range(block, cex->ec_block, cex->ec_len)) {
+ 		ex->ee_block = cpu_to_le32(cex->ec_block);
+ 		ext4_ext_store_pblock(ex, cex->ec_start);
+ 		ex->ee_len = cpu_to_le16(cex->ec_len);
+@@ -2590,7 +2590,7 @@ int ext4_ext_get_blocks(handle_t *handle, struct inode *inode,
+ 		 */
+ 		ee_len = ext4_ext_get_actual_len(ex);
+ 		/* if found extent covers block, simply return it */
+-		if (iblock >= ee_block && iblock < ee_block + ee_len) {
++		if (in_range(iblock, ee_block, ee_len)) {
+ 			newblock = iblock - ee_block + ee_start;
+ 			/* number of remaining blocks in the extent */
+ 			allocated = ee_len - (iblock - ee_block);
+diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
+index bfe6add..d85a92c 100644
+--- a/fs/ext4/mballoc.h
++++ b/fs/ext4/mballoc.h
+@@ -249,8 +249,6 @@ static inline void ext4_mb_store_history(struct ext4_allocation_context *ac)
+ static void ext4_mb_store_history(struct ext4_allocation_context *ac);
+ #endif
+ 
+-#define in_range(b, first, len)	((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ static struct proc_dir_entry *proc_root_ext4;
+ struct buffer_head *read_block_bitmap(struct super_block *, ext4_group_t);
+ 
+-- 
+1.7.1
+
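Review bot: The `in_range()` definition added to fs/ext4/ext4.h has no comment saying that the inclusive bound `(first) + (len) - 1` is what prevents the wraparound, and the embedded patch description speaks only of consolidating duplicates, so nothing in the patch file ties the two extents.c changes to the integer-overflow fix the changelog names (CVE-2010-3015). I would put a comment above the macro, for example `/* inclusive upper bound on purpose: (first) + (len) can wrap when the range ends at the top of the block number space */`, and mention the CVE in the `[Backported to Debian's 2.6.26 ...]` line, so that a later cleanup does not restore the `block < start + len` form. The macro also evaluates `b` and `first` twice, and for `len == 0` with `first == 0` the upper bound presumably wraps to the maximum value and matches every block. Whether a zero-length cache entry or extent can reach `ext4_ext_in_cache()` or `ext4_ext_get_blocks()` is not visible in these hunks and is worth confirming. Both functions begin and end outside the lines shown.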

Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug 18 23:45:47 2010	(r16163)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1	Wed Aug 18 23:56:02 2010	(r16164)
@@ -13,3 +13,4 @@
 + bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
 + bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
 + bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
++ bugfix/all/ext4-consolidate-in_range-definitions.patch


