[kernel] r16164 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Aug 18 23:56:04 UTC 2010
Author: dannf
Date: Wed Aug 18 23:56:02 2010
New Revision: 16164
Log:
ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks} (CVE-2010-3015)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Aug 18 23:45:47 2010 (r16163)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Aug 18 23:56:02 2010 (r16164)
@@ -11,6 +11,8 @@
(CVE-REQUESTED)
* mm: keep a guard page below a grow-down stack segment (CVE-2010-2240)
* drm: stop information leak of old kernel stack (CVE-2010-2803)
+ * ext4: fix integer overflows in ext4_ext_{in_cache,get_blocks}
+ (CVE-2010-3015)
-- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/ext4-consolidate-in_range-definitions.patch Wed Aug 18 23:56:02 2010 (r16164)
@@ -0,0 +1,87 @@
+From 7242d45aa2a0ec7bdaebf10ce2b1b72b6fcb42f2 Mon Sep 17 00:00:00 2001
+From: Akinobu Mita <akinobu.mita at gmail.com>
+Date: Wed, 3 Mar 2010 23:55:01 -0500
+Subject: [PATCH] ext4: consolidate in_range() definitions
+
+[Backported to Debian's 2.6.26 by dann frazier <dannf at debian.org>]
+
+There are duplicate macro definitions of in_range() in mballoc.h and
+balloc.c. This consolidates these two definitions into ext4.h, and
+changes extents.c to use in_range() as well.
+
+Signed-off-by: Akinobu Mita <akinobu.mita at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Cc: Andreas Dilger <adilger at sun.com>
+---
+ fs/ext4/balloc.c | 3 ---
+ fs/ext4/ext4.h | 3 +++
+ fs/ext4/extents.c | 4 ++--
+ fs/ext4/mballoc.h | 2 --
+ 4 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
+index 9cc80b9..bd24882 100644
+--- a/fs/ext4/balloc.c
++++ b/fs/ext4/balloc.c
+@@ -195,9 +195,6 @@ unsigned ext4_init_block_bitmap(struct super_block *sb, struct buffer_head *bh,
+ * when a file system is mounted (see ext4_fill_super).
+ */
+
+-
+-#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ /**
+ * ext4_get_group_desc() -- load group descriptor from disk
+ * @sb: super block
+diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
+index 527aba6..f91d153 100644
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1206,6 +1206,9 @@ extern int ext4_get_blocks_wrap(handle_t *handle, struct inode *inode,
+ sector_t block, unsigned long max_blocks,
+ struct buffer_head *bh, int create,
+ int extend_disksize);
++
++#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
++
+ #endif /* __KERNEL__ */
+
+ #endif /* _EXT4_H */
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
+index 47929c4..617b4a3 100644
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -1663,7 +1663,7 @@ ext4_ext_in_cache(struct inode *inode, ext4_lblk_t block,
+
+ BUG_ON(cex->ec_type != EXT4_EXT_CACHE_GAP &&
+ cex->ec_type != EXT4_EXT_CACHE_EXTENT);
+- if (block >= cex->ec_block && block < cex->ec_block + cex->ec_len) {
++ if (in_range(block, cex->ec_block, cex->ec_len)) {
+ ex->ee_block = cpu_to_le32(cex->ec_block);
+ ext4_ext_store_pblock(ex, cex->ec_start);
+ ex->ee_len = cpu_to_le16(cex->ec_len);
+@@ -2590,7 +2590,7 @@ int ext4_ext_get_blocks(handle_t *handle, struct inode *inode,
+ */
+ ee_len = ext4_ext_get_actual_len(ex);
+ /* if found extent covers block, simply return it */
+- if (iblock >= ee_block && iblock < ee_block + ee_len) {
++ if (in_range(iblock, ee_block, ee_len)) {
+ newblock = iblock - ee_block + ee_start;
+ /* number of remaining blocks in the extent */
+ allocated = ee_len - (iblock - ee_block);
+diff --git a/fs/ext4/mballoc.h b/fs/ext4/mballoc.h
+index bfe6add..d85a92c 100644
+--- a/fs/ext4/mballoc.h
++++ b/fs/ext4/mballoc.h
+@@ -249,8 +249,6 @@ static inline void ext4_mb_store_history(struct ext4_allocation_context *ac)
+ static void ext4_mb_store_history(struct ext4_allocation_context *ac);
+ #endif
+
+-#define in_range(b, first, len) ((b) >= (first) && (b) <= (first) + (len) - 1)
+-
+ static struct proc_dir_entry *proc_root_ext4;
+ struct buffer_head *read_block_bitmap(struct super_block *, ext4_group_t);
+
+--
+1.7.1
+
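Review bot: The `in_range()` definition this patch adds to fs/ext4/ext4.h is what actually closes the overflow at the two extents.c call sites, yet neither the macro nor the patch description says so. The old tests compared against `cex->ec_block + cex->ec_len` and `ee_block + ee_len`, which can wrap to a small value for an extent ending at the top of the `ext4_lblk_t` range, while the macro's inclusive bound `(first) + (len) - 1` does not. I would put a comment above the macro so the bound is not later simplified back, for example `/* inclusive upper bound on purpose: (first) + (len) can wrap, (first) + (len) - 1 cannot for a non-empty range that ends inside the block space */`. The inclusive form also assumes `len` is non-zero: with `first == 0` and `len == 0` the bound becomes the maximum unsigned value and every block matches. Whether `cex->ec_len` or `ee_len` can be zero here is not visible, because both enclosing functions start and end outside the hunks, so that should be confirmed against the full source.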
Modified: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Aug 18 23:45:47 2010 (r16163)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Aug 18 23:56:02 2010 (r16164)
@@ -13,3 +13,4 @@
+ bugfix/all/proc-fix-vma-display-mismatch-between-proc-pid-maps-smaps.patch
+ bugfix/all/mm-fix-up-some-user-visible-effects-of-the-stack-guard-page.patch
+ bugfix/all/drm-stop-information-leak-of-old-kernel-stack.patch
++ bugfix/all/ext4-consolidate-in_range-definitions.patch