[kernel] r16220 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Aug 29 20:10:22 UTC 2010


Author: dannf
Date: Sun Aug 29 20:10:14 2010
New Revision: 16220

Log:
jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/25

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Sun Aug 29 20:09:59 2010	(r16219)
+++ dists/lenny/linux-2.6/debian/changelog	Sun Aug 29 20:10:14 2010	(r16220)
@@ -14,6 +14,7 @@
   * Add guard page for stacks that grow up, an additional fix for
     CVE-2010-2240
   * net sched: fix some kernel memory leaks (CVE-2010-2942)
+  * jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 02 Jul 2010 01:36:02 +0100
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch	Sun Aug 29 20:10:14 2010	(r16220)
@@ -0,0 +1,156 @@
+commit 8bd79a105500c6f1d5e2ae08cd4df0a282ccfe03
+Author: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+Date:   Mon Aug 9 15:57:38 2010 -0500
+
+    jfs: don't allow os2 xattr namespace overlap with others
+    
+    It's currently possible to bypass xattr namespace access rules by
+    prefixing valid xattr names with "os2.", since the os2 namespace stores
+    extended attributes in a legacy format with no prefix.
+    
+    This patch adds checking to deny access to any valid namespace prefix
+    following "os2.".
+    
+    Signed-off-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+    Reported-by: Sergey Vlasov <vsu at altlinux.ru>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index 9b7f2cd..f35a40b 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -85,46 +85,25 @@ struct ea_buffer {
+ #define EA_MALLOC	0x0008
+ 
+ 
++static int is_known_namespace(const char *name)
++{
++	if (strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) &&
++	    strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
++	    strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
++	    strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
++		return false;
++
++	return true;
++}
++
+ /*
+  * These three routines are used to recognize on-disk extended attributes
+  * that are in a recognized namespace.  If the attribute is not recognized,
+  * "os2." is prepended to the name
+  */
+-static inline int is_os2_xattr(struct jfs_ea *ea)
++static int is_os2_xattr(struct jfs_ea *ea)
+ {
+-	/*
+-	 * Check for "system."
+-	 */
+-	if ((ea->namelen >= XATTR_SYSTEM_PREFIX_LEN) &&
+-	    !strncmp(ea->name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+-		return false;
+-	/*
+-	 * Check for "user."
+-	 */
+-	if ((ea->namelen >= XATTR_USER_PREFIX_LEN) &&
+-	    !strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+-		return false;
+-	/*
+-	 * Check for "security."
+-	 */
+-	if ((ea->namelen >= XATTR_SECURITY_PREFIX_LEN) &&
+-	    !strncmp(ea->name, XATTR_SECURITY_PREFIX,
+-		     XATTR_SECURITY_PREFIX_LEN))
+-		return false;
+-	/*
+-	 * Check for "trusted."
+-	 */
+-	if ((ea->namelen >= XATTR_TRUSTED_PREFIX_LEN) &&
+-	    !strncmp(ea->name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
+-		return false;
+-	/*
+-	 * Add any other valid namespace prefixes here
+-	 */
+-
+-	/*
+-	 * We assume it's OS/2's flat namespace
+-	 */
+-	return true;
++	return !is_known_namespace(ea->name);
+ }
+ 
+ static inline int name_size(struct jfs_ea *ea)
+@@ -768,13 +747,23 @@ static int can_set_xattr(struct inode *inode, const char *name,
+ 	if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ 		return can_set_system_xattr(inode, name, value, value_len);
+ 
++	if (!strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)) {
++		/*
++		 * This makes sure that we aren't trying to set an
++		 * attribute in a different namespace by prefixing it
++		 * with "os2."
++		 */
++		if (is_known_namespace(name + XATTR_OS2_PREFIX_LEN))
++				return -EOPNOTSUPP;
++		return 0;
++	}
++
+ 	/*
+ 	 * Don't allow setting an attribute in an unknown namespace.
+ 	 */
+ 	if (strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) &&
+ 	    strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
+-	    strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
+-	    strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN))
++	    strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ 		return -EOPNOTSUPP;
+ 
+ 	return 0;
+@@ -956,19 +945,8 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
+ 	int xattr_size;
+ 	ssize_t size;
+ 	int namelen = strlen(name);
+-	char *os2name = NULL;
+ 	char *value;
+ 
+-	if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
+-		os2name = kmalloc(namelen - XATTR_OS2_PREFIX_LEN + 1,
+-				  GFP_KERNEL);
+-		if (!os2name)
+-			return -ENOMEM;
+-		strcpy(os2name, name + XATTR_OS2_PREFIX_LEN);
+-		name = os2name;
+-		namelen -= XATTR_OS2_PREFIX_LEN;
+-	}
+-
+ 	down_read(&JFS_IP(inode)->xattr_sem);
+ 
+ 	xattr_size = ea_get(inode, &ea_buf, 0);
+@@ -1006,8 +984,6 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
+       out:
+ 	up_read(&JFS_IP(inode)->xattr_sem);
+ 
+-	kfree(os2name);
+-
+ 	return size;
+ }
+ 
+@@ -1016,6 +992,19 @@ ssize_t jfs_getxattr(struct dentry *dentry, const char *name, void *data,
+ {
+ 	int err;
+ 
++	if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
++		/*
++		 * skip past "os2." prefix
++		 */
++		name += XATTR_OS2_PREFIX_LEN;
++		/*
++		 * Don't allow retrieving properly prefixed attributes
++		 * by prepending them with "os2."
++		 */
++		if (is_known_namespace(name))
++			return -EOPNOTSUPP;
++	}
++
+ 	err = __jfs_getxattr(dentry->d_inode, name, data, buf_size);
+ 
+ 	return err;
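Review bot: The rewritten `is_os2_xattr()` no longer bounds the prefix comparison by `ea->namelen`, so `is_known_namespace(ea->name)` classifies an on-disk entry correctly only if its name is NUL-terminated. On a corrupted or crafted image, a short name without a terminator would let `strncmp()` continue into the bytes that follow it and decide the namespace from them. If the EA parsing code (not visible in this patch) guarantees the terminator, state it on the helper, e.g. `/* name must be NUL-terminated: strncmp() is not bounded by ea->namelen */`; otherwise keep the `namelen >= XATTR_*_PREFIX_LEN` guards for the on-disk caller. Separately, `is_known_namespace()` is now the one list that both the set and get checks rely on, so the removed reminder `Add any other valid namespace prefixes here` is worth carrying over to it, so that a namespace later added to `can_set_xattr()` is also rejected behind "os2.". The bodies of `can_set_xattr()` and `jfs_getxattr()` begin outside the quoted hunks.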

Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25	Sun Aug 29 20:09:59 2010	(r16219)
+++ dists/lenny/linux-2.6/debian/patches/series/25	Sun Aug 29 20:10:14 2010	(r16220)
@@ -6,3 +6,4 @@
 + features/all/e1000e/e1000e-add-support-for-82567LM-3-and-82567LF-3-ICH10.patch
 + bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
 + bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
++ bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch


