[kernel] r16220 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Aug 29 20:10:22 UTC 2010
Author: dannf
Date: Sun Aug 29 20:10:14 2010
New Revision: 16220
Log:
jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/25
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Sun Aug 29 20:09:59 2010 (r16219)
+++ dists/lenny/linux-2.6/debian/changelog Sun Aug 29 20:10:14 2010 (r16220)
@@ -14,6 +14,7 @@
* Add guard page for stacks that grow up, an additional fix for
CVE-2010-2240
* net sched: fix some kernel memory leaks (CVE-2010-2942)
+ * jfs: don't allow os2 xattr namespace overlap with others (CVE-2010-2946)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Jul 2010 01:36:02 +0100
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch Sun Aug 29 20:10:14 2010 (r16220)
@@ -0,0 +1,156 @@
+commit 8bd79a105500c6f1d5e2ae08cd4df0a282ccfe03
+Author: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+Date: Mon Aug 9 15:57:38 2010 -0500
+
+ jfs: don't allow os2 xattr namespace overlap with others
+
+ It's currently possible to bypass xattr namespace access rules by
+ prefixing valid xattr names with "os2.", since the os2 namespace stores
+ extended attributes in a legacy format with no prefix.
+
+ This patch adds checking to deny access to any valid namespace prefix
+ following "os2.".
+
+ Signed-off-by: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
+ Reported-by: Sergey Vlasov <vsu at altlinux.ru>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
+index 9b7f2cd..f35a40b 100644
+--- a/fs/jfs/xattr.c
++++ b/fs/jfs/xattr.c
+@@ -85,46 +85,25 @@ struct ea_buffer {
+ #define EA_MALLOC 0x0008
+
+
++static int is_known_namespace(const char *name)
++{
++ if (strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN) &&
++ strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
++ strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
++ strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
++ return false;
++
++ return true;
++}
++
+ /*
+ * These three routines are used to recognize on-disk extended attributes
+ * that are in a recognized namespace. If the attribute is not recognized,
+ * "os2." is prepended to the name
+ */
+-static inline int is_os2_xattr(struct jfs_ea *ea)
++static int is_os2_xattr(struct jfs_ea *ea)
+ {
+- /*
+- * Check for "system."
+- */
+- if ((ea->namelen >= XATTR_SYSTEM_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+- return false;
+- /*
+- * Check for "user."
+- */
+- if ((ea->namelen >= XATTR_USER_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+- return false;
+- /*
+- * Check for "security."
+- */
+- if ((ea->namelen >= XATTR_SECURITY_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_SECURITY_PREFIX,
+- XATTR_SECURITY_PREFIX_LEN))
+- return false;
+- /*
+- * Check for "trusted."
+- */
+- if ((ea->namelen >= XATTR_TRUSTED_PREFIX_LEN) &&
+- !strncmp(ea->name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN))
+- return false;
+- /*
+- * Add any other valid namespace prefixes here
+- */
+-
+- /*
+- * We assume it's OS/2's flat namespace
+- */
+- return true;
++ return !is_known_namespace(ea->name);
+ }
+
+ static inline int name_size(struct jfs_ea *ea)
+@@ -768,13 +747,23 @@ static int can_set_xattr(struct inode *inode, const char *name,
+ if (!strncmp(name, XATTR_SYSTEM_PREFIX, XATTR_SYSTEM_PREFIX_LEN))
+ return can_set_system_xattr(inode, name, value, value_len);
+
++ if (!strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN)) {
++ /*
++ * This makes sure that we aren't trying to set an
++ * attribute in a different namespace by prefixing it
++ * with "os2."
++ */
++ if (is_known_namespace(name + XATTR_OS2_PREFIX_LEN))
++ return -EOPNOTSUPP;
++ return 0;
++ }
++
+ /*
+ * Don't allow setting an attribute in an unknown namespace.
+ */
+ if (strncmp(name, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) &&
+ strncmp(name, XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN) &&
+- strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN) &&
+- strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN))
++ strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN))
+ return -EOPNOTSUPP;
+
+ return 0;
+@@ -956,19 +945,8 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
+ int xattr_size;
+ ssize_t size;
+ int namelen = strlen(name);
+- char *os2name = NULL;
+ char *value;
+
+- if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
+- os2name = kmalloc(namelen - XATTR_OS2_PREFIX_LEN + 1,
+- GFP_KERNEL);
+- if (!os2name)
+- return -ENOMEM;
+- strcpy(os2name, name + XATTR_OS2_PREFIX_LEN);
+- name = os2name;
+- namelen -= XATTR_OS2_PREFIX_LEN;
+- }
+-
+ down_read(&JFS_IP(inode)->xattr_sem);
+
+ xattr_size = ea_get(inode, &ea_buf, 0);
+@@ -1006,8 +984,6 @@ ssize_t __jfs_getxattr(struct inode *inode, const char *name, void *data,
+ out:
+ up_read(&JFS_IP(inode)->xattr_sem);
+
+- kfree(os2name);
+-
+ return size;
+ }
+
+@@ -1016,6 +992,19 @@ ssize_t jfs_getxattr(struct dentry *dentry, const char *name, void *data,
+ {
+ int err;
+
++ if (strncmp(name, XATTR_OS2_PREFIX, XATTR_OS2_PREFIX_LEN) == 0) {
++ /*
++ * skip past "os2." prefix
++ */
++ name += XATTR_OS2_PREFIX_LEN;
++ /*
++ * Don't allow retrieving properly prefixed attributes
++ * by prepending them with "os2."
++ */
++ if (is_known_namespace(name))
++ return -EOPNOTSUPP;
++ }
++
+ err = __jfs_getxattr(dentry->d_inode, name, data, buf_size);
+
+ return err;
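Review bot: In the rewritten `is_os2_xattr()` (first fs/jfs/xattr.c hunk), the removed `ea->namelen >= XATTR_*_PREFIX_LEN` guards are not replaced, so `is_known_namespace(ea->name)` now runs `strncmp()` on an on-disk name that is bounded only by its NUL terminator. The two new callers in `can_set_xattr()` and `jfs_getxattr()` pass names that the surrounding code already treats as C strings (`strlen(name)`), but nothing visible in these hunks validates that an entry read from disk carries a terminator. On a damaged or crafted filesystem image the comparison could presumably read a few bytes past a short name. Either pass `ea->namelen` into a length-aware variant of the helper for the on-disk case, or record the assumption on the helper, e.g. `/* name must be NUL-terminated; "os2." is deliberately absent from this list */`. The existing "These three routines" comment now sits below the new helper and would need to move or be reworded to match.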
Modified: dists/lenny/linux-2.6/debian/patches/series/25
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/25 Sun Aug 29 20:09:59 2010 (r16219)
+++ dists/lenny/linux-2.6/debian/patches/series/25 Sun Aug 29 20:10:14 2010 (r16220)
@@ -6,3 +6,4 @@
+ features/all/e1000e/e1000e-add-support-for-82567LM-3-and-82567LF-3-ICH10.patch
+ bugfix/all/guard-page-for-stacks-that-grow-upwards.patch
+ bugfix/all/net-sched-fix-some-kernel-memory-leaks.patch
++ bugfix/all/jfs-dont-allow-os2-xattr-namespace-overlap-with-others.patch