[kernel] r15158 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 16 01:52:20 UTC 2010


Author: dannf
Date: Tue Feb 16 01:52:17 2010
New Revision: 15158

Log:
NFSv4: Fix a problem whereby a buggy server can oops the kernel
(CVE-2009-3726)

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/26etch2

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	Tue Feb 16 01:33:25 2010	(r15157)
+++ dists/etch-security/linux-2.6/debian/changelog	Tue Feb 16 01:52:17 2010	(r15158)
@@ -1,6 +1,8 @@
 linux-2.6 (2.6.18.dfsg.1-26etch2) UNRELEASED; urgency=low
 
   * [SCSI] gdth: Prevent negative offsets in ioctl (CVE-2009-3080)
+  * NFSv4: Fix a problem whereby a buggy server can oops the kernel
+    (CVE-2009-3726)
 
  -- dann frazier <dannf at debian.org>  Mon, 15 Feb 2010 18:32:14 -0700
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch	Tue Feb 16 01:52:17 2010	(r15158)
@@ -0,0 +1,61 @@
+commit 6d05a5e558374688ae02649af4e9e66113a982e8
+Author: dann frazier <dannf at hp.com>
+Date:   Mon Feb 15 18:44:49 2010 -0700
+
+    [Adjusted to apply to Debian's 2.6.18]
+    commit d953126a28f97ec965d23c69fd5795854c048f30
+    Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+    Date:   Tue Jul 21 19:22:38 2009 -0400
+    
+        NFSv4: Fix a problem whereby a buggy server can oops the kernel
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index c63c297..6b52ffd 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1015,12 +1015,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry
+ 				res = NULL;
+ 				goto out;
+ 			/* This turned out not to be a regular file */
+-			case -EISDIR:
+ 			case -ENOTDIR:
+ 				goto no_open;
+ 			case -ELOOP:
+ 				if (!(nd->intent.open.flags & O_NOFOLLOW))
+ 					goto no_open;
++			/* case -EISDIR: */
+ 			/* case -EINVAL: */
+ 			default:
+ 				goto out;
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index c18f10f..b29f33b 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3583,15 +3583,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+ 	if (request->fl_start < 0 || request->fl_end < 0)
+ 		return -EINVAL;
+ 
+-	if (IS_GETLK(cmd))
+-		return nfs4_proc_getlk(state, F_GETLK, request);
++	if (IS_GETLK(cmd)) {
++		if (state != NULL)
++			return nfs4_proc_getlk(state, F_GETLK, request);
++		return 0;
++	}
+ 
+ 	if (!(IS_SETLK(cmd) || IS_SETLKW(cmd)))
+ 		return -EINVAL;
+ 
+-	if (request->fl_type == F_UNLCK)
+-		return nfs4_proc_unlck(state, cmd, request);
++	if (request->fl_type == F_UNLCK) {
++		if (state != NULL)
++			return nfs4_proc_unlck(state, cmd, request);
++		return 0;
++	}
+ 
++	if (state == NULL)
++		return -ENOLCK;
+ 	do {
+ 		status = nfs4_proc_setlk(state, cmd, request);
+ 		if ((status != -EAGAIN) || IS_SETLK(cmd))
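Review bot: The new `state == NULL` branch for `IS_GETLK(cmd)` in nfs4_proc_lock returns 0 without touching `request`, so a caller that inspects `request->fl_type` after a successful F_GETLK may see the queried lock echoed back as if it were a conflicting one. The callers are not visible here, but if they read the result that way, the branch should be `request->fl_type = F_UNLCK; return 0;` so that the "no conflict" answer is explicit. The hunk also never shows why `state` can be NULL, and the three new checks are the only thing standing between a misbehaving server and a client-side NULL dereference. A short comment at the first check would help, such as `/* state can be NULL when the server's open reply left us without open state (CVE-2009-3726) */`, with the wording confirmed against the open path. The function begins and ends outside the hunk, so how `state` is obtained and how `status` is returned could not be checked.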

Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch2	Tue Feb 16 01:33:25 2010	(r15157)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch2	Tue Feb 16 01:52:17 2010	(r15158)
@@ -1 +1,2 @@
 + bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch
++ bugfix/all/nfsv4-buggy-server-oops.patch


