[kernel] r15918 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Jun 30 06:48:24 UTC 2010
Author: dannf
Date: Wed Jun 30 06:48:16 2010
New Revision: 15918
Log:
cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
Modified:
dists/lenny-security/linux-2.6/debian/changelog
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Wed Jun 30 06:27:18 2010 (r15917)
+++ dists/lenny-security/linux-2.6/debian/changelog Wed Jun 30 06:48:16 2010 (r15918)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-24lenny1) UNRELEASED; urgency=high
+
+ * cifs: Fix a kernel BUG with remote OS/2 server (CVE-2010-2248)
+
+ -- dann frazier <dannf at debian.org> Wed, 30 Jun 2010 00:32:02 -0600
+
linux-2.6 (2.6.26-24) stable; urgency=high
[ Ben Hutchings ]
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch Wed Jun 30 06:48:16 2010 (r15918)
@@ -0,0 +1,62 @@
+commit d6ade89ce3c3ee683d7dd4ab0ed080e66dda3a6f
+Author: Suresh Jayaraman <sjayaraman at suse.de>
+Date: Wed Mar 31 12:00:03 2010 +0530
+
+ cifs: Fix a kernel BUG with remote OS/2 server (try #3)
+
+ While chasing a bug report involving a OS/2 server, I noticed the server sets
+ pSMBr->CountHigh to a incorrect value even in case of normal writes. This
+ results in 'nbytes' being computed wrongly and triggers a kernel BUG at
+ mm/filemap.c.
+
+ void iov_iter_advance(struct iov_iter *i, size_t bytes)
+ {
+ BUG_ON(i->count < bytes); <--- BUG here
+
+ Why the server is setting 'CountHigh' is not clear but only does so after
+ writing 64k bytes. Though this looks like the server bug, the client side
+ crash may not be acceptable.
+
+ The workaround is to mask off high 16 bits if the number of bytes written as
+ returned by the server is greater than the bytes requested by the client as
+ suggested by Jeff Layton.
+
+ CC: Stable <stable at kernel.org>
+ Reviewed-by: Jeff Layton <jlayton at samba.org>
+ Signed-off-by: Suresh Jayaraman <sjayaraman at suse.de>
+ Signed-off-by: Steve French <sfrench at us.ibm.com>
+
+diff --git a/fs/cifs/cifssmb.c b/fs/cifs/cifssmb.c
+index aec7014..7a11be4 100644
+--- a/fs/cifs/cifssmb.c
++++ b/fs/cifs/cifssmb.c
+@@ -1620,6 +1620,14 @@ CIFSSMBWrite(const int xid, struct cifsTconInfo *tcon,
+ *nbytes = le16_to_cpu(pSMBr->CountHigh);
+ *nbytes = (*nbytes) << 16;
+ *nbytes += le16_to_cpu(pSMBr->Count);
++
++ /*
++ * Mask off high 16 bits when bytes written as returned by the
++ * server is greater than bytes requested by the client. Some
++ * OS/2 servers are known to set incorrect CountHigh values.
++ */
++ if (*nbytes > count)
++ *nbytes &= 0xFFFF;
+ }
+
+ cifs_buf_release(pSMB);
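Review bot: In the CIFSSMBWrite hunk, the new `if (*nbytes > count)` branch masks the value but never re-checks it, so `*nbytes` can still exceed `count` after `*nbytes &= 0xFFFF` whenever `count` is below 0xFFFF and the low `Count` field returned by the server is itself larger than the request. The commit message ties an oversized `nbytes` to the `BUG_ON(i->count < bytes)` in iov_iter_advance, and both `Count` and `CountHigh` are server-controlled, so the result should be bounded by `count` outright: after the mask, clamp to `count` or fail the write if the value is still larger, rather than assuming the error is only ever in `CountHigh`.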
+@@ -1705,6 +1713,14 @@ CIFSSMBWrite2(const int xid, struct cifsTconInfo *tcon,
+ *nbytes = le16_to_cpu(pSMBr->CountHigh);
+ *nbytes = (*nbytes) << 16;
+ *nbytes += le16_to_cpu(pSMBr->Count);
++
++ /*
++ * Mask off high 16 bits when bytes written as returned by the
++ * server is greater than bytes requested by the client. OS/2
++ * servers are known to set incorrect CountHigh values.
++ */
++ if (*nbytes > count)
++ *nbytes &= 0xFFFF;
+ }
+
+ /* cifs_small_buf_release(pSMB); */ /* Freed earlier now in SendReceive2 */
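Review bot: The CIFSSMBWrite2 hunk duplicates the check and comment from the CIFSSMBWrite hunk, and the comment wording has already diverged ("Some OS/2 servers" there, "OS/2 servers" here). A small static helper that takes `pSMBr->CountHigh`, `pSMBr->Count` and `count` and returns the sanitized byte count would keep the two write paths from drifting apart when this logic is next touched. A debug log message when the mask fires would also make a server that returns a bad `CountHigh` visible instead of silently corrected.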
Added: dists/lenny-security/linux-2.6/debian/patches/series/24lenny1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/24lenny1 Wed Jun 30 06:48:16 2010 (r15918)
@@ -0,0 +1 @@
++ bugfix/all/cifs-fix-a-kernel-bug-with-remote-os-2-server-try-3.patch