[kernel] r17188 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 00:15:52 UTC 2011


Author: dannf
Date: Mon Apr  4 00:15:43 2011
New Revision: 17188

Log:
xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
(CVE-2011-0711)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Apr  3 22:42:47 2011	(r17187)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 00:15:43 2011	(r17188)
@@ -1,6 +1,8 @@
 linux-2.6 (2.6.26-26lenny3) UNRELEASED; urgency=low
 
   * net: clear heap allocations for privileged ethtool actions (CVE-2010-4655)
+  * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+    (CVE-2011-0711)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 
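Review bot: the new changelog entry names only the FSGEOMETRY_V1 leak fix (CVE-2011-0711), but this revision also adds xfs-zero-proper-structure-size-for-geometry-calls.patch to the 26lenny3 series, and that second patch is the fix for the stack corruption the first one introduces on its own. Add a line for it so the changelog matches what ships, for example "  * xfs: zero proper structure size for geometry calls (fixes stack corruption introduced by the above)".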

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch	Mon Apr  4 00:15:43 2011	(r17188, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch)
@@ -0,0 +1,33 @@
+commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date:   Mon Feb 14 13:45:28 2011 +0000
+
+    xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+    
+    The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
+    xfs_fs_geometry() with a version number of 3.  This code path does not
+    fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
+    the leaking of four bytes of uninitialized stack data to potentially
+    unprivileged callers.
+    
+    v2 switches to memset() to avoid future issues if structure members
+    change, on suggestion of Dave Chinner.
+    
+    Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+    Reviewed-by: Eugene Teo <eugeneteo at kernel.org>
+    Signed-off-by: Alex Elder <aelder at sgi.com>
+
+diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
+index cec89dd..85668ef 100644
+--- a/fs/xfs/xfs_fsops.c
++++ b/fs/xfs/xfs_fsops.c
+@@ -53,6 +53,9 @@ xfs_fs_geometry(
+ 	xfs_fsop_geom_t		*geo,
+ 	int			new_version)
+ {
++
++	memset(geo, 0, sizeof(*geo));
++
+ 	geo->blocksize = mp->m_sb.sb_blocksize;
+ 	geo->rtextsize = mp->m_sb.sb_rextsize;
+ 	geo->agblocks = mp->m_sb.sb_agblocks;
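Review bot: the memset(geo, 0, sizeof(*geo)) in xfs_fs_geometry() is only safe if every caller really passes a full xfs_fsop_geom_t, and in this tree xfs_ioc_fsgeometry_v1() passes a cast xfs_fsop_geom_v1_t (see the "-" line `error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);` in the companion patch), so applying this patch alone writes past the caller's stack buffer. It must not be applied without xfs-zero-proper-structure-size-for-geometry-calls.patch; a one-line note in the patch header pointing at that dependency would help anyone cherry-picking later. Minor style point: the two added blank lines around the memset() call are unnecessary and leave an empty line directly after the opening brace.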

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch	Mon Apr  4 00:15:43 2011	(r17188, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch)
@@ -0,0 +1,64 @@
+commit af24ee9ea8d532e16883251a6684dfa1be8eec29
+Author: Alex Elder <aelder at sgi.com>
+Date:   Tue Mar 1 17:50:00 2011 +0000
+
+    xfs: zero proper structure size for geometry calls
+    
+    Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
+    xfs_fs_geometry() in order to avoid passing kernel stack data back
+    to user space:
+    
+    +       memset(geo, 0, sizeof(*geo));
+    
+    Unfortunately, one of the callers of that function passes the
+    address of a smaller data type, cast to fit the type that
+    xfs_fs_geometry() requires.  As a result, this can happen:
+    
+    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
+    in: f87aca93
+    
+    Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
+    Call Trace:
+    
+    [<c12991ac>] ? panic+0x50/0x150
+    [<c102ed71>] ? __stack_chk_fail+0x10/0x18
+    [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
+    
+    Fix this by fixing that one caller to pass the right type and then
+    copy out the subset it is interested in.
+    
+    Note: This patch is an alternative to one originally proposed by
+    Eric Sandeen.
+    
+    Reported-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+    Signed-off-by: Alex Elder <aelder at sgi.com>
+    Reviewed-by: Eric Sandeen <sandeen at redhat.com>
+    Tested-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+
+diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+index f5e2a19..0ca0e3c 100644
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -695,14 +695,19 @@ xfs_ioc_fsgeometry_v1(
+ 	xfs_mount_t		*mp,
+ 	void			__user *arg)
+ {
+-	xfs_fsop_geom_v1_t	fsgeo;
++	xfs_fsop_geom_t         fsgeo;
+ 	int			error;
+ 
+-	error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
++	error = xfs_fs_geometry(mp, &fsgeo, 3);
+ 	if (error)
+ 		return -error;
+ 
+-	if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
++	/*
++	 * Caller should have passed an argument of type
++	 * xfs_fsop_geom_v1_t.  This is a proper subset of the
++	 * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
++	 */
++	if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
+ 		return -XFS_ERROR(EFAULT);
+ 	return 0;
+ }
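Review bot: the copy_to_user() of sizeof(xfs_fsop_geom_v1_t) bytes from &fsgeo is correct only if xfs_fsop_geom_v1_t is a leading prefix of xfs_fsop_geom_t with identical layout, which is stronger than the "proper subset" wording in the added comment; a compile-time guard such as BUILD_BUG_ON(sizeof(xfs_fsop_geom_v1_t) > sizeof(xfs_fsop_geom_t)) next to the copy would make that assumption fail loudly if either structure changes. Also, the replacement declaration `xfs_fsop_geom_t         fsgeo;` uses spaces for alignment where the neighbouring declarations use tabs. Finally, the first patch's description mentions the compat equivalent of FSGEOMETRY_V1, but this patch touches only fs/xfs/linux-2.6/xfs_ioctl.c; please confirm that the compat path in the lenny tree does not also pass a cast smaller buffer to xfs_fs_geometry().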

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Sun Apr  3 22:42:47 2011	(r17187)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 00:15:43 2011	(r17188)
@@ -1 +1,3 @@
 + bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
++ bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
++ bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
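Review bot: the ordering here is the important part, and it is right: the memset() patch is listed before the structure-size fix, so the intermediate state in which xfs_fs_geometry() zeroes past a v1-sized caller buffer never exists in a built kernel. Since the two patches only work as a pair, consider keeping them adjacent in every series file they are added to, as done here.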
