[kernel] r17188 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Apr 4 00:15:52 UTC 2011
Author: dannf
Date: Mon Apr 4 00:15:43 2011
New Revision: 17188
Log:
xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
(CVE-2011-0711)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
- copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
- copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Apr 3 22:42:47 2011 (r17187)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 00:15:43 2011 (r17188)
@@ -1,6 +1,8 @@
linux-2.6 (2.6.26-26lenny3) UNRELEASED; urgency=low
* net: clear heap allocations for privileged ethtool actions (CVE-2010-4655)
+ * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+ (CVE-2011-0711)
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
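Review bot: the changelog entry records only the FSGEOMETRY_V1 memset fix, yet the series change in this same revision also adds bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch, which repairs the stack corruption that the memset causes through xfs_ioc_fsgeometry_v1(). Consider listing that follow-up under the same bullet (e.g. `- xfs: zero proper structure size for geometry calls`) so the released changelog shows that both upstream commits are applied together and neither is dropped in a later rebase.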
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch Mon Apr 4 00:15:43 2011 (r17188, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch)
@@ -0,0 +1,33 @@
+commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba
+Author: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon Feb 14 13:45:28 2011 +0000
+
+ xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+
+ The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
+ xfs_fs_geometry() with a version number of 3. This code path does not
+ fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
+ the leaking of four bytes of uninitialized stack data to potentially
+ unprivileged callers.
+
+ v2 switches to memset() to avoid future issues if structure members
+ change, on suggestion of Dave Chinner.
+
+ Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+ Reviewed-by: Eugene Teo <eugeneteo at kernel.org>
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+
+diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
+index cec89dd..85668ef 100644
+--- a/fs/xfs/xfs_fsops.c
++++ b/fs/xfs/xfs_fsops.c
+@@ -53,6 +53,9 @@ xfs_fs_geometry(
+ xfs_fsop_geom_t *geo,
+ int new_version)
+ {
++
++ memset(geo, 0, sizeof(*geo));
++
+ geo->blocksize = mp->m_sb.sb_blocksize;
+ geo->rtextsize = mp->m_sb.sb_rextsize;
+ geo->agblocks = mp->m_sb.sb_agblocks;
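Review bot: `memset(geo, 0, sizeof(*geo));` zeroes a full xfs_fsop_geom_t, but at this point xfs_ioc_fsgeometry_v1() still passes the address of a smaller xfs_fsop_geom_v1_t cast to `xfs_fsop_geom_t *`, so this hunk applied alone writes past the caller's stack buffer and trips the stack protector (the panic quoted in the companion patch header). It is only safe in combination with xfs-zero-proper-structure-size-for-geometry-calls.patch; the series file does add both, but the dependency should be stated in this patch's header or the changelog so the two are never cherry-picked apart. The two blank `+` lines surrounding the memset are also unnecessary.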
Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch Mon Apr 4 00:15:43 2011 (r17188, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch)
@@ -0,0 +1,64 @@
+commit af24ee9ea8d532e16883251a6684dfa1be8eec29
+Author: Alex Elder <aelder at sgi.com>
+Date: Tue Mar 1 17:50:00 2011 +0000
+
+ xfs: zero proper structure size for geometry calls
+
+ Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
+ xfs_fs_geometry() in order to avoid passing kernel stack data back
+ to user space:
+
+ + memset(geo, 0, sizeof(*geo));
+
+ Unfortunately, one of the callers of that function passes the
+ address of a smaller data type, cast to fit the type that
+ xfs_fs_geometry() requires. As a result, this can happen:
+
+ Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
+ in: f87aca93
+
+ Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
+ Call Trace:
+
+ [<c12991ac>] ? panic+0x50/0x150
+ [<c102ed71>] ? __stack_chk_fail+0x10/0x18
+ [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
+
+ Fix this by fixing that one caller to pass the right type and then
+ copy out the subset it is interested in.
+
+ Note: This patch is an alternative to one originally proposed by
+ Eric Sandeen.
+
+ Reported-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+ Reviewed-by: Eric Sandeen <sandeen at redhat.com>
+ Tested-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+
+diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+index f5e2a19..0ca0e3c 100644
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -695,14 +695,19 @@ xfs_ioc_fsgeometry_v1(
+ xfs_mount_t *mp,
+ void __user *arg)
+ {
+- xfs_fsop_geom_v1_t fsgeo;
++ xfs_fsop_geom_t fsgeo;
+ int error;
+
+- error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
++ error = xfs_fs_geometry(mp, &fsgeo, 3);
+ if (error)
+ return -error;
+
+- if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
++ /*
++ * Caller should have passed an argument of type
++ * xfs_fsop_geom_v1_t. This is a proper subset of the
++ * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
++ */
++ if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
+ return -XFS_ERROR(EFAULT);
+ return 0;
+ }
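Review bot: the fix is sound only because xfs_fsop_geom_v1_t is a layout prefix of xfs_fsop_geom_t, which the added comment asserts but nothing enforces; a `BUILD_BUG_ON(sizeof(xfs_fsop_geom_v1_t) > sizeof(xfs_fsop_geom_t));` next to the declaration would turn a future change to either struct into a compile error instead of a copy_to_user() of the wrong size. Also, the FSGEOMETRY_V1 patch header says the leak affected the ioctl "and its compat equivalent", but this hunk touches only xfs_ioc_fsgeometry_v1(); please confirm the compat handler does not pass a smaller buffer to xfs_fs_geometry() in the same way, since the memset now fills sizeof(xfs_fsop_geom_t) bytes regardless of caller.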
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Sun Apr 3 22:42:47 2011 (r17187)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 00:15:43 2011 (r17188)
@@ -1 +1,3 @@
+ bugfix/all/net-clear-heap-allocations-for-privileged-ethtool-actions.patch
++ bugfix/all/xfs-prevent-leaking-uninitialized-stack-memory-in-FSGEOMETRY_V1.patch
++ bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch