[kernel] r17195 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Apr 4 02:03:07 UTC 2011
Author: dannf
Date: Mon Apr 4 02:03:03 2011
New Revision: 17195
Log:
nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
(CVE-2011-1090)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
- copied, changed from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
- copied, changed from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 01:28:43 2011 (r17194)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Apr 4 02:03:03 2011 (r17195)
@@ -9,6 +9,8 @@
* Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
* Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
* bridge: netfilter: fix information leak (CVE-2011-1080)
+ * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
+ (CVE-2011-1090)
-- dann frazier <dannf at debian.org> Wed, 30 Mar 2011 22:46:26 -0600
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch)
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch Sun Apr 3 22:42:47 2011 (r17187, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch Mon Apr 4 02:03:03 2011 (r17195)
@@ -9,12 +9,13 @@
Signed-off-by: Jovi Zhang <bookjovi at gmail.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+ [dannf: backported to Debian's 2.6.26]
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index d1ed671..b07d4e2 100644
+index b295e70..096a8b6 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
-@@ -3262,7 +3262,7 @@ static int buf_to_pages_noslab(const void *buf, size_t buflen,
+@@ -2572,7 +2572,7 @@ static int buf_to_pages_noslab(const void *buf, size_t buflen,
spages = pages;
do {
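Review bot: The rebased line "+index b295e70..096a8b6" starts from b295e70, which is the post-image of the main fix ("+index be4fe7b..b295e70" in the other patch), so this warning fix only applies on top of that patch. Record the dependency in the header next to the "[dannf: backported to Debian's 2.6.26]" tag, so the patch is not reordered or picked up on its own.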
Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch)
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch Sun Apr 3 22:42:47 2011 (r17187, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch Mon Apr 4 02:03:03 2011 (r17195)
@@ -74,12 +74,13 @@
CC: security at kernel.org
CC: Jeff Layton <jlayton at redhat.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
- [dannf: backported to Debian's 2.6.32]
+ [dannf: backported to Debian's 2.6.26]
-diff -urpN linux-source-2.6.32.orig/fs/nfs/nfs4proc.c linux-source-2.6.32/fs/nfs/nfs4proc.c
---- linux-source-2.6.32.orig/fs/nfs/nfs4proc.c 2011-03-06 19:33:19.000000000 -0700
-+++ linux-source-2.6.32/fs/nfs/nfs4proc.c 2011-03-27 16:27:32.864330334 -0600
-@@ -3133,6 +3133,35 @@ static void buf_to_pages(const void *buf
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index be4fe7b..b295e70 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2563,6 +2563,35 @@ static void buf_to_pages(const void *buf, size_t buflen,
}
}
@@ -115,9 +116,9 @@
struct nfs4_cached_acl {
int cached;
size_t len;
-@@ -3299,13 +3328,23 @@ static int __nfs4_proc_set_acl(struct in
+@@ -2728,13 +2757,23 @@ static int __nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t bufl
.rpc_argp = &arg,
- .rpc_resp = &res,
+ .rpc_resp = NULL,
};
- int ret;
+ int ret, i;
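Review bot: The context line in the __nfs4_proc_set_acl hunk changes from ".rpc_resp = &res," to ".rpc_resp = NULL,", so the 2.6.26 function has no result structure here while the squeeze one does. Since this is context and not an added line, it reflects the older tree and not the fix, but a reader comparing the two patches will take it for a behavioural change. Say in the patch header that the difference is pre-existing.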
@@ -129,7 +130,7 @@
+ return i;
nfs_inode_return_delegation(inode);
- buf_to_pages(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
- ret = nfs4_call_sync(server, &msg, &arg, &res, 1);
+ ret = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
+
+ /*
+ * Free each page after tx, so the only ref left is
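Review bot: The sync call is where this backport departs in substance from the squeeze patch: the context line "ret = nfs4_call_sync(server, &msg, &arg, &res, 1);" becomes "ret = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);", and the only record of that is the one-line "[dannf: backported to Debian's 2.6.26]" tag. Please list the adapted call in the header. Also confirm against the 2.6.26 source that the block under "Free each page after tx" runs on every path after the call, and that the early "return i;" above it leaves no pages allocated.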
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 01:28:43 2011 (r17194)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Apr 4 02:03:03 2011 (r17195)
@@ -7,3 +7,5 @@
+ bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
+ bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
+ bugfix/all/bridge-netfilter-fix-information-leak.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch