[kernel] r17195 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 02:03:07 UTC 2011


Author: dannf
Date: Mon Apr  4 02:03:03 2011
New Revision: 17195

Log:
nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
(CVE-2011-1090)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
      - copied, changed from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
      - copied, changed from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 01:28:43 2011	(r17194)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 02:03:03 2011	(r17195)
@@ -9,6 +9,8 @@
   * Bluetooth: sco: fix information leak to userspace (CVE-2011-1078)
   * Bluetooth: bnep: fix buffer overflow (CVE-2011-1079)
   * bridge: netfilter: fix information leak (CVE-2011-1080)
+  * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
+    (CVE-2011-1090)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 

Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch)
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch	Sun Apr  3 22:42:47 2011	(r17187, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch	Mon Apr  4 02:03:03 2011	(r17195)
@@ -9,12 +9,13 @@
     
     Signed-off-by: Jovi Zhang <bookjovi at gmail.com>
     Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+    [dannf: backported to Debian's 2.6.26]
 
 diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
-index d1ed671..b07d4e2 100644
+index b295e70..096a8b6 100644
 --- a/fs/nfs/nfs4proc.c
 +++ b/fs/nfs/nfs4proc.c
-@@ -3262,7 +3262,7 @@ static int buf_to_pages_noslab(const void *buf, size_t buflen,
+@@ -2572,7 +2572,7 @@ static int buf_to_pages_noslab(const void *buf, size_t buflen,
  	spages = pages;
  
  	do {

Copied and modified: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch)
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch	Sun Apr  3 22:42:47 2011	(r17187, copy source)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch	Mon Apr  4 02:03:03 2011	(r17195)
@@ -74,12 +74,13 @@
     CC: security at kernel.org
     CC: Jeff Layton <jlayton at redhat.com>
     Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
-    [dannf: backported to Debian's 2.6.32]
+    [dannf: backported to Debian's 2.6.26]
 
-diff -urpN linux-source-2.6.32.orig/fs/nfs/nfs4proc.c linux-source-2.6.32/fs/nfs/nfs4proc.c
---- linux-source-2.6.32.orig/fs/nfs/nfs4proc.c	2011-03-06 19:33:19.000000000 -0700
-+++ linux-source-2.6.32/fs/nfs/nfs4proc.c	2011-03-27 16:27:32.864330334 -0600
-@@ -3133,6 +3133,35 @@ static void buf_to_pages(const void *buf
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index be4fe7b..b295e70 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -2563,6 +2563,35 @@ static void buf_to_pages(const void *buf, size_t buflen,
  	}
  }
  
@@ -115,9 +116,9 @@
  struct nfs4_cached_acl {
  	int cached;
  	size_t len;
-@@ -3299,13 +3328,23 @@ static int __nfs4_proc_set_acl(struct in
+@@ -2728,13 +2757,23 @@ static int __nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t bufl
  		.rpc_argp	= &arg,
- 		.rpc_resp	= &res,
+ 		.rpc_resp	= NULL,
  	};
 -	int ret;
 +	int ret, i;
@@ -129,7 +130,7 @@
 +		return i;
  	nfs_inode_return_delegation(inode);
 -	buf_to_pages(buf, buflen, arg.acl_pages, &arg.acl_pgbase);
- 	ret = nfs4_call_sync(server, &msg, &arg, &res, 1);
+ 	ret = rpc_call_sync(NFS_CLIENT(inode), &msg, 0);
 +
 +	/*
 +	 * Free each page after tx, so the only ref left is
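Review bot: Nothing in the visible part of `__nfs4_proc_set_acl` bounds `buflen` against the size of the page array before `buf_to_pages_noslab` allocates and fills it; the only check on its result is the `i < 0` early return just above `nfs_inode_return_delegation(inode)`. The function starts and ends outside these hunks, so the bound may already exist in the 2.6.26 tree or be implied by the VFS xattr size limit. If it is only implied, an explicit guard before the call is cheap, along the lines of `if (buflen > NFS4ACL_MAXPAGES * PAGE_SIZE) return -ERANGE;`. The hunk also ends inside the "Free each page after tx" comment, so the release code is not visible here; with the context now `rpc_call_sync(NFS_CLIENT(inode), &msg, 0)`, it is worth confirming on the lenny tree that the release runs when `ret` is an error as well, otherwise every page taken for the request leaks.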

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 01:28:43 2011	(r17194)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 02:03:03 2011	(r17195)
@@ -7,3 +7,5 @@
 + bugfix/all/bluetooth-sco-fix-information-leak-to-userspace.patch
 + bugfix/all/bluetooth-bnep-fix-buffer-overflow.patch
 + bugfix/all/bridge-netfilter-fix-information-leak.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
++ bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch


