[kernel] r16923 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Mon Feb 21 04:28:09 UTC 2011
Author: benh
Date: Mon Feb 21 04:27:59 2011
New Revision: 16923
Log:
btrfs: Prevent heap corruption in btrfs_ioctl_space_info() (CVE-2011-0699)
Added:
dists/sid/linux-2.6/debian/patches/bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch
Modified:
dists/sid/linux-2.6/debian/changelog
dists/sid/linux-2.6/debian/patches/series/2
Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog Mon Feb 21 04:22:14 2011 (r16922)
+++ dists/sid/linux-2.6/debian/changelog Mon Feb 21 04:27:59 2011 (r16923)
@@ -31,6 +31,8 @@
mm_cpumask after switching mm
* Kbuild: Include localversion file in linux-headers-*; fixes output
of 'make kernelrelease'
+ * btrfs: Prevent heap corruption in btrfs_ioctl_space_info()
+ (CVE-2011-0699)
-- Ben Hutchings <ben at decadent.org.uk> Fri, 18 Feb 2011 05:46:35 +0000
Added: dists/sid/linux-2.6/debian/patches/bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch Mon Feb 21 04:27:59 2011 (r16923)
@@ -0,0 +1,79 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon, 14 Feb 2011 16:04:23 -0500
+Subject: [PATCH] btrfs: prevent heap corruption in btrfs_ioctl_space_info()
+
+commit 51788b1bdd0d68345bab0af4301e7fa429277228 upstream.
+
+Commit bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
+btrfs_ioctl_space_info() and introduced several security issues.
+
+space_args.space_slots is an unsigned 64-bit type controlled by a
+possibly unprivileged caller. The comparison as a signed int type
+allows providing values that are treated as negative and cause the
+subsequent allocation size calculation to wrap, or be truncated to 0.
+By providing a size that's truncated to 0, kmalloc() will return
+ZERO_SIZE_PTR. It's also possible to provide a value smaller than the
+slot count. The subsequent loop ignores the allocation size when
+copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
+
+The fix changes the slot count type and comparison typecast to u64,
+which prevents truncation or signedness errors, and also ensures that we
+don't copy more data than we've allocated in the subsequent loop. Note
+that zero-size allocations are no longer possible since there is already
+an explicit check for space_args.space_slots being 0 and truncation of
+this value is no longer an issue.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Josef Bacik <josef at redhat.com>
+Reviewed-by: Josef Bacik <josef at redhat.com>
+Signed-off-by: Chris Mason <chris.mason at oracle.com>
+---
+ fs/btrfs/ioctl.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 02d224e..be2d4f6 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2208,7 +2208,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ int num_types = 4;
+ int alloc_size;
+ int ret = 0;
+- int slot_count = 0;
++ u64 slot_count = 0;
+ int i, c;
+
+ if (copy_from_user(&space_args,
+@@ -2247,7 +2247,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ goto out;
+ }
+
+- slot_count = min_t(int, space_args.space_slots, slot_count);
++ slot_count = min_t(u64, space_args.space_slots, slot_count);
+
+ alloc_size = sizeof(*dest) * slot_count;
+
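Review bot: the min_t() now compares u64 against u64, but the very next statement, `alloc_size = sizeof(*dest) * slot_count;`, still narrows a size_t product into the `int alloc_size` declared in the first hunk. That is only safe because the result of min_t(u64, ...) can never exceed whatever slot_count held before this line, and that pre-existing bound is not visible in the patch. Consider making alloc_size a size_t (or adding a comment stating the bound) so the safety does not hinge on code outside the hunk.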
+@@ -2267,6 +2267,9 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ for (i = 0; i < num_types; i++) {
+ struct btrfs_space_info *tmp;
+
++ if (!slot_count)
++ break;
++
+ info = NULL;
+ rcu_read_lock();
+ list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
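Review bot: the `if (!slot_count) break;` at the top of the outer loop is load-bearing rather than defensive: the check the next hunk adds sits after the `memcpy(dest, &space, sizeof(space)); dest++;` block, so without this entry guard the first matching group of the following type would still be copied into a buffer that is already full. A short comment to that effect would stop a later cleanup from removing it as redundant with the inner break.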
+@@ -2288,7 +2291,10 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ memcpy(dest, &space, sizeof(space));
+ dest++;
+ space_args.total_spaces++;
++ slot_count--;
+ }
++ if (!slot_count)
++ break;
+ }
+ up_read(&info->groups_sem);
+ }
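Review bot: the inner `if (!slot_count) break;` is placed after the block containing the memcpy, so it is evaluated on every group iteration and exits past `up_read(&info->groups_sem);`, which keeps the rwsem balanced; good. One thing to confirm that the hunk does not show: the copy is now bounded by counting slots rather than by alloc_size, and each iteration copies sizeof(space) while the buffer was sized as sizeof(*dest) per slot, so `space` and `*dest` must be the same type for the count-based bound to equal the allocation.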
+--
+1.7.4.1
+
Modified: dists/sid/linux-2.6/debian/patches/series/2
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/2 Mon Feb 21 04:22:14 2011 (r16922)
+++ dists/sid/linux-2.6/debian/patches/series/2 Mon Feb 21 04:27:59 2011 (r16923)
@@ -2,3 +2,4 @@
- debian/sysrq-mask.patch
+ bugfix/all/stable/2.6.37.1.patch
+ debian/sysrq-mask-2.patch
++ bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch
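The signed-compare and truncation path that the commit message describes, as an added C model that is not kernel code and not part of this commit: `min_t()` is reduced to a cast-and-compare macro with the same cast semantics as the kernel's, the 24-byte three-u64 entry struct is assumed to mirror the ioctl's per-slot record, the `vulnerable()`/`fixed()` helper names are invented, and `found_slots` stands in for the slot count the kernel computes before the `min_t()` (not shown in the hunks). It reproduces the three inputs the message names: a value truncated to 0 (a zero-size allocation), a value read as negative (a wrapped size), and a value smaller than the real slot count (a copy longer than the buffer), and shows that the u64 compare plus the entry guard and decrement-and-break bound the copy to the allocation in each case.

```c
/*
 * Added example (not kernel code): a userspace model of the size arithmetic
 * in btrfs_ioctl_space_info() before and after the patch above.  The entry
 * struct, the helper names and found_slots are assumptions; the kernel's
 * real min_t() uses typeof/statement expressions but casts the same way.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Assumed to mirror the ioctl's per-slot record: three u64s, 24 bytes. */
struct space_entry {
	u64 flags;
	u64 total_bytes;
	u64 used_bytes;
};

/* Cut-down min_t(): both operands are cast to `type` before comparing.
 * With type == int, a u64 from userspace is truncated or turns negative. */
#define min_t(type, x, y) (((type)(x) < (type)(y)) ? (type)(x) : (type)(y))

struct sizing {
	long long chosen;  /* slot_count after min_t(), as the kernel sees it */
	int alloc_size;    /* what the code would hand to kmalloc() (an int) */
	size_t copied;     /* bytes the copy loop actually writes into dest */
};

/*
 * Pre-fix arithmetic: int slot_count, min_t(int, ...), and a copy loop that
 * writes one entry per slot found without consulting slot_count.
 * space_slots is caller-controlled; found_slots is the kernel's own count.
 */
struct sizing vulnerable(u64 space_slots, int found_slots)
{
	struct sizing r;
	int slot_count = min_t(int, space_slots, found_slots);

	r.chosen = slot_count;
	/* size_t * int: a negative slot_count wraps, then is narrowed to int. */
	r.alloc_size = (int)(sizeof(struct space_entry) * slot_count);
	r.copied = sizeof(struct space_entry) * (size_t)found_slots;
	return r;
}

/*
 * Post-fix arithmetic: u64 slot_count, min_t(u64, ...), an entry guard at
 * the top of the outer loop, and slot_count-- followed by a break check
 * after each copy.
 */
struct sizing fixed(u64 space_slots, u64 found_slots)
{
	struct sizing r;
	u64 slot_count = min_t(u64, space_slots, found_slots);
	u64 written = 0;
	u64 i;

	r.chosen = (long long)slot_count;
	r.alloc_size = (int)(sizeof(struct space_entry) * slot_count);
	for (i = 0; i < found_slots; i++) {
		if (!slot_count)      /* entry guard (third hunk) */
			break;
		written++;            /* memcpy(dest, &space, ...); dest++; */
		slot_count--;         /* fourth hunk */
		if (!slot_count)
			break;
	}
	r.copied = sizeof(struct space_entry) * (size_t)written;
	return r;
}

static void show(const char *label, u64 space_slots, int found)
{
	struct sizing v = vulnerable(space_slots, found);
	struct sizing f = fixed(space_slots, (u64)found);

	printf("%-24s space_slots=%#llx found=%d\n", label,
	       (unsigned long long)space_slots, found);
	printf("  before: chosen=%lld alloc=%d copied=%zu%s\n", v.chosen,
	       v.alloc_size, v.copied,
	       v.alloc_size == 0 ? "  (kmalloc(0) -> ZERO_SIZE_PTR)" :
	       v.alloc_size < 0  ? "  (wrapped size)" :
	       v.copied > (size_t)v.alloc_size ? "  (heap overflow)" : "");
	printf("  after:  chosen=%lld alloc=%d copied=%zu\n", f.chosen,
	       f.alloc_size, f.copied);
}

int main(void)
{
	/* Constructed inputs; the kernel found 5 space_info slots in each. */
	show("truncated to zero", 0x100000000ULL, 5);
	show("read as negative", 0xFFFFFFFFULL, 5);
	show("smaller than slot count", 2, 5);
	return 0;
}
```

The third case is the one that survives even an unsigned compare if the loop does not count: the allocation is honestly sized for two entries, and only the per-slot decrement and break keep the copy from running on for all five.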