[kernel] r16923 - in dists/sid/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Mon Feb 21 04:28:09 UTC 2011


Author: benh
Date: Mon Feb 21 04:27:59 2011
New Revision: 16923

Log:
btrfs: Prevent heap corruption in btrfs_ioctl_space_info() (CVE-2011-0699)

Added:
   dists/sid/linux-2.6/debian/patches/bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch
Modified:
   dists/sid/linux-2.6/debian/changelog
   dists/sid/linux-2.6/debian/patches/series/2

Modified: dists/sid/linux-2.6/debian/changelog
==============================================================================
--- dists/sid/linux-2.6/debian/changelog	Mon Feb 21 04:22:14 2011	(r16922)
+++ dists/sid/linux-2.6/debian/changelog	Mon Feb 21 04:27:59 2011	(r16923)
@@ -31,6 +31,8 @@
       mm_cpumask after switching mm
   * Kbuild: Include localversion file in linux-headers-*; fixes output
     of 'make kernelrelease'
+  * btrfs: Prevent heap corruption in btrfs_ioctl_space_info()
+    (CVE-2011-0699)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 18 Feb 2011 05:46:35 +0000
 

Added: dists/sid/linux-2.6/debian/patches/bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux-2.6/debian/patches/bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch	Mon Feb 21 04:27:59 2011	(r16923)
@@ -0,0 +1,79 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Mon, 14 Feb 2011 16:04:23 -0500
+Subject: [PATCH] btrfs: prevent heap corruption in btrfs_ioctl_space_info()
+
+commit 51788b1bdd0d68345bab0af4301e7fa429277228 upstream.
+
+Commit bf5fc093c5b625e4259203f1cee7ca73488a5620 refactored
+btrfs_ioctl_space_info() and introduced several security issues.
+
+space_args.space_slots is an unsigned 64-bit type controlled by a
+possibly unprivileged caller.  The comparison as a signed int type
+allows providing values that are treated as negative and cause the
+subsequent allocation size calculation to wrap, or be truncated to 0.
+By providing a size that's truncated to 0, kmalloc() will return
+ZERO_SIZE_PTR.  It's also possible to provide a value smaller than the
+slot count.  The subsequent loop ignores the allocation size when
+copying data in, resulting in a heap overflow or write to ZERO_SIZE_PTR.
+
+The fix changes the slot count type and comparison typecast to u64,
+which prevents truncation or signedness errors, and also ensures that we
+don't copy more data than we've allocated in the subsequent loop.  Note
+that zero-size allocations are no longer possible since there is already
+an explicit check for space_args.space_slots being 0 and truncation of
+this value is no longer an issue.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Signed-off-by: Josef Bacik <josef at redhat.com>
+Reviewed-by: Josef Bacik <josef at redhat.com>
+Signed-off-by: Chris Mason <chris.mason at oracle.com>
+---
+ fs/btrfs/ioctl.c |   10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
+index 02d224e..be2d4f6 100644
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -2208,7 +2208,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ 	int num_types = 4;
+ 	int alloc_size;
+ 	int ret = 0;
+-	int slot_count = 0;
++	u64 slot_count = 0;
+ 	int i, c;
+ 
+ 	if (copy_from_user(&space_args,
+@@ -2247,7 +2247,7 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ 		goto out;
+ 	}
+ 
+-	slot_count = min_t(int, space_args.space_slots, slot_count);
++	slot_count = min_t(u64, space_args.space_slots, slot_count);
+ 
+ 	alloc_size = sizeof(*dest) * slot_count;
+ 
+@@ -2267,6 +2267,9 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ 	for (i = 0; i < num_types; i++) {
+ 		struct btrfs_space_info *tmp;
+ 
++		if (!slot_count)
++			break;
++
+ 		info = NULL;
+ 		rcu_read_lock();
+ 		list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
+@@ -2288,7 +2291,10 @@ long btrfs_ioctl_space_info(struct btrfs_root *root, void __user *arg)
+ 				memcpy(dest, &space, sizeof(space));
+ 				dest++;
+ 				space_args.total_spaces++;
++				slot_count--;
+ 			}
++			if (!slot_count)
++				break;
+ 		}
+ 		up_read(&info->groups_sem);
+ 	}
+-- 
+1.7.4.1
+
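Review bot: `alloc_size` in the first hunk (`int alloc_size;`) keeps its signed 32-bit type while `slot_count` is widened to `u64`, so `alloc_size = sizeof(*dest) * slot_count;` in the second hunk still narrows a 64-bit product into an `int` before it reaches the kmalloc() the commit message refers to. This looks harmless in practice, since `slot_count` is now `min_t(u64, ...)` of the user value and a kernel-computed count that is presumably bounded by the number of space-info/raid combinations, but that bound is established outside the quoted hunks and the fix's safety argument rests on the type change alone. Declaring `size_t alloc_size;` would give the allocation size the same width as the count and avoid silently reintroducing a truncated size if the slot count ever grows; the later uses of `alloc_size` are not visible here, so confirm they tolerate the wider type. btrfs_ioctl_space_info() begins and ends outside these hunks, so the original computation of `slot_count` and the allocation itself cannot be checked from this page.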

Modified: dists/sid/linux-2.6/debian/patches/series/2
==============================================================================
--- dists/sid/linux-2.6/debian/patches/series/2	Mon Feb 21 04:22:14 2011	(r16922)
+++ dists/sid/linux-2.6/debian/patches/series/2	Mon Feb 21 04:27:59 2011	(r16923)
@@ -2,3 +2,4 @@
 - debian/sysrq-mask.patch
 + bugfix/all/stable/2.6.37.1.patch
 + debian/sysrq-mask-2.patch
++ bugfix/all/btrfs-prevent-heap-corruption-in-btrfs_ioctl_space_i.patch


