[kernel] r17168 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Thu Mar 31 22:47:33 UTC 2011


Author: dannf
Date: Thu Mar 31 22:47:31 2011
New Revision: 17168

Log:
xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
This fixes a panic caused by a regression introduced by the fix
for CVE-2011-0711.

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/33

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Thu Mar 31 02:39:44 2011	(r17167)
+++ dists/squeeze/linux-2.6/debian/changelog	Thu Mar 31 22:47:31 2011	(r17168)
@@ -12,6 +12,11 @@
   * via-ircc: Fix device list management and DMA buffer allocation
     (Closes: #619450)
 
+  [ dann frazier ]
+  * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+    This fixes a panic caused by a regression introduced by the fix
+    for CVE-2011-0711.
+
  -- maximilian attems <maks at debian.org>  Tue, 29 Mar 2011 18:56:55 +0200
 
 linux-2.6 (2.6.32-32) stable; urgency=high
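Review bot: the new changelog entry is headed with the subject of the CVE-2011-0711 fix ("xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1"), i.e. the commit that introduced the regression, whereas the patch this revision actually adds is titled "xfs: zero proper structure size for geometry calls" (upstream commit af24ee9ea8d532e16883251a6684dfa1be8eec29). Lead with the patch's own subject and cite the upstream commit id so the entry can be matched to the file added under bugfix/all, and keep the CVE reference in the explanatory line, e.g. "* xfs: zero proper structure size for geometry calls (af24ee9); fixes a panic caused by a regression in the fix for CVE-2011-0711".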

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch	Thu Mar 31 22:47:31 2011	(r17168)
@@ -0,0 +1,64 @@
+commit af24ee9ea8d532e16883251a6684dfa1be8eec29
+Author: Alex Elder <aelder at sgi.com>
+Date:   Tue Mar 1 17:50:00 2011 +0000
+
+    xfs: zero proper structure size for geometry calls
+    
+    Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
+    xfs_fs_geometry() in order to avoid passing kernel stack data back
+    to user space:
+    
+    +       memset(geo, 0, sizeof(*geo));
+    
+    Unfortunately, one of the callers of that function passes the
+    address of a smaller data type, cast to fit the type that
+    xfs_fs_geometry() requires.  As a result, this can happen:
+    
+    Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
+    in: f87aca93
+    
+    Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
+    Call Trace:
+    
+    [<c12991ac>] ? panic+0x50/0x150
+    [<c102ed71>] ? __stack_chk_fail+0x10/0x18
+    [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
+    
+    Fix this by fixing that one caller to pass the right type and then
+    copy out the subset it is interested in.
+    
+    Note: This patch is an alternative to one originally proposed by
+    Eric Sandeen.
+    
+    Reported-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+    Signed-off-by: Alex Elder <aelder at sgi.com>
+    Reviewed-by: Eric Sandeen <sandeen at redhat.com>
+    Tested-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+
+diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+index f5e2a19..0ca0e3c 100644
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -695,14 +695,19 @@ xfs_ioc_fsgeometry_v1(
+ 	xfs_mount_t		*mp,
+ 	void			__user *arg)
+ {
+-	xfs_fsop_geom_v1_t	fsgeo;
++	xfs_fsop_geom_t         fsgeo;
+ 	int			error;
+ 
+-	error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
++	error = xfs_fs_geometry(mp, &fsgeo, 3);
+ 	if (error)
+ 		return -error;
+ 
+-	if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
++	/*
++	 * Caller should have passed an argument of type
++	 * xfs_fsop_geom_v1_t.  This is a proper subset of the
++	 * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
++	 */
++	if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
+ 		return -XFS_ERROR(EFAULT);
+ 	return 0;
+ }
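Review bot: the comment added above copy_to_user() justifies copying sizeof(xfs_fsop_geom_v1_t) bytes out of an xfs_fsop_geom_t by calling v1 a "proper subset" of the full structure, but the copy is only correct if v1 is a layout prefix (same leading fields at the same offsets), not merely a subset of fields; say "prefix" in the comment and consider pinning the assumption with a BUILD_BUG_ON(sizeof(xfs_fsop_geom_v1_t) > sizeof(xfs_fsop_geom_t)) so a later change to either structure fails to build instead of reintroducing an overrun or a truncated copy. With fsgeo now declared as the full type, the memset in xfs_fs_geometry() covers the whole stack object, so the CVE-2011-0711 zeroing is preserved while the overrun behind the stack-protector panic goes away. Minor style point: the new declaration `xfs_fsop_geom_t         fsgeo;` aligns with spaces while the neighbouring `int			error;` and the rest of the function use tabs.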

Modified: dists/squeeze/linux-2.6/debian/patches/series/33
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/33	Thu Mar 31 02:39:44 2011	(r17167)
+++ dists/squeeze/linux-2.6/debian/patches/series/33	Thu Mar 31 22:47:31 2011	(r17168)
@@ -3,3 +3,4 @@
 + bugfix/powerpc/powerpc-Fix-default_machine_crash_shutdown-not-SMP.patch
 + bugfix/all/via-ircc-Use-pci_-get-set-_drvdata-instead-of-static.patch
 + bugfix/all/via-ircc-Pass-PCI-device-pointer-to-dma_-alloc-free-.patch
++ bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
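
Added example, not part of this commit or of the XFS sources: a small C program that models the bug the commit message describes and the shape of the fix. The two structures, their field names and the values filled in are constructed stand-ins for xfs_fsop_geom_v1_t and xfs_fsop_geom_t; memcpy stands in for copy_to_user(), and a run of guard bytes placed after the object stands in for the stack-protector canary that the panic trace shows being tripped. It goes one step beyond the patch by turning the comment's "proper subset" assumption into compile-time checks.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for xfs_fsop_geom_v1_t and xfs_fsop_geom_t (field
 * names and values are invented for this example). What matters is the
 * relationship the patch relies on: the v1 layout is a prefix of the full
 * layout, which carries extra trailing fields.
 */
struct geom_v1 {
	uint32_t blocksize;
	uint32_t rtextsize;
	uint64_t datablocks;
	uint64_t rtblocks;
};

struct geom_full {
	uint32_t blocksize;
	uint32_t rtextsize;
	uint64_t datablocks;
	uint64_t rtblocks;
	uint32_t logsectsize;	/* fields present only in the full geometry */
	uint32_t rtsectsize;
	uint32_t dirblocksize;
	uint32_t logsunit;
};

/* Stand-in for xfs_fs_geometry() after commit 493f3358: zero the whole
 * output object first so no leftover stack bytes reach user space. */
static void fill_geometry(struct geom_full *geo)
{
	memset(geo, 0, sizeof(*geo));
	geo->blocksize = 4096;
	geo->rtextsize = 4096;
	geo->datablocks = 1u << 20;
	geo->logsectsize = 512;
	geo->dirblocksize = 4096;
}

/* Model of a stack frame: the geometry object followed by guard bytes that
 * stand in for whatever sits above it on the real stack (the stack-protector
 * canary in the panic trace). The union keeps the buffer aligned. */
#define GUARD_BYTES 16
#define GUARD_FILL  0xA5
union frame {
	struct geom_full as_full;
	unsigned char bytes[sizeof(struct geom_full) + GUARD_BYTES];
};

/* Count bytes from offset 'start' onward that no longer hold the guard value. */
static size_t bytes_clobbered_from(const union frame *f, size_t start)
{
	size_t n = 0;
	for (size_t i = start; i < sizeof(f->bytes); i++)
		if (f->bytes[i] != GUARD_FILL)
			n++;
	return n;
}

/* Pre-patch caller: a v1-sized object cast to the full type, so the memset in
 * fill_geometry() writes sizeof(struct geom_full) bytes, past the end of the
 * v1 object. Done inside the frame buffer so the overrun is measurable rather
 * than undefined behaviour. Returns the number of bytes written past the v1 object. */
static size_t buggy_caller_overrun(void)
{
	union frame f;
	memset(f.bytes, GUARD_FILL, sizeof(f.bytes));
	fill_geometry(&f.as_full);	/* the real code: (xfs_fsop_geom_t *)&fsgeo */
	return bytes_clobbered_from(&f, sizeof(struct geom_v1));
}

/* The "proper subset" assumption pinned down as a layout-prefix requirement:
 * v1 must not be larger, and its last field must sit at the same offset. */
_Static_assert(sizeof(struct geom_v1) <= sizeof(struct geom_full),
	       "v1 geometry must not be larger than the full geometry");
_Static_assert(offsetof(struct geom_v1, rtblocks) == offsetof(struct geom_full, rtblocks),
	       "v1 geometry must be a layout prefix of the full geometry");

/* Post-patch caller: declare the full type, fill it, copy out only the v1
 * prefix. memcpy stands in for copy_to_user(). */
static int fixed_caller(struct geom_v1 *user_arg)
{
	struct geom_full fsgeo;

	fill_geometry(&fsgeo);
	memcpy(user_arg, &fsgeo, sizeof(struct geom_v1));
	return 0;
}

/* Run the fixed caller into the same frame model; nothing past the v1 object is touched. */
static size_t fixed_caller_overrun(void)
{
	union frame f;
	memset(f.bytes, GUARD_FILL, sizeof(f.bytes));
	fixed_caller((struct geom_v1 *)f.bytes);
	return bytes_clobbered_from(&f, sizeof(struct geom_v1));
}

/* The fixed caller still delivers the v1 fields intact. */
static uint64_t fixed_caller_datablocks(void)
{
	struct geom_v1 out;
	fixed_caller(&out);
	return out.datablocks;
}

int main(void)
{
	printf("buggy caller wrote %zu bytes past the v1 object\n", buggy_caller_overrun());
	printf("fixed caller wrote %zu bytes past the v1 object\n", fixed_caller_overrun());
	printf("v1 datablocks = %llu\n", (unsigned long long)fixed_caller_datablocks());
	return 0;
}
```

Build with gcc -std=c11 -Wall and run: the buggy path reports an overrun equal to sizeof(struct geom_full) - sizeof(struct geom_v1), which in the kernel lands on whatever follows the local variable, here the stack canary; the fixed path reports zero. Reorder or enlarge the v1 structure and the _Static_assert lines stop the build, which is the check the patch's comment leaves to the reader.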
