[kernel] r17168 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Thu Mar 31 22:47:33 UTC 2011
Author: dannf
Date: Thu Mar 31 22:47:31 2011
New Revision: 17168
Log:
xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
This fixes a panic caused by a regression introduced by the fix
for CVE-2011-0711.
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/33
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Thu Mar 31 02:39:44 2011 (r17167)
+++ dists/squeeze/linux-2.6/debian/changelog Thu Mar 31 22:47:31 2011 (r17168)
@@ -12,6 +12,11 @@
* via-ircc: Fix device list management and DMA buffer allocation
(Closes: #619450)
+ [ dann frazier ]
+ * xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
+ This fixes a panic caused by a regression introduced by the fix
+ for CVE-2011-0711.
+
-- maximilian attems <maks at debian.org> Tue, 29 Mar 2011 18:56:55 +0200
linux-2.6 (2.6.32-32) stable; urgency=high
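Review bot: The new changelog entry cites CVE-2011-0711 as the source of the regression but not the upstream commit the added patch backports (af24ee9ea8d532e16883251a6684dfa1be8eec29, per the patch header); naming it in the entry, e.g. "(upstream commit af24ee9e)", would let stable users correlate the fix with the upstream XFS history without opening debian/patches. The entry's placement above the existing trailer line keeps it in the same stanza as the via-ircc fix, which matches the series/33 file it is added to.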
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch Thu Mar 31 22:47:31 2011 (r17168)
@@ -0,0 +1,64 @@
+commit af24ee9ea8d532e16883251a6684dfa1be8eec29
+Author: Alex Elder <aelder at sgi.com>
+Date: Tue Mar 1 17:50:00 2011 +0000
+
+ xfs: zero proper structure size for geometry calls
+
+ Commit 493f3358cb289ccf716c5a14fa5bb52ab75943e5 added this call to
+ xfs_fs_geometry() in order to avoid passing kernel stack data back
+ to user space:
+
+ + memset(geo, 0, sizeof(*geo));
+
+ Unfortunately, one of the callers of that function passes the
+ address of a smaller data type, cast to fit the type that
+ xfs_fs_geometry() requires. As a result, this can happen:
+
+ Kernel panic - not syncing: stack-protector: Kernel stack is corrupted
+ in: f87aca93
+
+ Pid: 262, comm: xfs_fsr Not tainted 2.6.38-rc6-493f3358cb2+ #1
+ Call Trace:
+
+ [<c12991ac>] ? panic+0x50/0x150
+ [<c102ed71>] ? __stack_chk_fail+0x10/0x18
+ [<f87aca93>] ? xfs_ioc_fsgeometry_v1+0x56/0x5d [xfs]
+
+ Fix this by fixing that one caller to pass the right type and then
+ copy out the subset it is interested in.
+
+ Note: This patch is an alternative to one originally proposed by
+ Eric Sandeen.
+
+ Reported-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+ Reviewed-by: Eric Sandeen <sandeen at redhat.com>
+ Tested-by: Jeffrey Hundstad <jeffrey.hundstad at mnsu.edu>
+
+diff --git a/fs/xfs/linux-2.6/xfs_ioctl.c b/fs/xfs/linux-2.6/xfs_ioctl.c
+index f5e2a19..0ca0e3c 100644
+--- a/fs/xfs/linux-2.6/xfs_ioctl.c
++++ b/fs/xfs/linux-2.6/xfs_ioctl.c
+@@ -695,14 +695,19 @@ xfs_ioc_fsgeometry_v1(
+ xfs_mount_t *mp,
+ void __user *arg)
+ {
+- xfs_fsop_geom_v1_t fsgeo;
++ xfs_fsop_geom_t fsgeo;
+ int error;
+
+- error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3);
++ error = xfs_fs_geometry(mp, &fsgeo, 3);
+ if (error)
+ return -error;
+
+- if (copy_to_user(arg, &fsgeo, sizeof(fsgeo)))
++ /*
++ * Caller should have passed an argument of type
++ * xfs_fsop_geom_v1_t. This is a proper subset of the
++ * xfs_fsop_geom_t that xfs_fs_geometry() fills in.
++ */
++ if (copy_to_user(arg, &fsgeo, sizeof(xfs_fsop_geom_v1_t)))
+ return -XFS_ERROR(EFAULT);
+ return 0;
+ }
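Review bot: The corrected copy_to_user() at the end of xfs_ioc_fsgeometry_v1() relies on xfs_fsop_geom_v1_t being a layout prefix of xfs_fsop_geom_t, but that relationship is recorded only in the new comment block; a compile-time guard next to the copy, such as `BUILD_BUG_ON(sizeof(xfs_fsop_geom_v1_t) > sizeof(xfs_fsop_geom_t));`, would catch a future change to either structure before it could reach user space. The substance of the fix is sound: declaring fsgeo as a full xfs_fsop_geom_t means the memset(geo, 0, sizeof(*geo)) added by 493f3358cb289ccf716c5a14fa5bb52ab75943e5 now zeroes exactly the object it is handed instead of overrunning a smaller stack variable (the overrun is what the __stack_chk_fail trace in the message reports), while copying only sizeof(xfs_fsop_geom_v1_t) preserves the v1 ioctl ABI and still returns no uninitialized stack bytes. For the squeeze backport, the Debian patch file carries only the upstream commit header and no Origin: or Bug-Debian: metadata line, which the other patches in bugfix/all typically have; adding one would help the next person auditing the series.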
Modified: dists/squeeze/linux-2.6/debian/patches/series/33
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/33 Thu Mar 31 02:39:44 2011 (r17167)
+++ dists/squeeze/linux-2.6/debian/patches/series/33 Thu Mar 31 22:47:31 2011 (r17168)
@@ -3,3 +3,4 @@
+ bugfix/powerpc/powerpc-Fix-default_machine_crash_shutdown-not-SMP.patch
+ bugfix/all/via-ircc-Use-pci_-get-set-_drvdata-instead-of-static.patch
+ bugfix/all/via-ircc-Pass-PCI-device-pointer-to-dma_-alloc-free-.patch
++ bugfix/all/xfs-zero-proper-structure-size-for-geometry-calls.patch
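Review bot: Appending the patch at the end of series/33 is correct here: it only touches fs/xfs/linux-2.6/xfs_ioctl.c, so it has no ordering dependency on the preceding powerpc and via-ircc entries, and series/33 is the file for the changelog stanza the fix is recorded under. Since this repairs a panic introduced by the CVE-2011-0711 fix, it should ship in the same upload as that fix rather than a later one; worth confirming the earlier xfs patch is also listed in this series file.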