[kernel] r17408 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 16 00:57:40 UTC 2011
Author: dannf
Date: Mon May 16 00:57:39 2011
New Revision: 17408
Log:
NFSD: memory corruption due to writing beyond the stat array
Added:
dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
Modified:
dists/lenny/linux-2.6/debian/changelog
dists/lenny/linux-2.6/debian/patches/series/27
Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog Mon May 16 00:57:30 2011 (r17407)
+++ dists/lenny/linux-2.6/debian/changelog Mon May 16 00:57:39 2011 (r17408)
@@ -18,6 +18,7 @@
- [x86] asus_acpi: world-writable procfs files
- [x86] acer-wmi: world-writable sysfs threeg file
- [x86] tc1100-wmi: world-writable sysfs wireless and jogdial files
+ - NFSD: memory corruption due to writing beyond the stat array
-- Ben Hutchings <ben at decadent.org.uk> Mon, 29 Nov 2010 02:01:24 +0000
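Review bot: the added changelog line `- NFSD: memory corruption due to writing beyond the stat array` carries no upstream commit id or bug reference, so anyone auditing the lenny package has to open the patch file to map the entry to the fix. Suggest appending the upstream id from the patch header (3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124). It would also help to note, as the commit message does, that the write lands in memory beyond nfsdstats when NFSDv4 is disabled, since that is the case that matters for triage.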
Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch Mon May 16 00:57:39 2011 (r17408)
@@ -0,0 +1,36 @@
+commit 3bfbc5f759cae3e0c227d627ee76e9e6d5f6fb49
+Author: Konstantin Khorenko <khorenko at parallels.com>
+Date: Tue Feb 1 17:16:29 2011 +0300
+
+ NFSD: memory corruption due to writing beyond the stat array
+
+ commit 3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124 upstream.
+
+ If nfsd fails to find an exported via NFS file in the readahead cache, it
+ should increment corresponding nfsdstats counter (ra_depth[10]), but due to a
+ bug it may instead write to ra_depth[11], corrupting the following field.
+
+ In a kernel with NFSDv4 compiled in the corruption takes the form of an
+ increment of a counter of the number of NFSv4 operation 0's received; since
+ there is no operation 0, this is harmless.
+
+ In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the
+ memory beyond nfsdstats.
+
+ Signed-off-by: Konstantin Khorenko <khorenko at openvz.org>
+ Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+ Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index ac31e0c..81284c6 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -805,7 +805,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino)
+ if (ra->p_count == 0)
+ frap = rap;
+ }
+- depth = nfsdstats.ra_size*11/10;
++ depth = nfsdstats.ra_size;
+ if (!frap) {
+ spin_unlock(&rab->pb_lock);
+ return NULL;
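Review bot: the replacement line `depth = nfsdstats.ra_size;` in nfsd_get_raparms() changes the scale factor, but the statement that turns depth into an ra_depth[] index lies outside the hunk's context, so the bound cannot be confirmed from this patch alone. The commit message says the miss counter is ra_depth[10] and the stray write hit ra_depth[11]. A short comment beside the assignment stating the array size and why the derived index now stops at 10 would make that invariant reviewable. Clamping the computed index to the last slot before the increment would keep the bound local rather than dependent on how depth and ra_size relate elsewhere in the function.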
Modified: dists/lenny/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/27 Mon May 16 00:57:30 2011 (r17407)
+++ dists/lenny/linux-2.6/debian/patches/series/27 Mon May 16 00:57:39 2011 (r17408)
@@ -9,3 +9,4 @@
+ bugfix/x86/asus_acpi-world-writeable-procfs-files.patch
+ bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch
+ bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch
++ bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch