[kernel] r17408 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon May 16 00:57:40 UTC 2011


Author: dannf
Date: Mon May 16 00:57:39 2011
New Revision: 17408

Log:
NFSD: memory corruption due to writing beyond the stat array

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/27

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Mon May 16 00:57:30 2011	(r17407)
+++ dists/lenny/linux-2.6/debian/changelog	Mon May 16 00:57:39 2011	(r17408)
@@ -18,6 +18,7 @@
     - [x86] asus_acpi: world-writable procfs files
     - [x86] acer-wmi: world-writable sysfs threeg file
     - [x86] tc1100-wmi: world-writable sysfs wireless and jogdial files
+    - NFSD: memory corruption due to writing beyond the stat array
 
  -- Ben Hutchings <ben at decadent.org.uk>  Mon, 29 Nov 2010 02:01:24 +0000
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch	Mon May 16 00:57:39 2011	(r17408)
@@ -0,0 +1,36 @@
+commit 3bfbc5f759cae3e0c227d627ee76e9e6d5f6fb49
+Author: Konstantin Khorenko <khorenko at parallels.com>
+Date:   Tue Feb 1 17:16:29 2011 +0300
+
+    NFSD: memory corruption due to writing beyond the stat array
+    
+    commit 3aa6e0aa8ab3e64bbfba092c64d42fd1d006b124 upstream.
+    
+    If nfsd fails to find an exported via NFS file in the readahead cache, it
+    should increment corresponding nfsdstats counter (ra_depth[10]), but due to a
+    bug it may instead write to ra_depth[11], corrupting the following field.
+    
+    In a kernel with NFSDv4 compiled in the corruption takes the form of an
+    increment of a counter of the number of NFSv4 operation 0's received; since
+    there is no operation 0, this is harmless.
+    
+    In a kernel with NFSDv4 disabled it corrupts whatever happens to be in the
+    memory beyond nfsdstats.
+    
+    Signed-off-by: Konstantin Khorenko <khorenko at openvz.org>
+    Signed-off-by: J. Bruce Fields <bfields at redhat.com>
+    Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
+index ac31e0c..81284c6 100644
+--- a/fs/nfsd/vfs.c
++++ b/fs/nfsd/vfs.c
+@@ -805,7 +805,7 @@ nfsd_get_raparms(dev_t dev, ino_t ino)
+ 		if (ra->p_count == 0)
+ 			frap = rap;
+ 	}
+-	depth = nfsdstats.ra_size*11/10;
++	depth = nfsdstats.ra_size;
+ 	if (!frap) {	
+ 		spin_unlock(&rab->pb_lock);
+ 		return NULL;
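
Review bot: on the changed line `depth = nfsdstats.ra_size;`, the fix depends on how `depth` is later turned into an `ra_depth[]` index, and that code is outside this hunk. The bound the commit message describes (a cache miss counted in `ra_depth[10]`, never `ra_depth[11]`) therefore cannot be checked from the patch alone. Consider a short comment at this assignment stating that the miss case must map to the last slot of `ra_depth`, or a clamp against the array size where the index is computed, so that a later change to the scaling cannot reintroduce the out-of-bounds increment. Since the message says that with NFSDv4 disabled the stray increment lands in whatever follows `nfsdstats`, a build with that configuration is the one to regression-test.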

Modified: dists/lenny/linux-2.6/debian/patches/series/27
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/27	Mon May 16 00:57:30 2011	(r17407)
+++ dists/lenny/linux-2.6/debian/patches/series/27	Mon May 16 00:57:39 2011	(r17408)
@@ -9,3 +9,4 @@
 + bugfix/x86/asus_acpi-world-writeable-procfs-files.patch
 + bugfix/x86/acer-wmi-world-writable-sysfs-threeg-file.patch
 + bugfix/x86/tc1100-wmi-world-writable-sysfs-wireless-and-jogdial-files.patch
++ bugfix/all/nfsd-memory-corruption-due-to-writing-beyond-the-stat-array.patch


