[kernel] r18463 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Jan 8 10:33:58 UTC 2012


Author: dannf
Date: Sun Jan  8 10:33:57 2012
New Revision: 18463

Log:
xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Jan  8 10:33:51 2012	(r18462)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Jan  8 10:33:57 2012	(r18463)
@@ -1,6 +1,7 @@
 linux-2.6 (2.6.32-35squeeze3) UNRELEASED; urgency=low
 
   * Restrict ioctl forwarding on partitions and logical volumes (CVE-2011-4127)
+  * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
 
  -- dann frazier <dannf at debian.org>  Fri, 06 Jan 2012 18:46:21 -0700
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch	Sun Jan  8 10:33:57 2012	(r18463)
@@ -0,0 +1,65 @@
+commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24
+Author: Carlos Maiolino <cmaiolino at redhat.com>
+Date:   Mon Nov 7 16:10:24 2011 +0000
+
+    xfs: Fix possible memory corruption in xfs_readlink
+    
+    Fixes a possible memory corruption when the link is larger than
+    MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
+    S_ISLNK assert, since the inode mode is checked previously in
+    xfs_readlink_by_handle() and via VFS.
+    
+    Updated to address concerns raised by Ben Hutchings about the loose
+    attention paid to 32- vs 64-bit values, and the lack of handling a
+    potentially negative pathlen value:
+     - Changed type of "pathlen" to be xfs_fsize_t, to match that of
+       ip->i_d.di_size
+     - Added checking for a negative pathlen to the too-long pathlen
+       test, and generalized the message that gets reported in that case
+       to reflect the change
+    As a result, if a negative pathlen were encountered, this function
+    would return EFSCORRUPTED (and would fail an assertion for a debug
+    build)--just as would a too-long pathlen.
+    
+    Signed-off-by: Alex Elder <aelder at sgi.com>
+    Signed-off-by: Carlos Maiolino <cmaiolino at redhat.com>
+    Reviewed-by: Christoph Hellwig <hch at lst.de>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index 8f32f50..1638884 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -554,7 +554,7 @@ xfs_readlink(
+ 	char		*link)
+ {
+ 	xfs_mount_t	*mp = ip->i_mount;
+-	int		pathlen;
++	xfs_fsize_t	pathlen;
+ 	int		error = 0;
+ 
+ 	xfs_itrace_entry(ip);
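Review bot: The type change at `-	int		pathlen;` / `+	xfs_fsize_t	pathlen;` does match `ip->i_d.di_size` as the commit message says, but on its own it fixes nothing: `pathlen` still flows into `memcpy(link, ..., pathlen)` and `link[pathlen]` further down, and an unbounded signed 64-bit value would simply be narrowed to `size_t` there. The real fix is the range check in the following hunk, so the two hunks must always be backported together; a short comment at the declaration saying the value is untrusted on-disk data that has to be validated against MAXPATHLEN before use would make that dependency visible to anyone touching this function later.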
+@@ -564,13 +564,20 @@ xfs_readlink(
+ 
+ 	xfs_ilock(ip, XFS_ILOCK_SHARED);
+ 
+-	ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+-	ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ 	pathlen = ip->i_d.di_size;
+ 	if (!pathlen)
+ 		goto out;
+ 
++	if (pathlen < 0 || pathlen > MAXPATHLEN) {
++		xfs_fs_cmn_err(CE_ALERT, mp,
++			 "%s: inode (%llu) bad symlink length (%lld)",
++			 __func__, (unsigned long long) ip->i_ino,
++			 (long long) pathlen);
++		ASSERT(0);
++		return XFS_ERROR(EFSCORRUPTED);
++	}
++
++
+ 	if (ip->i_df.if_flags & XFS_IFINLINE) {
+ 		memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ 		link[pathlen] = '\0';
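Review bot: The `return XFS_ERROR(EFSCORRUPTED);` in the new bad-length branch exits while `XFS_ILOCK_SHARED`, taken by `xfs_ilock(ip, XFS_ILOCK_SHARED);` a few lines above, is still held. The empty-link case immediately before it uses `goto out`, which is presumably where the unlock lives (the `out:` label is outside this hunk), so the new branch should take the same path: `error = XFS_ERROR(EFSCORRUPTED); goto out;`. As written, a symlink inode with a corrupted `di_size` is rejected correctly but left locked, so a later access to that inode will block forever, turning a detected corruption into a hang. Minor: the two consecutive blank `+` lines after the closing brace should be one.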

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3	Sun Jan  8 10:33:51 2012	(r18462)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/35squeeze3	Sun Jan  8 10:33:57 2012	(r18463)
@@ -1,3 +1,4 @@
 + bugfix/all/add-scsi_cmd_blk_ioctl-wrapper.patch
 + bugfix/all/limit-ioctls-forwarded-to-non-scsi-devices.patch
 + bugfix/all/treat-lvs-on-one-pv-like-a-partition.patch
++ bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch