[kernel] r18467 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sun Jan 8 10:34:14 UTC 2012 

Author: dannf
Date: Sun Jan  8 10:34:13 2012
New Revision: 18467

Log:
hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch
   dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
Modified:
   dists/lenny-security/linux-2.6/debian/changelog

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Sun Jan  8 10:34:10 2012	(r18466)
+++ dists/lenny-security/linux-2.6/debian/changelog	Sun Jan  8 10:34:13 2012	(r18467)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.26-27lenny1) UNRELEASED; urgency=high
+
+  * hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203)
+
+ -- dann frazier <dannf at debian.org>  Fri, 06 Jan 2012 21:15:07 -0700
+
 linux-2.6 (2.6.26-26lenny4) oldstable-security; urgency=high
 
   [ dann frazier ]

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch	Sun Jan  8 10:34:13 2012	(r18467)
@@ -0,0 +1,72 @@
+commit 434a964daa14b9db083ce20404a4a2add54d037a
+Author: Phillip Lougher <plougher at redhat.com>
+Date:   Wed Nov 2 13:38:01 2011 -0700
+
+    hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops
+    
+    Clement Lecigne reports a filesystem which causes a kernel oops in
+    hfs_find_init() trying to dereference sb->ext_tree which is NULL.
+    
+    This proves to be because the filesystem has a corrupted MDB extent
+    record, where the extents file does not fit into the first three extents
+    in the file record (the first blocks).
+    
+    In hfs_get_block() when looking up the blocks for the extent file
+    (HFS_EXT_CNID), it fails the first blocks special case, and falls
+    through to the extent code (which ultimately calls hfs_find_init())
+    which is in the process of being initialised.
+    
+    Hfs avoids this scenario by always having the extents b-tree fitting
+    into the first blocks (the extents B-tree can't have overflow extents).
+    
+    The fix is to check at mount time that the B-tree fits into first
+    blocks, i.e.  fail if HFS_I(inode)->alloc_blocks >=
+    HFS_I(inode)->first_blocks
+    
+    Note, the existing commit 47f365eb57573 ("hfs: fix oops on mount with
+    corrupted btree extent records") becomes subsumed into this as a special
+    case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
+    acceptable for the catalog B-Tree file to grow beyond three extents,
+    with the remaining extent descriptors in the extents overfow.
+    
+    This fixes CVE-2011-2203
+    
+    Reported-by: Clement LECIGNE <clement.lecigne at netasq.com>
+    Signed-off-by: Phillip Lougher <plougher at redhat.com>
+    Cc: Jeff Mahoney <jeffm at suse.com>
+    Cc: Christoph Hellwig <hch at lst.de>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
+index f6621a7..bf8f803 100644
+--- a/fs/hfs/btree.c
++++ b/fs/hfs/btree.c
+@@ -45,11 +45,26 @@ struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id, btree_keycmp ke
+ 	case HFS_EXT_CNID:
+ 		hfs_inode_read_fork(tree->inode, mdb->drXTExtRec, mdb->drXTFlSize,
+ 				    mdb->drXTFlSize, be32_to_cpu(mdb->drXTClpSiz));
++		if (HFS_I(tree->inode)->alloc_blocks >
++					HFS_I(tree->inode)->first_blocks) {
++			printk(KERN_ERR "hfs: invalid btree extent records\n");
++			unlock_new_inode(tree->inode);
++			goto free_inode;
++		}
++
+ 		tree->inode->i_mapping->a_ops = &hfs_btree_aops;
+ 		break;
+ 	case HFS_CAT_CNID:
+ 		hfs_inode_read_fork(tree->inode, mdb->drCTExtRec, mdb->drCTFlSize,
+ 				    mdb->drCTFlSize, be32_to_cpu(mdb->drCTClpSiz));
++
++		if (!HFS_I(tree->inode)->first_blocks) {
++			printk(KERN_ERR "hfs: invalid btree extent records "
++								"(0 size).\n");
++			unlock_new_inode(tree->inode);
++			goto free_inode;
++		}
++
+ 		tree->inode->i_mapping->a_ops = &hfs_btree_aops;
+ 		break;
+ 	default:

Added: dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27lenny1	Sun Jan  8 10:34:13 2012	(r18467)
@@ -0,0 +1 @@
++ bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch

More information about the Kernel-svn-changes mailing list