[kernel] r18468 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sun Jan 8 10:34:17 UTC 2012
Author: dannf
Date: Sun Jan 8 10:34:16 2012
New Revision: 18468
Log:
xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Sun Jan 8 10:34:13 2012 (r18467)
+++ dists/lenny-security/linux-2.6/debian/changelog Sun Jan 8 10:34:16 2012 (r18468)
@@ -1,6 +1,7 @@
linux-2.6 (2.6.26-27lenny1) UNRELEASED; urgency=high
* hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops (CVE-2011-2203)
+ * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
-- dann frazier <dannf at debian.org> Fri, 06 Jan 2012 21:15:07 -0700
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch Sun Jan 8 10:34:16 2012 (r18468)
@@ -0,0 +1,65 @@
+commit b52a360b2aa1c59ba9970fb0f52bbb093fcc7a24
+Author: Carlos Maiolino <cmaiolino at redhat.com>
+Date: Mon Nov 7 16:10:24 2011 +0000
+
+ xfs: Fix possible memory corruption in xfs_readlink
+
+ Fixes a possible memory corruption when the link is larger than
+ MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
+ S_ISLNK assert, since the inode mode is checked previously in
+ xfs_readlink_by_handle() and via VFS.
+
+ Updated to address concerns raised by Ben Hutchings about the loose
+ attention paid to 32- vs 64-bit values, and the lack of handling a
+ potentially negative pathlen value:
+ - Changed type of "pathlen" to be xfs_fsize_t, to match that of
+ ip->i_d.di_size
+ - Added checking for a negative pathlen to the too-long pathlen
+ test, and generalized the message that gets reported in that case
+ to reflect the change
+ As a result, if a negative pathlen were encountered, this function
+ would return EFSCORRUPTED (and would fail an assertion for a debug
+ build)--just as would a too-long pathlen.
+
+ Signed-off-by: Alex Elder <aelder at sgi.com>
+ Signed-off-by: Carlos Maiolino <cmaiolino at redhat.com>
+ Reviewed-by: Christoph Hellwig <hch at lst.de>
+ [dannf: backported to Debian's 2.6.26]
+
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index e475e37..a2c80b7 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -824,7 +824,7 @@ xfs_readlink(
+ char *link)
+ {
+ xfs_mount_t *mp = ip->i_mount;
+- int pathlen;
++ xfs_fsize_t pathlen;
+ int error = 0;
+
+ xfs_itrace_entry(ip);
+@@ -834,13 +834,20 @@ xfs_readlink(
+
+ xfs_ilock(ip, XFS_ILOCK_SHARED);
+
+- ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ pathlen = ip->i_d.di_size;
+ if (!pathlen)
+ goto out;
+
++ if (pathlen < 0 || pathlen > MAXPATHLEN) {
++ xfs_fs_cmn_err(CE_ALERT, mp,
++ "%s: inode (%llu) bad symlink length (%lld)",
++ __func__, (unsigned long long) ip->i_ino,
++ (long long) pathlen);
++ ASSERT(0);
++ return XFS_ERROR(EFSCORRUPTED);
++ }
++
++
+ if (ip->i_df.if_flags & XFS_IFINLINE) {
+ memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ link[pathlen] = '\0';
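Review bot: the early `return XFS_ERROR(EFSCORRUPTED);` in the new bad-length branch leaves the lock taken a few lines above by `xfs_ilock(ip, XFS_ILOCK_SHARED);` held, because it bypasses the `out:` exit that the zero-length case reaches via `if (!pathlen) goto out;` (presumably where the unlock lives). Set `error = XFS_ERROR(EFSCORRUPTED);` and `goto out;` instead so the corrupted-symlink case drops the inode lock on the same path as every other exit; otherwise a crafted or damaged on-disk symlink fails the readlink but also leaves XFS_ILOCK_SHARED stuck on that inode. The range check itself is the right shape for this backport: `pathlen` is now the signed 64-bit `xfs_fsize_t`, so both a negative and a larger-than-MAXPATHLEN `di_size` are rejected before `memcpy(link, ip->i_df.if_u1.if_data, pathlen);` and `link[pathlen] = '\0';` run, which is exactly the write the removed `ASSERT(ip->i_d.di_size <= MAXPATHLEN)` failed to guard when XFS_DEBUG compiled it out. Minor: the two consecutive blank `+` lines before `if (ip->i_df.if_flags & XFS_IFINLINE)` should be one.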
Modified: dists/lenny-security/linux-2.6/debian/patches/series/27lenny1
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/27lenny1 Sun Jan 8 10:34:13 2012 (r18467)
+++ dists/lenny-security/linux-2.6/debian/patches/series/27lenny1 Sun Jan 8 10:34:16 2012 (r18468)
@@ -1 +1,2 @@
+ bugfix/all/hfs-fix-hfs_find_init-ext_tree-NULL-ptr-oops.patch
++ bugfix/all/xfs-fix-possible-memory-corruption-in-xfs_readlink.patch
More information about the Kernel-svn-changes mailing list