[kernel] r18839 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Mar 14 01:17:29 UTC 2012 

Author: dannf
Date: Wed Mar 14 01:17:27 2012
New Revision: 18839

Log:
ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
   dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Wed Mar 14 00:08:46 2012	(r18838)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Wed Mar 14 01:17:27 2012	(r18839)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.32-41squeeze1) UNRELEASED; urgency=high
+
+  * ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
+
+ -- dann frazier <dannf at debian.org>  Tue, 13 Mar 2012 19:04:18 -0600
+
 linux-2.6 (2.6.32-41) stable; urgency=low
 
   [ Ben Hutchings ]

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch	Wed Mar 14 01:17:27 2012	(r18839)
@@ -0,0 +1,71 @@
+From d50f2ab6f050311dbf7b8f5501b25f0bf64a439b Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang at gmail.com>
+Date: Tue, 10 Jan 2012 11:51:10 -0500
+Subject: ext4: fix undefined behavior in ext4_fill_flex_info()
+
+From: Xi Wang <xi.wang at gmail.com>
+
+commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.
+
+Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
+zero when trying to mount a corrupted file system") fixes CVE-2009-4307
+by performing a sanity check on s_log_groups_per_flex, since it can be
+set to a bogus value by an attacker.
+
+	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+	if (groups_per_flex < 2) { ... }
+
+This patch fixes two potential issues in the previous commit.
+
+1) The sanity check might only work on architectures like PowerPC.
+On x86, 5 bits are used for the shifting amount.  That means, given a
+large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
+is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
+leaving s_log_groups_per_flex and groups_per_flex inconsistent.
+
+2) The sanity check relies on undefined behavior, i.e., oversized shift.
+A standard-confirming C compiler could rewrite the check in unexpected
+ways.  Consider the following equivalent form, assuming groups_per_flex
+is unsigned for simplicity.
+
+	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+	if (groups_per_flex == 0 || groups_per_flex == 1) {
+
+We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
+completely optimize away the check groups_per_flex == 0, leaving the
+patched code as vulnerable as the original.  GCC keeps the check, but
+there is no guarantee that future versions will do the same.
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/ext4/super.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1705,17 +1705,16 @@ static int ext4_fill_flex_info(struct su
+ 	struct ext4_group_desc *gdp = NULL;
+ 	ext4_group_t flex_group_count;
+ 	ext4_group_t flex_group;
+-	int groups_per_flex = 0;
++	unsigned int groups_per_flex = 0;
+ 	size_t size;
+ 	int i;
+ 
+ 	sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+-	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+-
+-	if (groups_per_flex < 2) {
++	if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
+ 		sbi->s_log_groups_per_flex = 0;
+ 		return 1;
+ 	}
++	groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+ 
+ 	/* We allocate both existing and potentially added groups */
+ 	flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +

Added: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1	Wed Mar 14 01:17:27 2012	(r18839)
@@ -0,0 +1 @@
++ bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch

More information about the Kernel-svn-changes mailing list