[kernel] r18839 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Mar 14 01:17:29 UTC 2012
Author: dannf
Date: Wed Mar 14 01:17:27 2012
New Revision: 18839
Log:
ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 00:08:46 2012 (r18838)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 01:17:27 2012 (r18839)
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.32-41squeeze1) UNRELEASED; urgency=high
+
+ * ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307)
+
+ -- dann frazier <dannf at debian.org> Tue, 13 Mar 2012 19:04:18 -0600
+
linux-2.6 (2.6.32-41) stable; urgency=low
[ Ben Hutchings ]
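Review bot: the new changelog entry reuses CVE-2009-4307 for what is a follow-up to an earlier fix; a reader of the changelog alone cannot tell why a CVE from 2009 reappears in a 2012 upload. Suggest expanding the bullet to say that the earlier divide-by-zero fix for this CVE was incomplete (the shift-based sanity check is architecture-dependent and relies on undefined behavior), e.g. " * ext4: fix undefined behavior in ext4_fill_flex_info() (CVE-2009-4307), completing the earlier sanity check on s_log_groups_per_flex".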
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch Wed Mar 14 01:17:27 2012 (r18839)
@@ -0,0 +1,71 @@
+From d50f2ab6f050311dbf7b8f5501b25f0bf64a439b Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang at gmail.com>
+Date: Tue, 10 Jan 2012 11:51:10 -0500
+Subject: ext4: fix undefined behavior in ext4_fill_flex_info()
+
+From: Xi Wang <xi.wang at gmail.com>
+
+commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b upstream.
+
+Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
+zero when trying to mount a corrupted file system") fixes CVE-2009-4307
+by performing a sanity check on s_log_groups_per_flex, since it can be
+set to a bogus value by an attacker.
+
+ sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+ if (groups_per_flex < 2) { ... }
+
+This patch fixes two potential issues in the previous commit.
+
+1) The sanity check might only work on architectures like PowerPC.
+On x86, 5 bits are used for the shifting amount. That means, given a
+large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
+is essentially 1 << 4 = 16, rather than 0. This will bypass the check,
+leaving s_log_groups_per_flex and groups_per_flex inconsistent.
+
+2) The sanity check relies on undefined behavior, i.e., oversized shift.
+A standard-confirming C compiler could rewrite the check in unexpected
+ways. Consider the following equivalent form, assuming groups_per_flex
+is unsigned for simplicity.
+
+ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+ if (groups_per_flex == 0 || groups_per_flex == 1) {
+
+We compile the code snippet using Clang 3.0 and GCC 4.6. Clang will
+completely optimize away the check groups_per_flex == 0, leaving the
+patched code as vulnerable as the original. GCC keeps the check, but
+there is no guarantee that future versions will do the same.
+
+Signed-off-by: Xi Wang <xi.wang at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
+
+---
+ fs/ext4/super.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -1705,17 +1705,16 @@ static int ext4_fill_flex_info(struct su
+ struct ext4_group_desc *gdp = NULL;
+ ext4_group_t flex_group_count;
+ ext4_group_t flex_group;
+- int groups_per_flex = 0;
++ unsigned int groups_per_flex = 0;
+ size_t size;
+ int i;
+
+ sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
+- groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+-
+- if (groups_per_flex < 2) {
++ if (sbi->s_log_groups_per_flex < 1 || sbi->s_log_groups_per_flex > 31) {
+ sbi->s_log_groups_per_flex = 0;
+ return 1;
+ }
++ groups_per_flex = 1 << sbi->s_log_groups_per_flex;
+
+ /* We allocate both existing and potentially added groups */
+ flex_group_count = ((sbi->s_groups_count + groups_per_flex - 1) +
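Review bot: the replacement check allows s_log_groups_per_flex == 31, and the following line still computes `1 << sbi->s_log_groups_per_flex` with the int literal 1, so at the upper bound the shift `1 << 31` is itself a signed overflow and therefore still undefined behavior in C, regardless of groups_per_flex now being unsigned int. Suggest `groups_per_flex = 1U << sbi->s_log_groups_per_flex;` (or an upper bound of 30) so the shifted value is unsigned throughout. The limits 1 and 31 are also bare magic numbers next to the on-disk field; a short comment stating that the valid range keeps groups_per_flex at least 2 and representable in an unsigned int would document the intent of the check.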
Added: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 01:17:27 2012 (r18839)
@@ -0,0 +1 @@
++ bugfix/all/ext4-fix-undefined-behavior-in-ext4_fill_flex_info.patch