[kernel] r18843 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Ben Hutchings
benh at alioth.debian.org
Wed Mar 14 05:16:51 UTC 2012
Author: benh
Date: Wed Mar 14 05:16:49 2012
New Revision: 18843
Log:
Apply more eCryptfs security fixes
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 05:04:32 2012 (r18842)
+++ dists/squeeze-security/linux-2.6/debian/changelog Wed Mar 14 05:16:49 2012 (r18843)
@@ -15,6 +15,8 @@
- printk_ratelimited(): fix uninitialized spinlock
* cifs: fix dentry refcount leak when opening a FIFO on lookup
* regset: Prevent null pointer reference on readonly regsets (CVE-2012-1097)
+ * eCryptfs: Make truncate path killable
+ * eCryptfs: Infinite loop due to overflow in ecryptfs_write()
-- dann frazier <dannf at debian.org> Tue, 13 Mar 2012 19:04:18 -0600
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch Wed Mar 14 05:16:49 2012 (r18843)
@@ -0,0 +1,50 @@
+From e065d6f4f4453db007d4fb22ebb937e38922cb4b Mon Sep 17 00:00:00 2001
+From: Li Wang <liwang at nudt.edu.cn>
+Date: Thu, 19 Jan 2012 09:44:36 +0800
+Subject: [PATCH] eCryptfs: Infinite loop due to overflow in ecryptfs_write()
+
+commit 684a3ff7e69acc7c678d1a1394fe9e757993fd34 upstream.
+
+ecryptfs_write() can enter an infinite loop when truncating a file to a
+size larger than 4G. This only happens on architectures where size_t is
+represented by 32 bits.
+
+This was caused by a size_t overflow due to it incorrectly being used to
+store the result of a calculation which uses potentially large values of
+type loff_t.
+
+[tyhicks at canonical.com: rewrite subject and commit message]
+Signed-off-by: Li Wang <liwang at nudt.edu.cn>
+Signed-off-by: Yunchuan Wen <wenyunchuan at kylinos.com.cn>
+Reviewed-by: Cong Wang <xiyou.wangcong at gmail.com>
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/ecryptfs/read_write.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
+index 6b78546..0404659 100644
+--- a/fs/ecryptfs/read_write.c
++++ b/fs/ecryptfs/read_write.c
+@@ -134,7 +134,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ pgoff_t ecryptfs_page_idx = (pos >> PAGE_CACHE_SHIFT);
+ size_t start_offset_in_page = (pos & ~PAGE_CACHE_MASK);
+ size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
+- size_t total_remaining_bytes = ((offset + size) - pos);
++ loff_t total_remaining_bytes = ((offset + size) - pos);
+
+ if (fatal_signal_pending(current)) {
+ rc = -EINTR;
+@@ -145,7 +145,7 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ num_bytes = total_remaining_bytes;
+ if (pos < offset) {
+ /* remaining zeros to write, up to destination offset */
+- size_t total_remaining_zeros = (offset - pos);
++ loff_t total_remaining_zeros = (offset - pos);
+
+ if (num_bytes > total_remaining_zeros)
+ num_bytes = total_remaining_zeros;
+--
+1.7.9.1
+
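Review bot: In the embedded fs/ecryptfs/read_write.c change, `total_remaining_bytes` and `total_remaining_zeros` become loff_t while `num_bytes` stays size_t, so `num_bytes = total_remaining_bytes` and `num_bytes = total_remaining_zeros` are now narrowing assignments that are safe only because of the `if (num_bytes > ...)` guards in front of them. Nothing at the declarations records why the wider type is needed, so a later cleanup could reintroduce the 32-bit truncation. A comment above the first declaration would pin it down, for example `/* loff_t, not size_t: (offset + size) - pos can exceed 4G on 32-bit */`. Those guards also compare an unsigned size_t with a signed loff_t, so they presumably rely on the loop condition keeping both differences positive; it is worth confirming that `offset + size` cannot overflow loff_t for any caller. ecryptfs_write() begins and ends outside these hunks, so the loop condition and the callers are not visible here.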
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/eCryptfs-Make-truncate-path-killable.patch Wed Mar 14 05:16:49 2012 (r18843)
@@ -0,0 +1,71 @@
+From bd8f0a46a1d92470b88ae53e8282dc4edf4f0ba9 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks at canonical.com>
+Date: Wed, 18 Jan 2012 18:30:04 -0600
+Subject: [PATCH] eCryptfs: Make truncate path killable
+
+commit 5e6f0d769017cc49207ef56996e42363ec26c1f0 upstream.
+
+ecryptfs_write() handles the truncation of eCryptfs inodes. It grabs a
+page, zeroes out the appropriate portions, and then encrypts the page
+before writing it to the lower filesystem. It was unkillable and due to
+the lack of sparse file support could result in tying up a large portion
+of system resources, while encrypting pages of zeros, with no way for
+the truncate operation to be stopped from userspace.
+
+This patch adds the ability for ecryptfs_write() to detect a pending
+fatal signal and return as gracefully as possible. The intent is to
+leave the lower file in a useable state, while still allowing a user to
+break out of the encryption loop. If a pending fatal signal is detected,
+the eCryptfs inode size is updated to reflect the modified inode size
+and then -EINTR is returned.
+
+Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ fs/ecryptfs/read_write.c | 19 ++++++++++++++-----
+ 1 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/fs/ecryptfs/read_write.c b/fs/ecryptfs/read_write.c
+index 0cc4faf..6b78546 100644
+--- a/fs/ecryptfs/read_write.c
++++ b/fs/ecryptfs/read_write.c
+@@ -136,6 +136,11 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ size_t num_bytes = (PAGE_CACHE_SIZE - start_offset_in_page);
+ size_t total_remaining_bytes = ((offset + size) - pos);
+
++ if (fatal_signal_pending(current)) {
++ rc = -EINTR;
++ break;
++ }
++
+ if (num_bytes > total_remaining_bytes)
+ num_bytes = total_remaining_bytes;
+ if (pos < offset) {
+@@ -197,15 +202,19 @@ int ecryptfs_write(struct file *ecryptfs_file, char *data, loff_t offset,
+ }
+ pos += num_bytes;
+ }
+- if ((offset + size) > ecryptfs_file_size) {
+- i_size_write(ecryptfs_inode, (offset + size));
++ if (pos > ecryptfs_file_size) {
++ i_size_write(ecryptfs_inode, pos);
+ if (crypt_stat->flags & ECRYPTFS_ENCRYPTED) {
+- rc = ecryptfs_write_inode_size_to_metadata(
++ int rc2;
++
++ rc2 = ecryptfs_write_inode_size_to_metadata(
+ ecryptfs_inode);
+- if (rc) {
++ if (rc2) {
+ printk(KERN_ERR "Problem with "
+ "ecryptfs_write_inode_size_to_metadata; "
+- "rc = [%d]\n", rc);
++ "rc = [%d]\n", rc2);
++ if (!rc)
++ rc = rc2;
+ goto out;
+ }
+ }
+--
+1.7.9.1
+
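Review bot: The new `break` on `fatal_signal_pending(current)` changes what ecryptfs_write() promises, and nothing in the code says so. The function can now return -EINTR after extending the file only as far as `pos`, and the `if (pos > ecryptfs_file_size)` block sets i_size to that partial value. A comment above that block would help, such as `/* pos is where writing stopped; after -EINTR this records a partial extension */`. A second comment on `if (!rc) rc = rc2;` should say that an earlier error such as -EINTR deliberately takes precedence over the metadata-write failure, which is then only logged. The callers and the rest of ecryptfs_write() are outside these hunks, so whether each caller tolerates -EINTR with a shorter-than-requested size should be confirmed.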
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 05:04:32 2012 (r18842)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze1 Wed Mar 14 05:16:49 2012 (r18843)
@@ -9,3 +9,5 @@
+ bugfix/all/printk_ratelimited-fix-uninitialized-spinlock.patch
+ bugfix/all/cifs-fix-dentry-refcount-leak-when-opening-a-FIFO-on.patch
+ bugfix/all/regset-Prevent-null-pointer-reference-on-readonly-re.patch
++ bugfix/all/eCryptfs-Make-truncate-path-killable.patch
++ bugfix/all/eCryptfs-Infinite-loop-due-to-overflow-in-ecryptfs_w.patch