[kernel] r18977 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Fri May 4 05:58:21 UTC 2012
Author: dannf
Date: Fri May 4 05:58:19 2012
New Revision: 18977
Log:
jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer (CVE-2011-4086)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Fri May 4 05:53:39 2012 (r18976)
+++ dists/squeeze-security/linux-2.6/debian/changelog Fri May 4 05:58:19 2012 (r18977)
@@ -8,6 +8,7 @@
* hugepages: fix use after free bug in "quota" handling (CVE-2012-2133)
* fcaps: clear the same personality flags as suid when fcaps are used
(CVE-2012-2123)
+ * jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer (CVE-2011-4086)
-- dann frazier <dannf at debian.org> Thu, 26 Apr 2012 23:29:43 -0600
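Review bot: the new `* jbd2: ...` line lands inside the still-open changelog entry, but the trailer `-- dann frazier <dannf at debian.org> Thu, 26 Apr 2012 23:29:43 -0600` keeps its 26 Apr timestamp while this change is dated 4 May; refresh the trailer (for example with `dch -r`) before the upload so the entry's date reflects the last change it contains. The line itself follows the existing `* component: description (CVE-...)` style and matches the patch subject exactly, which is what the security tracker keys on.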
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch Fri May 4 05:58:19 2012 (r18977)
@@ -0,0 +1,42 @@
+commit 15291164b22a357cb211b618adfef4fa82fc0de3
+Author: Eric Sandeen <sandeen at redhat.com>
+Date: Mon Feb 20 17:53:01 2012 -0500
+
+ jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
+
+ journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
+ state ala discard_buffer(), but does not touch _Delay or _Unwritten as
+ discard_buffer() does.
+
+ This can be problematic in some areas of the ext4 code which assume
+ that if they have found a buffer marked unwritten or delay, then it's
+ a live one. Perhaps those spots should check whether it is mapped
+ as well, but if jbd2 is going to tear down a buffer, let's really
+ tear it down completely.
+
+ Without this I get some fsx failures on sub-page-block filesystems
+ up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
+ and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
+ away, because buried within that large change is some more flag
+ clearing. I still think it's worth doing in jbd2, since
+ ->invalidatepage leads here directly, and it's the right place
+ to clear away these flags.
+
+ Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+ Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+ Cc: stable at vger.kernel.org
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index a051270..5c156ad 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1822,6 +1822,8 @@ zap_buffer_unlocked:
+ clear_buffer_mapped(bh);
+ clear_buffer_req(bh);
+ clear_buffer_new(bh);
++ clear_buffer_delay(bh);
++ clear_buffer_unwritten(bh);
+ bh->b_bdev = NULL;
+ return may_free;
+ }
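Review bot: in the inner `@@ -1822,6 +1822,8 @@ zap_buffer_unlocked:` hunk the two added clears sit between `clear_buffer_new(bh);` and `bh->b_bdev = NULL;`, which is the minimal change the commit message asks for (mirroring discard_buffer()); the one thing to confirm for the 2.6.32 backport is that the `zap_buffer:` path named in the message still falls through to this `zap_buffer_unlocked:` label in Debian's tree, since only the latter label appears in the context. Also, the `index a051270..5c156ad 100644` line is upstream's and does not describe any blob in a 2.6.32 tree; quilt ignores it, but it is misleading metadata in a backport and could be dropped, with the `[dannf: backported to Debian's 2.6.32]` note already documenting the origin.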
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3 Fri May 4 05:53:39 2012 (r18976)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3 Fri May 4 05:58:19 2012 (r18977)
@@ -5,3 +5,4 @@
+ bugfix/all/hugepages-fix-use-after-free-bug-in-quota-handling.patch
+ bugfix/all/fcaps-clear-the-same-personality-flags-as-suid-when-fcaps-are-used.patch
+ bugfix/all/security-fix-compile-error-in-commoncap.c.patch
++ bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
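Review bot: appending the jbd2 patch at the end of 41squeeze3 is safe, since the three preceding entries, judging by their names, touch hugepages and fcaps/commoncap code rather than fs/jbd2/transaction.c, so there is no ordering dependency; it is still worth a `quilt push -a` against the squeeze tree to confirm the backported hunk at line 1822 applies without fuzz, given that its index line was not regenerated for 2.6.32.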