[kernel] r18977 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

[Dann Frazier]

Author: dannf
Date: Fri May  4 05:58:19 2012
New Revision: 18977

Log:
jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer (CVE-2011-4086)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Fri May  4 05:53:39 2012	(r18976)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Fri May  4 05:58:19 2012	(r18977)
@@ -8,6 +8,7 @@
   * hugepages: fix use after free bug in "quota" handling (CVE-2012-2133)
   * fcaps: clear the same personality flags as suid when fcaps are used
     (CVE-2012-2123)
+  * jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer (CVE-2011-4086)
 
  -- dann frazier <dannf at debian.org>  Thu, 26 Apr 2012 23:29:43 -0600
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch	Fri May  4 05:58:19 2012	(r18977)
@@ -0,0 +1,42 @@
+commit 15291164b22a357cb211b618adfef4fa82fc0de3
+Author: Eric Sandeen <sandeen at redhat.com>
+Date:   Mon Feb 20 17:53:01 2012 -0500
+
+    jbd2: clear BH_Delay & BH_Unwritten in journal_unmap_buffer
+    
+    journal_unmap_buffer()'s zap_buffer: code clears a lot of buffer head
+    state ala discard_buffer(), but does not touch _Delay or _Unwritten as
+    discard_buffer() does.
+    
+    This can be problematic in some areas of the ext4 code which assume
+    that if they have found a buffer marked unwritten or delay, then it's
+    a live one.  Perhaps those spots should check whether it is mapped
+    as well, but if jbd2 is going to tear down a buffer, let's really
+    tear it down completely.
+    
+    Without this I get some fsx failures on sub-page-block filesystems
+    up until v3.2, at which point 4e96b2dbbf1d7e81f22047a50f862555a6cb87cb
+    and 189e868fa8fdca702eb9db9d8afc46b5cb9144c9 make the failures go
+    away, because buried within that large change is some more flag
+    clearing.  I still think it's worth doing in jbd2, since
+    ->invalidatepage leads here directly, and it's the right place
+    to clear away these flags.
+    
+    Signed-off-by: Eric Sandeen <sandeen at redhat.com>
+    Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+    Cc: stable at vger.kernel.org
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
+index a051270..5c156ad 100644
+--- a/fs/jbd2/transaction.c
++++ b/fs/jbd2/transaction.c
+@@ -1822,6 +1822,8 @@ zap_buffer_unlocked:
+ 	clear_buffer_mapped(bh);
+ 	clear_buffer_req(bh);
+ 	clear_buffer_new(bh);
++	clear_buffer_delay(bh);
++	clear_buffer_unwritten(bh);
+ 	bh->b_bdev = NULL;
+ 	return may_free;
+ }

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3	Fri May  4 05:53:39 2012	(r18976)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/41squeeze3	Fri May  4 05:58:19 2012	(r18977)
@@ -5,3 +5,4 @@
 + bugfix/all/hugepages-fix-use-after-free-bug-in-quota-handling.patch
 + bugfix/all/fcaps-clear-the-same-personality-flags-as-suid-when-fcaps-are-used.patch
 + bugfix/all/security-fix-compile-error-in-commoncap.c.patch
++ bugfix/all/jbd2-clear-BH_Delay-BH_Unwritten-in-journal_unmap_buffer.patch