[kernel] r20028 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon May 6 00:25:32 UTC 2013
Author: dannf
Date: Mon May 6 00:25:31 2013
New Revision: 20028
Log:
ext4: avoid hang when mounting non-journal filesystems with orphan list
(CVE-2013-2015)
Added:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
Modified:
dists/squeeze-security/linux-2.6/debian/changelog
dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog Sun May 5 22:35:56 2013 (r20027)
+++ dists/squeeze-security/linux-2.6/debian/changelog Mon May 6 00:25:31 2013 (r20028)
@@ -14,6 +14,8 @@
* rose: fix info leak via msg_name in rose_recvmsg() (CVE-2013-3234)
* tipc: fix info leaks via msg_name in recv_msg/recv_stream (CVE-2013-3235)
* ext4: AIO vs fallocate stale data exposure (CVE-2012-4508)
+ * ext4: avoid hang when mounting non-journal filesystems with orphan list
+ (CVE-2013-2015)
[ Ben Hutchings ]
* ptrace: Fix ptrace when task is in task_is_stopped() state
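Review bot: The new changelog entry names only the CVE-2013-2015 fix, while this revision also adds ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch to the tree and to the series. Mention the prerequisite under the same bullet (for example "including prerequisite: ext4: make orphan functions be no-op in no-journal mode") so that anyone auditing the package from the changelog can account for both files.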
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch Mon May 6 00:25:31 2013 (r20028)
@@ -0,0 +1,46 @@
+From 0e9a9a1ad619e7e987815d20262d36a2f95717ca Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso at mit.edu>
+Date: Thu, 27 Dec 2012 01:42:50 -0500
+Subject: [PATCH] ext4: avoid hang when mounting non-journal filesystems with
+ orphan list
+
+When trying to mount a file system which does not contain a journal,
+but which does have a orphan list containing an inode which needs to
+be truncated, the mount call with hang forever in
+ext4_orphan_cleanup() because ext4_orphan_del() will return
+immediately without removing the inode from the orphan list, leading
+to an uninterruptible loop in kernel code which will busy out one of
+the CPU's on the system.
+
+This can be trivially reproduced by trying to mount the file system
+found in tests/f_orphan_extents_inode/image.gz from the e2fsprogs
+source tree. If a malicious user were to put this on a USB stick, and
+mount it on a Linux desktop which has automatic mounts enabled, this
+could be considered a potential denial of service attack. (Not a big
+deal in practice, but professional paranoids worry about such things,
+and have even been known to allocate CVE numbers for such problems.)
+
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+Reviewed-by: Zheng Liu <wenqing.lz at taobao.com>
+Cc: stable at vger.kernel.org
+---
+ fs/ext4/namei.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index cac4482..8990165 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2648,7 +2648,8 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ struct ext4_iloc iloc;
+ int err = 0;
+
+- if (!EXT4_SB(inode->i_sb)->s_journal)
++ if ((!EXT4_SB(inode->i_sb)->s_journal) &&
++ !(EXT4_SB(inode->i_sb)->s_mount_state & EXT4_ORPHAN_FS))
+ return 0;
+
+ mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
+--
+1.7.10.4
+
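Review bot: The embedded hunk targets ext4_orphan_del() at line 2648 (index cac4482..8990165), while the prerequisite patch in this same revision touches that function at line 2443 (index 37c03b3..8f4bda7). It was therefore not generated against this tree and will only apply with a large offset. Refresh the patch against the squeeze source, or state in the patch header that it is an unmodified upstream commit applied with offset. Either way, confirm after applying that the changed condition landed in ext4_orphan_del() and nowhere else.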
Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch Mon May 6 00:25:31 2013 (r20028)
@@ -0,0 +1,50 @@
+From c9b92530a723ac5ef8e352885a1862b18f31b2f5 Mon Sep 17 00:00:00 2001
+From: Anatol Pomozov <anatol.pomozov at gmail.com>
+Date: Tue, 18 Sep 2012 13:38:59 -0400
+Subject: [PATCH] ext4: make orphan functions be no-op in no-journal mode
+
+Instead of checking whether the handle is valid, we check if journal
+is enabled. This avoids taking the s_orphan_lock mutex in all cases
+when there is no journal in use, including the error paths where
+ext4_orphan_del() is called with a handle set to NULL.
+
+Signed-off-by: Anatol Pomozov <anatol.pomozov at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+---
+ fs/ext4/namei.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
+index 37c03b3..8f4bda7 100644
+--- a/fs/ext4/namei.c
++++ b/fs/ext4/namei.c
+@@ -2369,7 +2369,7 @@ int ext4_orphan_add(handle_t *handle, struct inode *inode)
+ struct ext4_iloc iloc;
+ int err = 0, rc;
+
+- if (!ext4_handle_valid(handle))
++ if (!EXT4_SB(sb)->s_journal)
+ return 0;
+
+ mutex_lock(&EXT4_SB(sb)->s_orphan_lock);
+@@ -2443,8 +2443,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ struct ext4_iloc iloc;
+ int err = 0;
+
+- /* ext4_handle_valid() assumes a valid handle_t pointer */
+- if (handle && !ext4_handle_valid(handle))
++ if (!EXT4_SB(inode->i_sb)->s_journal)
+ return 0;
+
+ mutex_lock(&EXT4_SB(inode->i_sb)->s_orphan_lock);
+@@ -2463,7 +2462,7 @@ int ext4_orphan_del(handle_t *handle, struct inode *inode)
+ * transaction handle with which to update the orphan list on
+ * disk, but we still need to remove the inode from the linked
+ * list in memory. */
+- if (sbi->s_journal && !handle)
++ if (!handle)
+ goto out;
+
+ err = ext4_reserve_inode_write(handle, inode, &iloc);
+--
+1.7.10.4
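Review bot: In the ext4_orphan_del() hunk at -2443, the new `if (!EXT4_SB(inode->i_sb)->s_journal)` check returns 0 on every no-journal mount before the orphan list is touched. This is the early return that the description of ext4-avoid-hang-when-mounting-non-journal-filesystem.patch identifies as the cause of the mount hang. This patch should never be carried or cherry-picked without that follow-up. A line in the patch header stating that it is included as a prerequisite for the CVE-2013-2015 fix would make the pairing explicit.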
Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Sun May 5 22:35:56 2013 (r20027)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze2 Mon May 6 00:25:31 2013 (r20028)
@@ -47,3 +47,5 @@
+ bugfix/all/rose-fix-info-leak-via-msg_name-in-rose_recvmsg.patch
+ bugfix/all/tipc-fix-info-leaks-via-msg_name-in-recv_msg-recv_st.patch
+ bugfix/all/ext4-AIO-vs-fallocate-stale-data-exposure.patch
++ bugfix/all/ext4-make-orphan-functions-be-no-op-in-no-journal-mo.patch
++ bugfix/all/ext4-avoid-hang-when-mounting-non-journal-filesystem.patch
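Review bot: The two added entries are order-dependent, and nothing in the series or the patch headers records it. The avoid-hang patch removes the line `if (!EXT4_SB(inode->i_sb)->s_journal)`, which exists in ext4_orphan_del() only after the no-op patch has been applied. The order here is correct, but note the dependency in the avoid-hang patch header so a later reorder or partial revert of this series does not silently fail to apply or drop the fix.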