[linux] 02/03: ext4: Fix null dereference in ext4_fill_super() (CVE-2015-8324)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Tue Dec 1 03:08:36 UTC 2015


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 68d72792107e506475d098cefdeaee4bb3ace1ca
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Tue Dec 1 03:05:39 2015 +0000

    ext4: Fix null dereference in ext4_fill_super() (CVE-2015-8324)
---
 debian/changelog                                   |  1 +
 ...4-fix-null-dereference-in-ext4_fill_super.patch | 53 ++++++++++++++++++++++
 debian/patches/series/48squeeze17                  |  1 +
 3 files changed, 55 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index e0e0bcb..e36e008 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,7 @@ linux-2.6 (2.6.32-48squeeze17) UNRELEASED; urgency=medium
     - security: add cred argument to security_capable()
     - pagemap: hide physical addresses from non-privileged users
   * unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446)
+  * ext4: Fix null dereference in ext4_fill_super() (CVE-2015-8324)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 08 Nov 2015 13:41:21 +0000
 
diff --git a/debian/patches/bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch b/debian/patches/bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch
new file mode 100644
index 0000000..33e990f
--- /dev/null
+++ b/debian/patches/bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch
@@ -0,0 +1,53 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Tue, 01 Dec 2015 02:50:10 +0000
+Subject: ext4: Fix null dereference in ext4_fill_super()
+
+Fix failure paths in ext4_fill_super() that can lead to a null
+dereference.  This was designated CVE-2015-8324.
+
+Mostly extracted from commit 744692dc0598 ("ext4: use
+ext4_get_block_write in buffer write").
+
+However there's one more incorrect goto to fix, removed upstream in
+commit cf40db137cc2 ("ext4: remove failed journal checksum check").
+
+Reference: https://bugs.openvz.org/browse/OVZ-6541
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2767,14 +2767,14 @@
+ 				EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS;
+ 				es->s_state |= cpu_to_le16(EXT4_ERROR_FS);
+ 				ext4_commit_super(sb, 1);
+-				goto failed_mount4;
++				goto failed_wq;
+ 			}
+ 		}
+ 	} else if (test_opt(sb, NOLOAD) && !(sb->s_flags & MS_RDONLY) &&
+ 	      EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER)) {
+ 		ext4_msg(sb, KERN_ERR, "required journal recovery "
+ 		       "suppressed and not mounted read-only");
+-		goto failed_mount4;
++		goto failed_mount_wq;
+ 	} else {
+ 		clear_opt(sbi->s_mount_opt, DATA_FLAGS);
+ 		set_opt(sbi->s_mount_opt, WRITEBACK_DATA);
+@@ -2787,7 +2787,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ 	    !jbd2_journal_set_features(EXT4_SB(sb)->s_journal, 0, 0,
+ 				       JBD2_FEATURE_INCOMPAT_64BIT)) {
+ 		ext4_msg(sb, KERN_ERR, "Failed to set 64-bit journal feature");
+-		goto failed_mount4;
++		goto failed_mount_wq;
+ 	}
+ 
+ 	if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
+@@ -2826,7 +2826,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ 		    (sbi->s_journal, 0, 0, JBD2_FEATURE_INCOMPAT_REVOKE)) {
+ 			ext4_msg(sb, KERN_ERR, "Journal does not support "
+ 			       "requested data journaling mode");
+-			goto failed_mount4;
++			goto failed_mount_wq;
+ 		}
+ 	default:
+ 		break;
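Review bot: The first replaced goto in the embedded fs/ext4/super.c patch (the journal-load failure branch after `ext4_commit_super(sb, 1)`) jumps to `failed_wq`, while the other three replacements in the same function jump to `failed_mount_wq`, and the patch adds neither label. Unless `failed_wq` already exists in this tree, the file will not compile; if it does exist, it is presumably a different cleanup point from the one the other three paths use. The line should most likely read `goto failed_mount_wq;`. The label definitions and the rest of ext4_fill_super() lie outside these hunks, so confirm against the tree that `failed_mount_wq` skips the teardown step that dereferences the not-yet-initialised pointer. Build the patched tree before upload.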
diff --git a/debian/patches/series/48squeeze17 b/debian/patches/series/48squeeze17
index a7b6ffe..89e2438 100644
--- a/debian/patches/series/48squeeze17
+++ b/debian/patches/series/48squeeze17
@@ -34,3 +34,4 @@
 - debian/af_unix-Avoid-ABI-change-from-introduction-of-recursion-limit.patch
 + bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
 + debian/af_unix-avoid-abi-changes.patch
++ bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git


