[linux] 02/03: ext4: Fix null dereference in ext4_fill_super() (CVE-2015-8324)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Tue Dec 1 03:08:36 UTC 2015
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch squeeze-security
in repository linux.
commit 68d72792107e506475d098cefdeaee4bb3ace1ca
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Tue Dec 1 03:05:39 2015 +0000
ext4: Fix null dereference in ext4_fill_super() (CVE-2015-8324)
---
debian/changelog | 1 +
...4-fix-null-dereference-in-ext4_fill_super.patch | 53 ++++++++++++++++++++++
debian/patches/series/48squeeze17 | 1 +
3 files changed, 55 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e0e0bcb..e36e008 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -44,6 +44,7 @@ linux-2.6 (2.6.32-48squeeze17) UNRELEASED; urgency=medium
- security: add cred argument to security_capable()
- pagemap: hide physical addresses from non-privileged users
* unix: avoid use-after-free in ep_remove_wait_queue (CVE-2013-7446)
+ * ext4: Fix null dereference in ext4_fill_super() (CVE-2015-8324)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 08 Nov 2015 13:41:21 +0000
diff --git a/debian/patches/bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch b/debian/patches/bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch
new file mode 100644
index 0000000..33e990f
--- /dev/null
+++ b/debian/patches/bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch
@@ -0,0 +1,53 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Tue, 01 Dec 2015 02:50:10 +0000
+Subject: ext4: Fix null dereference in ext4_fill_super()
+
+Fix failure paths in ext4_fill_super() that can lead to a null
+dereference. This was designated CVE-2015-8324.
+
+Mostly extracted from commit 744692dc0598 ("ext4: use
+ext4_get_block_write in buffer write").
+
+However there's one more incorrect goto to fix, removed upstream in
+commit cf40db137cc2 ("ext4: remove failed journal checksum check").
+
+Reference: https://bugs.openvz.org/browse/OVZ-6541
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2767,14 +2767,14 @@
+ EXT4_SB(sb)->s_mount_state |= EXT4_ERROR_FS;
+ es->s_state |= cpu_to_le16(EXT4_ERROR_FS);
+ ext4_commit_super(sb, 1);
+- goto failed_mount4;
++ goto failed_wq;
+ }
+ }
+ } else if (test_opt(sb, NOLOAD) && !(sb->s_flags & MS_RDONLY) &&
+ EXT4_HAS_INCOMPAT_FEATURE(sb, EXT4_FEATURE_INCOMPAT_RECOVER)) {
+ ext4_msg(sb, KERN_ERR, "required journal recovery "
+ "suppressed and not mounted read-only");
+- goto failed_mount4;
++ goto failed_mount_wq;
+ } else {
+ clear_opt(sbi->s_mount_opt, DATA_FLAGS);
+ set_opt(sbi->s_mount_opt, WRITEBACK_DATA);
+@@ -2787,7 +2787,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ !jbd2_journal_set_features(EXT4_SB(sb)->s_journal, 0, 0,
+ JBD2_FEATURE_INCOMPAT_64BIT)) {
+ ext4_msg(sb, KERN_ERR, "Failed to set 64-bit journal feature");
+- goto failed_mount4;
++ goto failed_mount_wq;
+ }
+
+ if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
+@@ -2826,7 +2826,7 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
+ (sbi->s_journal, 0, 0, JBD2_FEATURE_INCOMPAT_REVOKE)) {
+ ext4_msg(sb, KERN_ERR, "Journal does not support "
+ "requested data journaling mode");
+- goto failed_mount4;
++ goto failed_mount_wq;
+ }
+ default:
+ break;
diff --git a/debian/patches/series/48squeeze17 b/debian/patches/series/48squeeze17
index a7b6ffe..89e2438 100644
--- a/debian/patches/series/48squeeze17
+++ b/debian/patches/series/48squeeze17
@@ -34,3 +34,4 @@
- debian/af_unix-Avoid-ABI-change-from-introduction-of-recursion-limit.patch
+ bugfix/all/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
+ debian/af_unix-avoid-abi-changes.patch
++ bugfix/all/ext4-fix-null-dereference-in-ext4_fill_super.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list