[linux] 01/02: fs: Fix oops when fcntl() is called on an aufs directory

debian-kernel at lists.debian.org
Fri Sep 2 19:52:08 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit f2f6f5fe2f53db2a262c7005df189e4a6bdbd608
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Aug 31 02:43:16 2016 +0100

    fs: Fix oops when fcntl() is called on an aufs directory
    
    CVE-2016-7118; regression in 3.2.81-1.
    
    In modifying the check for the setfl operation to be safe with old
    modules that have a smaller file_operations structure, I mistakenly
    dropped the check that the operation pointer is non-null.  The
    modified check rejects file_operations in any module other than the
    rebuilt aufs, but it is still necessary to check the pointer because
    for aufs directories it is NULL.
---
 debian/changelog                                                   | 2 ++
 debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index ee1a74d..84bc0ec 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,8 @@ linux (3.2.81-2) UNRELEASED; urgency=medium
   * [arm*] oabi compat: add missing access checks (CVE-2016-3857)
   * aacraid: Check size values after double-fetch from user (CVE-2016-6480)
   * tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828)
+  * fs: Fix oops when fcntl() is called on an aufs directory (CVE-2016-7118;
+    regression in 3.2.81-1)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 17 Jun 2016 23:35:41 +0100
 
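Review bot: the unchanged trailer at the bottom of this hunk still carries the 17 Jun 2016 timestamp, months before this commit's 31 Aug date; that is normal while the entry is marked UNRELEASED, but it has to be refreshed before 3.2.81-2 is uploaded. The entry itself matches the commit subject and names both the CVE and the regressed version, which is what a reader of the changelog needs to trace the fix.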
diff --git a/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch b/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
index c35f7d9..ed13cae 100644
--- a/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
+++ b/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
@@ -19,7 +19,7 @@ version of the module that implements the file_operations.
 ---
 --- a/fs/fcntl.c
 +++ b/fs/fcntl.c
-@@ -175,8 +175,20 @@ int setfl(int fd, struct file * filp, un
+@@ -175,8 +175,21 @@ int setfl(int fd, struct file * filp, un
  
  	if (filp->f_op && filp->f_op->check_flags)
  		error = filp->f_op->check_flags(arg);
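Review bot: the hand-edited line count in the embedded hunk header (`+175,20` to `+175,21`) must equal the one line added in the next hunk; since it was bumped by hand rather than regenerated, confirm the patch still applies cleanly (a `quilt push`/refresh on the series), because a miscount makes patch reject the hunk even though the content is right.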
@@ -34,7 +34,8 @@ version of the module that implements the file_operations.
 +#ifdef CONFIG_AUFS_FS_MODULE
 +	if (!error && filp->f_op->owner &&
 +	    !strcmp(filp->f_op->owner->name, "aufs") &&
-+	    strstr(filp->f_op->owner->version, "+setfl"))
++	    strstr(filp->f_op->owner->version, "+setfl") &&
++	    filp->f_op->setfl)
  		error = filp->f_op->setfl(filp, arg);
 +#endif
 +
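Review bot: the added `filp->f_op->setfl` test sits correctly as the last conjunct, so the pointer is only examined after the owner/name/version checks have established that this is the rebuilt aufs module, and it is checked before the call that was dereferencing it; this restores the non-null check the commit message says was dropped. One leftover worth a look: the block still dereferences `filp->f_op->owner` without the `filp->f_op` NULL guard that the `check_flags` context line above uses, so if that guard is needed there it is needed here too.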

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git