[linux] 01/01: fs: Fix oops when fcntl() is called on an aufs directory

debian-kernel at lists.debian.org
Fri Sep 2 20:11:49 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch jessie-security
in repository linux.

commit 5a092f0ef9f759d382d11770a980b34e375a71b1
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Wed Aug 31 02:43:16 2016 +0100

    fs: Fix oops when fcntl() is called on an aufs directory
    
    CVE-2016-7118; regression in 3.16.36-1.
    
    In modifying the check for the setfl operation to be safe with old
    modules that have a smaller file_operations structure, I mistakenly
    dropped the check that the operation pointer is non-null.  The
    modified check rejects file_operations in any module other than the
    rebuilt aufs, but it is still necessary to check the pointer because
    for aufs directories it is NULL.
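The guard the commit message describes, as an added illustration in user-space C that is not kernel code and not part of Debian's patch: a constructed `struct fops` with an optional `setfl` hook, an owning module with a name and version string, and a dispatcher that only calls the hook when the module passes the "+setfl" gate and the pointer itself is non-NULL. The structs, hook functions, module names/versions and the `guarded_setfl`/`setfl_hook_ran` helpers are all assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the setfl() guard: an owning module (name + version)
 * and an operations table whose setfl hook is optional. None of this is the
 * kernel's real struct module or struct file_operations. */
struct mod_info {
    const char *name;
    const char *version;   /* may be NULL if the module declares no version */
};

struct fops {
    const struct mod_info *owner;
    int (*check_flags)(int flags);
    int (*setfl)(int flags);   /* optional hook: NULL for "directories" */
};

/* True only for an aufs module rebuilt with the "+setfl" version tag.
 * Every dereference is ordered so a NULL owner/name/version never reaches
 * strcmp()/strstr(). */
static int owner_has_setfl_abi(const struct mod_info *owner)
{
    return owner != NULL && owner->name != NULL && owner->version != NULL &&
           strcmp(owner->name, "aufs") == 0 &&
           strstr(owner->version, "+setfl") != NULL;
}

/* Mirrors the control flow of the patched setfl(): run check_flags if present,
 * then call the module hook only when the ABI gate passes AND the pointer is
 * non-NULL. Returns the error code; *called records whether the hook ran. */
int guarded_setfl(const struct fops *fop, int flags, int *called)
{
    int error = 0;

    *called = 0;
    if (fop->check_flags)
        error = fop->check_flags(flags);
    if (!error && owner_has_setfl_abi(fop->owner) && fop->setfl) {
        *called = 1;
        error = fop->setfl(flags);
    }
    return error;
}

/* Convenience wrapper: did the hook run for this table and flag value? */
int setfl_hook_ran(const struct fops *fop, int flags)
{
    int called;

    guarded_setfl(fop, flags, &called);
    return called;
}

/* Constructed sample hooks: reject odd flag values with -EINVAL (-22). */
static int reject_odd(int flags) { return (flags & 1) ? -22 : 0; }
static int accept_all(int flags) { (void)flags; return 0; }

/* Constructed module descriptors. */
static const struct mod_info aufs_new  = { "aufs", "4.x-example+setfl" };
static const struct mod_info aufs_old  = { "aufs", "4.x-example" };
static const struct mod_info other_mod = { "othermod", NULL };

/* aufs directory: rebuilt module but no setfl hook, the case that oopsed. */
const struct fops aufs_dir_fops  = { &aufs_new, NULL, NULL };
/* aufs regular file with a working hook. */
const struct fops aufs_file_fops = { &aufs_new, reject_odd, accept_all };
/* aufs built before the ABI change: the hook slot is a stale value the gate
 * must ignore (in the kernel it would lie past the end of the old struct). */
const struct fops aufs_old_fops  = { &aufs_old, NULL, accept_all };
/* A different module with no version string: must not be dereferenced. */
const struct fops other_fops     = { &other_mod, NULL, accept_all };
```

The order of the `&&` chain is the whole point: the version gate runs before the hook pointer is read, and the NULL test on the pointer runs before the call, so an aufs directory (NULL hook) and an old or foreign module both fall through with `error == 0` instead of dereferencing NULL.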
---
 debian/changelog                                                   | 2 ++
 debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 73470e1..433e7fb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ linux (3.16.36-1+deb8u1) UNRELEASED; urgency=medium
   [ Ben Hutchings ]
   * tcp: make challenge acks less predictable (CVE-2016-5696)
   * audit: fix a double fetch in audit_log_single_execve_arg() (CVE-2016-6136)
+  * fs: Fix oops when fcntl() is called on an aufs directory (CVE-2016-7118;
+    regression in 3.16.36-1)
 
   [ Salvatore Bonaccorso ]
   * tcp: fix use after free in tcp_xmit_retransmit_queue() (CVE-2016-6828)
diff --git a/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch b/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
index ec7003f..0627206 100644
--- a/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
+++ b/debian/patches/debian/fs-fix-abi-change-for-aufs-f_setfl-fix.patch
@@ -19,7 +19,7 @@ version of the module that implements the file_operations.
 ---
 --- a/fs/fcntl.c
 +++ b/fs/fcntl.c
-@@ -59,8 +59,20 @@ int setfl(int fd, struct file * filp, un
+@@ -59,8 +59,21 @@ int setfl(int fd, struct file * filp, un
  
  	if (filp->f_op->check_flags)
  		error = filp->f_op->check_flags(arg);
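Review bot: hand-edited hunk counts in a nested patch are fragile; the bump from `+59,20` to `+59,21` does match the single net line the following hunk adds (`filp->f_op->setfl)` on its own line, with the preceding line modified rather than added), but regenerating the patch with `quilt refresh` would keep the counts and offsets in sync without relying on arithmetic in review.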
@@ -34,7 +34,8 @@ version of the module that implements the file_operations.
 +#ifdef CONFIG_AUFS_FS_MODULE
 +	if (!error && filp->f_op->owner &&
 +	    !strcmp(filp->f_op->owner->name, "aufs") &&
-+	    strstr(filp->f_op->owner->version, "+setfl"))
++	    strstr(filp->f_op->owner->version, "+setfl") &&
++	    filp->f_op->setfl)
  		error = filp->f_op->setfl(filp, arg);
 +#endif
 +
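Review bot: the placement of the new `filp->f_op->setfl` test is correct and should stay where it is, last in the `&&` chain after the owner-name and `"+setfl"` version checks, so the field is read only from a file_operations known to have the enlarged layout; moving it earlier would reintroduce the out-of-bounds read from an older module's smaller struct that this patch exists to avoid. One gap on the visible lines: `filp->f_op->owner->version` is passed to strstr() with no NULL test, while `owner` itself does get one; if `version` can be NULL for a module that declares no version string, an aufs build of that kind would oops on the strstr() line instead of falling through, and adding `filp->f_op->owner->version &&` ahead of the strstr() call would close it.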

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git