Author: dannf
Date: Mon Aug 14 03:18:53 2006
New Revision: 7153

Added:
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-ext3-bad-nfs-handle.dpatch
   
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog

Log:
* fs-ext3-bad-nfs-handle.dpatch
  [SECURITY] James McKenzie discovered a Denial of Service vulnerability 
  in the NFS driver. When exporting an ext3 file system over NFS, a remote
  attacker could exploit this to trigger a file system panic by sending
  a specially crafted UDP packet.
  See CVE-2006-3468

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Mon Aug 14 03:18:53 2006
@@ -1,3 +1,14 @@
+kernel-source-2.6.8 (2.6.8-16sarge5) UNRELEASED; urgency=high
+
+  * fs-ext3-bad-nfs-handle.dpatch
+    [SECURITY] James McKenzie discovered a Denial of Service vulnerability 
+    in the NFS driver. When exporting an ext3 file system over NFS, a remote
+    attacker could exploit this to trigger a file system panic by sending
+    a specially crafted UDP packet.
+    See CVE-2006-3468
+
+ -- dann frazier <[EMAIL PROTECTED]>  Sun, 13 Aug 2006 21:15:35 -0600
+
 kernel-source-2.6.8 (2.6.8-16sarge4) stable-security; urgency=high
 
   * proc-environ-race-1.dpatch, proc-environ-race-2.dpatch

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-ext3-bad-nfs-handle.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/fs-ext3-bad-nfs-handle.dpatch
   Mon Aug 14 03:18:53 2006
@@ -0,0 +1,107 @@
+From: Neil Brown <[EMAIL PROTECTED]>
+Date: Sun, 30 Jul 2006 10:03:01 +0000 (-0700)
+Subject: [PATCH] ext3: avoid triggering ext3_error on bad NFS file handle
+X-Git-Tag: v2.6.18-rc4
+X-Git-Url: 
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9
+
+[PATCH] ext3: avoid triggering ext3_error on bad NFS file handle
+
+The inode number out of an NFS file handle gets passed eventually to
+ext3_get_inode_block() without any checking.  If ext3_get_inode_block()
+allows it to trigger an error, then bad filehandles can have unpleasant
+effect - ext3_error() will usually cause a forced read-only remount, or a
+panic if `errors=panic' was used.
+
+So remove the call to ext3_error there and put a matching check in
+ext3/namei.c where inode numbers are read off storage.
+
[EMAIL PROTECTED]: fix off-by-one error]
+Signed-off-by: Neil Brown <[EMAIL PROTECTED]>
+Signed-off-by: Jan Kara <[EMAIL PROTECTED]>
+Cc: Marcel Holtmann <[EMAIL PROTECTED]>
+Cc: <[EMAIL PROTECTED]>
+Cc: "Stephen C. Tweedie" <[EMAIL PROTECTED]>
+Cc: Eric Sandeen <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Trivial backport to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+diff -urN kernel-source-2.6.8.orig/fs/ext3/inode.c 
kernel-source-2.6.8/fs/ext3/inode.c
+--- kernel-source-2.6.8.orig/fs/ext3/inode.c   2006-07-15 02:22:40.000000000 
-0600
++++ kernel-source-2.6.8/fs/ext3/inode.c        2006-08-13 21:12:08.224405535 
-0600
+@@ -2317,15 +2317,15 @@
+       struct buffer_head *bh;
+       struct ext3_group_desc * gdp;
+ 
+-      if ((ino != EXT3_ROOT_INO &&
+-              ino != EXT3_JOURNAL_INO &&
+-              ino < EXT3_FIRST_INO(sb)) ||
+-              ino > le32_to_cpu(
+-                      EXT3_SB(sb)->s_es->s_inodes_count)) {
+-              ext3_error (sb, "ext3_get_inode_block",
+-                          "bad inode number: %lu", ino);
++      if (!ext3_valid_inum(sb, ino)) {
++              /*
++               * This error is already checked for in namei.c unless we are
++               * looking at an NFS filehandle, in which case no error
++               * report is needed
++               */
+               return 0;
+       }
++
+       block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb);
+       if (block_group >= EXT3_SB(sb)->s_groups_count) {
+               ext3_error (sb, "ext3_get_inode_block",
+diff -urN kernel-source-2.6.8.orig/fs/ext3/namei.c 
kernel-source-2.6.8/fs/ext3/namei.c
+--- kernel-source-2.6.8.orig/fs/ext3/namei.c   2004-08-13 23:37:14.000000000 
-0600
++++ kernel-source-2.6.8/fs/ext3/namei.c        2006-08-13 21:10:59.744628281 
-0600
+@@ -988,7 +988,12 @@
+       if (bh) {
+               unsigned long ino = le32_to_cpu(de->inode);
+               brelse (bh);
+-              inode = iget(dir->i_sb, ino);
++              if (!ext3_valid_inum(dir->i_sb, ino)) {
++                      ext3_error(dir->i_sb, "ext3_lookup",
++                                 "bad inode number: %lu", ino);
++                      inode = NULL;
++              } else
++                      inode = iget(dir->i_sb, ino);
+ 
+               if (!inode)
+                       return ERR_PTR(-EACCES);
+@@ -1019,7 +1024,13 @@
+               return ERR_PTR(-ENOENT);
+       ino = le32_to_cpu(de->inode);
+       brelse(bh);
+-      inode = iget(child->d_inode->i_sb, ino);
++
++      if (!ext3_valid_inum(child->d_inode->i_sb, ino)) {
++              ext3_error(child->d_inode->i_sb, "ext3_get_parent",
++                         "bad inode number: %lu", ino);
++              inode = NULL;
++      } else
++              inode = iget(child->d_inode->i_sb, ino);
+ 
+       if (!inode)
+               return ERR_PTR(-EACCES);
+diff -urN kernel-source-2.6.8.orig/include/linux/ext3_fs.h 
kernel-source-2.6.8/include/linux/ext3_fs.h
+--- kernel-source-2.6.8.orig/include/linux/ext3_fs.h   2004-08-13 
23:37:14.000000000 -0600
++++ kernel-source-2.6.8/include/linux/ext3_fs.h        2006-08-13 
21:10:59.752628715 -0600
+@@ -443,6 +443,15 @@
+ {
+       return container_of(inode, struct ext3_inode_info, vfs_inode);
+ }
++
++static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
++{
++      return ino == EXT3_ROOT_INO ||
++              ino == EXT3_JOURNAL_INO ||
++              ino == EXT3_RESIZE_INO ||
++              (ino >= EXT3_FIRST_INO(sb) &&
++               ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
++}
+ #else
+ /* Assume that user mode programs are passing in an ext3fs superblock, not
+  * a kernel struct super_block.  This will allow us to call the feature-test
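Review bot: `ext3_valid_inum()` in the ext3_fs.h hunk accepts `EXT3_RESIZE_INO`, which the condition removed from `ext3_get_inode_block()` did not, so the backport widens the set of reserved inode numbers that pass rather than only moving the check. The new comment in inode.c says this is the path an inode number from an NFS file handle reaches without earlier validation, so it is worth confirming that the wider set is intended for 2.6.8 and that `EXT3_RESIZE_INO` is defined in this tree's header, neither of which is visible here. The helper also has no comment; I would add `/* Nonzero if ino is the root, journal or resize inode, or lies in [EXT3_FIRST_INO(sb), s_inodes_count]. */` above it. The bodies of `ext3_get_inode_block()`, `ext3_lookup()` and `ext3_get_parent()` continue outside the hunks shown.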

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge5
   Mon Aug 14 03:18:53 2006
@@ -0,0 +1 @@
++ fs-ext3-bad-nfs-handle.dpatch
