Author: dannf
Date: Mon Nov 13 01:51:29 2006
New Revision: 7776

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__block_prepare_write-recovery.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
Log:
* __block_prepare_write-recovery.dpatch
  [SECURITY] Fix an information leak in __block_prepare_write()
  See CVE-2006-4813

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Mon Nov 13 01:51:29 2006
@@ -9,8 +9,11 @@
     [SECURITY] Prevent cross-region mappings on ia64 and sparc which
     could be used in a local DoS attack (system crash)
     See CVE-2006-4538
+  * __block_prepare_write-recovery.dpatch
+    [SECURITY] Fix an information leak in __block_prepare_write()
+    See CVE-2006-4813
 
- -- dann frazier <[EMAIL PROTECTED]>  Wed,  8 Nov 2006 00:05:49 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Sun, 12 Nov 2006 17:50:06 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge5) stable-security; urgency=high
 
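Review bot: the new changelog entry names the dpatch and CVE-2006-4813 but not the upstream commit it backports; the dpatch header carries the id (152becd26e0563aefdbc4fd1fe491928efe92d1f, v2.6.13-rc1), and repeating it here in the `[SECURITY]` entry makes the sarge backport traceable from the changelog alone.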

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__block_prepare_write-recovery.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__block_prepare_write-recovery.dpatch
   Mon Nov 13 01:51:29 2006
@@ -0,0 +1,69 @@
+From: Anton Altaparmakov <[EMAIL PROTECTED]>
+Date: Thu, 23 Jun 2005 07:10:21 +0000 (-0700)
+Subject: [PATCH] Bug in error recovery in fs/buffer.c::__block_prepare_write()
+X-Git-Tag: v2.6.13-rc1
+X-Git-Url: 
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=152becd26e0563aefdbc4fd1fe491928efe92d1f
+
+[PATCH] Bug in error recovery in fs/buffer.c::__block_prepare_write()
+
+fs/buffer.c::__block_prepare_write() has broken error recovery.  It calls
+the get_block() callback with "create = 1" and if that succeeds it
+immediately clears buffer_new on the just allocated buffer (which has
+buffer_new set).
+
+The bug is that if an error occurs and get_block() returns != 0, we break
+from this loop and go into recovery code.  This code has this comment:
+
+/* Error case: */
+/*
+ * Zero out any newly allocated blocks to avoid exposing stale
+ * data.  If BH_New is set, we know that the block was newly
+ * allocated in the above loop.
+ */
+
+So the intent is obviously good in that it wants to clear just allocated
+and hence not zeroed buffers.  However the code recognises allocated
+buffers by checking for buffer_new being set.
+
+Unfortunately __block_prepare_write() as discussed above already cleared
+buffer_new on all allocated buffers thus no buffers will be cleared during
+error recovery and old data will be leaked.
+
+The simplest way I can see to fix this is to make the current recovery code
+work by _not_ clearing buffer_new after calling get_block() in
+__block_prepare_write().
+
+We cannot safely allow buffer_new buffers to "leak out" of
+__block_prepare_write(), thus we simply do a quick loop over the buffers
+clearing buffer_new on each of them if it is set just before returning
+"success" from __block_prepare_write().
+
+Signed-off-by: Anton Altaparmakov <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+Backported to Debian's 2.6.8 by dann frazier <[EMAIL PROTECTED]>
+
+--- kernel-source-2.6.8.orig/fs/buffer.c       2004-08-13 23:37:14.000000000 
-0600
++++ kernel-source-2.6.8/fs/buffer.c    2006-11-12 17:32:44.704241381 -0700
+@@ -2021,7 +2021,6 @@ static int __block_prepare_write(struct 
+                       if (err)
+                               goto out;
+                       if (buffer_new(bh)) {
+-                              clear_buffer_new(bh);
+                               unmap_underlying_metadata(bh->b_bdev,
+                                                       bh->b_blocknr);
+                               if (PageUptodate(page)) {
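Review bot: with `clear_buffer_new(bh);` removed, BH_New now stays set on every block that `get_block()` allocated for the rest of the per-buffer loop, which is what lets the `out:` recovery path find and zero them; the lines between this hunk and the wait loop are not shown, so the backport should be checked against upstream to confirm that no code in that stretch (in particular the read-ahead path for not-uptodate buffers) treats a BH_New buffer as needing a read from disk, since that would now read a freshly allocated block instead of skipping it.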
+@@ -2063,6 +2062,11 @@ static int __block_prepare_write(struct 
+               if (!buffer_uptodate(*wait_bh))
+                       return -EIO;
+       }
++      bh = head;
++      do {
++              if (buffer_new(bh))
++                      clear_buffer_new(bh);
++      } while ((bh = bh->b_this_page) != head);
+       return 0;
+ out:
+       /*
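Review bot: the new clearing loop runs only on the success path, after the wait loop; the `return -EIO;` inside that wait loop (visible above the added lines) leaves the function without passing through either the new loop or the `out:` recovery, so on that error path buffers that `get_block()` allocated keep BH_New set and are not zeroed. This mirrors the upstream commit, but it is worth a comment in the dpatch noting that the `-EIO` path is intentionally left as upstream has it, or a follow-up that routes it through `out:` so the stale-data zeroing applies there too.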

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge6
   Mon Nov 13 01:51:29 2006
@@ -1,2 +1,3 @@
 + perfmon-fd-refcnt.dpatch
 + ia64-sparc-cross-region-mappings.dpatch
++ __block_prepare_write-recovery.dpatch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
