Author: dannf
Date: Sat Mar 31 20:24:55 2007
New Revision: 8405

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__find_get_block_slow-race.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* __find_get_block_slow-race.dpatch
  [SECURITY] Fix infinite loop in __find_get_block_slow that can
  be triggered by mounting and accessing a malicious iso9660 or NTFS
  filesystem
  See CVE-2006-5757, CVE-2006-6060

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Sat Mar 31 20:24:55 2007
@@ -24,6 +24,11 @@
     [SECURITY] Add additional length checks to avoid potential remote
     DoS attacks in the handling of CAPI messages in the bluetooth driver
     See CVE-2006-6106
+  * __find_get_block_slow-race.dpatch
+    [SECURITY] Fix infinite loop in __find_get_block_slow that can
+    be triggered by mounting and accessing a malicious iso9660 or NTFS
+    filesystem
+    See CVE-2006-5757, CVE-2006-6060
   * listxattr-mem-corruption.dpatch
     [SECURITY] Fix userspace corruption vulnerability caused by
     incorrectly promoted return values in bad_inode_ops
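Review bot: the changelog entry (and the dpatch file name) locate the infinite loop in __find_get_block_slow and call it a race, but the patch being added changes grow_buffers() and __getblk_slow() in fs/buffer.c, its upstream subject is "grow_buffers() infinite loop fix", and the fix is an out-of-range index check rather than a race fix; the loop that spins is the for (;;) in __getblk_slow(). Suggest wording the entry as "Fix infinite loop in __getblk_slow()/grow_buffers() ..." so the changelog matches the code it ships, and consider naming the dpatch after grow_buffers as upstream does.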
@@ -33,7 +38,7 @@
     avoid a race that can lead to a system crash
     See CVE-2006-5754
 
- -- dann frazier <[EMAIL PROTECTED]>  Tue, 20 Mar 2007 01:05:01 -0600
+ -- dann frazier <[EMAIL PROTECTED]>  Sat, 31 Mar 2007 13:51:04 -0600
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__find_get_block_slow-race.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/__find_get_block_slow-race.dpatch
       Sat Mar 31 20:24:55 2007
@@ -0,0 +1,69 @@
+From: Andrew Morton <[EMAIL PROTECTED]>
+Date: Sat, 30 Dec 2006 23:23:35 +0000 (-0500)
+Subject: grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)
+X-Git-Tag: v2.6.18.8^0~17
+X-Git-Url: 
http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6.18.y.git;a=commitdiff_plain;h=0fc7b9055c2069bdb2fae508cefaeef4d26f86aa;hp=6ce115c0d888086716aef2b4b3cd702d3b4f060d
+
+grow_buffers() infinite loop fix (CVE-2006-5757, CVE-2006-6060)
+
+If grow_buffers() is for some reason passed a block number which wants to lie
+outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it
+will accidentally truncate `index' and will then instnatiate a page at the
+wrong pagecache offset.  This causes __getblk_slow() to go into an infinite
+loop.
+
+This can happen with corrupted disks, or with software errors elsewhere.
+
+Detect that, and handle it.
+
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+Signed-off-by: Chris Wright <[EMAIL PROTECTED]>
+Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/buffer.c b/fs/buffer.c
+index 5b329f0..29fc99f 100644
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -1179,8 +1179,21 @@ grow_buffers(struct block_device *bdev, sector_t block, 
int size)
+       } while ((size << sizebits) < PAGE_SIZE);
+ 
+       index = block >> sizebits;
+-      block = index << sizebits;
+ 
++      /*
++       * Check for a block which wants to lie outside our maximum possible
++       * pagecache index.  (this comparison is done using sector_t types).
++       */
++      if (unlikely(index != block >> sizebits)) {
++              char b[BDEVNAME_SIZE];
++
++              printk(KERN_ERR "%s: requested out-of-range block %llu for "
++                      "device %s\n",
++                      __FUNCTION__, (unsigned long long)block,
++                      bdevname(bdev, b));
++              return -EIO;
++      }
++      block = index << sizebits;
+       /* Create a page with the proper size buffers.. */
+       page = grow_dev_page(bdev, block, index, size);
+       if (!page)
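Review bot: the ordering is the whole fix and deserves a comment in the code: `block = index << sizebits;` must stay below `if (unlikely(index != block >> sizebits))`, because once block has been recomputed from the truncated index the two sides are equal by construction and the check can never fire; the added comment says what is compared but not why the assignment moved. Also, this printk is reachable from on-disk data (the changelog describes a malicious iso9660 or NTFS image) on every lookup of an out-of-range block, so an unthrottled KERN_ERR can flood the log; rate-limit it, e.g. by guarding it with printk_ratelimit().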
+@@ -1207,12 +1220,16 @@ __getblk_slow(struct block_device *bdev, sector_t 
block, int size)
+ 
+       for (;;) {
+               struct buffer_head * bh;
++              int ret;
+ 
+               bh = __find_get_block(bdev, block, size);
+               if (bh)
+                       return bh;
+ 
+-              if (!grow_buffers(bdev, block, size))
++              ret = grow_buffers(bdev, block, size);
++              if (ret < 0)
++                      return NULL;
++              if (ret == 0)
+                       free_more_memory();
+       }
+ }
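Review bot: grow_buffers() previously returned 0/1 and was tested with `!grow_buffers(...)`; it now also returns -EIO, which is non-zero, so any caller still using the old boolean test would treat the out-of-range case as success and keep spinning. This hunk updates __getblk_slow() only, so confirm that grow_buffers() has no other callers in the 2.6.8 tree. The X-Git-Tag (v2.6.18.8) and the hunk line numbers (1179/1207) show this is lifted from 2.6.18.y, so also confirm the two hunks apply to 2.6.8's fs/buffer.c without fuzz and that the surrounding code there has the same shape (sizebits loop, index/block computation, `if (!grow_buffers(...)) free_more_memory();`).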

Modified: 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
   (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
   Sat Mar 31 20:24:55 2007
@@ -4,5 +4,6 @@
 + dvb-core-handle-0-length-ule-sndu.dpatch
 + smbfs-honor-mount-opts-2.dpatch
 + bluetooth-capi-size-checks.dpatch
++ __find_get_block_slow-race.dpatch
 + listxattr-mem-corruption.dpatch
 + aio-fix-nr_pages-init.dpatch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes