Author: dannf
Date: Tue Jun 19 00:08:12 2007
New Revision: 9004

Log:
* compat_sys_mount-NULL-data_page.dpatch
  [SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page
  See CVE-2006-7203

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    (original)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog   
    Tue Jun 19 00:08:12 2007
@@ -1,3 +1,11 @@
+kernel-source-2.6.8 (2.6.8-17sarge1) UNRELEASED; urgency=high
+
+  * compat_sys_mount-NULL-data_page.dpatch
+    [SECURITY] Fix oops in compat_sys_mount triggered by NULL data_page
+    See CVE-2006-7203
+
+ -- dann frazier <[EMAIL PROTECTED]>  Tue, 19 Jun 2007 01:02:58 +0100
+
 kernel-source-2.6.8 (2.6.8-17) oldstable; urgency=high
 
   [ Simon Horman ]
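
Review bot: The new changelog entry names the CVE but not the upstream commit the fix was taken from. The dpatch added in this revision carries that id in its X-Git-Url line (h=822191a2fa1584a29c3224ab328507adcaeac1ab), and quoting it in the entry would make the backport traceable from the changelog alone. The distribution field is still UNRELEASED while the previous entry reads oldstable, so it has to be set before upload.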

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/compat_sys_mount-NULL-data_page.dpatch
  Tue Jun 19 00:08:12 2007
@@ -0,0 +1,39 @@
+From: Andrey Mirkin <[EMAIL PROTECTED]>
+Date: Thu, 7 Dec 2006 04:31:35 +0000 (-0800)
+Subject: [PATCH] skip data conversion in compat_sys_mount when data_page is 
NULL
+X-Git-Tag: v2.6.20~683^2^2~360
+X-Git-Url: 
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab
+
+[PATCH] skip data conversion in compat_sys_mount when data_page is NULL
+
+OpenVZ Linux kernel team has found a problem with mounting in compat mode.
+
+Simple command "mount -t smbfs ..." on Fedora Core 5 distro in 32-bit mode
+leads to oops:
+
+  Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 
compat_sys_mount+0xd6/0x290
+  Process mount (pid: 14656, veid=300, threadinfo ffff810034d30000, task 
ffff810034c86bc0)
+  Call Trace: ia32_sysret+0x0/0xa
+
+The problem is that data_page pointer can be NULL, so we should skip data
+conversion in this case.
+
+Signed-off-by: Andrey Mirkin <[EMAIL PROTECTED]>
+Cc: <[EMAIL PROTECTED]>
+Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/compat.c b/fs/compat.c
+index 06dad66..7aef541 100644
+--- a/fs/compat.c
++++ b/fs/compat.c
+@@ -871,7 +871,7 @@ asmlinkage long compat_sys_mount(char __user * dev_name, 
char __user * dir_name,
+ 
+       retval = -EINVAL;
+ 
+-      if (type_page) {
++      if (type_page && data_page) {
+               if (!strcmp((char *)type_page, SMBFS_NAME)) {
+                       do_smb_super_data_conv((void *)data_page);
+               } else if (!strcmp((char *)type_page, NCPFS_NAME)) {
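
Review bot: In the fs/compat.c hunk the NULL test is folded into the outer condition (`if (type_page && data_page)`), so every branch of the if/else chain is skipped when data_page is NULL, but the context stops at the NCPFS_NAME branch and any later branches are not visible here. Confirm that each remaining branch only converts data_page, so that skipping them all is the intended behaviour; otherwise put the test on the individual conversion calls. The `@@ -871,7 +871,7 @@` position and the index line come from the upstream tree, so it is worth recording in the dpatch that the hunk was checked against the 2.6.8 fs/compat.c.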

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-17sarge1
   Tue Jun 19 00:08:12 2007
@@ -0,0 +1 @@
++ compat_sys_mount-NULL-data_page.dpatch

_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
