Author: dannf
Date: Mon Jan 21 07:53:09 2008
New Revision: 10157
Log:
* 254_cramfs-check-block-length.diff
[SECURITY] Add a sanity check of the block length in cramfs_readpage to
avoid a potential oops condition
See CVE-2006-5823
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
---
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
(original)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
Mon Jan 21 07:53:09 2008
@@ -45,8 +45,12 @@
[SECURITY] Fix an issue where core dumping over a file that
already exists retains the ownership of the original file
See CVE-2007-6206
+ * 254_cramfs-check-block-length.diff
+ [SECURITY] Add a sanity check of the block length in cramfs_readpage to
+ avoid a potential oops condition
+ See CVE-2006-5823
- -- dann frazier <[EMAIL PROTECTED]> Mon, 12 Nov 2007 16:29:16 -0700
+ -- dann frazier <[EMAIL PROTECTED]> Mon, 21 Jan 2008 00:48:39 -0700
kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
Added:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff
==============================================================================
--- (empty file)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/254_cramfs-check-block-length.diff
Mon Jan 21 07:53:09 2008
@@ -0,0 +1,51 @@
+From: Moritz Muehlenhoff <[EMAIL PROTECTED]>
+Date: Sun, 11 Nov 2007 17:02:24 +0000 (+0100)
+Subject: [PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
+X-Git-Tag: v2.4.36-pre2~3
+X-Git-Url:
http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=bf45d0bda54148841426979209d5f1df4f4d34e0
+
+[PATCH] corrupted cramfs filesystems cause kernel oops (CVE-2006-5823)
+
+From http://projects.info-pull.com/mokb/MOKB-07-11-2006.html :
+
+| The zlib_inflate function in Linux kernel 2.6.x allows local users to cause a
+| denial of service (crash) via a malformed filesystem that uses zlib
+| compression that triggers memory corruption, as demonstrated using cramfs.
+
+We could reproduce this with 2.4.27, since there aren't any changes to git
+for cramfs since initial import this is likely unfixed in 2.4.35 too.
+2.6 patch below.
+
+http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8bb0269160df2a60764013994d0bc5165406cf4a
+
+| Steve Grubb's fzfuzzer tool (http://people.redhat.com/sgrubb/files/
+| fsfuzzer-0.6.tar.gz) generates corrupt Cramfs filesystems which cause
+| Cramfs to kernel oops in cramfs_uncompress_block(). The cause of the oops
+| is an unchecked corrupted block length field read by cramfs_readpage().
+|
+| This patch adds a sanity check to cramfs_readpage() which checks that the
+| block length field is sensible. The (PAGE_CACHE_SIZE << 1) size check is
+| intentional, even though the uncompressed data is not going to be larger
+| than PAGE_CACHE_SIZE, gzip sometimes generates compressed data larger than
+| the original source data. Mkcramfs checks that the compressed size is
+| always less than or equal to PAGE_CACHE_SIZE << 1. Of course Cramfs could
+| use the original uncompressed data in this case, but it doesn't.
+|
+| Signed-off-by: Phillip Lougher <[EMAIL PROTECTED]>
+| Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
+| Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+---
+
+diff --git a/fs/cramfs/inode.c b/fs/cramfs/inode.c
+index 8fb1e70..71495ac 100644
+--- a/fs/cramfs/inode.c
++++ b/fs/cramfs/inode.c
+@@ -404,6 +404,8 @@ static int cramfs_readpage(struct file *file, struct page
* page)
+ pgdata = kmap(page);
+ if (compr_len == 0)
+ ; /* hole */
++ else if (compr_len > (PAGE_CACHE_SIZE << 1))
++ printk(KERN_ERR "cramfs: bad compressed blocksize
%u\n", compr_len);
+ else {
+ down(&read_mutex);
+ bytes_filled = cramfs_uncompress_block(pgdata,
Modified:
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
---
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
(original)
+++
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Mon Jan 21 07:53:09 2008
@@ -13,3 +13,4 @@
+ 251_openpromfs-checks-2.diff
+ 252_openpromfs-checks-3.diff
+ 253_coredump-only-to-same-uid.diff
++ 254_cramfs-check-block-length.diff
_______________________________________________
Kernel-svn-changes mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/kernel-svn-changes
