fedora-cvs-commits@redhat.com
[Top] [All Lists]
<prev [Date] next>
<prev [Thread] next>

rpms/kernel/FC-6 linux-2.6-fs-grow_buffers-limit.patch, NONE, 1.1 kernel

from [fedora-cvs-commits]
Subject: rpms/kernel/FC-6 linux-2.6-fs-grow_buffers-limit.patch, NONE, 1.1 kernel-2.6.spec, 1.2842, 1.2843
From:
Date: Thu, 9 Nov 2006 18:42:39 -0500 
Author: davej

Update of /cvs/dist/rpms/kernel/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv10891

Modified Files:
        kernel-2.6.spec 
Added Files:
        linux-2.6-fs-grow_buffers-limit.patch 
Log Message:
ISO9660 __find_get_block_slow() denial of service CVE-2006-5757 (#214419)

linux-2.6-fs-grow_buffers-limit.patch:
 buffer.c |   21 +++++++++++++++++++--
 1 files changed, 19 insertions(+), 2 deletions(-)

--- NEW FILE linux-2.6-fs-grow_buffers-limit.patch ---

Addresses:
CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service

From: Andrew Morton <akpm@xxxxxxxx>
Date: Wed, 11 Oct 2006 08:21:46 +0000 (-0700)
Subject: [PATCH] grow_buffers() infinite loop fix
X-Git-Tag: v2.6.19-rc2
X-Git-Url: 
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e5657933863f43cc6bb76a54d659303dafaa9e58

[PATCH] grow_buffers() infinite loop fix

If grow_buffers() is for some reason passed a block number which wants to lie
outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it
will accidentally truncate `index' and will then instnatiate a page at the
wrong pagecache offset.  This causes __getblk_slow() to go into an infinite
loop.

This can happen with corrupted disks, or with software errors elsewhere.

Detect that, and handle it.

Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxx>
---

Index: linux-2.6.18-1.2732.el5/fs/buffer.c
===================================================================
--- linux-2.6.18-1.2732.el5.orig/fs/buffer.c
+++ linux-2.6.18-1.2732.el5/fs/buffer.c
@@ -1178,8 +1178,21 @@ grow_buffers(struct block_device *bdev, 
        } while ((size << sizebits) < PAGE_SIZE);
 
        index = block >> sizebits;
-       block = index << sizebits;
 
+       /*
+        * Check for a block which wants to lie outside our maximum possible
+        * pagecache index.  (this comparison is done using sector_t types).
+        */
+       if (unlikely(index != block >> sizebits)) {
+               char b[BDEVNAME_SIZE];
+
+               printk(KERN_ERR "%s: requested out-of-range block %llu for "
+                       "device %s\n",
+                       __FUNCTION__, (unsigned long long)block,
+                       bdevname(bdev, b));
+               return -EIO;
+       }
+       block = index << sizebits;
        /* Create a page with the proper size buffers.. */
        page = grow_dev_page(bdev, block, index, size);
        if (!page)
@@ -1206,12 +1219,16 @@ __getblk_slow(struct block_device *bdev,
 
        for (;;) {
                struct buffer_head * bh;
+               int ret;
 
                bh = __find_get_block(bdev, block, size);
                if (bh)
                        return bh;
 
-               if (!grow_buffers(bdev, block, size))
+               ret = grow_buffers(bdev, block, size);
+               if (ret < 0)
+                       return NULL;
+               if (ret == 0)
                        free_more_memory();
        }
 }



Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-6/kernel-2.6.spec,v
retrieving revision 1.2842
retrieving revision 1.2843
diff -u -r1.2842 -r1.2843
--- kernel-2.6.spec     9 Nov 2006 23:28:54 -0000       1.2842
+++ kernel-2.6.spec     9 Nov 2006 23:42:33 -0000       1.2843
@@ -492,6 +492,7 @@
 Patch1731: linux-2.6-cpufreq-unload-smi.patch
 Patch1740: linux-2.6-softlockup-disable.patch
 Patch1750: linux-2.6-usb-storage-reboot.patch
+Patch1760: linux-2.6-fs-grow_buffers-limit.patch
 Patch1770: linux-2.6-optimise-spinlock-debug.patch
 Patch1771: linux-2.6-silence-noise.patch
 Patch1780: linux-2.6-ehea-ethernet-driver.patch
@@ -1130,6 +1131,8 @@
 %patch1740 -p1
 # USB storage not seen upon reboot
 %patch1750 -p1
+# CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service
+%patch1760 -p1
 # Speed up spinlock debug.
 %patch1770 -p1
 # Silence some useless messages that still get printed with 'quiet'
@@ -2068,6 +2071,7 @@
 - TTY locking fixes.
 - splice : Must fully check for FIFO
 - Fix potential NULL dereference in sys_move_pages
+- ISO9660 __find_get_block_slow() denial of service CVE-2006-5757
 
 * Mon Nov  6 2006 Roland McGrath <roland@xxxxxxxxxx>
 - New utrace patch: fix locking snafu crash on second engine attach.

-- 
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • rpms/kernel/FC-6 linux-2.6-fs-grow_buffers-limit.patch, NONE, 1.1 kernel-2.6.spec, 1.2842, 1.2843, fedora-cvs-commits <=
Previous by Date:  rpms/perl-DateManip/devel perl-DateManip-5.44-rhbz214709.patch, NONE, 1.1 perl-DateManip.spec, 1.13, 1.14, fedora-cvs-commits
Next by Date:  rpms/kernel/FC-5 linux-2.6-fs-grow_buffers-limit.patch, NONE, 1.1 kernel-2.6.spec, 1.2231, 1.2232, fedora-cvs-commits
Previous by Thread:  rpms/perl-DateManip/devel perl-DateManip-5.44-rhbz214709.patch, NONE, 1.1 perl-DateManip.spec, 1.13, 1.14, fedora-cvs-commits
Next by Thread:  rpms/kernel/FC-5 linux-2.6-fs-grow_buffers-limit.patch, NONE, 1.1 kernel-2.6.spec, 1.2231, 1.2232, fedora-cvs-commits
Indexes:  [Date] [Thread] [Top] [All Lists]