rpms/kernel/FC-5 linux-2.6-fs-grow_buffers-limit.patch, NONE, 1.1 kernel-2.6.spec, 1.2231, 1.2232
fedora-cvs-commits at redhat.com
Thu Nov 9 23:42:50 UTC 2006
Author: davej
Update of /cvs/dist/rpms/kernel/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv11041
Modified Files:
kernel-2.6.spec
Added Files:
linux-2.6-fs-grow_buffers-limit.patch
Log Message:
ISO9660 __find_get_block_slow() denial of service CVE-2006-5757
linux-2.6-fs-grow_buffers-limit.patch:
buffer.c | 21 +++++++++++++++++++--
1 files changed, 19 insertions(+), 2 deletions(-)
--- NEW FILE linux-2.6-fs-grow_buffers-limit.patch ---
Addresses:
CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service
From: Andrew Morton <akpm at osdl.org>
Date: Wed, 11 Oct 2006 08:21:46 +0000 (-0700)
Subject: [PATCH] grow_buffers() infinite loop fix
X-Git-Tag: v2.6.19-rc2
X-Git-Url: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e5657933863f43cc6bb76a54d659303dafaa9e58
[PATCH] grow_buffers() infinite loop fix
If grow_buffers() is for some reason passed a block number which wants to lie
outside the maximum-addressable pagecache range (PAGE_SIZE * 4G bytes) then it
will accidentally truncate `index' and will then instantiate a page at the
wrong pagecache offset. This causes __getblk_slow() to go into an infinite
loop.
This can happen with corrupted disks, or with software errors elsewhere.
Detect that, and handle it.
Signed-off-by: Andrew Morton <akpm at osdl.org>
Signed-off-by: Linus Torvalds <torvalds at osdl.org>
---
Index: linux-2.6.18-1.2732.el5/fs/buffer.c
===================================================================
--- linux-2.6.18-1.2732.el5.orig/fs/buffer.c
+++ linux-2.6.18-1.2732.el5/fs/buffer.c
@@ -1178,8 +1178,21 @@ grow_buffers(struct block_device *bdev,
} while ((size << sizebits) < PAGE_SIZE);
index = block >> sizebits;
- block = index << sizebits;
+ /*
+ * Check for a block which wants to lie outside our maximum possible
+ * pagecache index. (this comparison is done using sector_t types).
+ */
+ if (unlikely(index != block >> sizebits)) {
+ char b[BDEVNAME_SIZE];
+
+ printk(KERN_ERR "%s: requested out-of-range block %llu for "
+ "device %s\n",
+ __FUNCTION__, (unsigned long long)block,
+ bdevname(bdev, b));
+ return -EIO;
+ }
+ block = index << sizebits;
/* Create a page with the proper size buffers.. */
page = grow_dev_page(bdev, block, index, size);
if (!page)
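Review bot: the new `return -EIO;` in the out-of-range branch turns grow_buffers() from a 0/1 result into a tri-state (negative error, 0 for no memory, positive for success), so any caller still written as `if (!grow_buffers(bdev, block, size))` would treat -EIO as success and keep going; the __getblk_slow hunk below is converted, but every other caller of grow_buffers() needs the same `ret < 0` check or the bad block is silently retried. Also consider rate-limiting the KERN_ERR printk (e.g. guarding it with printk_ratelimit()), since a corrupted image can trigger this path repeatedly and flood the log.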
@@ -1206,12 +1219,16 @@ __getblk_slow(struct block_device *bdev,
for (;;) {
struct buffer_head * bh;
+ int ret;
bh = __find_get_block(bdev, block, size);
if (bh)
return bh;
- if (!grow_buffers(bdev, block, size))
+ ret = grow_buffers(bdev, block, size);
+ if (ret < 0)
+ return NULL;
+ if (ret == 0)
free_more_memory();
}
}
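Review bot: with `if (ret < 0) return NULL;` the retry loop gains a failure exit where it previously only returned a valid buffer_head or kept spinning, so every caller of __getblk_slow() (and of __getblk(), which wraps it) must check for NULL before dereferencing, otherwise the infinite loop in CVE-2006-5757 becomes a NULL pointer dereference instead. A short comment above `return NULL;` stating that this only signals an out-of-range block, as distinct from the memory-pressure case that still falls through to `free_more_memory()`, would make the two outcomes of `ret` clearer to the next reader.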
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/FC-5/kernel-2.6.spec,v
retrieving revision 1.2231
retrieving revision 1.2232
diff -u -r1.2231 -r1.2232
--- kernel-2.6.spec 9 Nov 2006 23:29:08 -0000 1.2231
+++ kernel-2.6.spec 9 Nov 2006 23:42:48 -0000 1.2232
@@ -403,6 +403,7 @@
Patch1731: linux-2.6-cpufreq-unload-smi.patch
Patch1740: linux-2.6-softlockup-disable.patch
Patch1750: linux-2.6-usb-storage-reboot.patch
+Patch1760: linux-2.6-fs-grow_buffers-limit.patch
Patch1770: linux-2.6-optimise-spinlock-debug.patch
Patch1771: linux-2.6-silence-noise.patch
Patch1790: linux-2.6-drivers-add-qlogic-firmware.patch
@@ -970,6 +971,8 @@
%patch1740 -p1
# USB storage not seen upon reboot
%patch1750 -p1
+# CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service
+%patch1760 -p1
# Speed up spinlock debug.
%patch1770 -p1
# Silence some noisy printks at boot time.
@@ -1644,6 +1647,7 @@
- TTY locking fixes.
- splice : Must fully check for FIFO
- Fix potential NULL dereference in sys_move_pages
+- ISO9660 __find_get_block_slow() denial of service CVE-2006-5757
* Mon Nov 6 2006 Roland McGrath <roland at redhat.com>
- New utrace patch: fix locking snafu crash on second engine attach.