From 4f956229641a5c3b55498603c899a6633c5801bb Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Tue, 1 Nov 2011 14:25:01 +0000
Subject: [PATCH] xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)

svn path=/dists/sid/linux-2.6/; revision=18209
---
 debian/changelog | 1 +
 ...-memory-corruption-in-xfs_readlink-2.patch | 18 ++++++++
 ...ix-memory-corruption-in-xfs_readlink.patch | 44 +++++++++++++++++++
 debian/patches/series/6 | 2 +
 4 files changed, 65 insertions(+)
 create mode 100644 debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch
 create mode 100644 debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch

diff --git a/debian/changelog b/debian/changelog
index f827325b0..04073be97 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -30,6 +30,7 @@ linux-2.6 (3.0.0-6) UNRELEASED; urgency=low
   * ark3116: Fix initialisation order (Closes: #640391)
   * Add empty files to trigger generation of kernel-image udebs
   * aufs: Update to aufs3.0-20111031 (Closes: #644687)
+  * xfs: Fix possible memory corruption in xfs_readlink (CVE-2011-4077)
 
  -- Uwe Kleine-König Fri, 07 Oct 2011 15:48:22 +0200
 
diff --git a/debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch b/debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch
new file mode 100644
index 000000000..a35070ae4
--- /dev/null
+++ b/debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch
@@ -0,0 +1,18 @@
+Subject: [PATCH] xfs: Fix possible memory corruption in xfs_readlink (2)
+From: Ben Hutchings
+
+Previous fix doesn't check for integer overflow.
+
+Signed-off-by: Ben Hutchings
+---
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -127,7 +127,7 @@ xfs_readlink(
+ 	if (!pathlen)
+ 		goto out;
+ 
+-	if (pathlen > MAXPATHLEN) {
++	if (pathlen < 0 || pathlen > MAXPATHLEN) {
+ 		xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
+ 			__func__, (unsigned long long)ip->i_ino, pathlen);
+ 		ASSERT(0);
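Review bot: The new `pathlen < 0` test in the -2.patch hunk guards the copied value rather than the source field: `pathlen` is printed with `%d`, so it appears to be an `int`, and it is assigned from `ip->i_d.di_size` in the companion xfs_readlink.patch; if `di_size` is wider than `int`, the assignment can truncate to a small positive value that passes this range check although the on-disk length is still out of range. If that is the case, the robust form compares the inode field itself before the assignment, e.g. `if (ip->i_d.di_size < 0 || ip->i_d.di_size > MAXPATHLEN) {`, with the sign test dropped should `di_size` turn out to be unsigned. The xfs_readlink body continues outside this hunk, including the error return on the corruption path and the `out` label.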
diff --git a/debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch b/debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch
new file mode 100644
index 000000000..d47ebb1f8
--- /dev/null
+++ b/debian/patches/bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch
@@ -0,0 +1,44 @@
+Subject: [PATCH] Fix possible memory corruption in xfs_readlink
+From: Carlos Maiolino
+Date: Tue, 18 Oct 2011 02:18:58 -0200
+
+Fixes a possible memory corruption when the link is larger than
+MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
+S_ISLNK assert, since the inode mode is checked previously in
+xfs_readlink_by_handle() and via VFS.
+
+Signed-off-by: Carlos Maiolino
+[bwh: Adjust deleted S_ISLNK check for 3.0]
+---
+ fs/xfs/xfs_vnodeops.c | 11 ++++++++---
+ 1 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index 51fc429..c3288be 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -123,13 +123,18 @@ xfs_readlink(
+ 
+ 	xfs_ilock(ip, XFS_ILOCK_SHARED);
+ 
+-	ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+-	ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ 	pathlen = ip->i_d.di_size;
+ 	if (!pathlen)
+ 		goto out;
+ 
++	if (pathlen > MAXPATHLEN) {
++		xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
++			__func__, (unsigned long long)ip->i_ino, pathlen);
++		ASSERT(0);
++		return XFS_ERROR(EFSCORRUPTED);
++	}
++
++
+ 	if (ip->i_df.if_flags & XFS_IFINLINE) {
+ 		memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ 		link[pathlen] = '\0';
+-- 
+1.7.6.2
+
diff --git a/debian/patches/series/6 b/debian/patches/series/6
index 08da7026f..45ea7108c 100644
--- a/debian/patches/series/6
+++ b/debian/patches/series/6
@@ -12,3 +12,5 @@
 + features/all/aufs3/aufs3-kbuild.patch
 + features/all/aufs3/aufs3-add.patch
 + features/all/aufs2/mark-as-staging.patch
++ bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink.patch
++ bugfix/all/xfs-fix-memory-corruption-in-xfs_readlink-2.patch
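Review bot: The new corruption branch in xfs_readlink.patch leaves via `return XFS_ERROR(EFSCORRUPTED);` a few lines after `xfs_ilock(ip, XFS_ILOCK_SHARED);` has been taken, whereas the `!pathlen` case immediately above it exits through `goto out`; unless `out` does something other than release that lock, this path returns EFSCORRUPTED with the inode lock still held, which turns a corrupt symlink into a hang on the next access. Route the error through the same exit as the zero-length case, `error = XFS_ERROR(EFSCORRUPTED);` followed by `goto out;`, assuming `error` is the value the function returns at `out` (the label and the function's tail are outside this hunk). The two consecutive empty `+` lines after the closing brace are a leftover and one of them should go. The companion -2.patch only changes the condition and inherits this same early return.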