[kernel] r6674 - dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches

Dann Frazier dannf at costa.debian.org
Wed May 24 04:03:51 UTC 2006


Author: dannf
Date: Wed May 24 04:03:49 2006
New Revision: 6674

Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-another-O_DIRECT-fix.dpatch

Log:
backport was missing a necessary prototype (nfs_free_users_pages);
rebackported to include it


Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-another-O_DIRECT-fix.dpatch
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-another-O_DIRECT-fix.dpatch	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/nfs-another-O_DIRECT-fix.dpatch	Wed May 24 04:03:49 2006
@@ -1,31 +1,66 @@
-Fix for CVE-2006-0555 for Sarge 2.6.8. 
+From: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date: Tue, 14 Mar 2006 05:20:46 +0000 (-0800)
+Subject: [PATCH] NFS: Fix a potential panic in O_DIRECT
+X-Git-Tag: v2.6.16
+X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=143f412eb4c7cc48b9eb4381f9133b7d36c68075
 
-Signed-off-by: Troy Heber <troyh at debian.org>`
+[PATCH] NFS: Fix a potential panic in O_DIRECT
 
-diff-tree 93e3d00a9f0158e522cada1088233fad23247882 (from 8dcd7c19f2624b7150edd60da336da0bb5291bef)
-Author: Trond Myklebust <trond.myklebust at netapp.com>
-Date:   Wed Feb 15 00:42:26 2006 -0500
-
-    [PATCH] Normal user can panic NFS client with direct I/O (CVE-2006-0555)
-    
-    This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
-    NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
-    
-    Signed-off-by: Chris Wright <chrisw at sous-sol.org>
-
-diff --git a/fs/nfs/direct.c b/fs/nfs/direct.c
-index 0792288..3ebb06e 100644
---- a/fs/nfs/direct.c
-+++ b/fs/nfs/direct.c
-@@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
- 		result = get_user_pages(current, current->mm, user_addr,
+Based on an original patch by Mike O'Connor and Greg Banks of SGI.
+
+Mike states:
+
+A normal user can panic an NFS client and cause a local DoS with
+'judicious'(?) use of O_DIRECT.  Any O_DIRECT write to an NFS file where the
+user buffer starts with a valid mapped page and contains an unmapped page,
+will crash in this way.  I haven't followed the code, but O_DIRECT reads with
+similar user buffers will probably also crash albeit in different ways.
+
+Details: when nfs_get_user_pages() calls get_user_pages(), it detects and
+correctly handles get_user_pages() returning an error, which happens if the
+first page covered by the user buffer's address range is unmapped.  However,
+if the first page is mapped but some subsequent page isn't, get_user_pages()
+will return a positive number which is less than the number of pages requested
+(this behaviour is sort of analagous to a short write() call and appears to be
+intentional).  nfs_get_user_pages() doesn't detect this and hands off the
+array of pages (whose last few elements are random rubbish from the newly
+allocated array memory) to it's caller, whence they go to
+nfs_direct_write_seg(), which then totally ignores the nr_pages it's given,
+and calculates its own idea of how many pages are in the array from the user
+buffer length.  Needless to say, when it comes to transmit those uninitialised
+page* pointers, we see a crash in the network stack.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at osdl.org>
+---
+
+# Backported to Debian's kernel-source-2.6.8 by dann frazier <dannf at debian.org>
+
+diff -urN kernel-source-2.6.8.orig/fs/nfs/direct.c kernel-source-2.6.8/fs/nfs/direct.c
+--- kernel-source-2.6.8.orig/fs/nfs/direct.c	2006-02-08 23:55:59.000000000 -0600
++++ kernel-source-2.6.8/fs/nfs/direct.c	2006-05-23 23:02:07.532223968 -0500
+@@ -55,6 +55,7 @@
+ #define VERF_SIZE		(2 * sizeof(__u32))
+ #define MAX_DIRECTIO_SIZE	(4096UL << PAGE_SHIFT)
+ 
++static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);
+ 
+ /**
+  * nfs_get_user_pages - find and set up pages underlying user's buffer
+@@ -88,6 +89,15 @@
  					page_count, (rw == READ), 0,
  					*pages, NULL);
+ 		up_read(&current->mm->mmap_sem);
++		/*
++		 * If we got fewer pages than expected from get_user_pages(),
++		 * the user buffer runs off the end of a mapping; return EFAULT.
++		 */
 +		if (result >= 0 && result < page_count) {
 +			nfs_free_user_pages(*pages, result, 0);
 +			*pages = NULL;
 +			result = -EFAULT;
 +		}
- 		up_read(&current->mm->mmap_sem);
  	}
  	return result;
+ }
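Review bot: the commit log names the missing prototype as `nfs_free_users_pages`, but the line this hunk adds declares `static void nfs_free_user_pages(struct page **pages, int npages, int do_dirty);`; the log should use the same spelling so the revision can be found by the symbol. Two points to verify against parts of fs/nfs/direct.c the hunk does not show: that this forward declaration matches the signature of the definition further down in the 2.6.8 file, and that nfs_free_user_pages() also kfree()s the page array, since the short-count branch sets `*pages = NULL` after calling it without freeing the array itself. Moving `up_read(&current->mm->mmap_sem);` ahead of the `result < page_count` check is fine: it follows the upstream patch quoted in the header, and releasing already-pinned pages does not require mmap_sem to be held.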


