[kernel] r14676 - in dists/lenny/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Nov 25 05:03:45 UTC 2009


Author: dannf
Date: Wed Nov 25 05:03:42 2009
New Revision: 14676

Log:
NFSv4: Fix a problem whereby a buggy server can oops the kernel
(CVE-2009-3726)

Added:
   dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch
Modified:
   dists/lenny/linux-2.6/debian/changelog
   dists/lenny/linux-2.6/debian/patches/series/21

Modified: dists/lenny/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny/linux-2.6/debian/changelog	Wed Nov 25 05:03:01 2009	(r14675)
+++ dists/lenny/linux-2.6/debian/changelog	Wed Nov 25 05:03:42 2009	(r14676)
@@ -20,6 +20,8 @@
   * igb: Add 82576 MAC support (Closes: #522922), backport
     by Ben Hutchings
   * [SCSI] gdth: Prevent negative offsets in ioctl (CVE-2009-3080)
+  * NFSv4: Fix a problem whereby a buggy server can oops the kernel
+    (CVE-2009-3726)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sat, 24 Oct 2009 23:45:45 +0100
 

Added: dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny/linux-2.6/debian/patches/bugfix/all/nfsv4-buggy-server-oops.patch	Wed Nov 25 05:03:42 2009	(r14676)
@@ -0,0 +1,72 @@
+commit d953126a28f97ec965d23c69fd5795854c048f30
+Author: Trond Myklebust <Trond.Myklebust at netapp.com>
+Date:   Tue Jul 21 19:22:38 2009 -0400
+
+    NFSv4: Fix a problem whereby a buggy server can oops the kernel
+    
+    We just had a case in which a buggy server occasionally returns the wrong
+    attributes during an OPEN call. While the client does catch this sort of
+    condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return
+    -EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a
+    fallback to an ordinary lookup instead of just returning the error.
+    
+    When the buggy server then returns a regular file for the fallback lookup,
+    the VFS allows the open, and bad things start to happen, since the open
+    file doesn't have any associated NFSv4 state.
+    
+    The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and
+    secondly to ensure that we are always careful when dereferencing the
+    nfs_open_context state pointer.
+    
+    Signed-off-by: Trond Myklebust <Trond.Myklebust at netapp.com>
+
+diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
+index 38d42c2..32062c3 100644
+--- a/fs/nfs/dir.c
++++ b/fs/nfs/dir.c
+@@ -1025,12 +1025,12 @@ static struct dentry *nfs_atomic_lookup(struct inode *dir, struct dentry *dentry
+ 				res = NULL;
+ 				goto out;
+ 			/* This turned out not to be a regular file */
+-			case -EISDIR:
+ 			case -ENOTDIR:
+ 				goto no_open;
+ 			case -ELOOP:
+ 				if (!(nd->intent.open.flags & O_NOFOLLOW))
+ 					goto no_open;
++			/* case -EISDIR: */
+ 			/* case -EINVAL: */
+ 			default:
+ 				goto out;
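Review bot: this hunk reroutes only -EISDIR to the `default: goto out;` path; `case -ENOTDIR:` still jumps to `no_open` and falls back to an ordinary lookup, yet the commit message says both EISDIR and ENOTDIR errors are now "returned immediately". Either the message overstates the change or -ENOTDIR needs the same treatment, since a server that misreports a directory as a non-directory triggers the same fallback-then-open sequence the message describes; please reconcile the two. Also, the comment `/* This turned out not to be a regular file */` now sits above `case -ENOTDIR:` alone and reads oddly there, while the new `/* case -EISDIR: */` marker lands after the -ELOOP case whose O_NOFOLLOW branch already falls through to `default`; keeping the marker beside `/* case -EINVAL: */` is fine, but the stale comment above -ENOTDIR should be reworded or dropped.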
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index df24f67..6917311 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -4093,15 +4093,23 @@ nfs4_proc_lock(struct file *filp, int cmd, struct file_lock *request)
+ 	if (request->fl_start < 0 || request->fl_end < 0)
+ 		return -EINVAL;
+ 
+-	if (IS_GETLK(cmd))
+-		return nfs4_proc_getlk(state, F_GETLK, request);
++	if (IS_GETLK(cmd)) {
++		if (state != NULL)
++			return nfs4_proc_getlk(state, F_GETLK, request);
++		return 0;
++	}
+ 
+ 	if (!(IS_SETLK(cmd) || IS_SETLKW(cmd)))
+ 		return -EINVAL;
+ 
+-	if (request->fl_type == F_UNLCK)
+-		return nfs4_proc_unlck(state, cmd, request);
++	if (request->fl_type == F_UNLCK) {
++		if (state != NULL)
++			return nfs4_proc_unlck(state, cmd, request);
++		return 0;
++	}
+ 
++	if (state == NULL)
++		return -ENOLCK;
+ 	do {
+ 		status = nfs4_proc_setlk(state, cmd, request);
+ 		if ((status != -EAGAIN) || IS_SETLK(cmd))
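Review bot: the three new `state == NULL` guards disagree on how a missing open state is reported: the F_GETLK and F_UNLCK branches `return 0;` while the set-lock path returns -ENOLCK. For F_GETLK in particular, returning 0 without touching `request->fl_type` hands the caller its own probe back unchanged instead of an explicit "no conflicting lock" answer; either set `request->fl_type = F_UNLCK;` before `return 0;`, or return -ENOLCK in all three branches so the condition is surfaced the same way everywhere. Silently succeeding an unlock on a file with no NFSv4 state is defensible, but the choice should be stated in a comment since it differs from the set-lock branch two lines below. Minor style: a blank line between `return -ENOLCK;` and `do {` would match the spacing of the surrounding blocks. Note that this hunk is the defensive half of the fix only; with the dir.c change in place the open should never reach this function without state, so these guards are belt-and-braces and it would be worth saying so in the patch description for the stable backport.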

Modified: dists/lenny/linux-2.6/debian/patches/series/21
==============================================================================
--- dists/lenny/linux-2.6/debian/patches/series/21	Wed Nov 25 05:03:01 2009	(r14675)
+++ dists/lenny/linux-2.6/debian/patches/series/21	Wed Nov 25 05:03:42 2009	(r14676)
@@ -29,3 +29,4 @@
 + bugfix/all/floppy-request-and-release-only-the-ports-we-actually-use.patch
 + features/all/igb-add-82576-MAC-support.patch
 + bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch
++ bugfix/all/nfsv4-buggy-server-oops.patch



More information about the Kernel-svn-changes mailing list