rpms/kernel/F-10 ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch, NONE, 1.1.2.1 kernel.spec, 1.1206.2.97, 1.1206.2.98
Chuck Ebbert
cebbert at fedoraproject.org
Wed Oct 7 11:14:39 UTC 2009
- Previous message (by thread): rpms/inkscape/devel inkscape.spec,1.85,1.86 sources,1.26,1.27
- Next message (by thread): rpms/kdenetwork/F-10 .cvsignore, 1.65, 1.66 kdenetwork.spec, 1.176, 1.177 sources, 1.75, 1.76 kdenetwork-4.3.1-kde#162493.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: cebbert
Update of /cvs/pkgs/rpms/kernel/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16692
Modified Files:
Tag: private-fedora-10-2_6_27
kernel.spec
Added Files:
Tag: private-fedora-10-2_6_27
ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
Log Message:
eCryptfs: Prevent lower dentry from going negative during unlink (CVE-2009-2908)
ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch:
inode.c | 2 ++
1 file changed, 2 insertions(+)
--- NEW FILE ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch ---
>From 9c2d2056647790c5034d722bd24e9d913ebca73c Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
Date: Tue, 22 Sep 2009 12:52:17 -0500
Subject: eCryptfs: Prevent lower dentry from going negative during unlink
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
From: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
commit 9c2d2056647790c5034d722bd24e9d913ebca73c upstream.
When calling vfs_unlink() on the lower dentry, d_delete() turns the
dentry into a negative dentry when the d_count is 1. This eventually
caused a NULL pointer deref when a read() or write() was done and the
negative dentry's d_inode was dereferenced in
ecryptfs_read_update_atime() or ecryptfs_getxattr().
Placing mutt's tmpdir in an eCryptfs mount is what initially triggered
the oops and I was able to reproduce it with the following sequence:
open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3
link("/tmp/upper/foo", "/tmp/upper/bar") = 0
unlink("/tmp/upper/foo") = 0
open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4
unlink("/tmp/upper/bar") = 0
write(4, "eCryptfs test\n"..., 14 <unfinished ...>
+++ killed by SIGKILL +++
https://bugs.launchpad.net/ecryptfs/+bug/387073
Reported-by: Loïc Minier <loic.minier at canonical.com>
Cc: Serge Hallyn <serue at us.ibm.com>
Cc: Dave Kleikamp <shaggy at linux.vnet.ibm.com>
Cc: ecryptfs-devel at lists.launchpad.net
Signed-off-by: Tyler Hicks <tyhicks at linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
fs/ecryptfs/inode.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ecryptfs/inode.c
+++ b/fs/ecryptfs/inode.c
@@ -443,6 +443,7 @@ static int ecryptfs_unlink(struct inode
struct inode *lower_dir_inode = ecryptfs_inode_to_lower(dir);
struct dentry *lower_dir_dentry;
+ dget(lower_dentry);
lower_dir_dentry = lock_parent(lower_dentry);
rc = vfs_unlink(lower_dir_inode, lower_dentry);
if (rc) {
@@ -456,6 +457,7 @@ static int ecryptfs_unlink(struct inode
d_drop(dentry);
out_unlock:
unlock_dir(lower_dir_dentry);
+ dput(lower_dentry);
return rc;
}
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-10/kernel.spec,v
retrieving revision 1.1206.2.97
retrieving revision 1.1206.2.98
diff -u -p -r1.1206.2.97 -r1.1206.2.98
--- kernel.spec 5 Oct 2009 21:42:17 -0000 1.1206.2.97
+++ kernel.spec 7 Oct 2009 11:14:39 -0000 1.1206.2.98
@@ -792,6 +792,9 @@ Patch15200: appletalk-fix-skb-leak-when-
# fix stack randomization (#526882)
Patch15300: x86-increase-min_gap-to-include-randomized-stack.patch
+# CVE-2009-2908
+Patch15400: ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1433,6 +1436,9 @@ ApplyPatch appletalk-fix-skb-leak-when-i
# backport of stack randomization fix from 2.6.31.2
ApplyPatch x86-increase-min_gap-to-include-randomized-stack.patch
+# CVE-2009-2908
+ApplyPatch ecryptfs-prevent-lower-dentry-from-going-negative-during-unlink.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -2008,6 +2014,9 @@ fi
%kernel_variant_files -k vmlinux %{with_kdump} kdump
%changelog
+* Wed Oct 07 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.36-170.2.98
+- eCryptfs: Prevent lower dentry from going negative during unlink (CVE-2009-2908)
+
* Mon Oct 05 2009 Chuck Ebbert <cebbert at redhat.com> 2.6.27.36-170.2.97
- Linux 2.6.27.36
- Previous message (by thread): rpms/inkscape/devel inkscape.spec,1.85,1.86 sources,1.26,1.27
- Next message (by thread): rpms/kdenetwork/F-10 .cvsignore, 1.65, 1.66 kdenetwork.spec, 1.176, 1.177 sources, 1.75, 1.76 kdenetwork-4.3.1-kde#162493.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list