Add patch to fix XFS memory corruption (rhbz 749166)
This commit is contained in:
Josh Boyer
parent
4b0fbfcf05
commit
0e7a717305
|
|
@ -51,7 +51,7 @@ Summary: The Linux kernel
|
|||
# For non-released -rc kernels, this will be prepended with "0.", so
|
||||
# for example a 3 here will become 0.3
|
||||
#
|
||||
%global baserelease 3
|
||||
%global baserelease 4
|
||||
%global fedora_build %{baserelease}
|
||||
|
||||
# base_sublevel is the kernel version we're starting with and patching
|
||||
|
|
@ -760,6 +760,9 @@ Patch21021: 0002-mm-Abort-reclaim-compaction-if-compaction-can-procee.patch
|
|||
Patch21030: be2net-non-member-vlan-pkts-not-received-in-promisco.patch
|
||||
Patch21031: benet-remove-bogus-unlikely-on-vlan-check.patch
|
||||
|
||||
#rhbz 749166
|
||||
Patch21050: xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
|
@ -1255,6 +1258,7 @@ ApplyPatch linux-2.6-i386-nx-emulation.patch
|
|||
# ext4
|
||||
|
||||
# xfs
|
||||
ApplyPatch xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
|
||||
|
||||
# btrfs
|
||||
|
||||
|
|
@ -2103,6 +2107,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Wed Oct 26 2011 Josh Boyer <jwboyer@redhat.com>
|
||||
- Add patch to fix XFS memory corruption (rhbz 749166)
|
||||
|
||||
* Tue Oct 25 2011 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2011-3347: be2net: promiscuous mode and non-member VLAN packets DoS (rhbz 748691)
|
||||
- CVE-2011-1083: excessive in kernel CPU consumption when creating large nested epoll structures (rhbz 748668)
|
||||
|
|
|
|||
|
|
@ -0,0 +1,77 @@
|
|||
X-Spam-Checker-Version: SpamAssassin 3.4.0-r929098 (2010-03-30) on oss.sgi.com
|
||||
X-Spam-Level:
|
||||
X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,J_CHICKENPOX_64
|
||||
autolearn=no version=3.4.0-r929098
|
||||
Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
|
||||
by oss.sgi.com (8.14.3/8.14.3/SuSE Linux 0.8) with ESMTP id p9I1KBVD036341
|
||||
for <xfs@oss.sgi.com>; Mon, 17 Oct 2011 20:20:11 -0500
|
||||
X-ASG-Debug-ID: 1318901280-3911029d0000-NocioJ
|
||||
X-Barracuda-URL: http://cuda.sgi.com:80/cgi-bin/mark.cgi
|
||||
Received: from hades.usersys.redhat.com (localhost [127.0.0.1])
|
||||
by cuda.sgi.com (Spam Firewall) with ESMTP id B9D1DF75F0A
|
||||
for <xfs@oss.sgi.com>; Mon, 17 Oct 2011 18:28:01 -0700 (PDT)
|
||||
Received: from hades.usersys.redhat.com ([187.60.101.4]) by cuda.sgi.com with ESMTP id 81CuyNdYBqrtvtnD for <xfs@oss.sgi.com>; Mon, 17 Oct 2011 18:28:01 -0700 (PDT)
|
||||
Received: by hades.usersys.redhat.com (Postfix, from userid 500)
|
||||
id 5B763E089B; Tue, 18 Oct 2011 02:18:59 -0200 (BRST)
|
||||
From: Carlos Maiolino <cmaiolino@redhat.com>
|
||||
To: xfs@oss.sgi.com
|
||||
Cc: Carlos Maiolino <cmaiolino@redhat.com>
|
||||
X-ASG-Orig-Subj: [PATCH] Fix possible memory corruption in xfs_readlink
|
||||
Subject: [PATCH] Fix possible memory corruption in xfs_readlink
|
||||
Date: Tue, 18 Oct 2011 02:18:58 -0200
|
||||
Message-Id: <1318911538-9174-1-git-send-email-cmaiolino@redhat.com>
|
||||
X-Mailer: git-send-email 1.7.6.2
|
||||
X-Barracuda-Connect: UNKNOWN[187.60.101.4]
|
||||
X-Barracuda-Start-Time: 1318901282
|
||||
X-Barracuda-Bayes: INNOCENT GLOBAL 0.0000 1.0000 -2.0210
|
||||
X-Barracuda-Virus-Scanned: by cuda.sgi.com at sgi.com
|
||||
X-Barracuda-Spam-Score: -1.42
|
||||
X-Barracuda-Spam-Status: No, SCORE=-1.42 using per-user scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.1 tests=BSF_SC5_MJ1963, RDNS_NONE
|
||||
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.77645
|
||||
Rule breakdown below
|
||||
pts rule name description
|
||||
---- ---------------------- --------------------------------------------------
|
||||
0.10 RDNS_NONE Delivered to trusted network by a host with no rDNS
|
||||
0.50 BSF_SC5_MJ1963 Custom Rule MJ1963
|
||||
X-Virus-Scanned: ClamAV version 0.94.2, clamav-milter version 0.94.2 on oss.sgi.com
|
||||
X-Virus-Status: Clean
|
||||
|
||||
Fixes a possible memory corruption when the link is larger than
|
||||
MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
|
||||
S_ISLNK assert, since the inode mode is checked previously in
|
||||
xfs_readlink_by_handle() and via VFS.
|
||||
|
||||
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
|
||||
---
|
||||
fs/xfs/xfs_vnodeops.c | 11 ++++++++---
|
||||
1 files changed, 8 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
|
||||
index 51fc429..c3288be 100644
|
||||
--- a/fs/xfs/xfs_vnodeops.c
|
||||
+++ b/fs/xfs/xfs_vnodeops.c
|
||||
@@ -123,13 +123,18 @@ xfs_readlink(
|
||||
|
||||
xfs_ilock(ip, XFS_ILOCK_SHARED);
|
||||
|
||||
- ASSERT(S_ISLNK(ip->i_d.di_mode));
|
||||
- ASSERT(ip->i_d.di_size <= MAXPATHLEN);
|
||||
-
|
||||
pathlen = ip->i_d.di_size;
|
||||
if (!pathlen)
|
||||
goto out;
|
||||
|
||||
+ if (pathlen > MAXPATHLEN) {
|
||||
+ xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
|
||||
+ __func__, (unsigned long long)ip->i_ino, pathlen);
|
||||
+ ASSERT(0);
|
||||
+ return XFS_ERROR(EFSCORRUPTED);
|
||||
+ }
|
||||
+
|
||||
+
|
||||
if (ip->i_df.if_flags & XFS_IFINLINE) {
|
||||
memcpy(link, ip->i_df.if_u1.if_data, pathlen);
|
||||
link[pathlen] = '\0';
|
||||
--
|
||||
1.7.6.2
|
||||
|
||||
Loading…
Reference in New Issue