From 3f831a879994231763c4c639d1be39351b838644 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 26 Oct 2011 09:18:09 -0400 Subject: [PATCH] Add patch to fix XFS memory corruption (rhbz 749166) --- kernel.spec | 9 ++- ...le-memory-corruption-in-xfs_readlink.patch | 77 +++++++++++++++++++ 2 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch diff --git a/kernel.spec b/kernel.spec index a4834e745..5fd6f976f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -51,7 +51,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be prepended with "0.", so # for example a 3 here will become 0.3 # -%global baserelease 3 +%global baserelease 4 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -762,6 +762,9 @@ Patch21021: 0002-mm-Abort-reclaim-compaction-if-compaction-can-procee.patch Patch21030: be2net-non-member-vlan-pkts-not-received-in-promisco.patch Patch21031: benet-remove-bogus-unlikely-on-vlan-check.patch +#rhbz 749166 +Patch21050: xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch + %endif BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root @@ -1262,6 +1265,7 @@ ApplyPatch arm-smsc-support-reading-mac-address-from-device-tree.patch # ext4 # xfs +ApplyPatch xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch # btrfs @@ -2114,6 +2118,9 @@ fi # ||----w | # || || %changelog +* Wed Oct 26 2011 Josh Boyer +- Add patch to fix XFS memory corruption (rhbz 749166) + * Tue Oct 25 2011 Josh Boyer - CVE-2011-3347: be2net: promiscuous mode and non-member VLAN packets DoS (rhbz 748691) - CVE-2011-1083: excessive in kernel CPU consumption when creating large nested epoll structures (rhbz 748668) diff --git a/xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch b/xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch new file mode 100644 index 000000000..9e810dba8 --- /dev/null +++ b/xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch @@ -0,0 +1,77 @@ +X-Spam-Checker-Version: SpamAssassin 3.4.0-r929098 (2010-03-30) on oss.sgi.com +X-Spam-Level: +X-Spam-Status: No, score=-1.8 required=5.0 tests=BAYES_00,J_CHICKENPOX_64 + autolearn=no version=3.4.0-r929098 +Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11]) + by oss.sgi.com (8.14.3/8.14.3/SuSE Linux 0.8) with ESMTP id p9I1KBVD036341 + for ; Mon, 17 Oct 2011 20:20:11 -0500 +X-ASG-Debug-ID: 1318901280-3911029d0000-NocioJ +X-Barracuda-URL: http://cuda.sgi.com:80/cgi-bin/mark.cgi +Received: from hades.usersys.redhat.com (localhost [127.0.0.1]) + by cuda.sgi.com (Spam Firewall) with ESMTP id B9D1DF75F0A + for ; Mon, 17 Oct 2011 18:28:01 -0700 (PDT) +Received: from hades.usersys.redhat.com ([187.60.101.4]) by cuda.sgi.com with ESMTP id 81CuyNdYBqrtvtnD for ; Mon, 17 Oct 2011 18:28:01 -0700 (PDT) +Received: by hades.usersys.redhat.com (Postfix, from userid 500) + id 5B763E089B; Tue, 18 Oct 2011 02:18:59 -0200 (BRST) +From: Carlos Maiolino +To: xfs@oss.sgi.com +Cc: Carlos Maiolino +X-ASG-Orig-Subj: [PATCH] Fix possible memory corruption in xfs_readlink +Subject: [PATCH] Fix possible memory corruption in xfs_readlink +Date: Tue, 18 Oct 2011 02:18:58 -0200 +Message-Id: <1318911538-9174-1-git-send-email-cmaiolino@redhat.com> +X-Mailer: git-send-email 1.7.6.2 +X-Barracuda-Connect: UNKNOWN[187.60.101.4] +X-Barracuda-Start-Time: 1318901282 +X-Barracuda-Bayes: INNOCENT GLOBAL 0.0000 1.0000 -2.0210 +X-Barracuda-Virus-Scanned: by cuda.sgi.com at sgi.com +X-Barracuda-Spam-Score: -1.42 +X-Barracuda-Spam-Status: No, SCORE=-1.42 using per-user scores of TAG_LEVEL=2.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.1 tests=BSF_SC5_MJ1963, RDNS_NONE +X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.77645 + Rule breakdown below + pts rule name description + ---- ---------------------- -------------------------------------------------- + 0.10 RDNS_NONE Delivered to trusted network by a host with no rDNS + 0.50 BSF_SC5_MJ1963 Custom Rule MJ1963 +X-Virus-Scanned: ClamAV version 0.94.2, clamav-milter version 0.94.2 on oss.sgi.com +X-Virus-Status: Clean + +Fixes a possible memory corruption when the link is larger than +MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the +S_ISLNK assert, since the inode mode is checked previously in +xfs_readlink_by_handle() and via VFS. + +Signed-off-by: Carlos Maiolino +--- + fs/xfs/xfs_vnodeops.c | 11 ++++++++--- + 1 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c +index 51fc429..c3288be 100644 +--- a/fs/xfs/xfs_vnodeops.c ++++ b/fs/xfs/xfs_vnodeops.c +@@ -123,13 +123,18 @@ xfs_readlink( + + xfs_ilock(ip, XFS_ILOCK_SHARED); + +- ASSERT(S_ISLNK(ip->i_d.di_mode)); +- ASSERT(ip->i_d.di_size <= MAXPATHLEN); +- + pathlen = ip->i_d.di_size; + if (!pathlen) + goto out; + ++ if (pathlen > MAXPATHLEN) { ++ xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long", ++ __func__, (unsigned long long)ip->i_ino, pathlen); ++ ASSERT(0); ++ return XFS_ERROR(EFSCORRUPTED); ++ } ++ ++ + if (ip->i_df.if_flags & XFS_IFINLINE) { + memcpy(link, ip->i_df.if_u1.if_data, pathlen); + link[pathlen] = '\0'; +-- +1.7.6.2 +