[kernel/f14] Add patch to fix XFS memory corruption (rhbz 749166)

Josh Boyer jwboyer at fedoraproject.org
Wed Oct 26 16:20:56 UTC 2011


commit 29298df87d509a2e6ff0b9b649f8392ae6ff6506
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Wed Oct 26 09:18:09 2011 -0400

    Add patch to fix XFS memory corruption (rhbz 749166)

 kernel.spec                                        |    9 ++++-
 ...ossible-memory-corruption-in-xfs_readlink.patch |   43 ++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 5b7f26b..1d6f16e 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -48,7 +48,7 @@ Summary: The Linux kernel
 # reset this by hand to 1 (or to 0 and then use rpmdev-bumpspec).
 # scripts/rebase.sh should be made to do that for you, actually.
 #
-%global baserelease 101
+%global baserelease 102
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -907,6 +907,9 @@ Patch14064: ext4-fix-BUG_ON-in-ext4_ext_insert_extent.patch
 Patch14065: epoll-fix-spurious-lockdep-warnings.patch
 Patch14066: epoll-limit-paths.patch
 
+#rhbz 749166
+Patch21050: xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1374,6 +1377,7 @@ ApplyPatch linux-2.6-32bit-mmap-exec-randomization.patch
 ApplyPatch ext4-always-journal-quota-file-modifications.patch
 
 # xfs
+ApplyPatch xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
 
 # btrfs
 
@@ -2303,6 +2307,9 @@ fi
 # and build.
 
 %changelog
+* Wed Oct 26 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-4077: Add patch to fix XFS memory corruption (rhbz 749166)
+
 * Tue Oct 25 2011 Josh Boyer <jwboyer at redhat.com>
 - CVE-2011-1083: excessive in kernel CPU consumption when creating large nested epoll structures (rhbz 748668)
 
diff --git a/xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch b/xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
new file mode 100644
index 0000000..319f80d
--- /dev/null
+++ b/xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
@@ -0,0 +1,43 @@
+From cbee73333a2d05c274240dff5de1b4bb74bfb497 Mon Sep 17 00:00:00 2001
+From: Carlos Maiolino <cmaiolino at redhat.com>
+Date: Tue, 18 Oct 2011 02:18:58 -0200
+Subject: [PATCH] Fix possible memory corruption in xfs_readlink
+
+Fixes a possible memory corruption when the link is larger than
+MAXPATHLEN and XFS_DEBUG is not enabled. This also remove the
+S_ISLNK assert, since the inode mode is checked previously in
+xfs_readlink_by_handle() and via VFS.
+
+Signed-off-by: Carlos Maiolino <cmaiolino at redhat.com>
+---
+ fs/xfs/xfs_vnodeops.c |   10 +++++++---
+ 1 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/fs/xfs/xfs_vnodeops.c b/fs/xfs/xfs_vnodeops.c
+index 6197207..111870b 100644
+--- a/fs/xfs/xfs_vnodeops.c
++++ b/fs/xfs/xfs_vnodeops.c
+@@ -545,13 +545,17 @@ xfs_readlink(
+ 
+ 	xfs_ilock(ip, XFS_ILOCK_SHARED);
+ 
+-	ASSERT((ip->i_d.di_mode & S_IFMT) == S_IFLNK);
+-	ASSERT(ip->i_d.di_size <= MAXPATHLEN);
+-
+ 	pathlen = ip->i_d.di_size;
+ 	if (!pathlen)
+ 		goto out;
+ 
++	if (pathlen > MAXPATHLEN) {
++		xfs_alert(mp, "%s: inode (%llu) symlink length (%d) too long",
++			 __func__, (unsigned long long)ip->i_ino, pathlen);
++		ASSERT(0);
++		return XFS_ERROR(EFSCORRUPTED);
++	}
++
+ 	if (ip->i_df.if_flags & XFS_IFINLINE) {
+ 		memcpy(link, ip->i_df.if_u1.if_data, pathlen);
+ 		link[pathlen] = '\0';
+-- 
+1.7.6.4
+
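Review bot: The new `return XFS_ERROR(EFSCORRUPTED);` in the `pathlen > MAXPATHLEN` branch leaves xfs_readlink while XFS_ILOCK_SHARED, taken a few lines above, is still held, whereas the empty-link case just before it exits with `goto out`. Unless `out:` does something other than drop that lock (its label is outside the hunk), the branch should read `error = XFS_ERROR(EFSCORRUPTED); goto out;` so the corrupted-inode path releases the lock like the other exits. The bounds check itself is the right fix: with XFS_DEBUG off the removed ASSERT compiled away and the later `memcpy(link, ..., pathlen)` trusted an on-disk length. It is also worth confirming that the declared type of `pathlen` (outside the hunk) is wide enough to hold `di_size`, since a narrowing conversion could produce a negative value that passes both the `!pathlen` and `> MAXPATHLEN` tests. xfs_readlink begins and ends outside the hunk.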

