summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch')
-rw-r--r--sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch106
1 files changed, 106 insertions, 0 deletions
diff --git a/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch b/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch
new file mode 100644
index 000000000000..1452939ae341
--- /dev/null
+++ b/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch
@@ -0,0 +1,106 @@
+diff --exclude-from=/home/dang/.diffrc -u -ruN linux-2.6.16.orig/fs/ext3/inode.c linux-2.6.16/fs/ext3/inode.c
+--- linux-2.6.16.orig/fs/ext3/inode.c 2006-03-20 00:53:29.000000000 -0500
++++ linux-2.6.16/fs/ext3/inode.c 2006-09-06 17:58:38.000000000 -0400
+@@ -1005,7 +1005,7 @@
+ ret = PTR_ERR(handle);
+ goto out;
+ }
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_prepare_write(page, from, to, ext3_get_block);
+ else
+ ret = block_prepare_write(page, from, to, ext3_get_block);
+@@ -1093,7 +1093,7 @@
+ if (new_i_size > EXT3_I(inode)->i_disksize)
+ EXT3_I(inode)->i_disksize = new_i_size;
+
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_commit_write(file, page, from, to);
+ else
+ ret = generic_commit_write(file, page, from, to);
+@@ -1343,7 +1343,7 @@
+ goto out_fail;
+ }
+
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_writepage(page, ext3_get_block, wbc);
+ else
+ ret = block_write_full_page(page, ext3_get_block, wbc);
+@@ -2258,17 +2258,15 @@
+ struct buffer_head *bh;
+ struct ext3_group_desc * gdp;
+
+-
+- if ((ino != EXT3_ROOT_INO &&
+- ino != EXT3_JOURNAL_INO &&
+- ino != EXT3_RESIZE_INO &&
+- ino < EXT3_FIRST_INO(sb)) ||
+- ino > le32_to_cpu(
+- EXT3_SB(sb)->s_es->s_inodes_count)) {
+- ext3_error (sb, "ext3_get_inode_block",
+- "bad inode number: %lu", ino);
++ if (!ext3_valid_inum(sb, ino)) {
++ /*
++ * This error is already checked for in namei.c unless we are
++ * looking at an NFS filehandle, in which case no error
++ * report is needed
++ */
+ return 0;
+ }
++
+ block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb);
+ if (block_group >= EXT3_SB(sb)->s_groups_count) {
+ ext3_error (sb, "ext3_get_inode_block",
+diff --exclude-from=/home/dang/.diffrc -u -ruN linux-2.6.16.orig/fs/ext3/namei.c linux-2.6.16/fs/ext3/namei.c
+--- linux-2.6.16.orig/fs/ext3/namei.c 2006-03-20 00:53:29.000000000 -0500
++++ linux-2.6.16/fs/ext3/namei.c 2006-09-06 17:55:59.000000000 -0400
+@@ -1000,7 +1000,12 @@
+ if (bh) {
+ unsigned long ino = le32_to_cpu(de->inode);
+ brelse (bh);
+- inode = iget(dir->i_sb, ino);
++ if (!ext3_valid_inum(dir->i_sb, ino)) {
++ ext3_error(dir->i_sb, "ext3_lookup",
++ "bad inode number: %lu", ino);
++ inode = NULL;
++ } else
++ inode = iget(dir->i_sb, ino);
+
+ if (!inode)
+ return ERR_PTR(-EACCES);
+@@ -1028,7 +1033,13 @@
+ return ERR_PTR(-ENOENT);
+ ino = le32_to_cpu(de->inode);
+ brelse(bh);
+- inode = iget(child->d_inode->i_sb, ino);
++
++ if (!ext3_valid_inum(child->d_inode->i_sb, ino)) {
++ ext3_error(child->d_inode->i_sb, "ext3_get_parent",
++ "bad inode number: %lu", ino);
++ inode = NULL;
++ } else
++ inode = iget(child->d_inode->i_sb, ino);
+
+ if (!inode)
+ return ERR_PTR(-EACCES);
+diff --exclude-from=/home/dang/.diffrc -u -ruN linux-2.6.16.orig/include/linux/ext3_fs.h linux-2.6.16/include/linux/ext3_fs.h
+--- linux-2.6.16.orig/include/linux/ext3_fs.h 2006-03-20 00:53:29.000000000 -0500
++++ linux-2.6.16/include/linux/ext3_fs.h 2006-09-06 17:55:59.000000000 -0400
+@@ -494,6 +494,15 @@
+ {
+ return container_of(inode, struct ext3_inode_info, vfs_inode);
+ }
++
++static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
++{
++ return ino == EXT3_ROOT_INO ||
++ ino == EXT3_JOURNAL_INO ||
++ ino == EXT3_RESIZE_INO ||
++ (ino >= EXT3_FIRST_INO(sb) &&
++ ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
++}
+ #else
+ /* Assume that user mode programs are passing in an ext3fs superblock, not
+ * a kernel struct super_block. This will allow us to call the feature-test