Diffstat (limited to 'sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch')
-rw-r--r-- | sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch | 106 |
1 files changed, 106 insertions, 0 deletions
diff --git a/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch b/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch
new file mode 100644
index 000000000000..1452939ae341
--- /dev/null
+++ b/sys-kernel/xen-sources/files/xen-sources-2.6.16.28-CVE-2006-3468.patch
@@ -0,0 +1,106 @@
+diff --exclude-from=/home/dang/.diffrc -u -ruN linux-2.6.16.orig/fs/ext3/inode.c linux-2.6.16/fs/ext3/inode.c
+--- linux-2.6.16.orig/fs/ext3/inode.c 2006-03-20 00:53:29.000000000 -0500
++++ linux-2.6.16/fs/ext3/inode.c 2006-09-06 17:58:38.000000000 -0400
+@@ -1005,7 +1005,7 @@
+ ret = PTR_ERR(handle);
+ goto out;
+ }
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_prepare_write(page, from, to, ext3_get_block);
+ else
+ ret = block_prepare_write(page, from, to, ext3_get_block);
+@@ -1093,7 +1093,7 @@
+ if (new_i_size > EXT3_I(inode)->i_disksize)
+ EXT3_I(inode)->i_disksize = new_i_size;
+ 
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_commit_write(file, page, from, to);
+ else
+ ret = generic_commit_write(file, page, from, to);
+@@ -1343,7 +1343,7 @@
+ goto out_fail;
+ }
+ 
+- if (test_opt(inode->i_sb, NOBH))
++ if (test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode))
+ ret = nobh_writepage(page, ext3_get_block, wbc);
+ else
+ ret = block_write_full_page(page, ext3_get_block, wbc);
+@@ -2258,17 +2258,15 @@
+ struct buffer_head *bh;
+ struct ext3_group_desc * gdp;
+ 
+-
+- if ((ino != EXT3_ROOT_INO &&
+- ino != EXT3_JOURNAL_INO &&
+- ino != EXT3_RESIZE_INO &&
+- ino < EXT3_FIRST_INO(sb)) ||
+- ino > le32_to_cpu(
+- EXT3_SB(sb)->s_es->s_inodes_count)) {
+- ext3_error (sb, "ext3_get_inode_block",
+- "bad inode number: %lu", ino);
++ if (!ext3_valid_inum(sb, ino)) {
++ /*
++ * This error is already checked for in namei.c unless we are
++ * looking at an NFS filehandle, in which case no error
++ * report is needed
++ */
+ return 0;
+ }
++
+ block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb);
+ if (block_group >= EXT3_SB(sb)->s_groups_count) {
+ ext3_error (sb, "ext3_get_inode_block",
+diff --exclude-from=/home/dang/.diffrc -u -ruN linux-2.6.16.orig/fs/ext3/namei.c linux-2.6.16/fs/ext3/namei.c
+--- linux-2.6.16.orig/fs/ext3/namei.c 2006-03-20 00:53:29.000000000 -0500
++++ linux-2.6.16/fs/ext3/namei.c 2006-09-06 17:55:59.000000000 -0400
+@@ -1000,7 +1000,12 @@
+ if (bh) {
+ unsigned long ino = le32_to_cpu(de->inode);
+ brelse (bh);
+- inode = iget(dir->i_sb, ino);
++ if (!ext3_valid_inum(dir->i_sb, ino)) {
++ ext3_error(dir->i_sb, "ext3_lookup",
++ "bad inode number: %lu", ino);
++ inode = NULL;
++ } else
++ inode = iget(dir->i_sb, ino);
+ 
+ if (!inode)
+ return ERR_PTR(-EACCES);
+@@ -1028,7 +1033,13 @@
+ return ERR_PTR(-ENOENT);
+ ino = le32_to_cpu(de->inode);
+ brelse(bh);
+- inode = iget(child->d_inode->i_sb, ino);
++
++ if (!ext3_valid_inum(child->d_inode->i_sb, ino)) {
++ ext3_error(child->d_inode->i_sb, "ext3_get_parent",
++ "bad inode number: %lu", ino);
++ inode = NULL;
++ } else
++ inode = iget(child->d_inode->i_sb, ino);
+ 
+ if (!inode)
+ return ERR_PTR(-EACCES);
+diff --exclude-from=/home/dang/.diffrc -u -ruN linux-2.6.16.orig/include/linux/ext3_fs.h linux-2.6.16/include/linux/ext3_fs.h
+--- linux-2.6.16.orig/include/linux/ext3_fs.h 2006-03-20 00:53:29.000000000 -0500
++++ linux-2.6.16/include/linux/ext3_fs.h 2006-09-06 17:55:59.000000000 -0400
+@@ -494,6 +494,15 @@
+ {
+ return container_of(inode, struct ext3_inode_info, vfs_inode);
+ }
++
++static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino)
++{
++ return ino == EXT3_ROOT_INO ||
++ ino == EXT3_JOURNAL_INO ||
++ ino == EXT3_RESIZE_INO ||
++ (ino >= EXT3_FIRST_INO(sb) &&
++ ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count));
++}
+ #else
+ /* Assume that user mode programs are passing in an ext3fs superblock, not
+ * a kernel struct super_block. This will allow us to call the feature-test |
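Review bot: The first three inner hunks on fs/ext3/inode.c (the `test_opt(inode->i_sb, NOBH) && ext3_should_writeback_data(inode)` conditions) do not look related to the inode-number validation that the CVE-2006-3468 file name advertises, and the patch file carries no description saying where either change comes from. A security backport is easier to audit when it states its origin, so I would add a short header above the first inner `diff` line, for example `Fixes CVE-2006-3468: validate inode numbers read from directory entries via ext3_valid_inum(); also restricts the NOBH paths to writeback mode (upstream commit: <UPSTREAM_COMMIT_ID>)`, or split the NOBH change into its own file. The now-silent `return 0;` in the inner `@@ -2258,17 +2258,15 @@` hunk relies on callers treating a zero block as failure; those callers are outside the hunk, so that is worth confirming against this kernel tree. The local `--exclude-from=/home/dang/.diffrc` option in the inner diff headers could also be dropped when the patch is regenerated.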