From 4cd0bef378be6e19f81aad8ec0919da274b7136d Mon Sep 17 00:00:00 2001
From: maximilian attems
Date: Tue, 20 Feb 2007 10:44:20 +0000
Subject: add 2.6.18.7 nfs acl security fix svn path=/dists/sid/linux-2.6/; revision=8315
---
 debian/changelog | 4 +-
 .../bugfix/nfs-acl-free-wrong-pointer.patch | 45 ++++++++++++++++++++++
 debian/patches/series/11 | 1 +
 3 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/bugfix/nfs-acl-free-wrong-pointer.patch
diff --git a/debian/changelog b/debian/changelog
index c93fe866d6dc..1244845055f5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,8 +24,10 @@ linux-2.6 (2.6.18.dfsg.1-11) UNRELEASED; urgency=low
 * Forward port complete IPX checksum patch 2.6.16.34
 * From the 2.6.18 stable queue:
 - IB/mad: Fix race between cancel and receive completion
+ * Add 2.6.18.7, thanks gregkh:
+ - Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
- -- maximilian attems Mon, 19 Feb 2007 17:31:22 +0100
+ -- maximilian attems Tue, 20 Feb 2007 11:41:20 +0100
 linux-2.6 (2.6.18.dfsg.1-10) unstable; urgency=low
diff --git a/debian/patches/bugfix/nfs-acl-free-wrong-pointer.patch b/debian/patches/bugfix/nfs-acl-free-wrong-pointer.patch
new file mode 100644
index 000000000000..ca0b9c7fa8bc
--- /dev/null
+++ b/debian/patches/bugfix/nfs-acl-free-wrong-pointer.patch
@@ -0,0 +1,45 @@
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index fc95c4d..c318b6f 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, u32 *p,
+ return 1;
+ }
+
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, u32 *p,
+- struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, u32 *p,
++ struct nfsd_attrstat *resp)
+ {
+ fh_put(&resp->fh);
+ return 1;
+ }
+
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, u32 *p,
++ struct nfsd3_accessres *resp)
++{
++ fh_put(&resp->fh);
++ return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs NULL
+ #define nfsaclsvc_encode_voidres NULL
+ #define nfsaclsvc_release_void NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure nfsd_acl_procedures2[] = {
+ PROC(null, void, void, void, RC_NOCACHE, ST),
+ PROC(getacl, getacl, getacl, getacl, RC_NOCACHE, ST+1+2*(1+ACL)),
+- PROC(setacl, setacl, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(getattr, fhandle, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(access, access, access, fhandle, RC_NOCACHE, ST+AT+1),
++ PROC(setacl, setacl, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(getattr, fhandle, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(access, access, access, access, RC_NOCACHE, ST+AT+1),
+ };
+
+ struct svc_version nfsd_acl_version2 = {
+-
+To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
+the body of a message to majordomo@vger.kernel.org
+More majordomo info at http://vger.kernel.org/majordomo-info.html
+Please read the FAQ at http://www.tux.org/lkml/
diff --git a/debian/patches/series/11 b/debian/patches/series/11
index 4746e48ed000..9dd689f66ebd 100644
--- a/debian/patches/series/11
+++ b/debian/patches/series/11
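Review bot: The new debian/patches/bugfix/nfs-acl-free-wrong-pointer.patch opens directly at `diff --git` with no header naming the issue or its origin, and its last five lines (the lone `-` through `Please read the FAQ at ...`) are the mailing-list footer of the message it was cut from. I would drop the footer and add a short header taken from the changelog entry in this same commit, e.g. `Subject: Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)` and `Origin: 2.6.18.7 stable release`, so the CVE can be found by grepping debian/patches. For whoever forward-ports this: the embedded fix gives each release callback a `resp` parameter of the same struct type as the procedure's response (`nfsd_attrstat` for setacl and getattr, `nfsd3_accessres` for access). The `PROC` table pairs callback and response by name only, so a mismatch like the removed `fhandle` entries presumably compiles without a warning; the `PROC` macro is outside the hunk, so that part is inferred.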
@@ -5,3 +5,4 @@
 + bugfix/net-ipx-annotation-checksum.patch
 + bugfix/ib-mad-fix-race-between-cancel-and-receive-completion.patch
 + bugfix/sparc/sbus-envctrl-remove-execve.patch
++ bugfix/nfs-acl-free-wrong-pointer.patch
-- cgit v1.2.3