An error occurred fetching the project authors.
  1. 17 Sep, 2019 2 commits
    • Bob Peterson's avatar
      GFS2: don't set rgrp gl_object until it's inserted into rgrp tree · 2d1829b5
      Bob Peterson authored
      CVE-2016-10905
      
      Before this patch, function read_rindex_entry would set a rgrp
      glock's gl_object pointer to itself before inserting the rgrp into
      the rgrp rbtree. The problem is: if another process was also reading
      the rgrp in, and had already inserted its newly created rgrp, then
      the second call to read_rindex_entry would overwrite that value,
      then return a bad return code to the caller. Later, other functions
      would reference the now-freed rgrp memory by way of gl_object.
      In some cases, that could result in gfs2_rgrp_brelse being called
      twice for the same rgrp: once for the failed attempt and once for
      the "real" rgrp release. Eventually the kernel would panic.
      There are also a number of other things that could go wrong when
      a kernel module is accessing freed storage. For example, this could
      result in rgrp corruption because the fake rgrp would point to a
      fake bitmap in memory too, causing gfs2_inplace_reserve to search
      some random memory for free blocks, and find some, since we were
      never setting rgd->rd_bits to NULL before freeing it.
      
      This patch fixes the problem by not setting gl_object until we
      have successfully inserted the rgrp into the rbtree. Also, it sets
      rd_bits to NULL as it frees them, which will ensure any accidental
      access to the wrong rgrp will result in a kernel panic rather than
      file system corruption, which is preferred.
      Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
      (backported from commit 36e4ad03)
      [ Connor Kuehl: Minor context adjustment. The hunk in
        read_rindex_entry() expected 'PAGE_CACHE_ALIGN' to be 'PAGE_ALIGN' but
        that rename is introduced in a mainline patch that is not in Xenial:
        09cbfeaf "mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release}
        macros" ]
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Acked-by: default avatarKleber Souza <kleber.souza@canonical.com>
      Acked-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      2d1829b5
    • Stefan Bader's avatar
      UBUNTU: Start new release · 0be7d2ce
      Stefan Bader authored
      Ignore: yes
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      0be7d2ce
  2. 13 Sep, 2019 3 commits
  3. 27 Aug, 2019 5 commits
  4. 13 Aug, 2019 26 commits
  5. 12 Aug, 2019 4 commits