releases/2.6.15.5/normal-user-can-panic-nfs-client-with-direct-i-o.patch

   1 From vendor-sec-admin@lst.de  Tue Feb 14 21:47:34 2006
   2 Date: Wed, 15 Feb 2006 00:42:26 -0500 (EST)
   3 From: "Mike O'Connor" <mjo@dojo.mi.org>
   4 Cc: trond.myklebust@netapp.com, Greg Banks <gnb@melbourne.sgi.com>
   5 Subject: Normal user can panic NFS client with direct I/O (CVE-2006-0555)
   6
   7 From: Trond Myklebust <trond.myklebust@netapp.com>
   8
   9 This is CVE-2006-0555 and SGI bug 946529.  A normal user can panic an
  10 NFS client and cause a local DoS with 'judicious'(?) use of O_DIRECT.
  11
  12 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
  13 ---
  14
  15  fs/nfs/direct.c |    5 +++++
  16  1 files changed, 5 insertions(+)
  17
  18 --- linux-2.6.15.4.orig/fs/nfs/direct.c
  19 +++ linux-2.6.15.4/fs/nfs/direct.c
  20 @@ -106,6 +106,11 @@ nfs_get_user_pages(int rw, unsigned long
  21                 result = get_user_pages(current, current->mm, user_addr,
  22                                         page_count, (rw == READ), 0,
  23                                         *pages, NULL);
  24 +               if (result >= 0 && result < page_count) {
  25 +                       nfs_free_user_pages(*pages, result, 0);
  26 +                       *pages = NULL;
  27 +                       result = -EFAULT;
  28 +               }
  29                 up_read(&current->mm->mmap_sem);
  30         }
  31         return result;