From: Greg Kroah-Hartman
Date: Tue, 20 Feb 2007 22:10:28 +0000 (-0800)
Subject: 2.6.18.7, 2.6.19.4 and 2.6.20.1 releases
X-Git-Tag: v2.6.18.7^0
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bd8594e4f274672471900f26030548d21c80864b;p=thirdparty%2Fkernel%2Fstable-queue.git
2.6.18.7, 2.6.19.4 and 2.6.20.1 releases
---
diff --git a/releases/2.6.18.7/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch b/releases/2.6.18.7/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
new file mode 100644
index 00000000000..66ec6b813dc
--- /dev/null
+++ b/releases/2.6.18.7/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
@@ -0,0 +1,51 @@
+From c9ce228306fda4448f5f495b4f36c07956f45acd Mon Sep 17 00:00:00 2001
+From: Greg Banks
+Date: Tue, 20 Feb 2007 10:12:34 +1100
+Subject: Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+
+Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+finishes and tries to clean up, it calls fh_put on entiredly the
+wrong thing and this can cause an oops.
+
+Signed-off-by: Neil Brown
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+ return 1;
+ }
+
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, u32 *p,
+- struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, u32 *p,
++ struct nfsd_attrstat *resp)
+ {
+ fh_put(&resp->fh);
+ return 1;
+ }
+
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, u32 *p,
++ struct nfsd3_accessres *resp)
++{
++ fh_put(&resp->fh);
++ return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs NULL
+ #define nfsaclsvc_encode_voidres NULL
+ #define nfsaclsvc_release_void NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure nfsd_acl_procedures2[] = {
+ PROC(null, void, void, void, RC_NOCACHE, ST),
+ PROC(getacl, getacl, getacl, getacl, RC_NOCACHE, ST+1+2*(1+ACL)),
+- PROC(setacl, setacl, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(getattr, fhandle, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(access, access, access, fhandle, RC_NOCACHE, ST+AT+1),
++ PROC(setacl, setacl, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(getattr, fhandle, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(access, access, access, access, RC_NOCACHE, ST+AT+1),
+ };
+
+ struct svc_version nfsd_acl_version2 = {
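Review bot: Nothing visible in the second inner hunk ties the release column of `nfsd_acl_procedures2` to the result type, so the mismatch this patch corrects can return whenever a row is added or copied. After the patch every row carries the same token in the third and fourth PROC position, but that invariant is only implicit; the PROC macro is defined outside the hunk and presumably pastes the fourth argument into `nfsaclsvc_release_<name>`, which is then called on the response buffer. I would add a comment above the table, e.g. `/* 4th PROC argument selects the release handler; it must name the result type (3rd argument), never the argument type. */`. The same applies to the 2.6.19.4 and 2.6.20.1 copies of this patch further down.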
diff --git a/releases/2.6.19.4/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch b/releases/2.6.19.4/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
new file mode 100644
index 00000000000..e89a9f96ea1
--- /dev/null
+++ b/releases/2.6.19.4/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
@@ -0,0 +1,53 @@
+From e162a033a5882bde0c3bf5a07ee2119f9535cd8c Mon Sep 17 00:00:00 2001
+From: Greg Banks
+Date: Tue, 20 Feb 2007 10:12:34 +1100
+Subject: [PATCH] [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+
+Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+finishes and tries to clean up, it calls fh_put on entiredly the
+wrong thing and this can cause an oops.
+
+Signed-off-by: Neil Brown
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index edde5dc..b617428 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+ return 1;
+ }
+
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, __be32 *p,
+- struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, __be32 *p,
++ struct nfsd_attrstat *resp)
+ {
+ fh_put(&resp->fh);
+ return 1;
+ }
+
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, __be32 *p,
++ struct nfsd3_accessres *resp)
++{
++ fh_put(&resp->fh);
++ return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs NULL
+ #define nfsaclsvc_encode_voidres NULL
+ #define nfsaclsvc_release_void NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure nfsd_acl_procedures2[] = {
+ PROC(null, void, void, void, RC_NOCACHE, ST),
+ PROC(getacl, getacl, getacl, getacl, RC_NOCACHE, ST+1+2*(1+ACL)),
+- PROC(setacl, setacl, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(getattr, fhandle, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(access, access, access, fhandle, RC_NOCACHE, ST+AT+1),
++ PROC(setacl, setacl, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(getattr, fhandle, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(access, access, access, access, RC_NOCACHE, ST+AT+1),
+ };
+
+ struct svc_version nfsd_acl_version2 = {
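Review bot: `nfsaclsvc_release_attrstat` and `nfsaclsvc_release_access` in the first inner hunk have identical bodies and differ only in the type of `resp`, and no comment says why both must exist. A later cleanup could fold them back into a single helper taking the wrong struct, which is the type confusion the commit message describes. A one-line comment above each would guard against that, e.g. `/* resp is the ACCESS result; &resp->fh is only valid through struct nfsd3_accessres. */` and the matching line for `struct nfsd_attrstat`. Presumably `fh` sits at a different offset in the two structs, but their definitions are outside the hunk, so that should be confirmed before wording the comment more strongly. The 2.6.18.7 and 2.6.20.1 copies of the patch are the same in this respect.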
diff --git a/releases/2.6.20.1/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch b/releases/2.6.20.1/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
new file mode 100644
index 00000000000..e89a9f96ea1
--- /dev/null
+++ b/releases/2.6.20.1/fix-a-free-wrong-pointer-bug-in-nfs-acl-server.patch
@@ -0,0 +1,53 @@
+From e162a033a5882bde0c3bf5a07ee2119f9535cd8c Mon Sep 17 00:00:00 2001
+From: Greg Banks
+Date: Tue, 20 Feb 2007 10:12:34 +1100
+Subject: [PATCH] [PATCH] Fix a free-wrong-pointer bug in nfs/acl server (CVE-2007-0772)
+
+Due to type confusion, when an nfsacl verison 2 'ACCESS' request
+finishes and tries to clean up, it calls fh_put on entiredly the
+wrong thing and this can cause an oops.
+
+Signed-off-by: Neil Brown
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+diff --git a/fs/nfsd/nfs2acl.c b/fs/nfsd/nfs2acl.c
+index edde5dc..b617428 100644
+--- a/fs/nfsd/nfs2acl.c
++++ b/fs/nfsd/nfs2acl.c
+@@ -287,13 +287,20 @@ static int nfsaclsvc_release_getacl(struct svc_rqst *rqstp, __be32 *p,
+ return 1;
+ }
+
+-static int nfsaclsvc_release_fhandle(struct svc_rqst *rqstp, __be32 *p,
+- struct nfsd_fhandle *resp)
++static int nfsaclsvc_release_attrstat(struct svc_rqst *rqstp, __be32 *p,
++ struct nfsd_attrstat *resp)
+ {
+ fh_put(&resp->fh);
+ return 1;
+ }
+
++static int nfsaclsvc_release_access(struct svc_rqst *rqstp, __be32 *p,
++ struct nfsd3_accessres *resp)
++{
++ fh_put(&resp->fh);
++ return 1;
++}
++
+ #define nfsaclsvc_decode_voidargs NULL
+ #define nfsaclsvc_encode_voidres NULL
+ #define nfsaclsvc_release_void NULL
+@@ -322,9 +329,9 @@ struct nfsd3_voidargs { int dummy; };
+ static struct svc_procedure nfsd_acl_procedures2[] = {
+ PROC(null, void, void, void, RC_NOCACHE, ST),
+ PROC(getacl, getacl, getacl, getacl, RC_NOCACHE, ST+1+2*(1+ACL)),
+- PROC(setacl, setacl, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(getattr, fhandle, attrstat, fhandle, RC_NOCACHE, ST+AT),
+- PROC(access, access, access, fhandle, RC_NOCACHE, ST+AT+1),
++ PROC(setacl, setacl, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(getattr, fhandle, attrstat, attrstat, RC_NOCACHE, ST+AT),
++ PROC(access, access, access, access, RC_NOCACHE, ST+AT+1),
+ };
+
+ struct svc_version nfsd_acl_version2 = {