I caught this fix in the changelog linked above, already in Linus's tree. From the log:

  * [SECURITY] NFS client O_DIRECT error case fix:
    - Add patch stolen-from-head_nfs-client-odirect.dpatch.

    The NFS direct-io error return path for request sizes greater than
    MAX_DIRECTIO_SIZE fails to initialize the returned page struct array
    pointer to NULL.

    Discovered using AKPM's ext3-tools: odwrite -ko 0 16385 foo

Exploitability of this flaw seems to be undisclosed at this time. I've broken out the patch, attaching below.
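An added model of the failure mode the quoted changelog describes, written for this thread and not taken from the kernel or the attached patch: a page-mapping helper rejects an oversize O_DIRECT request without assigning the caller's page-array pointer, and the caller's shared cleanup then frees whatever that pointer held. The function names, the 16 MiB limit, the page size and the error values are assumptions; the 16385 KiB request mirrors the odwrite reproducer above.

```c
/* Added model (not the kernel's code) of the error path the changelog describes:
 * a helper that maps the pages of an O_DIRECT request rejects an oversize
 * request without assigning the caller's page-array pointer, and the caller's
 * shared cleanup then frees that unassigned pointer. Names, sizes and the
 * error values are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_DIRECTIO_SIZE (16UL << 20)   /* assumed 16 MiB limit */
#define DEMO_PAGE_SIZE    4096UL

struct page { unsigned long index; };
static struct page *stack_garbage[1];    /* stands in for an uninitialized local */

/* Buggy shape: the oversize path returns without touching *pages. */
static int get_user_pages_buggy(size_t size, struct page ***pages)
{
    if (size > MAX_DIRECTIO_SIZE)
        return -EFBIG;
    size_t n = (size + DEMO_PAGE_SIZE - 1) / DEMO_PAGE_SIZE;
    *pages = calloc(n, sizeof(**pages));
    return *pages ? (int)n : -ENOMEM;
}

/* Fixed shape: *pages is NULL on every error return, so freeing it is a no-op. */
static int get_user_pages_fixed(size_t size, struct page ***pages)
{
    *pages = NULL;
    if (size > MAX_DIRECTIO_SIZE)
        return -EFBIG;
    size_t n = (size + DEMO_PAGE_SIZE - 1) / DEMO_PAGE_SIZE;
    *pages = calloc(n, sizeof(**pages));
    return *pages ? (int)n : -ENOMEM;
}

/* Caller with the shared cleanup path. Returns 1 when the cleanup would have
 * freed the unassigned pointer (the crash the fix removes), 0 when it is safe. */
static int odirect_request(int (*get_pages)(size_t, struct page ***), size_t size)
{
    struct page **pages = stack_garbage;   /* whatever the stack slot held */
    int rc = get_pages(size, &pages);
    if (rc < 0 && pages == stack_garbage)
        return 1;                          /* would free(garbage) here */
    free(pages);                           /* free(NULL) is harmless */
    return 0;
}
```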
Created attachment 48436: O_DIRECT fix from -bk
Broken out from Ubuntu kernel sources, pulled from linus-bk
This is fixed without a changelog entry in -ac. hardened-dev-sources 2.6.10 includes -ac8, and is unaffected. Will go stable soon.
hardened-dev-sources stable, resolved for us.
Created attachment 48583: Patch
mips-sources patched
gentoo-dev-sources is done
Mass-Ccing kern-sec@gentoo.org to make sure Kernel Security guys know about all of these...
Following sources still need this fix:
hppa-sources - Adding GMSoft...
pegasos-sources - Adding dholm...
rsbac-sources - Adding kang...
Just a note: this vuln is not present in rsbac kernels.
pegasos-sources fixed
All fixed, closing bug.
http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=6bf784fa4fbe697cc87b42f65bce319bf9a98c20