Comment 23 for bug 137978

Lei Zhang (thestig-google) wrote :

When the package maintainers backported CVE-2007-2878, [1] they made a typo while adapting the code to kernel 2.6.15.

With [2] applied to the 2.6.15 source code, fat_ioctl_readdir() is as follows:

...
down(&inode->i_sem);
ret = -ENOENT;
if (!IS_DEADDIR(inode)) {
    ret = __fat_readdir(inode, filp, &buf, filldir, short_only, both);
}
down(&inode->i_sem);
...

The second down() should be an up().

This only affects the dapper kernels 2.6.15-28-51, but not later kernels used in Ubuntu 6.10+, which kept the mutex_lock() / mutex_unlock() from the original commit in kernel 2.6.21.2.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2878
[2] http://archive.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.15/linux-source-2.6.15_2.6.15-51.66.diff.gz
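The lock imbalance described in the comment above, as an added example that is not part of the bug report or the kernel source: a user-space model of the 2.6.15 i_sem semaphore with the typo'd backport beside the intended version, plus a check that reports whether the lock is back in its free state after the call. The real down() on an already held semaphore sleeps forever; here that self-deadlock is only counted. The fake_readdir() stand-in for __fat_readdir() is an assumption of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the 2.6.15 binary semaphore i_sem: count 1 = free, 0 = held. */
struct sem { int count; int self_deadlocks; };

static void down(struct sem *s) {
    if (s->count > 0) { s->count--; return; }
    /* Real down() would block here; with the holder being the caller, forever. */
    s->self_deadlocks++;
}
static void up(struct sem *s) { s->count++; }

/* Hypothetical stand-in for __fat_readdir(); its result does not matter here. */
static int fake_readdir(void) { return 0; }

/* The backport as shipped in 2.6.15-51: a second down() where up() belongs. */
static int readdir_backport_buggy(struct sem *i_sem) {
    int ret;
    down(i_sem);
    ret = fake_readdir();
    down(i_sem);          /* typo: should be up(i_sem) */
    return ret;
}

/* The intended code: release the lock that was taken above. */
static int readdir_backport_fixed(struct sem *i_sem) {
    int ret;
    down(i_sem);
    ret = fake_readdir();
    up(i_sem);
    return ret;
}

/* Runs fn on a fresh, free semaphore and reports whether the lock is balanced
 * afterwards (free again and no self-deadlock attempted). */
static bool lock_balanced_after(int (*fn)(struct sem *), int *deadlocks) {
    struct sem s = { 1, 0 };
    fn(&s);
    if (deadlocks) *deadlocks = s.self_deadlocks;
    return s.count == 1 && s.self_deadlocks == 0;
}

int main(void) {
    int d = 0;
    printf("fixed balanced: %d\n", lock_balanced_after(readdir_backport_fixed, &d));
    printf("buggy balanced: %d (self-deadlocks: %d)\n",
           lock_balanced_after(readdir_backport_buggy, &d), d);
    return 0;
}
```

With the typo, the buggy path leaves i_sem held, so the next ioctl on that directory would block indefinitely: a local denial of service rather than the fix the backport was meant to deliver.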