Re: [PATCH] xfs: remote attribute overwrite causes transaction overrun

On Mon, May 04, 2015 at 09:45:36AM +0800, Sheng Yong wrote:
> CVE-2015-0274 is caused by commit e461fcb ("xfs: remote attribute
> lookups require the value length"), which was introduced in 3.11.
> It should have had nothing to do with 3.10-stable. However, when
> we checked 3.10, we found that this commit was cherry-picked from
> (maybe) the xfs tree. The patch ("xfs: remote attribute lookups
> require the value length") was also included in 3.10, and its
> commit is 7ae077802.  So 3.10-stable is affected by the CVE.

So apparently it is needed if there is any bug exposed, which I can't
tell from the complete lack of information in the CVE about it.

Indeed, I originally found the problem on a CONFIG_XFS_DEBUG=y
kernel, which flags lots of issues that have no effect on run-time
behaviour of production systems. A transaction overrun does *not*
cause a production system to fail, so I'm really not sure that there
is a problem that needs to be fixed here.

Regardless of whether there is a bug to be fixed or not, what
regression testing have you done on your backport to ensure you
haven't introduced any new problems?

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx