| Message ID | 1303843496-8390-1-git-send-email-brad.figg@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Tue, 2011-04-26 at 11:44 -0700, Brad Figg wrote: > From: Timo Warns <Warns@pre-sense.de> > > BugLink: http://bugs.launchpad.net/bugs/771382 > > CVE-2011-1017 > > The kernel automatically evaluates partition tables of storage devices. > The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains > a bug that causes a kernel oops on certain corrupted LDM partitions. > A kernel subsystem seems to crash, because, after the oops, the kernel no > longer recognizes newly connected storage devices. > > The patch validates the value of vblk_size. > > [akpm@linux-foundation.org: coding-style fixes] > Signed-off-by: Timo Warns <warns@pre-sense.de> > Cc: Eugene Teo <eugeneteo@kernel.sg> > Cc: Harvey Harrison <harvey.harrison@gmail.com> > Cc: Richard Russon <rich@flatcap.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a) > Signed-off-by: Brad Figg <brad.figg@canonical.com> > --- > fs/partitions/ldm.c | 16 ++++++++++++---- > 1 files changed, 12 insertions(+), 4 deletions(-) > > diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c > index 7ab1c11..c861f52 100644 > --- a/fs/partitions/ldm.c > +++ b/fs/partitions/ldm.c > @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags) > > BUG_ON (!data || !frags); > > + if (size < 2 * VBLK_SIZE_HEAD) { > + ldm_error("Value of size is to small."); > + return FALSE; > + } > + > group = BE32 (data + 0x08); > rec = BE16 (data + 0x0C); > num = BE16 (data + 0x0E); > @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags) > ldm_error ("A VBLK claims to have %d parts.", num); > return FALSE; > } > + if (rec >= num) { > + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num); > + return FALSE; > + } > > list_for_each (item, frags) { > f = list_entry (item, struct frag, list); > @@ -1260,10 +1269,9 @@ found: > > f->map |= (1 << rec); > > - if (num > 0) { > - data += VBLK_SIZE_HEAD; > - size -= VBLK_SIZE_HEAD; > - } > + data += VBLK_SIZE_HEAD; > + size -= VBLK_SIZE_HEAD; > + > memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size); > > return TRUE; > -- > 1.7.0.4 > > Acked-by: Steve Conklin <sconklin@canonical.com>
On 04/26/2011 12:44 PM, Brad Figg wrote: > From: Timo Warns<Warns@pre-sense.de> > > BugLink: http://bugs.launchpad.net/bugs/771382 > > CVE-2011-1017 > > The kernel automatically evaluates partition tables of storage devices. > The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains > a bug that causes a kernel oops on certain corrupted LDM partitions. > A kernel subsystem seems to crash, because, after the oops, the kernel no > longer recognizes newly connected storage devices. > > The patch validates the value of vblk_size. > > [akpm@linux-foundation.org: coding-style fixes] > Signed-off-by: Timo Warns<warns@pre-sense.de> > Cc: Eugene Teo<eugeneteo@kernel.sg> > Cc: Harvey Harrison<harvey.harrison@gmail.com> > Cc: Richard Russon<rich@flatcap.org> > Signed-off-by: Andrew Morton<akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> > > (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a) > Signed-off-by: Brad Figg<brad.figg@canonical.com> Where did you find a reference that this patch fixes CVE-2011-1017 ? rtg
On 04/26/2011 01:37 PM, Tim Gardner wrote: > On 04/26/2011 12:44 PM, Brad Figg wrote: >> From: Timo Warns<Warns@pre-sense.de> >> >> BugLink: http://bugs.launchpad.net/bugs/771382 >> >> CVE-2011-1017 >> >> The kernel automatically evaluates partition tables of storage devices. >> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains >> a bug that causes a kernel oops on certain corrupted LDM partitions. >> A kernel subsystem seems to crash, because, after the oops, the kernel no >> longer recognizes newly connected storage devices. >> >> The patch validates the value of vblk_size. >> >> [akpm@linux-foundation.org: coding-style fixes] >> Signed-off-by: Timo Warns<warns@pre-sense.de> >> Cc: Eugene Teo<eugeneteo@kernel.sg> >> Cc: Harvey Harrison<harvey.harrison@gmail.com> >> Cc: Richard Russon<rich@flatcap.org> >> Signed-off-by: Andrew Morton<akpm@linux-foundation.org> >> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> >> >> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a) >> Signed-off-by: Brad Figg<brad.figg@canonical.com> > > Where did you find a reference that this patch fixes CVE-2011-1017 ? > > rtg There was no specific reference. From the comments in the commit and comments in the CVE reference (http://openwall.com/lists/oss-security/2011/02/24/4) indicated the same code block. The patch is validating that the size is correct. Brad
On 04/26/2011 01:37 PM, Tim Gardner wrote: > On 04/26/2011 12:44 PM, Brad Figg wrote: >> From: Timo Warns<Warns@pre-sense.de> >> >> BugLink: http://bugs.launchpad.net/bugs/771382 >> >> CVE-2011-1017 >> >> The kernel automatically evaluates partition tables of storage devices. >> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains >> a bug that causes a kernel oops on certain corrupted LDM partitions. >> A kernel subsystem seems to crash, because, after the oops, the kernel no >> longer recognizes newly connected storage devices. >> >> The patch validates the value of vblk_size. >> >> [akpm@linux-foundation.org: coding-style fixes] >> Signed-off-by: Timo Warns<warns@pre-sense.de> >> Cc: Eugene Teo<eugeneteo@kernel.sg> >> Cc: Harvey Harrison<harvey.harrison@gmail.com> >> Cc: Richard Russon<rich@flatcap.org> >> Signed-off-by: Andrew Morton<akpm@linux-foundation.org> >> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> >> >> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a) >> Signed-off-by: Brad Figg<brad.figg@canonical.com> > > Where did you find a reference that this patch fixes CVE-2011-1017 ? > > rtg http://www.spinics.net/lists/mm-commits/msg83181.html
On 04/26/2011 08:44 PM, Brad Figg wrote: > From: Timo Warns <Warns@pre-sense.de> > > BugLink: http://bugs.launchpad.net/bugs/771382 > > CVE-2011-1017 > > The kernel automatically evaluates partition tables of storage devices. > The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains > a bug that causes a kernel oops on certain corrupted LDM partitions. > A kernel subsystem seems to crash, because, after the oops, the kernel no > longer recognizes newly connected storage devices. > > The patch validates the value of vblk_size. > > [akpm@linux-foundation.org: coding-style fixes] > Signed-off-by: Timo Warns <warns@pre-sense.de> > Cc: Eugene Teo <eugeneteo@kernel.sg> > Cc: Harvey Harrison <harvey.harrison@gmail.com> > Cc: Richard Russon <rich@flatcap.org> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a) > Signed-off-by: Brad Figg <brad.figg@canonical.com> > --- > fs/partitions/ldm.c | 16 ++++++++++++---- > 1 files changed, 12 insertions(+), 4 deletions(-) > > diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c > index 7ab1c11..c861f52 100644 > --- a/fs/partitions/ldm.c > +++ b/fs/partitions/ldm.c > @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags) > > BUG_ON (!data || !frags); > > + if (size < 2 * VBLK_SIZE_HEAD) { > + ldm_error("Value of size is to small."); > + return FALSE; > + } > + > group = BE32 (data + 0x08); > rec = BE16 (data + 0x0C); > num = BE16 (data + 0x0E); > @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags) > ldm_error ("A VBLK claims to have %d parts.", num); > return FALSE; > } > + if (rec >= num) { > + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num); > + return FALSE; > + } > > list_for_each (item, frags) { > f = list_entry (item, struct frag, list); > @@ -1260,10 +1269,9 @@ found: > > f->map |= (1 << rec); > > - if (num > 0) { > - data += VBLK_SIZE_HEAD; > - size -= VBLK_SIZE_HEAD; > - } > + data += VBLK_SIZE_HEAD; > + size -= VBLK_SIZE_HEAD; > + > memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size); > > return TRUE; I believe some thread which cve-2011-1017 was pointing to on mitre, lead to this patch claiming it would be the fix. And this patch looks the same. Acked-by: Stefan Bader <stefan.bader@canonical.com>
applied both patches
diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c index 7ab1c11..c861f52 100644 --- a/fs/partitions/ldm.c +++ b/fs/partitions/ldm.c @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags) BUG_ON (!data || !frags); + if (size < 2 * VBLK_SIZE_HEAD) { + ldm_error("Value of size is to small."); + return FALSE; + } + group = BE32 (data + 0x08); rec = BE16 (data + 0x0C); num = BE16 (data + 0x0E); @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags) ldm_error ("A VBLK claims to have %d parts.", num); return FALSE; } + if (rec >= num) { + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num); + return FALSE; + } list_for_each (item, frags) { f = list_entry (item, struct frag, list); @@ -1260,10 +1269,9 @@ found: f->map |= (1 << rec); - if (num > 0) { - data += VBLK_SIZE_HEAD; - size -= VBLK_SIZE_HEAD; - } + data += VBLK_SIZE_HEAD; + size -= VBLK_SIZE_HEAD; + memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size); return TRUE;