| Message ID | 1307973817-5773-3-git-send-email-apw@canonical.com |
|---|---|
| State | New |
| Headers | show |
On Mon, 2011-06-13 at 15:03 +0100, Andy Whitcroft wrote: > From: Timo Warns <Warns@pre-sense.de> > > The kernel automatically evaluates partition tables of storage devices. > The code for evaluating OSF partitions contains a bug that leaks data > from kernel heap memory to userspace for certain corrupted OSF > partitions. > > In more detail: > > for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) { > > iterates from 0 to d_npartitions - 1, where d_npartitions is read from > the partition table without validation and partition is a pointer to an > array of at most 8 d_partitions. > > Add the proper and obvious validation. > > Signed-off-by: Timo Warns <warns@pre-sense.de> > Cc: stable@kernel.org > [ Changed the patch trivially to not repeat the whole le16_to_cpu() > thing, and to use an explicit constant for the magic value '8' ] > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05) > CVE-2011-1163 > BugLink: http://bugs.launchpad.net/bugs/796606 > Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > fs/partitions/osf.c | 12 ++++++++++-- > 1 files changed, 10 insertions(+), 2 deletions(-) > > diff --git a/fs/partitions/osf.c b/fs/partitions/osf.c > index fc22b85..5b49d40 100644 > --- a/fs/partitions/osf.c > +++ b/fs/partitions/osf.c > @@ -10,10 +10,13 @@ > #include "check.h" > #include "osf.h" > > +#define MAX_OSF_PARTITIONS 8 > + > int osf_partition(struct parsed_partitions *state) > { > int i; > int slot = 1; > + unsigned int npartitions; > Sector sect; > unsigned char *data; > struct disklabel { > @@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state) > u8 p_fstype; > u8 p_frag; > __le16 p_cpg; > - } d_partitions[8]; > + } d_partitions[MAX_OSF_PARTITIONS]; > } * label; > struct d_partition * partition; > > @@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state) > put_dev_sector(sect); > return 0; > } > - for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) { > + npartitions = le16_to_cpu(label->d_npartitions); > + if (npartitions > MAX_OSF_PARTITIONS) { > + put_dev_sector(sect); > + return 0; > + } > + for (i = 0 ; i < npartitions; i++, partition++) { > if (slot == state->limit) > break; > if (le32_to_cpu(partition->p_size)) > -- > 1.7.4.1 > >
On 06/13/2011 03:03 PM, Andy Whitcroft wrote: > From: Timo Warns<Warns@pre-sense.de> > > The kernel automatically evaluates partition tables of storage devices. > The code for evaluating OSF partitions contains a bug that leaks data > from kernel heap memory to userspace for certain corrupted OSF > partitions. > > In more detail: > > for (i = 0 ; i< le16_to_cpu(label->d_npartitions); i++, partition++) { > > iterates from 0 to d_npartitions - 1, where d_npartitions is read from > the partition table without validation and partition is a pointer to an > array of at most 8 d_partitions. > > Add the proper and obvious validation. > > Signed-off-by: Timo Warns<warns@pre-sense.de> > Cc: stable@kernel.org > [ Changed the patch trivially to not repeat the whole le16_to_cpu() > thing, and to use an explicit constant for the magic value '8' ] > Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org> > > (cherry picked from commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05) > CVE-2011-1163 > BugLink: http://bugs.launchpad.net/bugs/796606 > Signed-off-by: Andy Whitcroft<apw@canonical.com> > --- > fs/partitions/osf.c | 12 ++++++++++-- > 1 files changed, 10 insertions(+), 2 deletions(-) > > diff --git a/fs/partitions/osf.c b/fs/partitions/osf.c > index fc22b85..5b49d40 100644 > --- a/fs/partitions/osf.c > +++ b/fs/partitions/osf.c > @@ -10,10 +10,13 @@ > #include "check.h" > #include "osf.h" > > +#define MAX_OSF_PARTITIONS 8 > + > int osf_partition(struct parsed_partitions *state) > { > int i; > int slot = 1; > + unsigned int npartitions; > Sector sect; > unsigned char *data; > struct disklabel { > @@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state) > u8 p_fstype; > u8 p_frag; > __le16 p_cpg; > - } d_partitions[8]; > + } d_partitions[MAX_OSF_PARTITIONS]; > } * label; > struct d_partition * partition; > > @@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state) > put_dev_sector(sect); > return 0; > } > - for (i = 0 ; i< le16_to_cpu(label->d_npartitions); i++, partition++) { > + npartitions = le16_to_cpu(label->d_npartitions); > + if (npartitions> MAX_OSF_PARTITIONS) { > + put_dev_sector(sect); > + return 0; > + } > + for (i = 0 ; i< npartitions; i++, partition++) { > if (slot == state->limit) > break; > if (le32_to_cpu(partition->p_size)) Acked-by: Brad Figg <brad.figg@canonical.com>
diff --git a/fs/partitions/osf.c b/fs/partitions/osf.c index fc22b85..5b49d40 100644 --- a/fs/partitions/osf.c +++ b/fs/partitions/osf.c @@ -10,10 +10,13 @@ #include "check.h" #include "osf.h" +#define MAX_OSF_PARTITIONS 8 + int osf_partition(struct parsed_partitions *state) { int i; int slot = 1; + unsigned int npartitions; Sector sect; unsigned char *data; struct disklabel { @@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state) u8 p_fstype; u8 p_frag; __le16 p_cpg; - } d_partitions[8]; + } d_partitions[MAX_OSF_PARTITIONS]; } * label; struct d_partition * partition; @@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state) put_dev_sector(sect); return 0; } - for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) { + npartitions = le16_to_cpu(label->d_npartitions); + if (npartitions > MAX_OSF_PARTITIONS) { + put_dev_sector(sect); + return 0; + } + for (i = 0 ; i < npartitions; i++, partition++) { if (slot == state->limit) break; if (le32_to_cpu(partition->p_size))