FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 11-29-2010, 08:03 AM
Xiaotian Feng
 
Default block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
block/blk-map.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index 30a7e51..749effa 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
for (i = 0; i < iov_count; i++) {
unsigned long uaddr = (unsigned long)iov[i].iov_base;

+ if (!iov[i].iov_len)
+ return -EINVAL;
+
if (uaddr & queue_dma_alignment(q)) {
unaligned = 1;
break;
}
- if (!iov[i].iov_len)
- return -EINVAL;
}

if (unaligned || (q->dma_pad_mask & len) || map_data)
--
1.7.0.4


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 11-29-2010, 08:03 AM
Xiaotian Feng
 
Default block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
block/blk-map.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index 30a7e51..749effa 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
for (i = 0; i < iov_count; i++) {
unsigned long uaddr = (unsigned long)iov[i].iov_base;

+ if (!iov[i].iov_len)
+ return -EINVAL;
+
if (uaddr & queue_dma_alignment(q)) {
unaligned = 1;
break;
}
- if (!iov[i].iov_len)
- return -EINVAL;
}

if (unaligned || (q->dma_pad_mask & len) || map_data)
--
1.7.0.4


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 11-29-2010, 08:03 AM
Xiaotian Feng
 
Default block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
block/blk-map.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index 30a7e51..749effa 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
for (i = 0; i < iov_count; i++) {
unsigned long uaddr = (unsigned long)iov[i].iov_base;

+ if (!iov[i].iov_len)
+ return -EINVAL;
+
if (uaddr & queue_dma_alignment(q)) {
unaligned = 1;
break;
}
- if (!iov[i].iov_len)
- return -EINVAL;
}

if (unaligned || (q->dma_pad_mask & len) || map_data)
--
1.7.0.4


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-18-2011, 08:15 PM
Tim Gardner
 
Default block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
fs/bio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/fs/bio.c b/fs/bio.c
index d59ddbf..461ca55 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -609,6 +609,9 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
unsigned long start = uaddr >> PAGE_SHIFT;

+ if (!len)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* buffer must be aligned to at least hardsector size for now
--
1.7.0.4


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-18-2011, 08:22 PM
Tim Gardner
 
Default block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
fs/bio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/fs/bio.c b/fs/bio.c
index 460554b..09b1255 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -574,6 +574,9 @@ static struct bio *__bio_map_user_iov(request_queue_t *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
unsigned long start = uaddr >> PAGE_SHIFT;

+ if (!len)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* transfer and buffer must be aligned to at least hardsector
--
1.7.0.4


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 04:37 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org