FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 02-18-2011, 08:01 PM
Brad Figg
 
Default Hardy CVE, bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

On 02/18/2011 12:06 PM, Tim Gardner wrote:

The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
Brad Figg (1):
UBUNTU: Ubuntu-2.6.24-28.86

are available in the git repository at:

git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4162

Tim Gardner (1):
bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

fs/bio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

From 3034d11a31600265b7286ae11e770946b7650a0c Mon Sep 17 00:00:00 2001
From: Tim Gardner<tim.gardner@canonical.com>
Date: Fri, 18 Feb 2011 12:49:29 -0700
Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

BugLink: http://bugs.launchpad.net/bugs/721441

CVE-2010-4162

backported from commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.

If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: Dan Rosenberg<drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe<jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
---
fs/bio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/fs/bio.c b/fs/bio.c
index d59ddbf..2c8224c 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -609,6 +609,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1)>> PAGE_SHIFT;
unsigned long start = uaddr>> PAGE_SHIFT;

+ /*
+ * Overflow, abort
+ */
+ if (end< start)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* buffer must be aligned to at least hardsector size for now


Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-18-2011, 08:28 PM
John Johansen
 
Default Hardy CVE, bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

On 02/18/2011 12:06 PM, Tim Gardner wrote:
> The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
> Brad Figg (1):
> UBUNTU: Ubuntu-2.6.24-28.86
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4162
>
> Tim Gardner (1):
> bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
>
> fs/bio.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> From 3034d11a31600265b7286ae11e770946b7650a0c Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner@canonical.com>
> Date: Fri, 18 Feb 2011 12:49:29 -0700
> Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
>
> BugLink: http://bugs.launchpad.net/bugs/721441
>
> CVE-2010-4162
>
> backported from commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
>
> If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
> to overflow, we could end up attempting to map a huge number of
> pages. Check for this invalid input type.
>
> Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
> fs/bio.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index d59ddbf..2c8224c 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -609,6 +609,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
> unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
> unsigned long start = uaddr >> PAGE_SHIFT;
>
> + /*
> + * Overflow, abort
> + */
> + if (end < start)
> + return ERR_PTR(-EINVAL);
> +
> nr_pages += end - start;
> /*
> * buffer must be aligned to at least hardsector size for now

Acked-by: John Johansen <john.johansen@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-20-2011, 01:14 AM
Tim Gardner
 
Default Hardy CVE, bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

applied

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 09:05 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org