FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 02-21-2011, 07:35 AM
Stefan Bader
 
Default Dapper CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

Same comment as for the Hardy patch.

On 02/18/2011 10:24 PM, Tim Gardner wrote:
> The following changes since commit 352701fdc50086ac0db65862e16dc8b20918d174:
> Steve Conklin (1):
> UBUNTU: Ubuntu-2.6.15-55.93
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-4163
>
> Tim Gardner (1):
> block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> fs/bio.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> From a80bcfd393b668c43d9a8cd2b00b93fd6b31fa00 Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner@canonical.com>
> Date: Fri, 18 Feb 2011 14:22:11 -0700
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
>
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> (backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
> fs/bio.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index 460554b..09b1255 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -574,6 +574,9 @@ static struct bio *__bio_map_user_iov(request_queue_t *q,
> unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
> unsigned long start = uaddr >> PAGE_SHIFT;
>
> + if (!len)
> + return ERR_PTR(-EINVAL);
> +
> nr_pages += end - start;
> /*
> * transfer and buffer must be aligned to at least hardsector


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-22-2011, 03:34 PM
Brad Figg
 
Default Dapper CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

On 02/18/2011 01:24 PM, Tim Gardner wrote:

The following changes since commit 352701fdc50086ac0db65862e16dc8b20918d174:
Steve Conklin (1):
UBUNTU: Ubuntu-2.6.15-55.93

are available in the git repository at:

git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-4163

Tim Gardner (1):
block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

fs/bio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

From a80bcfd393b668c43d9a8cd2b00b93fd6b31fa00 Mon Sep 17 00:00:00 2001
From: Tim Gardner<tim.gardner@canonical.com>
Date: Fri, 18 Feb 2011 14:22:11 -0700
Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng<dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe<jaxboe@fusionio.com>
(backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
---
fs/bio.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/fs/bio.c b/fs/bio.c
index 460554b..09b1255 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -574,6 +574,9 @@ static struct bio *__bio_map_user_iov(request_queue_t *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1)>> PAGE_SHIFT;
unsigned long start = uaddr>> PAGE_SHIFT;

+ if (!len)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* transfer and buffer must be aligned to at least hardsector


Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 02-22-2011, 04:36 PM
Tim Gardner
 
Default Dapper CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

applied

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 11:01 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org