FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 04-26-2011, 08:37 PM
Tim Gardner
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/26/2011 12:44 PM, Brad Figg wrote:

From: Timo Warns<Warns@pre-sense.de>

BugLink: http://bugs.launchpad.net/bugs/771382

CVE-2011-1017

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns<warns@pre-sense.de>
Cc: Eugene Teo<eugeneteo@kernel.sg>
Cc: Harvey Harrison<harvey.harrison@gmail.com>
Cc: Richard Russon<rich@flatcap.org>
Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
Signed-off-by: Brad Figg<brad.figg@canonical.com>


Where did you find a reference that this patch fixes CVE-2011-1017 ?

rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-26-2011, 08:43 PM
Brad Figg
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/26/2011 01:37 PM, Tim Gardner wrote:

On 04/26/2011 12:44 PM, Brad Figg wrote:

From: Timo Warns<Warns@pre-sense.de>

BugLink: http://bugs.launchpad.net/bugs/771382

CVE-2011-1017

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns<warns@pre-sense.de>
Cc: Eugene Teo<eugeneteo@kernel.sg>
Cc: Harvey Harrison<harvey.harrison@gmail.com>
Cc: Richard Russon<rich@flatcap.org>
Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
Signed-off-by: Brad Figg<brad.figg@canonical.com>


Where did you find a reference that this patch fixes CVE-2011-1017 ?

rtg


There was no specific reference. From the comments in the commit and
comments in the CVE reference (http://openwall.com/lists/oss-security/2011/02/24/4)
indicated the same code block. The patch is validating that the size
is correct.

Brad
--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-26-2011, 09:11 PM
Brad Figg
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/26/2011 01:37 PM, Tim Gardner wrote:

On 04/26/2011 12:44 PM, Brad Figg wrote:

From: Timo Warns<Warns@pre-sense.de>

BugLink: http://bugs.launchpad.net/bugs/771382

CVE-2011-1017

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns<warns@pre-sense.de>
Cc: Eugene Teo<eugeneteo@kernel.sg>
Cc: Harvey Harrison<harvey.harrison@gmail.com>
Cc: Richard Russon<rich@flatcap.org>
Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
Signed-off-by: Brad Figg<brad.figg@canonical.com>


Where did you find a reference that this patch fixes CVE-2011-1017 ?

rtg


http://www.spinics.net/lists/mm-commits/msg83181.html

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-27-2011, 08:07 AM
John Johansen
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/26/2011 01:35 PM, Brad Figg wrote:
> From: Timo Warns <Warns@pre-sense.de>
>
> BugLink: http://bugs.launchpad.net/bugs/771382
>
> CVE-2011-1017
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
>
> The patch validates the value of vblk_size.
>
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>

looks good
Acked-by: John Johansen <john.johansen@canonical.com>


> ---
> fs/partitions/ldm.c | 16 ++++++++++++----
> 1 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
> index 7ab1c11..c861f52 100644
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1225,6 +1225,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>
> BUG_ON (!data || !frags);
>
> + if (size < 2 * VBLK_SIZE_HEAD) {
> + ldm_error("Value of size is to small.");
> + return false;
> + }
> +
> group = BE32 (data + 0x08);
> rec = BE16 (data + 0x0C);
> num = BE16 (data + 0x0E);
> @@ -1232,6 +1237,10 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
> ldm_error ("A VBLK claims to have %d parts.", num);
> return false;
> }
> + if (rec >= num) {
> + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> + return false;
> + }
>
> list_for_each (item, frags) {
> f = list_entry (item, struct frag, list);
> @@ -1260,10 +1269,9 @@ found:
>
> f->map |= (1 << rec);
>
> - if (num > 0) {
> - data += VBLK_SIZE_HEAD;
> - size -= VBLK_SIZE_HEAD;
> - }
> + data += VBLK_SIZE_HEAD;
> + size -= VBLK_SIZE_HEAD;
> +
> memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>
> return true;


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-27-2011, 11:15 AM
Stefan Bader
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/26/2011 08:44 PM, Brad Figg wrote:
> From: Timo Warns <Warns@pre-sense.de>
>
> BugLink: http://bugs.launchpad.net/bugs/771382
>
> CVE-2011-1017
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
>
> The patch validates the value of vblk_size.
>
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
> fs/partitions/ldm.c | 16 ++++++++++++----
> 1 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
> index 7ab1c11..c861f52 100644
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>
> BUG_ON (!data || !frags);
>
> + if (size < 2 * VBLK_SIZE_HEAD) {
> + ldm_error("Value of size is to small.");
> + return FALSE;
> + }
> +
> group = BE32 (data + 0x08);
> rec = BE16 (data + 0x0C);
> num = BE16 (data + 0x0E);
> @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
> ldm_error ("A VBLK claims to have %d parts.", num);
> return FALSE;
> }
> + if (rec >= num) {
> + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> + return FALSE;
> + }
>
> list_for_each (item, frags) {
> f = list_entry (item, struct frag, list);
> @@ -1260,10 +1269,9 @@ found:
>
> f->map |= (1 << rec);
>
> - if (num > 0) {
> - data += VBLK_SIZE_HEAD;
> - size -= VBLK_SIZE_HEAD;
> - }
> + data += VBLK_SIZE_HEAD;
> + size -= VBLK_SIZE_HEAD;
> +
> memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>
> return TRUE;

I believe some thread which cve-2011-1017 was pointing to on mitre, lead to this
patch claiming it would be the fix.

And this patch looks the same.

Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-27-2011, 11:16 AM
Stefan Bader
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/26/2011 10:35 PM, Brad Figg wrote:
> From: Timo Warns <Warns@pre-sense.de>
>
> BugLink: http://bugs.launchpad.net/bugs/771382
>
> CVE-2011-1017
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
>
> The patch validates the value of vblk_size.
>
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
> fs/partitions/ldm.c | 16 ++++++++++++----
> 1 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
> index 7ab1c11..c861f52 100644
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1225,6 +1225,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>
> BUG_ON (!data || !frags);
>
> + if (size < 2 * VBLK_SIZE_HEAD) {
> + ldm_error("Value of size is to small.");
> + return false;
> + }
> +
> group = BE32 (data + 0x08);
> rec = BE16 (data + 0x0C);
> num = BE16 (data + 0x0E);
> @@ -1232,6 +1237,10 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
> ldm_error ("A VBLK claims to have %d parts.", num);
> return false;
> }
> + if (rec >= num) {
> + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> + return false;
> + }
>
> list_for_each (item, frags) {
> f = list_entry (item, struct frag, list);
> @@ -1260,10 +1269,9 @@ found:
>
> f->map |= (1 << rec);
>
> - if (num > 0) {
> - data += VBLK_SIZE_HEAD;
> - size -= VBLK_SIZE_HEAD;
> - }
> + data += VBLK_SIZE_HEAD;
> + size -= VBLK_SIZE_HEAD;
> +
> memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>
> return true;
Acked-by: Stefan Bader <stefan.bader@canonical.com>

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-27-2011, 01:45 PM
Tim Gardner
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

This is a multi-part message in MIME format.
On 04/26/2011 02:43 PM, Brad Figg wrote:

On 04/26/2011 01:37 PM, Tim Gardner wrote:

On 04/26/2011 12:44 PM, Brad Figg wrote:

From: Timo Warns<Warns@pre-sense.de>

BugLink: http://bugs.launchpad.net/bugs/771382

CVE-2011-1017

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the
kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns<warns@pre-sense.de>
Cc: Eugene Teo<eugeneteo@kernel.sg>
Cc: Harvey Harrison<harvey.harrison@gmail.com>
Cc: Richard Russon<rich@flatcap.org>
Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
Signed-off-by: Brad Figg<brad.figg@canonical.com>


Where did you find a reference that this patch fixes CVE-2011-1017 ?

rtg


There was no specific reference. From the comments in the commit and
comments in the CVE reference
(http://openwall.com/lists/oss-security/2011/02/24/4)
indicated the same code block. The patch is validating that the size
is correct.

Brad


While this patch is worthy of application on its own merit, I don't
think its sufficient. The mitre announcement says this vulnerability
exists for kernels _before_ 2.6.37.2, the implication being that the
problem was solved thereafter. I'm not sure why the mitre report doesn't
reference a specific commit, but if you look at git history there is
only one possibility:


rtg@lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline
v2.6.37.2..HEAD -- fs/partitions
91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit
from 8 to 18
67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition
table parsing
9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table
can cause kernel oops


It seems to me that if we're gonna declare CVE-2011-1017 to be fixed
(which without a reproducer is a leap of faith), then we also have to
include 'ldm: corrupted partition table can cause kernel oops', despite
the fact that the mitre report directly references ldm_frag_add(). Its a
bit ambiguous.


See attached. The same argument holds true for Hardy and Maverick though
I haven't checked to see if this patch has already come down via stable.


rtg
--
Tim Gardner tim.gardner@canonical.com
 
Old 04-27-2011, 02:48 PM
Brad Figg
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

On 04/27/2011 06:45 AM, Tim Gardner wrote:

On 04/26/2011 02:43 PM, Brad Figg wrote:

On 04/26/2011 01:37 PM, Tim Gardner wrote:

On 04/26/2011 12:44 PM, Brad Figg wrote:

From: Timo Warns<Warns@pre-sense.de>

BugLink: http://bugs.launchpad.net/bugs/771382

CVE-2011-1017

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the
kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns<warns@pre-sense.de>
Cc: Eugene Teo<eugeneteo@kernel.sg>
Cc: Harvey Harrison<harvey.harrison@gmail.com>
Cc: Richard Russon<rich@flatcap.org>
Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
Signed-off-by: Brad Figg<brad.figg@canonical.com>


Where did you find a reference that this patch fixes CVE-2011-1017 ?

rtg


There was no specific reference. From the comments in the commit and
comments in the CVE reference
(http://openwall.com/lists/oss-security/2011/02/24/4)
indicated the same code block. The patch is validating that the size
is correct.

Brad


While this patch is worthy of application on its own merit, I don't think its sufficient. The mitre announcement says this vulnerability exists for kernels _before_ 2.6.37.2, the implication being that the problem was solved thereafter. I'm not sure why
the mitre report doesn't reference a specific commit, but if you look at git history there is only one possibility:

rtg@lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline v2.6.37.2..HEAD -- fs/partitions
91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit from 8 to 18
67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition table parsing
9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table can cause kernel oops

It seems to me that if we're gonna declare CVE-2011-1017 to be fixed (which without a reproducer is a leap of faith), then we also have to include 'ldm: corrupted partition table can cause kernel oops', despite the fact that the mitre report directly
references ldm_frag_add(). Its a bit ambiguous.

See attached. The same argument holds true for Hardy and Maverick though I haven't checked to see if this patch has already come down via stable.

rtg


I agree that it looks like we should apply both patches.

Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-27-2011, 02:56 PM
Tim Gardner
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

applied both patches

--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 04-27-2011, 03:05 PM
Tim Gardner
 
Default fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

Applied 'ldm: corrupted partition table can cause kernel oops,
CVE-2011-1017' and 'fs/partitions/ldm.c: fix oops caused by corrupted
partition table, CVE-2011-1017'


rtg
--
Tim Gardner tim.gardner@canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 12:53 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org