FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 06-10-2011, 10:05 AM
Andy Whitcroft
 
Default fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops

CVE-2011-1577

Heap-based buffer overflow in the is_gpt_valid function in
fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows
physically proximate attackers to cause a denial of service (OOPS)
or possibly have unspecified other impact via a crafted size of
the EFI GUID partition-table header on removable media.

This vunerability is fixed by the upstream commit below:

commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
Author: Timo Warns <Warns@pre-sense.de>
Date: Thu May 26 16:25:57 2011 -0700

fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops

Following this email are patches for Hardy; Lucid and Lucid/fsl-imx51;
and Maverick, Maverick/ti-omap4, Natty and Natty/ti-omap4. Those for
Maverick and Natty are clean cherry-picks from mainline, the remainder
are backports.

Proposing for Hardy, Lucid, Lucid/fsl-imx51, Maverick, Maveric/ti-omap4, Natty,
and Natty/ti-omap4.

Also needed for Lucid/ec2, Lucid/mvl-dove, and Maverick/mvl-dove which
will get it from their parent branch.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 06-10-2011, 10:05 AM
Andy Whitcroft
 
Default fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops

From: Timo Warns <Warns@pre-sense.de>

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
a bug that causes a kernel oops on certain corrupted GUID partition
tables.

This bug has security impacts, because it allows, for example, to
prepare a storage device that crashes a kernel subsystem upon connecting
the device (e.g., a "USB Stick of (Partial) Death").

crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));

computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
There is no validation of (*gpt)->header_size before the efi_crc32 call.

A corrupted partition table may have large values for (*gpt)->header_size.
In this case, the CRC32 computation access memory beyond the memory
allocated for gpt, which may cause a kernel heap overflow.

Validate value of GUID partition table header size.

[akpm@linux-foundation.org: fix layout and indenting]
Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: Matt Domsch <Matt_Domsch@dell.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(backported from commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde)
CVE-2011-1577
BugLink: http://bugs.launchpad.net/bugs/795418
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
fs/partitions/efi.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
index e7b0700..46e9f47 100644
--- a/fs/partitions/efi.c
+++ b/fs/partitions/efi.c
@@ -312,6 +312,15 @@ is_gpt_valid(struct block_device *bdev, u64 lba,
goto fail;
}

+ /* Check the GUID Partition Table header size */
+ if (le32_to_cpu((*gpt)->header_size) >
+ bdev_hardsect_size(bdev)) {
+ Dprintk("GUID Partition Table Header size is wrong: %u > %u
",
+ le32_to_cpu((*gpt)->header_size),
+ bdev_hardsect_size(bdev));
+ goto fail;
+ }
+
/* Check the GUID Partition Table CRC */
origcrc = le32_to_cpu((*gpt)->header_crc32);
(*gpt)->header_crc32 = 0;
--
1.7.4.1


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 01:46 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org