On Mon, 2011-06-13 at 15:03 +0100, Andy Whitcroft wrote:
> From: Timo Warns <Warns@pre-sense.de>
>
> commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05 upstream.
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating OSF partitions contains a bug that leaks data
> from kernel heap memory to userspace for certain corrupted OSF
> partitions.
>
> In more detail:
>
> for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
>
> iterates from 0 to d_npartitions - 1, where d_npartitions is read from
> the partition table without validation and partition is a pointer to an
> array of at most 8 d_partitions.
>
> Add the proper and obvious validation.
>
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: stable@kernel.org
> [ Changed the patch trivially to not repeat the whole le16_to_cpu()
> thing, and to use an explicit constant for the magic value '8' ]
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
>
> (backported from 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05 upstream)
> CVE-2011-1163
> BugLink: http://bugs.launchpad.net/bugs/796606
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
> fs/partitions/osf.c | 12 ++++++++++--
> 1 files changed, 10 insertions(+), 2 deletions(-)
>
> diff --git a/fs/partitions/osf.c b/fs/partitions/osf.c
> index c05c17bc..6e0825e 100644
> --- a/fs/partitions/osf.c
> +++ b/fs/partitions/osf.c
> @@ -10,10 +10,13 @@
> #include "check.h"
> #include "osf.h"
>
> +#define MAX_OSF_PARTITIONS 8
> +
> int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
> {
> int i;
> int slot = 1;
> + unsigned int npartitions;
> Sector sect;
> unsigned char *data;
> struct disklabel {
> @@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
> u8 p_fstype;
> u8 p_frag;
> __le16 p_cpg;
> - } d_partitions[8];
> + } d_partitions[MAX_OSF_PARTITIONS];
> } * label;
> struct d_partition * partition;
>
> @@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
> put_dev_sector(sect);
> return 0;
> }
> - for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
> + npartitions = le16_to_cpu(label->d_npartitions);
> + if (npartitions > MAX_OSF_PARTITIONS) {
> + put_dev_sector(sect);
> + return 0;
> + }
> + for (i = 0 ; i < npartitions; i++, partition++) {
> if (slot == state->limit)
> break;
> if (le32_to_cpu(partition->p_size))
> --
> 1.7.4.1
>
>



--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team

On 06/13/2011 03:03 PM, Andy Whitcroft wrote:

From: Timo Warns<Warns@pre-sense.de>

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating OSF partitions contains a bug that leaks data
from kernel heap memory to userspace for certain corrupted OSF
partitions.

In more detail:

for (i = 0 ; i< le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where d_npartitions is read from
the partition table without validation and partition is a pointer to an
array of at most 8 d_partitions.

Add the proper and obvious validation.

Signed-off-by: Timo Warns<warns@pre-sense.de>
Cc: stable@kernel.org
[ Changed the patch trivially to not repeat the whole le16_to_cpu()
thing, and to use an explicit constant for the magic value '8' ]
Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>

(cherry picked from commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05)
CVE-2011-1163
BugLink: http://bugs.launchpad.net/bugs/796606
Signed-off-by: Andy Whitcroft<apw@canonical.com>
---
fs/partitions/osf.c | 12 ++++++++++--
1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/partitions/osf.c b/fs/partitions/osf.c
index fc22b85..5b49d40 100644
--- a/fs/partitions/osf.c
+++ b/fs/partitions/osf.c
@@ -10,10 +10,13 @@
#include "check.h"
#include "osf.h"

+#define MAX_OSF_PARTITIONS 8
+
int osf_partition(struct parsed_partitions *state)
{
int i;
int slot = 1;
+ unsigned int npartitions;
Sector sect;
unsigned char *data;
struct disklabel {
@@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state)
u8 p_fstype;
u8 p_frag;
__le16 p_cpg;
- } d_partitions[8];
+ } d_partitions[MAX_OSF_PARTITIONS];
} * label;
struct d_partition * partition;

@@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state)
put_dev_sector(sect);
return 0;
}
- for (i = 0 ; i< le16_to_cpu(label->d_npartitions); i++, partition++) {
+ npartitions = le16_to_cpu(label->d_npartitions);
+ if (npartitions> MAX_OSF_PARTITIONS) {
+ put_dev_sector(sect);
+ return 0;
+ }
+ for (i = 0 ; i< npartitions; i++, partition++) {
if (slot == state->limit)
break;
if (le32_to_cpu(partition->p_size))


Acked-by: Brad Figg <brad.figg@canonical.com>

--
Brad Figg brad.figg@canonical.com http://www.canonical.com

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team