Lucid CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

Message ID 20110218205703.D2F7AF89F8@sepang.rtg.net
State Accepted

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163

Message

Tim Gardner Feb. 18, 2011, 8:57 p.m. UTC
The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072:
  Brad Figg (1):
        UBUNTU: Ubuntu-2.6.32-29.58

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163

Xiaotian Feng (1):
      block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001
From: Xiaotian Feng <dfeng@redhat.com>
Date: Mon, 29 Nov 2010 10:03:55 +0100
Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

Comments

Brad Figg Feb. 18, 2011, 9:05 p.m. UTC | #1
On 02/18/2011 12:57 PM, Tim Gardner wrote:
> The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072:
>    Brad Figg (1):
>          UBUNTU: Ubuntu-2.6.32-29.58
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163
>
> Xiaotian Feng (1):
>        block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
>   block/blk-map.c |    5 +++--
>   1 files changed, 3 insertions(+), 2 deletions(-)
>
>  From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001
> From: Xiaotian Feng <dfeng@redhat.com>
> Date: Mon, 29 Nov 2010 10:03:55 +0100
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
>
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>   block/blk-map.c |    5 +++--
>   1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/block/blk-map.c b/block/blk-map.c
> index 30a7e51..749effa 100644
> --- a/block/blk-map.c
> +++ b/block/blk-map.c
> @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
>   	for (i = 0; i<  iov_count; i++) {
>   		unsigned long uaddr = (unsigned long)iov[i].iov_base;
>
> +		if (!iov[i].iov_len)
> +			return -EINVAL;
> +
>   		if (uaddr&  queue_dma_alignment(q)) {
>   			unaligned = 1;
>   			break;
>   		}
> -		if (!iov[i].iov_len)
> -			return -EINVAL;
>   	}
>
>   	if (unaligned || (q->dma_pad_mask&  len) || map_data)
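
Review bot: The `break` inside the `if (uaddr & queue_dma_alignment(q))` branch still ends the loop at the first unaligned entry, so any iov entries after that one never reach the relocated `if (!iov[i].iov_len)` check. Moving the length test above the alignment test covers the unaligned entry itself, but a zero-length entry later in the array is still not rejected by this loop. Consider dropping the `break` and only setting `unaligned = 1`, so that all `iov_count` entries are length-checked before the `if (unaligned || ...)` decision that follows.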

Acked-by: Brad Figg <brad.figg@canonical.com>

John Johansen Feb. 18, 2011, 9:57 p.m. UTC | #2
On 02/18/2011 12:57 PM, Tim Gardner wrote:
> The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072:
>   Brad Figg (1):
>         UBUNTU: Ubuntu-2.6.32-29.58
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163
> 
> Xiaotian Feng (1):
>       block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
>  block/blk-map.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001
> From: Xiaotian Feng <dfeng@redhat.com>
> Date: Mon, 29 Nov 2010 10:03:55 +0100
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
> BugLink: http://bugs.launchpad.net/bugs/721504
> 
> CVE-2010-4163
> 
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
> 
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
> 
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>  block/blk-map.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/block/blk-map.c b/block/blk-map.c
> index 30a7e51..749effa 100644
> --- a/block/blk-map.c
> +++ b/block/blk-map.c
> @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
>  	for (i = 0; i < iov_count; i++) {
>  		unsigned long uaddr = (unsigned long)iov[i].iov_base;
>  
> +		if (!iov[i].iov_len)
> +			return -EINVAL;
> +
>  		if (uaddr & queue_dma_alignment(q)) {
>  			unaligned = 1;
>  			break;
>  		}
> -		if (!iov[i].iov_len)
> -			return -EINVAL;
>  	}
>  
>  	if (unaligned || (q->dma_pad_mask & len) || map_data)
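
Review bot: Nothing in the loop body records that the `iov_len` test has to stay ahead of the alignment test; the two `if` blocks read as independent, and this patch exists because they were in the opposite order. A short comment above `if (!iov[i].iov_len)` stating that the length check must run before the `break` taken on an unaligned `uaddr` would keep a later cleanup from reintroducing the bypass.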

Acked-by: John Johansen <john.johansen@canonical.com>

Tim Gardner Feb. 20, 2011, 3:04 a.m. UTC | #3
applied