Message ID | 20110218205703.D2F7AF89F8@sepang.rtg.net |
---|---|
State | Accepted |
On 02/18/2011 12:57 PM, Tim Gardner wrote: > The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072: > Brad Figg (1): > UBUNTU: Ubuntu-2.6.32-29.58 > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163 > > Xiaotian Feng (1): > block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163 > > block/blk-map.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001 > From: Xiaotian Feng<dfeng@redhat.com> > Date: Mon, 29 Nov 2010 10:03:55 +0100 > Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163 > > BugLink: http://bugs.launchpad.net/bugs/721504 > > CVE-2010-4163 > > commit 9284bcf checks for proper length of iov entries in > blk_rq_map_user_iov(). But if the map is unaligned, kernel > will break out the loop without checking for the proper length. > So we need to check the proper length before the unalign check. > > Signed-off-by: Xiaotian Feng<dfeng@redhat.com> > Cc: stable@kernel.org > Signed-off-by: Jens Axboe<jaxboe@fusionio.com> > (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575) > > Signed-off-by: Tim Gardner<tim.gardner@canonical.com> > --- > block/blk-map.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/block/blk-map.c b/block/blk-map.c > index 30a7e51..749effa 100644 > --- a/block/blk-map.c > +++ b/block/blk-map.c > @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, > for (i = 0; i< iov_count; i++) { > unsigned long uaddr = (unsigned long)iov[i].iov_base; > > + if (!iov[i].iov_len) > + return -EINVAL; > + > if (uaddr& queue_dma_alignment(q)) { > unaligned = 1; > break; > } > - if (!iov[i].iov_len) > - return -EINVAL; > } > > if (unaligned || (q->dma_pad_mask& len) || map_data) Acked-by: Brad Figg <brad.figg@canonical.com>
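Review bot: In the `@@ -201,12 +201,13 @@` hunk of block/blk-map.c, the unaligned branch still leaves the loop with `break`, so the relocated `if (!iov[i].iov_len)` check runs only up to and including the first unaligned entry; a zero `iov_len` in any later iov entry is not rejected by this loop. Consider dropping the `break` and only setting `unaligned = 1`, so that every entry's length is checked before the `if (unaligned || (q->dma_pad_mask & len) || map_data)` test is reached. A one-line comment above the loop saying that the length check must come before the alignment check would also keep the ordering from regressing.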
On 02/18/2011 12:57 PM, Tim Gardner wrote: > The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072: > Brad Figg (1): > UBUNTU: Ubuntu-2.6.32-29.58 > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163 > > Xiaotian Feng (1): > block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163 > > block/blk-map.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001 > From: Xiaotian Feng <dfeng@redhat.com> > Date: Mon, 29 Nov 2010 10:03:55 +0100 > Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163 > > BugLink: http://bugs.launchpad.net/bugs/721504 > > CVE-2010-4163 > > commit 9284bcf checks for proper length of iov entries in > blk_rq_map_user_iov(). But if the map is unaligned, kernel > will break out the loop without checking for the proper length. > So we need to check the proper length before the unalign check. > > Signed-off-by: Xiaotian Feng <dfeng@redhat.com> > Cc: stable@kernel.org > Signed-off-by: Jens Axboe <jaxboe@fusionio.com> > (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575) > > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > block/blk-map.c | 5 +++-- > 1 files changed, 3 insertions(+), 2 deletions(-) > > diff --git a/block/blk-map.c b/block/blk-map.c > index 30a7e51..749effa 100644 > --- a/block/blk-map.c > +++ b/block/blk-map.c 
> @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq, > for (i = 0; i < iov_count; i++) { > unsigned long uaddr = (unsigned long)iov[i].iov_base; > > + if (!iov[i].iov_len) > + return -EINVAL; > + > if (uaddr & queue_dma_alignment(q)) { > unaligned = 1; > break; > } > - if (!iov[i].iov_len) > - return -EINVAL; > } > > if (unaligned || (q->dma_pad_mask & len) || map_data) Acked-by: John Johansen <john.johansen@canonical.com>
applied