Hardy CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

Message ID 20110218211814.7CD4AF89F8@sepang.rtg.net
State Accepted

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4163

Message

Tim Gardner Feb. 18, 2011, 9:18 p.m. UTC
The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
  Brad Figg (1):
        UBUNTU: Ubuntu-2.6.24-28.86

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4163

Tim Gardner (1):
      block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

 fs/bio.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

From aabab832c692067d4558aa577222ee408be06df0 Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner@canonical.com>
Date: Fri, 18 Feb 2011 14:15:10 -0700
Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 fs/bio.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

Comments

Stefan Bader Feb. 21, 2011, 8:34 a.m. UTC | #1
Implementation looks correct, only thing I would probably change is to take the
reference and description of the first patch and add a comment about the fixup
in the body...

On 02/18/2011 10:18 PM, Tim Gardner wrote:
> The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
>   Brad Figg (1):
>         UBUNTU: Ubuntu-2.6.24-28.86
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4163
> 
> Tim Gardner (1):
>       block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
>  fs/bio.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> From aabab832c692067d4558aa577222ee408be06df0 Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner@canonical.com>
> Date: Fri, 18 Feb 2011 14:15:10 -0700
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
> BugLink: http://bugs.launchpad.net/bugs/721504
> 
> CVE-2010-4163
> 
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
> 
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> (backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
> 
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>  fs/bio.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/bio.c b/fs/bio.c
> index d59ddbf..461ca55 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -609,6 +609,9 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>  		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
>  		unsigned long start = uaddr >> PAGE_SHIFT;
>  
> +		if (!len)
> +			return ERR_PTR(-EINVAL);
> +
>  		nr_pages += end - start;
>  		/*
>  		 * buffer must be aligned to at least hardsector size for now
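
Review bot: The log message still describes the length check as being in blk_rq_map_user_iov(), but the added `if (!len)` test is in __bio_map_user_iov() in fs/bio.c, and the "(backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)" line does not say what differs from that commit; add a short bracketed backport note stating that the check was placed in __bio_map_user_iov() and why. Separately, the new test runs after `end` has been computed from `uaddr + len + PAGE_SIZE - 1` on the context line above it, and this hunk only rejects len == 0, so confirm that a wrapped sum is caught elsewhere, for example with an `end < start` test next to the new check.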
Brad Figg Feb. 22, 2011, 4:30 p.m. UTC | #2
On 02/18/2011 01:18 PM, Tim Gardner wrote:
> The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
>    Brad Figg (1):
>          UBUNTU: Ubuntu-2.6.24-28.86
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4163
>
> Tim Gardner (1):
>        block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
>   fs/bio.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
>  From aabab832c692067d4558aa577222ee408be06df0 Mon Sep 17 00:00:00 2001
> From: Tim Gardner<tim.gardner@canonical.com>
> Date: Fri, 18 Feb 2011 14:15:10 -0700
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
>
> Signed-off-by: Xiaotian Feng<dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe<jaxboe@fusionio.com>
> (backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
>
> Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
> ---
>   fs/bio.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index d59ddbf..461ca55 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -609,6 +609,9 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>   		unsigned long end = (uaddr + len + PAGE_SIZE - 1)>>  PAGE_SHIFT;
>   		unsigned long start = uaddr>>  PAGE_SHIFT;
>
> +		if (!len)
> +			return ERR_PTR(-EINVAL);
> +
>   		nr_pages += end - start;
>   		/*
>   		 * buffer must be aligned to at least hardsector size for now

Acked-by: Brad Figg <brad.figg@canonical.com>
Brad Figg Feb. 22, 2011, 4:33 p.m. UTC | #3
On 02/18/2011 01:18 PM, Tim Gardner wrote:
> The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
>    Brad Figg (1):
>          UBUNTU: Ubuntu-2.6.24-28.86
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4163
>
> Tim Gardner (1):
>        block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
>   fs/bio.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
>  From aabab832c692067d4558aa577222ee408be06df0 Mon Sep 17 00:00:00 2001
> From: Tim Gardner<tim.gardner@canonical.com>
> Date: Fri, 18 Feb 2011 14:15:10 -0700
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
>
> Signed-off-by: Xiaotian Feng<dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe<jaxboe@fusionio.com>
> (backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
>
> Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
> ---
>   fs/bio.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index d59ddbf..461ca55 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -609,6 +609,9 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>   		unsigned long end = (uaddr + len + PAGE_SIZE - 1)>>  PAGE_SHIFT;
>   		unsigned long start = uaddr>>  PAGE_SHIFT;
>
> +		if (!len)
> +			return ERR_PTR(-EINVAL);
> +
>   		nr_pages += end - start;
>   		/*
>   		 * buffer must be aligned to at least hardsector size for now

Acked-by: Brad Figg <brad.figg@canonical.com>
Tim Gardner Feb. 22, 2011, 5:44 p.m. UTC | #4
applied