| Message ID | 20110218200739.7215BF89F8@sepang.rtg.net |
|---|---|
| State | Accepted |
| Headers | show |
On 02/18/2011 12:07 PM, Tim Gardner wrote: > The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b: > Steve Conklin (1): > UBUNTU: Ubuntu-2.6.31-22.73 > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162 > > Jens Axboe (1): > bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162 > > fs/bio.c | 14 +++++++++++++- > 1 files changed, 13 insertions(+), 1 deletions(-) > > From ace13f458e62d5ed3722e61e4fc0c39ca90ddf15 Mon Sep 17 00:00:00 2001 > From: Jens Axboe<jaxboe@fusionio.com> > Date: Wed, 10 Nov 2010 14:36:25 +0100 > Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162 > > BugLink: http://bugs.launchpad.net/bugs/721441 > > CVE-2010-4162 > > commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream. > > If the iovec is being set up in a way that causes uaddr + PAGE_SIZE > to overflow, we could end up attempting to map a huge number of > pages. Check for this invalid input type. > > Reported-by: Dan Rosenberg<drosenberg@vsecurity.com> > Signed-off-by: Jens Axboe<jaxboe@fusionio.com> > Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de> > Signed-off-by: Tim Gardner<tim.gardner@canonical.com> > --- > fs/bio.c | 14 +++++++++++++- > 1 files changed, 13 insertions(+), 1 deletions(-) > > diff --git a/fs/bio.c b/fs/bio.c > index 7673800..8bcc085 100644 > --- a/fs/bio.c > +++ b/fs/bio.c > @@ -813,6 +813,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, > end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1)>> PAGE_SHIFT; > start = uaddr>> PAGE_SHIFT; > > + /* > + * Overflow, abort > + */ > + if (end< start) > + return ERR_PTR(-EINVAL); > + > nr_pages += end - start; > len += iov[i].iov_len; > } > @@ -939,6 +945,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, > unsigned long end = (uaddr + len + PAGE_SIZE - 1)>> PAGE_SHIFT; > unsigned long start = uaddr>> PAGE_SHIFT; > > + /* > + * Overflow, abort > + */ > + if (end< start) > + return ERR_PTR(-EINVAL); > + > nr_pages += end - start; > /* > * buffer must be aligned to at least hardsector size for now > @@ -966,7 +978,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, > unsigned long start = uaddr>> PAGE_SHIFT; > const int local_nr_pages = end - start; > const int page_limit = cur_page + local_nr_pages; > - > + > ret = get_user_pages_fast(uaddr, local_nr_pages, > write_to_vm,&pages[cur_page]); > if (ret< local_nr_pages) { Acked-by: Brad Figg <brad.figg@canonical.com>
On 02/18/2011 12:07 PM, Tim Gardner wrote: > The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b: > Steve Conklin (1): > UBUNTU: Ubuntu-2.6.31-22.73 > > are available in the git repository at: > > git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162 > > Jens Axboe (1): > bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162 > > fs/bio.c | 14 +++++++++++++- > 1 files changed, 13 insertions(+), 1 deletions(-) > > From ace13f458e62d5ed3722e61e4fc0c39ca90ddf15 Mon Sep 17 00:00:00 2001 > From: Jens Axboe <jaxboe@fusionio.com> > Date: Wed, 10 Nov 2010 14:36:25 +0100 > Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162 > > BugLink: http://bugs.launchpad.net/bugs/721441 > > CVE-2010-4162 > > commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream. > > If the iovec is being set up in a way that causes uaddr + PAGE_SIZE > to overflow, we could end up attempting to map a huge number of > pages. Check for this invalid input type. > > Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> > Signed-off-by: Jens Axboe <jaxboe@fusionio.com> > Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> > Signed-off-by: Tim Gardner <tim.gardner@canonical.com> > --- > fs/bio.c | 14 +++++++++++++- > 1 files changed, 13 insertions(+), 1 deletions(-) > > diff --git a/fs/bio.c b/fs/bio.c > index 7673800..8bcc085 100644 > --- a/fs/bio.c > +++ b/fs/bio.c > @@ -813,6 +813,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q, > end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT; > start = uaddr >> PAGE_SHIFT; > > + /* > + * Overflow, abort > + */ > + if (end < start) > + return ERR_PTR(-EINVAL); > + > nr_pages += end - start; > len += iov[i].iov_len; > } > @@ -939,6 +945,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, > unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT; > unsigned long start = uaddr >> PAGE_SHIFT; > > + /* > + * Overflow, abort > + */ > + if (end < start) > + return ERR_PTR(-EINVAL); > + > nr_pages += end - start; > /* > * buffer must be aligned to at least hardsector size for now > @@ -966,7 +978,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q, > unsigned long start = uaddr >> PAGE_SHIFT; > const int local_nr_pages = end - start; > const int page_limit = cur_page + local_nr_pages; > - > + > ret = get_user_pages_fast(uaddr, local_nr_pages, > write_to_vm, &pages[cur_page]); > if (ret < local_nr_pages) { Acked-by: John Johansen <john.johansen@canonical.com>
applied
The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b: Steve Conklin (1): UBUNTU: Ubuntu-2.6.31-22.73 are available in the git repository at: git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162 Jens Axboe (1): bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162 fs/bio.c | 14 +++++++++++++- 1 files changed, 13 insertions(+), 1 deletions(-) From ace13f458e62d5ed3722e61e4fc0c39ca90ddf15 Mon Sep 17 00:00:00 2001 From: Jens Axboe <jaxboe@fusionio.com> Date: Wed, 10 Nov 2010 14:36:25 +0100 Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162 BugLink: http://bugs.launchpad.net/bugs/721441 CVE-2010-4162 commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream. If the iovec is being set up in a way that causes uaddr + PAGE_SIZE to overflow, we could end up attempting to map a huge number of pages. Check for this invalid input type. Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Jens Axboe <jaxboe@fusionio.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> --- fs/bio.c | 14 +++++++++++++- 1 files changed, 13 insertions(+), 1 deletions(-)