Patchwork Karmic CVE: bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

login
register
mail settings
Submitter Tim Gardner
Date Feb. 18, 2011, 8:07 p.m.
Message ID <20110218200739.7215BF89F8@sepang.rtg.net>
Download mbox
Permalink /patch/83643/
State Accepted
Headers show

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162

Comments

Tim Gardner - Feb. 18, 2011, 8:07 p.m.
The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b:
  Steve Conklin (1):
        UBUNTU: Ubuntu-2.6.31-22.73

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162

Jens Axboe (1):
      bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

 fs/bio.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)

From ace13f458e62d5ed3722e61e4fc0c39ca90ddf15 Mon Sep 17 00:00:00 2001
From: Jens Axboe <jaxboe@fusionio.com>
Date: Wed, 10 Nov 2010 14:36:25 +0100
Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162

BugLink: http://bugs.launchpad.net/bugs/721441

CVE-2010-4162

commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.

If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 fs/bio.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)
Brad Figg - Feb. 18, 2011, 9:02 p.m.
On 02/18/2011 12:07 PM, Tim Gardner wrote:
> The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b:
>    Steve Conklin (1):
>          UBUNTU: Ubuntu-2.6.31-22.73
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162
>
> Jens Axboe (1):
>        bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
>
>   fs/bio.c |   14 +++++++++++++-
>   1 files changed, 13 insertions(+), 1 deletions(-)
>
>  From ace13f458e62d5ed3722e61e4fc0c39ca90ddf15 Mon Sep 17 00:00:00 2001
> From: Jens Axboe<jaxboe@fusionio.com>
> Date: Wed, 10 Nov 2010 14:36:25 +0100
> Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
>
> BugLink: http://bugs.launchpad.net/bugs/721441
>
> CVE-2010-4162
>
> commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
>
> If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
> to overflow, we could end up attempting to map a huge number of
> pages. Check for this invalid input type.
>
> Reported-by: Dan Rosenberg<drosenberg@vsecurity.com>
> Signed-off-by: Jens Axboe<jaxboe@fusionio.com>
> Signed-off-by: Greg Kroah-Hartman<gregkh@suse.de>
> Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
> ---
>   fs/bio.c |   14 +++++++++++++-
>   1 files changed, 13 insertions(+), 1 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index 7673800..8bcc085 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -813,6 +813,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
>   		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1)>>  PAGE_SHIFT;
>   		start = uaddr>>  PAGE_SHIFT;
>
> +		/*
> +		 * Overflow, abort
> +		 */
> +		if (end<  start)
> +			return ERR_PTR(-EINVAL);
> +
>   		nr_pages += end - start;
>   		len += iov[i].iov_len;
>   	}
> @@ -939,6 +945,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>   		unsigned long end = (uaddr + len + PAGE_SIZE - 1)>>  PAGE_SHIFT;
>   		unsigned long start = uaddr>>  PAGE_SHIFT;
>
> +		/*
> +		 * Overflow, abort
> +		 */
> +		if (end<  start)
> +			return ERR_PTR(-EINVAL);
> +
>   		nr_pages += end - start;
>   		/*
>   		 * buffer must be aligned to at least hardsector size for now
> @@ -966,7 +978,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>   		unsigned long start = uaddr>>  PAGE_SHIFT;
>   		const int local_nr_pages = end - start;
>   		const int page_limit = cur_page + local_nr_pages;
> -		
> +
>   		ret = get_user_pages_fast(uaddr, local_nr_pages,
>   				write_to_vm,&pages[cur_page]);
>   		if (ret<  local_nr_pages) {

Acked-by: Brad Figg <brad.figg@canonical.com>
John Johansen - Feb. 18, 2011, 9:56 p.m.
On 02/18/2011 12:07 PM, Tim Gardner wrote:
> The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b:
>   Steve Conklin (1):
>         UBUNTU: Ubuntu-2.6.31-22.73
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4162
> 
> Jens Axboe (1):
>       bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
> 
>  fs/bio.c |   14 +++++++++++++-
>  1 files changed, 13 insertions(+), 1 deletions(-)
> 
> From ace13f458e62d5ed3722e61e4fc0c39ca90ddf15 Mon Sep 17 00:00:00 2001
> From: Jens Axboe <jaxboe@fusionio.com>
> Date: Wed, 10 Nov 2010 14:36:25 +0100
> Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
> 
> BugLink: http://bugs.launchpad.net/bugs/721441
> 
> CVE-2010-4162
> 
> commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
> 
> If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
> to overflow, we could end up attempting to map a huge number of
> pages. Check for this invalid input type.
> 
> Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>  fs/bio.c |   14 +++++++++++++-
>  1 files changed, 13 insertions(+), 1 deletions(-)
> 
> diff --git a/fs/bio.c b/fs/bio.c
> index 7673800..8bcc085 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -813,6 +813,12 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
>  		end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
>  		start = uaddr >> PAGE_SHIFT;
>  
> +		/*
> +		 * Overflow, abort
> +		 */
> +		if (end < start)
> +			return ERR_PTR(-EINVAL);
> +
>  		nr_pages += end - start;
>  		len += iov[i].iov_len;
>  	}
> @@ -939,6 +945,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>  		unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
>  		unsigned long start = uaddr >> PAGE_SHIFT;
>  
> +		/*
> +		 * Overflow, abort
> +		 */
> +		if (end < start)
> +			return ERR_PTR(-EINVAL);
> +
>  		nr_pages += end - start;
>  		/*
>  		 * buffer must be aligned to at least hardsector size for now
> @@ -966,7 +978,7 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>  		unsigned long start = uaddr >> PAGE_SHIFT;
>  		const int local_nr_pages = end - start;
>  		const int page_limit = cur_page + local_nr_pages;
> -		
> +
>  		ret = get_user_pages_fast(uaddr, local_nr_pages,
>  				write_to_vm, &pages[cur_page]);
>  		if (ret < local_nr_pages) {

Acked-by: John Johansen <john.johansen@canonical.com>
Tim Gardner - Feb. 20, 2011, 2:39 a.m.
applied