Patchwork Maverick CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

login
register
mail settings
Submitter Tim Gardner
Date Feb. 18, 2011, 8:52 p.m.
Message ID <20110218205230.031C8F89F8@sepang.rtg.net>
Download mbox
Permalink /patch/83648/
State Accepted
Headers show

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-maverick.git CVE-2010-4163

Comments

Tim Gardner - Feb. 18, 2011, 8:52 p.m.
The following changes since commit 03d14db75e19c63e0f50e6413af3a75d7a97a833:
  Brad Figg (1):
        UBUNTU: Bump ABI

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-maverick.git CVE-2010-4163

Xiaotian Feng (1):
      block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

From aa1feb8576da51d7aa25759bc0e26824e6020f74 Mon Sep 17 00:00:00 2001
From: Xiaotian Feng <dfeng@redhat.com>
Date: Mon, 29 Nov 2010 10:03:55 +0100
Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel
will break out the loop without checking for the proper length.
So we need to check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
Brad Figg - Feb. 18, 2011, 9:04 p.m.
On 02/18/2011 12:52 PM, Tim Gardner wrote:
> The following changes since commit 03d14db75e19c63e0f50e6413af3a75d7a97a833:
>    Brad Figg (1):
>          UBUNTU: Bump ABI
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-maverick.git CVE-2010-4163
>
> Xiaotian Feng (1):
>        block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
>   block/blk-map.c |    5 +++--
>   1 files changed, 3 insertions(+), 2 deletions(-)
>
>  From aa1feb8576da51d7aa25759bc0e26824e6020f74 Mon Sep 17 00:00:00 2001
> From: Xiaotian Feng<dfeng@redhat.com>
> Date: Mon, 29 Nov 2010 10:03:55 +0100
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
>
> Signed-off-by: Xiaotian Feng<dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe<jaxboe@fusionio.com>
> (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
>
> Signed-off-by: Tim Gardner<tim.gardner@canonical.com>
> ---
>   block/blk-map.c |    5 +++--
>   1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/block/blk-map.c b/block/blk-map.c
> index 30a7e51..749effa 100644
> --- a/block/blk-map.c
> +++ b/block/blk-map.c
> @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
>   	for (i = 0; i<  iov_count; i++) {
>   		unsigned long uaddr = (unsigned long)iov[i].iov_base;
>
> +		if (!iov[i].iov_len)
> +			return -EINVAL;
> +
>   		if (uaddr&  queue_dma_alignment(q)) {
>   			unaligned = 1;
>   			break;
>   		}
> -		if (!iov[i].iov_len)
> -			return -EINVAL;
>   	}
>
>   	if (unaligned || (q->dma_pad_mask&  len) || map_data)

Acked-by: Brad Figg <brad.figg@canonical.com>
John Johansen - Feb. 18, 2011, 9:56 p.m.
On 02/18/2011 12:52 PM, Tim Gardner wrote:
> The following changes since commit 03d14db75e19c63e0f50e6413af3a75d7a97a833:
>   Brad Figg (1):
>         UBUNTU: Bump ABI
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-maverick.git CVE-2010-4163
> 
> Xiaotian Feng (1):
>       block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
>  block/blk-map.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> From aa1feb8576da51d7aa25759bc0e26824e6020f74 Mon Sep 17 00:00:00 2001
> From: Xiaotian Feng <dfeng@redhat.com>
> Date: Mon, 29 Nov 2010 10:03:55 +0100
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
> BugLink: http://bugs.launchpad.net/bugs/721504
> 
> CVE-2010-4163
> 
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
> 
> Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
> Cc: stable@kernel.org
> Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
> (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
> 
> Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
> ---
>  block/blk-map.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/block/blk-map.c b/block/blk-map.c
> index 30a7e51..749effa 100644
> --- a/block/blk-map.c
> +++ b/block/blk-map.c
> @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
>  	for (i = 0; i < iov_count; i++) {
>  		unsigned long uaddr = (unsigned long)iov[i].iov_base;
>  
> +		if (!iov[i].iov_len)
> +			return -EINVAL;
> +
>  		if (uaddr & queue_dma_alignment(q)) {
>  			unaligned = 1;
>  			break;
>  		}
> -		if (!iov[i].iov_len)
> -			return -EINVAL;
>  	}
>  
>  	if (unaligned || (q->dma_pad_mask & len) || map_data)

Acked-by: John Johansen <john.johansen@canonical.com>
Tim Gardner - Feb. 20, 2011, 2:44 a.m.
applied