From patchwork Fri Feb 18 20:57:03 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 83649
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204])
	by ozlabs.org (Postfix) with ESMTP id 7AC3EB711B
	for ; Sat, 19 Feb 2011 07:57:11 +1100 (EST)
Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com)
	by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from )
	id 1PqXNy-0002FR-7Y; Fri, 18 Feb 2011 20:57:06 +0000
Received: from mail.tpi.com ([70.99.223.143])
	by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from )
	id 1PqXNw-0002CC-7X
	for kernel-team@lists.ubuntu.com; Fri, 18 Feb 2011 20:57:04 +0000
Received: from sepang.rtg.net (unknown [10.0.2.5])
	by mail.tpi.com (Postfix) with ESMTP id 5D09A2944D1
	for ; Fri, 18 Feb 2011 12:57:03 -0800 (PST)
Received: by sepang.rtg.net (Postfix, from userid 1000)
	id D2F7AF89F8; Fri, 18 Feb 2011 13:57:03 -0700 (MST)
To: kernel-team@lists.ubuntu.com
Subject: Lucid CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
Message-Id: <20110218205703.D2F7AF89F8@sepang.rtg.net>
Date: Fri, 18 Feb 2011 13:57:03 -0700 (MST)
From: timg@tpi.com (Tim Gardner)
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Kernel team discussions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
MIME-Version: 1.0
Sender: kernel-team-bounces@lists.ubuntu.com
Errors-To: kernel-team-bounces@lists.ubuntu.com

The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072:
  Brad Figg (1):
        UBUNTU: Ubuntu-2.6.32-29.58

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163

Xiaotian Feng (1):
      block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001
From: Xiaotian Feng
Date: Mon, 29 Nov 2010 10:03:55 +0100
Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, kernel will break
out the loop without checking for the proper length. So we need to
check the proper length before the unalign check.

Signed-off-by: Xiaotian Feng
Cc: stable@kernel.org
Signed-off-by: Jens Axboe
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
Signed-off-by: Tim Gardner
Acked-by: Brad Figg
Acked-by: John Johansen
---
 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
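
The check ordering described in the commit message, as an added userspace illustration that is not part of the patch or of the kernel source. The function names, the 511 alignment mask and the sample vector are hypothetical, and the "proper length" check is modeled here as rejecting a zero-length entry, which is an assumption.

```c
/* Added illustration: userspace model of the validation-loop ordering.
 * Not kernel code; every name except struct iovec is hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

enum { MAP_ALIGNED = 0, MAP_UNALIGNED = 1 };

/* Ordering before the fix: the alignment test leaves the loop before
 * the length of that same entry has been examined. */
int scan_align_first(const struct iovec *iov, int count, uintptr_t mask)
{
    for (int i = 0; i < count; i++) {
        if ((uintptr_t)iov[i].iov_base & mask)
            return MAP_UNALIGNED;      /* entry i's length never checked */
        if (!iov[i].iov_len)           /* assumed form of the length check */
            return -EINVAL;
    }
    return MAP_ALIGNED;
}

/* Ordering after the fix: the length is validated first, so the entry
 * that triggers the unaligned exit has already passed the length check. */
int scan_length_first(const struct iovec *iov, int count, uintptr_t mask)
{
    for (int i = 0; i < count; i++) {
        if (!iov[i].iov_len)
            return -EINVAL;
        if ((uintptr_t)iov[i].iov_base & mask)
            return MAP_UNALIGNED;
    }
    return MAP_ALIGNED;
}

/* Constructed sample: entry 0 is well formed, entry 1 is both
 * unaligned (base + 513) and zero-length. */
static char buf[1024] __attribute__((aligned(512)));
const struct iovec sample[2] = {
    { buf, 512 },
    { buf + 513, 0 },
};

int main(void)
{
    printf("align-first:  %d\n", scan_align_first(sample, 2, 511));
    printf("length-first: %d\n", scan_length_first(sample, 2, 511));
    return 0;
}
```

With the alignment test first, the malformed entry is reported only as unaligned and continues down the unaligned path; with the length test first, the same vector is rejected with `-EINVAL`.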