Patchwork [Dapper,CVE-2011-1017,1/1] fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

login
register
mail settings
Submitter Brad Figg
Date April 26, 2011, 6:44 p.m.
Message ID <1303843496-8390-1-git-send-email-brad.figg@canonical.com>
Download mbox | patch
Permalink /patch/92948/
State New
Headers show

Comments

Brad Figg - April 26, 2011, 6:44 p.m.
From: Timo Warns <Warns@pre-sense.de>

BugLink: http://bugs.launchpad.net/bugs/771382

CVE-2011-1017

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.
A kernel subsystem seems to crash, because, after the oops, the kernel no
longer recognizes newly connected storage devices.

The patch validates the value of vblk_size.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Harvey Harrison <harvey.harrison@gmail.com>
Cc: Richard Russon <rich@flatcap.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
Signed-off-by: Brad Figg <brad.figg@canonical.com>
---
 fs/partitions/ldm.c |   16 ++++++++++++----
 1 files changed, 12 insertions(+), 4 deletions(-)
Steve Conklin - April 26, 2011, 8:26 p.m.
On Tue, 2011-04-26 at 11:44 -0700, Brad Figg wrote:
> From: Timo Warns <Warns@pre-sense.de>
> 
> BugLink: http://bugs.launchpad.net/bugs/771382
> 
> CVE-2011-1017
> 
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
> 
> The patch validates the value of vblk_size.
> 
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
>  fs/partitions/ldm.c |   16 ++++++++++++----
>  1 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
> index 7ab1c11..c861f52 100644
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>  
>  	BUG_ON (!data || !frags);
>  
> +	if (size < 2 * VBLK_SIZE_HEAD) {
> +		ldm_error("Value of size is to small.");
> +		return FALSE;
> +	}
> +
>  	group = BE32 (data + 0x08);
>  	rec   = BE16 (data + 0x0C);
>  	num   = BE16 (data + 0x0E);
> @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>  		ldm_error ("A VBLK claims to have %d parts.", num);
>  		return FALSE;
>  	}
> +	if (rec >= num) {
> +		ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> +		return FALSE;
> +	}
>  
>  	list_for_each (item, frags) {
>  		f = list_entry (item, struct frag, list);
> @@ -1260,10 +1269,9 @@ found:
>  
>  	f->map |= (1 << rec);
>  
> -	if (num > 0) {
> -		data += VBLK_SIZE_HEAD;
> -		size -= VBLK_SIZE_HEAD;
> -	}
> +	data += VBLK_SIZE_HEAD;
> +	size -= VBLK_SIZE_HEAD;
> +
>  	memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>  
>  	return TRUE;
> -- 
> 1.7.0.4
> 
> 
Acked-by: Steve Conklin <sconklin@canonical.com>
Tim Gardner - April 26, 2011, 8:37 p.m.
On 04/26/2011 12:44 PM, Brad Figg wrote:
> From: Timo Warns<Warns@pre-sense.de>
>
> BugLink: http://bugs.launchpad.net/bugs/771382
>
> CVE-2011-1017
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
>
> The patch validates the value of vblk_size.
>
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns<warns@pre-sense.de>
> Cc: Eugene Teo<eugeneteo@kernel.sg>
> Cc: Harvey Harrison<harvey.harrison@gmail.com>
> Cc: Richard Russon<rich@flatcap.org>
> Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg<brad.figg@canonical.com>

Where did you find a reference that this patch fixes CVE-2011-1017 ?

rtg
Brad Figg - April 26, 2011, 8:43 p.m.
On 04/26/2011 01:37 PM, Tim Gardner wrote:
> On 04/26/2011 12:44 PM, Brad Figg wrote:
>> From: Timo Warns<Warns@pre-sense.de>
>>
>> BugLink: http://bugs.launchpad.net/bugs/771382
>>
>> CVE-2011-1017
>>
>> The kernel automatically evaluates partition tables of storage devices.
>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>> A kernel subsystem seems to crash, because, after the oops, the kernel no
>> longer recognizes newly connected storage devices.
>>
>> The patch validates the value of vblk_size.
>>
>> [akpm@linux-foundation.org: coding-style fixes]
>> Signed-off-by: Timo Warns<warns@pre-sense.de>
>> Cc: Eugene Teo<eugeneteo@kernel.sg>
>> Cc: Harvey Harrison<harvey.harrison@gmail.com>
>> Cc: Richard Russon<rich@flatcap.org>
>> Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
>> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>>
>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>> Signed-off-by: Brad Figg<brad.figg@canonical.com>
>
> Where did you find a reference that this patch fixes CVE-2011-1017 ?
>
> rtg

There was no specific reference. From the comments in the commit and
comments in the CVE reference (http://openwall.com/lists/oss-security/2011/02/24/4)
indicated the same code block. The patch is validating that the size
is correct.

Brad
Brad Figg - April 26, 2011, 9:11 p.m.
On 04/26/2011 01:37 PM, Tim Gardner wrote:
> On 04/26/2011 12:44 PM, Brad Figg wrote:
>> From: Timo Warns<Warns@pre-sense.de>
>>
>> BugLink: http://bugs.launchpad.net/bugs/771382
>>
>> CVE-2011-1017
>>
>> The kernel automatically evaluates partition tables of storage devices.
>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>> A kernel subsystem seems to crash, because, after the oops, the kernel no
>> longer recognizes newly connected storage devices.
>>
>> The patch validates the value of vblk_size.
>>
>> [akpm@linux-foundation.org: coding-style fixes]
>> Signed-off-by: Timo Warns<warns@pre-sense.de>
>> Cc: Eugene Teo<eugeneteo@kernel.sg>
>> Cc: Harvey Harrison<harvey.harrison@gmail.com>
>> Cc: Richard Russon<rich@flatcap.org>
>> Signed-off-by: Andrew Morton<akpm@linux-foundation.org>
>> Signed-off-by: Linus Torvalds<torvalds@linux-foundation.org>
>>
>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>> Signed-off-by: Brad Figg<brad.figg@canonical.com>
>
> Where did you find a reference that this patch fixes CVE-2011-1017 ?
>
> rtg

http://www.spinics.net/lists/mm-commits/msg83181.html
Stefan Bader - April 27, 2011, 11:15 a.m.
On 04/26/2011 08:44 PM, Brad Figg wrote:
> From: Timo Warns <Warns@pre-sense.de>
> 
> BugLink: http://bugs.launchpad.net/bugs/771382
> 
> CVE-2011-1017
> 
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
> 
> The patch validates the value of vblk_size.
> 
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg <brad.figg@canonical.com>
> ---
>  fs/partitions/ldm.c |   16 ++++++++++++----
>  1 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
> index 7ab1c11..c861f52 100644
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>  
>  	BUG_ON (!data || !frags);
>  
> +	if (size < 2 * VBLK_SIZE_HEAD) {
> +		ldm_error("Value of size is to small.");
> +		return FALSE;
> +	}
> +
>  	group = BE32 (data + 0x08);
>  	rec   = BE16 (data + 0x0C);
>  	num   = BE16 (data + 0x0E);
> @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>  		ldm_error ("A VBLK claims to have %d parts.", num);
>  		return FALSE;
>  	}
> +	if (rec >= num) {
> +		ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> +		return FALSE;
> +	}
>  
>  	list_for_each (item, frags) {
>  		f = list_entry (item, struct frag, list);
> @@ -1260,10 +1269,9 @@ found:
>  
>  	f->map |= (1 << rec);
>  
> -	if (num > 0) {
> -		data += VBLK_SIZE_HEAD;
> -		size -= VBLK_SIZE_HEAD;
> -	}
> +	data += VBLK_SIZE_HEAD;
> +	size -= VBLK_SIZE_HEAD;
> +
>  	memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>  
>  	return TRUE;

I believe some thread which cve-2011-1017 was pointing to on mitre, lead to this
patch claiming it would be the fix.

And this patch looks the same.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Tim Gardner - April 27, 2011, 2:56 p.m.
applied both patches

Patch

diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
index 7ab1c11..c861f52 100644
--- a/fs/partitions/ldm.c
+++ b/fs/partitions/ldm.c
@@ -1225,6 +1225,11 @@  static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
 
 	BUG_ON (!data || !frags);
 
+	if (size < 2 * VBLK_SIZE_HEAD) {
+		ldm_error("Value of size is to small.");
+		return FALSE;
+	}
+
 	group = BE32 (data + 0x08);
 	rec   = BE16 (data + 0x0C);
 	num   = BE16 (data + 0x0E);
@@ -1232,6 +1237,10 @@  static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
 		ldm_error ("A VBLK claims to have %d parts.", num);
 		return FALSE;
 	}
+	if (rec >= num) {
+		ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
+		return FALSE;
+	}
 
 	list_for_each (item, frags) {
 		f = list_entry (item, struct frag, list);
@@ -1260,10 +1269,9 @@  found:
 
 	f->map |= (1 << rec);
 
-	if (num > 0) {
-		data += VBLK_SIZE_HEAD;
-		size -= VBLK_SIZE_HEAD;
-	}
+	data += VBLK_SIZE_HEAD;
+	size -= VBLK_SIZE_HEAD;
+
 	memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
 
 	return TRUE;