Patchwork [Dapper,CVE-2011-1017,1/1] fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

Submitter Tim Gardner
Date April 27, 2011, 1:45 p.m.
Message ID <4DB81E05.4070209@canonical.com>
Permalink /patch/93063/
State New

Comments

Tim Gardner - April 27, 2011, 1:45 p.m.
On 04/26/2011 02:43 PM, Brad Figg wrote:
> On 04/26/2011 01:37 PM, Tim Gardner wrote:
>> On 04/26/2011 12:44 PM, Brad Figg wrote:
>>> From: Timo Warns <Warns@pre-sense.de>
>>>
>>> BugLink: http://bugs.launchpad.net/bugs/771382
>>>
>>> CVE-2011-1017
>>>
>>> The kernel automatically evaluates partition tables of storage devices.
>>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>>> A kernel subsystem seems to crash, because, after the oops, the kernel no
>>> longer recognizes newly connected storage devices.
>>>
>>> The patch validates the value of vblk_size.
>>>
>>> [akpm@linux-foundation.org: coding-style fixes]
>>> Signed-off-by: Timo Warns <warns@pre-sense.de>
>>> Cc: Eugene Teo <eugeneteo@kernel.sg>
>>> Cc: Harvey Harrison <harvey.harrison@gmail.com>
>>> Cc: Richard Russon <rich@flatcap.org>
>>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>>>
>>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>>> Signed-off-by: Brad Figg <brad.figg@canonical.com>
>>
>> Where did you find a reference that this patch fixes CVE-2011-1017 ?
>>
>> rtg
>
> There was no specific reference. From the comments in the commit and
> comments in the CVE reference
> (http://openwall.com/lists/oss-security/2011/02/24/4)
> indicated the same code block. The patch is validating that the size
> is correct.
>
> Brad

While this patch is worthy of application on its own merit, I don't 
think it's sufficient. The mitre announcement says this vulnerability 
exists for kernels _before_ 2.6.37.2, the implication being that the 
problem was solved thereafter. I'm not sure why the mitre report doesn't 
reference a specific commit, but if you look at git history there is 
only one possibility:

rtg@lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline v2.6.37.2..HEAD -- fs/partitions
91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit from 8 to 18
67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition table parsing
9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table can cause kernel oops

It seems to me that if we're gonna declare CVE-2011-1017 to be fixed 
(which without a reproducer is a leap of faith), then we also have to 
include 'ldm: corrupted partition table can cause kernel oops', despite 
the fact that the mitre report directly references ldm_frag_add(). It's a 
bit ambiguous.

See attached. The same argument holds true for Hardy and Maverick though 
I haven't checked to see if this patch has already come down via stable.

rtg
Brad Figg - April 27, 2011, 2:48 p.m.
On 04/27/2011 06:45 AM, Tim Gardner wrote:
> On 04/26/2011 02:43 PM, Brad Figg wrote:
>> On 04/26/2011 01:37 PM, Tim Gardner wrote:
>>> On 04/26/2011 12:44 PM, Brad Figg wrote:
>>>> From: Timo Warns <Warns@pre-sense.de>
>>>>
>>>> BugLink: http://bugs.launchpad.net/bugs/771382
>>>>
>>>> CVE-2011-1017
>>>>
>>>> The kernel automatically evaluates partition tables of storage devices.
>>>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>>>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>>>> A kernel subsystem seems to crash, because, after the oops, the kernel no
>>>> longer recognizes newly connected storage devices.
>>>>
>>>> The patch validates the value of vblk_size.
>>>>
>>>> [akpm@linux-foundation.org: coding-style fixes]
>>>> Signed-off-by: Timo Warns <warns@pre-sense.de>
>>>> Cc: Eugene Teo <eugeneteo@kernel.sg>
>>>> Cc: Harvey Harrison <harvey.harrison@gmail.com>
>>>> Cc: Richard Russon <rich@flatcap.org>
>>>> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
>>>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>>>>
>>>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>>>> Signed-off-by: Brad Figg <brad.figg@canonical.com>
>>>
>>> Where did you find a reference that this patch fixes CVE-2011-1017 ?
>>>
>>> rtg
>>
>> There was no specific reference. From the comments in the commit and
>> comments in the CVE reference
>> (http://openwall.com/lists/oss-security/2011/02/24/4)
>> indicated the same code block. The patch is validating that the size
>> is correct.
>>
>> Brad
>
> While this patch is worthy of application on its own merit, I don't think it's sufficient. The mitre announcement says this vulnerability exists for kernels _before_ 2.6.37.2, the implication being that the problem was solved thereafter. I'm not sure why
> the mitre report doesn't reference a specific commit, but if you look at git history there is only one possibility:
>
> rtg@lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline v2.6.37.2..HEAD -- fs/partitions
> 91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit from 8 to 18
> 67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition table parsing
> 9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table can cause kernel oops
>
> It seems to me that if we're gonna declare CVE-2011-1017 to be fixed (which without a reproducer is a leap of faith), then we also have to include 'ldm: corrupted partition table can cause kernel oops', despite the fact that the mitre report directly
> references ldm_frag_add(). It's a bit ambiguous.
>
> See attached. The same argument holds true for Hardy and Maverick though I haven't checked to see if this patch has already come down via stable.
>
> rtg

I agree that it looks like we should apply both patches.

Acked-by: Brad Figg <brad.figg@canonical.com>

Patch

From 1d8c0f739b7eb6437dc68fdc07939dc2a94ef9d9 Mon Sep 17 00:00:00 2001
From: Timo Warns <Warns@pre-sense.de>
Date: Fri, 25 Feb 2011 14:44:21 -0800
Subject: [PATCH] ldm: corrupted partition table can cause kernel oops

BugLink: http://bugs.launchpad.net/bugs/771382

backported from 294f6cf48666825d23c9372ef37631232746e40d upstream.

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that causes a kernel oops on certain corrupted LDM partitions.  A
kernel subsystem seems to crash, because, after the oops, the kernel no
longer recognizes newly connected storage devices.

The patch changes ldm_parse_vmdb() to validate the value of vblk_size.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Acked-by: Richard Russon <ldm@flatcap.org>
Cc: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
---
 fs/partitions/ldm.c |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
index 7ab1c11..b94e145 100644
--- a/fs/partitions/ldm.c
+++ b/fs/partitions/ldm.c
@@ -256,6 +256,10 @@  static BOOL ldm_parse_vmdb (const u8 *data, struct vmdb *vm)
 	}
 
 	vm->vblk_size     = BE32 (data + 0x08);
+	if (vm->vblk_size == 0) {
+		ldm_error ("Illegal VBLK size");
+		return FALSE;
+	}
 	vm->vblk_offset   = BE32 (data + 0x0C);
 	vm->last_vblk_seq = BE32 (data + 0x04);
 
-- 
1.7.0.4
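To make the effect of the hunk concrete, the following is an added, stand-alone re-implementation of the VMDB header parse (example code written for this page, not fs/partitions/ldm.c itself). The field offsets 0x04, 0x08 and 0x0C and the zero check come from the hunk; the "VMDB" magic at offset 0, the 512-byte sector size and the vblks_per_sector() consumer are assumptions for illustration, and the sample headers are constructed inline. It goes beyond the patch in one respect: the patched path also rejects a VBLK larger than a sector, to show where an upper bound would sit if the consumer needs one.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VMDB_HDR_LEN 16u
#define SECTOR_SIZE  512u          /* assumed sector size used by the consumer */
#define MAGIC_VMDB   0x564D4442u   /* "VMDB"; magic check assumed, not in the hunk */

struct vmdb {
	uint32_t last_vblk_seq;   /* header offset 0x04 (from the hunk) */
	uint32_t vblk_size;       /* header offset 0x08 (from the hunk) */
	uint32_t vblk_offset;     /* header offset 0x0C (from the hunk) */
};

/* Big-endian 32-bit read from an untrusted buffer, like the kernel's BE32(). */
static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Parse the VMDB header.  patched == 0 mirrors the pre-patch path, which
 * stores whatever vblk_size the device supplied.  patched == 1 applies the
 * hunk's zero check and, going beyond the hunk, also rejects a VBLK larger
 * than one sector.  Returns 1 on success, 0 on rejection.
 */
int parse_vmdb(const uint8_t *data, struct vmdb *vm, int patched)
{
	if (be32(data) != MAGIC_VMDB)
		return 0;                        /* not a VMDB header */

	vm->vblk_size = be32(data + 0x08);
	if (patched) {
		if (vm->vblk_size == 0) {
			fprintf(stderr, "ldm: Illegal VBLK size\n");
			return 0;
		}
		if (vm->vblk_size > SECTOR_SIZE) {   /* extra bound, not in the hunk */
			fprintf(stderr, "ldm: VBLK size %" PRIu32 " larger than a sector\n",
				vm->vblk_size);
			return 0;
		}
	}
	vm->vblk_offset   = be32(data + 0x0C);
	vm->last_vblk_seq = be32(data + 0x04);
	return 1;
}

/*
 * Assumed downstream consumer: how many VBLKs fit in one sector.  This is
 * the kind of arithmetic that makes a zero size dangerous; it returns -1
 * instead of dividing by zero so the hazard is observable rather than fatal.
 */
int vblks_per_sector(const struct vmdb *vm)
{
	if (vm->vblk_size == 0)
		return -1;
	return (int)(SECTOR_SIZE / vm->vblk_size);
}

/* Constructed 16-byte header: magic, last_vblk_seq, vblk_size, vblk_offset. */
void build_vmdb_header(uint8_t *buf, uint32_t seq, uint32_t size, uint32_t off)
{
	uint32_t fields[4] = { MAGIC_VMDB, seq, size, off };
	for (int i = 0; i < 4; i++) {
		buf[4 * i]     = (uint8_t)(fields[i] >> 24);
		buf[4 * i + 1] = (uint8_t)(fields[i] >> 16);
		buf[4 * i + 2] = (uint8_t)(fields[i] >> 8);
		buf[4 * i + 3] = (uint8_t)fields[i];
	}
}

/* Feed a header with the given vblk_size to the chosen parser;
 * returns the parser's verdict (1 accepted, 0 rejected). */
int probe(uint32_t vblk_size, int patched)
{
	uint8_t hdr[VMDB_HDR_LEN];
	struct vmdb vm;
	build_vmdb_header(hdr, 4, vblk_size, 512);
	return parse_vmdb(hdr, &vm, patched);
}

/* What the unpatched path hands to the consumer for a given size
 * (-2 if the header was rejected outright, -1 if the divisor is zero). */
int probe_per_sector_unpatched(uint32_t vblk_size)
{
	uint8_t hdr[VMDB_HDR_LEN];
	struct vmdb vm;
	build_vmdb_header(hdr, 4, vblk_size, 512);
	if (!parse_vmdb(hdr, &vm, 0))
		return -2;
	return vblks_per_sector(&vm);
}

/* A header whose first four bytes are not "VMDB" is rejected by both paths. */
int probe_bad_magic(void)
{
	uint8_t hdr[VMDB_HDR_LEN] = { 0 };
	struct vmdb vm;
	return parse_vmdb(hdr, &vm, 0) + parse_vmdb(hdr, &vm, 1);
}

int main(void)
{
	const uint32_t sizes[] = { 128, 0, 4096 };
	for (size_t i = 0; i < 3; i++)
		printf("vblk_size=%" PRIu32 " unpatched=%d patched=%d per_sector=%d\n",
		       sizes[i], probe(sizes[i], 0), probe(sizes[i], 1),
		       probe_per_sector_unpatched(sizes[i]));
	return 0;
}
```

Run as-is it prints one line per constructed header: the unpatched path accepts all three sizes and hands the consumer a zero divisor for the corrupted one, while the patched path rejects the zero size (the hunk) and the oversized one (the added bound).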