From patchwork Fri Jun 10 10:05:59 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andy Whitcroft X-Patchwork-Id: 99869 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 0EFC1B7006 for ; Fri, 10 Jun 2011 20:06:19 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QUybQ-0006tJ-Q3; Fri, 10 Jun 2011 10:06:08 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QUybN-0006rV-Kd for kernel-team@lists.ubuntu.com; Fri, 10 Jun 2011 10:06:05 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1QUybL-00037B-71; Fri, 10 Jun 2011 10:06:03 +0000 Received: from 212-139-215-176.dynamic.dsl.as9105.com ([212.139.215.176] helo=localhost.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1QUybL-0002aq-1U; Fri, 10 Jun 2011 10:06:03 +0000 From: Andy Whitcroft To: kernel-team@lists.ubuntu.com Subject: [maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops Date: Fri, 10 Jun 2011 11:05:59 +0100 Message-Id: <1307700359-18350-4-git-send-email-apw@canonical.com> X-Mailer: git-send-email 1.7.4.1 In-Reply-To: <1307700359-18350-1-git-send-email-apw@canonical.com> References: <1307700359-18350-1-git-send-email-apw@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com From: Timo Warns The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables. This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death"). crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size)); computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call. A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation access memory beyond the memory allocated for gpt, which may cause a kernel heap overflow. Validate value of GUID partition table header size. [akpm@linux-foundation.org: fix layout and indenting] Signed-off-by: Timo Warns Cc: Matt Domsch Cc: Eugene Teo Cc: Dave Jones Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds (cherry picked from commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde) CVE-2011-1577 BugLink: http://bugs.launchpad.net/bugs/795418 Signed-off-by: Andy Whitcroft --- fs/partitions/efi.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c index 9efb2cf..3ac773d 100644 --- a/fs/partitions/efi.c +++ b/fs/partitions/efi.c @@ -309,6 +309,15 @@ static int is_gpt_valid(struct parsed_partitions *state, u64 lba, goto fail; } + /* Check the GUID Partition Table header size */ + if (le32_to_cpu((*gpt)->header_size) > + bdev_logical_block_size(state->bdev)) { + pr_debug("GUID Partition Table Header size is wrong: %u > %u\n", + le32_to_cpu((*gpt)->header_size), + bdev_logical_block_size(state->bdev)); + goto fail; + } + /* Check the GUID Partition Table CRC */ origcrc = le32_to_cpu((*gpt)->header_crc32); (*gpt)->header_crc32 = 0;