| Message ID | 1303336092.2050.14.camel@emiko |
|---|---|
| State | New |
| Headers | show |
On 04/20/2011 11:48 PM, Leann Ogasawara wrote: > The following changes since commit c34e0e04a2ea4b8c3af37e1f621c8ab61642200c: > Dan Rosenberg (1): > CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2011-0711 > > Dan Rosenberg (1): > xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 > > fs/xfs/xfs_fsops.c | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > From 695e59df936c802f5e528b089ec209e7b987d8fb Mon Sep 17 00:00:00 2001 > From: Dan Rosenberg <drosenberg@vsecurity.com> > Date: Mon, 14 Feb 2011 13:45:28 +0000 > Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 > > BugLink: http://bugs.launchpad.net/bugs/767740 > > CVE-2011-0711 > > The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to > xfs_fs_geometry() with a version number of 3. This code path does not > fill in the logsunit member of the passed xfs_fsop_geom_t, leading to > the leaking of four bytes of uninitialized stack data to potentially > unprivileged callers. > > v2 switches to memset() to avoid future issues if structure members > change, on suggestion of Dave Chinner. > > Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> > Reviewed-by: Eugene Teo <eugeneteo@kernel.org> > Signed-off-by: Alex Elder <aelder@sgi.com> > (cherry picked from commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba) > > Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > fs/xfs/xfs_fsops.c | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c > index 37a6f62..4e7f02b 100644 > --- a/fs/xfs/xfs_fsops.c > +++ b/fs/xfs/xfs_fsops.c > @@ -57,6 +57,9 @@ xfs_fs_geometry( > xfs_fsop_geom_t *geo, > int new_version) > { > + > + memset(geo, 0, sizeof(*geo)); > + > geo->blocksize = mp->m_sb.sb_blocksize; > geo->rtextsize = mp->m_sb.sb_rextsize; > geo->agblocks = mp->m_sb.sb_agblocks; Looks safe enough. Acked-by: Stefan Bader <stefan.bade@canonical.com>
On 04/20/2011 03:48 PM, Leann Ogasawara wrote: > The following changes since commit c34e0e04a2ea4b8c3af37e1f621c8ab61642200c: > Dan Rosenberg (1): > CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565 > > are available in the git repository at: > > git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2011-0711 > > Dan Rosenberg (1): > xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 > > fs/xfs/xfs_fsops.c | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > From 695e59df936c802f5e528b089ec209e7b987d8fb Mon Sep 17 00:00:00 2001 > From: Dan Rosenberg<drosenberg@vsecurity.com> > Date: Mon, 14 Feb 2011 13:45:28 +0000 > Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 > > BugLink: http://bugs.launchpad.net/bugs/767740 > > CVE-2011-0711 > > The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to > xfs_fs_geometry() with a version number of 3. This code path does not > fill in the logsunit member of the passed xfs_fsop_geom_t, leading to > the leaking of four bytes of uninitialized stack data to potentially > unprivileged callers. > > v2 switches to memset() to avoid future issues if structure members > change, on suggestion of Dave Chinner. > > Signed-off-by: Dan Rosenberg<drosenberg@vsecurity.com> > Reviewed-by: Eugene Teo<eugeneteo@kernel.org> > Signed-off-by: Alex Elder<aelder@sgi.com> > (cherry picked from commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba) > > Signed-off-by: Leann Ogasawara<leann.ogasawara@canonical.com> > --- > fs/xfs/xfs_fsops.c | 3 +++ > 1 files changed, 3 insertions(+), 0 deletions(-) > > diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c > index 37a6f62..4e7f02b 100644 > --- a/fs/xfs/xfs_fsops.c > +++ b/fs/xfs/xfs_fsops.c > @@ -57,6 +57,9 @@ xfs_fs_geometry( > xfs_fsop_geom_t *geo, > int new_version) > { > + > + memset(geo, 0, sizeof(*geo)); > + > geo->blocksize = mp->m_sb.sb_blocksize; > geo->rtextsize = mp->m_sb.sb_rextsize; > geo->agblocks = mp->m_sb.sb_agblocks; applied
diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c index 37a6f62..4e7f02b 100644 --- a/fs/xfs/xfs_fsops.c +++ b/fs/xfs/xfs_fsops.c @@ -57,6 +57,9 @@ xfs_fs_geometry( xfs_fsop_geom_t *geo, int new_version) { + + memset(geo, 0, sizeof(*geo)); + geo->blocksize = mp->m_sb.sb_blocksize; geo->rtextsize = mp->m_sb.sb_rextsize; geo->agblocks = mp->m_sb.sb_agblocks;
The following changes since commit c34e0e04a2ea4b8c3af37e1f621c8ab61642200c: Dan Rosenberg (1): CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565 are available in the git repository at: git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2011-0711 Dan Rosenberg (1): xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 fs/xfs/xfs_fsops.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) From 695e59df936c802f5e528b089ec209e7b987d8fb Mon Sep 17 00:00:00 2001 From: Dan Rosenberg <drosenberg@vsecurity.com> Date: Mon, 14 Feb 2011 13:45:28 +0000 Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 BugLink: http://bugs.launchpad.net/bugs/767740 CVE-2011-0711 The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to xfs_fs_geometry() with a version number of 3. This code path does not fill in the logsunit member of the passed xfs_fsop_geom_t, leading to the leaking of four bytes of uninitialized stack data to potentially unprivileged callers. v2 switches to memset() to avoid future issues if structure members change, on suggestion of Dave Chinner. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Reviewed-by: Eugene Teo <eugeneteo@kernel.org> Signed-off-by: Alex Elder <aelder@sgi.com> (cherry picked from commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba) Signed-off-by: Leann Ogasawara <leann.ogasawara@canonical.com> --- fs/xfs/xfs_fsops.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)