From patchwork Wed Apr 20 21:48:10 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leann Ogasawara X-Patchwork-Id: 92329 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 54DE01007DB for ; Thu, 21 Apr 2011 07:48:25 +1000 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QCfFv-0005B0-I5; Wed, 20 Apr 2011 21:48:15 +0000 Received: from adelie.canonical.com ([91.189.90.139]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1QCfFt-0005AX-BX for kernel-team@lists.ubuntu.com; Wed, 20 Apr 2011 21:48:13 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by adelie.canonical.com with esmtp (Exim 4.71 #1 (Debian)) id 1QCfFt-0002ix-8k for ; Wed, 20 Apr 2011 21:48:13 +0000 Received: from c-76-105-148-120.hsd1.or.comcast.net ([76.105.148.120] helo=[192.168.1.4]) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1QCfFs-00036O-TK for kernel-team@lists.ubuntu.com; Wed, 20 Apr 2011 21:48:13 +0000 Subject: [Hardy CVE-2011-0711] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 From: Leann Ogasawara To: kernel-team Date: Wed, 20 Apr 2011 14:48:10 -0700 Message-ID: <1303336090.2050.13.camel@emiko> Mime-Version: 1.0 X-Mailer: Evolution 2.32.2 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com The following changes since commit 62419a42fd4f8a418e90ca0d474eae77c138152e: Tim Gardner (1): UBUNTU: [Config] remove generated files are available in the git repository at: git://kernel.ubuntu.com/ogasawara/ubuntu-hardy.git CVE-2011-0711 Dan Rosenberg (1): xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 fs/xfs/xfs_fsops.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) From 147f4ed49f1fe360bc61ebea34496bcca3dc4c85 Mon Sep 17 00:00:00 2001 From: Dan Rosenberg Date: Mon, 14 Feb 2011 13:45:28 +0000 Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711 BugLink: http://bugs.launchpad.net/bugs/767740 CVE-2011-0711 The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to xfs_fs_geometry() with a version number of 3. This code path does not fill in the logsunit member of the passed xfs_fsop_geom_t, leading to the leaking of four bytes of uninitialized stack data to potentially unprivileged callers. v2 switches to memset() to avoid future issues if structure members change, on suggestion of Dave Chinner. Signed-off-by: Dan Rosenberg Reviewed-by: Eugene Teo Signed-off-by: Alex Elder (cherry picked from commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba) Signed-off-by: Leann Ogasawara Acked-by: Stefan Bader --- fs/xfs/xfs_fsops.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c index c92d5b8..e6d08b0 100644 --- a/fs/xfs/xfs_fsops.c +++ b/fs/xfs/xfs_fsops.c @@ -56,6 +56,9 @@ xfs_fs_geometry( xfs_fsop_geom_t *geo, int new_version) { + + memset(geo, 0, sizeof(*geo)); + geo->blocksize = mp->m_sb.sb_blocksize; geo->rtextsize = mp->m_sb.sb_rextsize; geo->agblocks = mp->m_sb.sb_agblocks;