From patchwork Wed Apr 27 13:45:41 2011
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 93063
Message-ID: <4DB81E05.4070209@canonical.com>
Date: Wed, 27 Apr 2011 07:45:41 -0600
From: Tim Gardner
To: Brad Figg
Cc: kernel-team@lists.ubuntu.com
Subject: Re: [Dapper] [CVE-2011-1017] [PATCH 1/1] fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017
References: <1303843496-8390-1-git-send-email-brad.figg@canonical.com> <4DB72D19.10105@canonical.com> <4DB72E85.3040505@canonical.com>
In-Reply-To: <4DB72E85.3040505@canonical.com>

On 04/26/2011 02:43 PM, Brad Figg wrote:
> On 04/26/2011 01:37 PM, Tim Gardner wrote:
>> On 04/26/2011 12:44 PM, Brad Figg wrote:
>>> From: Timo Warns
>>>
>>> BugLink: http://bugs.launchpad.net/bugs/771382
>>>
>>> CVE-2011-1017
>>>
>>> The kernel automatically evaluates partition tables of storage devices.
>>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>>> A kernel subsystem seems to crash, because, after the oops, the kernel no
>>> longer recognizes newly connected storage devices.
>>>
>>> The patch validates the value of vblk_size.
>>>
>>> [akpm@linux-foundation.org: coding-style fixes]
>>> Signed-off-by: Timo Warns
>>> Cc: Eugene Teo
>>> Cc: Harvey Harrison
>>> Cc: Richard Russon
>>> Signed-off-by: Andrew Morton
>>> Signed-off-by: Linus Torvalds
>>>
>>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>>> Signed-off-by: Brad Figg
>>
>> Where did you find a reference that this patch fixes CVE-2011-1017 ?
>>
>> rtg
>
> There was no specific reference. From the comments in the commit and
> comments in the CVE reference
> (http://openwall.com/lists/oss-security/2011/02/24/4)
> indicated the same code block. The patch is validating that the size
> is correct.
>
> Brad

While this patch is worthy of application on its own merit, I don't think it's sufficient. The mitre announcement says this vulnerability exists for kernels _before_ 2.6.37.2, the implication being that the problem was solved thereafter. I'm not sure why the mitre report doesn't reference a specific commit, but if you look at git history there is only one possibility:

rtg@lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline v2.6.37.2..HEAD -- fs/partitions
91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit from 8 to 18
67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition table parsing
9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table can cause kernel oops

It seems to me that if we're gonna declare CVE-2011-1017 to be fixed (which without a reproducer is a leap of faith), then we also have to include 'ldm: corrupted partition table can cause kernel oops', despite the fact that the mitre report directly references ldm_frag_add(). It's a bit ambiguous. See attached. The same argument holds true for Hardy and Maverick though I haven't checked to see if this patch has already come down via stable.

rtg

Acked-by: Brad Figg

From 1d8c0f739b7eb6437dc68fdc07939dc2a94ef9d9 Mon Sep 17 00:00:00 2001
From: Timo Warns Date: Fri, 25 Feb 2011 14:44:21 -0800 Subject: [PATCH] ldm: corrupted partition table can cause kernel oops BugLink: http://bugs.launchpad.net/bugs/771382 backported from 294f6cf48666825d23c9372ef37631232746e40d upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains a bug that causes a kernel oops on certain corrupted LDM partitions. A kernel subsystem seems to crash, because, after the oops, the kernel no longer recognizes newly connected storage devices. The patch changes ldm_parse_vmdb() to Validate the value of vblk_size. Signed-off-by: Timo Warns Cc: Eugene Teo Acked-by: Richard Russon Cc: Harvey Harrison Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman Signed-off-by: Tim Gardner --- fs/partitions/ldm.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c index 7ab1c11..b94e145 100644 --- a/fs/partitions/ldm.c +++ b/fs/partitions/ldm.c @@ -256,6 +256,10 @@ static BOOL ldm_parse_vmdb (const u8 *data, struct vmdb *vm) } vm->vblk_size = BE32 (data + 0x08); + if (vm->vblk_size == 0) { + ldm_error ("Illegal VBLK size"); + return FALSE; + } vm->vblk_offset = BE32 (data + 0x0C); vm->last_vblk_seq = BE32 (data + 0x04); -- 1.7.0.4
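Review bot: the guard added after `vm->vblk_size = BE32 (data + 0x08);` rejects only `vm->vblk_size == 0`, which is the corrupted-vblk_size case the commit message describes; as the thread above says, this is the ldm_parse_vmdb() half and does not by itself touch the ldm_frag_add() path that the CVE text references, so the ldm_frag_add() patch from the parent thread still has to be applied alongside it before CVE-2011-1017 can be called closed for Dapper. Returning `FALSE` matches the `static BOOL ldm_parse_vmdb` signature visible in the hunk header, so the backport is type-consistent with the Dapper tree. Minor: the commit message reads "to Validate the value of vblk_size" with a stray capital V.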
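To make the validation concrete outside the kernel, here is an added userland harness (my code, not part of the patch or of fs/partitions/ldm.c) that reads the three VMDB header fields at the offsets the hunk uses (0x04, 0x08, 0x0C, big-endian) and applies the same zero check on constructed sample headers; the buffer-length check and the `parse_vmdb`/`check_sample` names are my additions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userland stand-in for the kernel's BE32() macro: big-endian 32-bit read. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

struct vmdb {
    uint32_t last_vblk_seq;  /* header offset 0x04 */
    uint32_t vblk_size;      /* header offset 0x08 */
    uint32_t vblk_offset;    /* header offset 0x0C */
};

/* Mirrors the field reads in ldm_parse_vmdb() with the patch's check added:
 * a zero VBLK size is rejected before any later code could use it as a
 * record stride. The len check is an extra userland guard, not kernel code. */
static bool parse_vmdb(const uint8_t *data, size_t len, struct vmdb *vm)
{
    if (len < 0x10)                      /* need bytes 0x00..0x0F */
        return false;
    vm->vblk_size = be32(data + 0x08);
    if (vm->vblk_size == 0) {
        fprintf(stderr, "ldm: Illegal VBLK size\n");
        return false;
    }
    vm->vblk_offset = be32(data + 0x0C);
    vm->last_vblk_seq = be32(data + 0x04);
    return true;
}

/* Constructed sample headers (not captured from a real disk). */
static const uint8_t good_hdr[16] = {
    0, 0, 0, 0,                 /* 0x00: not examined by this check */
    0x00, 0x00, 0x00, 0x04,     /* 0x04: last_vblk_seq = 4 */
    0x00, 0x00, 0x00, 0x80,     /* 0x08: vblk_size = 128 */
    0x00, 0x00, 0x02, 0x00      /* 0x0C: vblk_offset = 512 */
};
static const uint8_t bad_hdr[16] = {
    0, 0, 0, 0,
    0x00, 0x00, 0x00, 0x04,
    0x00, 0x00, 0x00, 0x00,     /* 0x08: vblk_size = 0 -> rejected */
    0x00, 0x00, 0x02, 0x00
};

/* Returns the parsed vblk_size, or -1 when the header is rejected. */
static int check_sample(const uint8_t *hdr)
{
    struct vmdb vm;
    return parse_vmdb(hdr, sizeof good_hdr, &vm) ? (int)vm.vblk_size : -1;
}
```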