oss-sec mailing list archives

Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables


From: Jon Oberheide <jon () oberheide org>
Date: Wed, 23 Feb 2011 21:46:29 -0500

On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:
On 02/24/2011 03:59 AM, Josh Bressers wrote:
----- Original Message -----

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
a bug that allows the kernel heap to be overflowed. It may be possible to
escalate privileges by exploiting this bug.

(This bug is distinct from the LDM bug reported by Eugene Teo on
2011-02-23.)

This should affect both the 2.4 and 2.6 kernels. As a prerequisite,
CONFIG_LDM_PARTITION needs to be set.


Can you point to a commit message or something else that is public? It's
not clear how this differs from Eugene's request.

As far as I can tell, it's not public yet. Timo will follow up once his
patch is accepted.

The advisory Timo posted mentioned ldm_frag_add() so it's public for all
practical purposes at this point:

static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
{
...
        f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
        if (!f) {
                ldm_crit ("Out of memory.");
                return false;
        }
...
        memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
        return true;
}

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
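As an added illustration, not part of Jon's message and not the kernel's own code, the C program below models the allocation and copy arithmetic of the quoted lines in user space and shows the bounds validation a defender wants before that memcpy: rec and num are read from the on-disk VBLK header, so they are untrusted and must be checked against the number of slots and against the recorded allocation size before being used as an index. The destination offset is taken literally from the quoted expression; the statements elided by "..." in the quote are not modelled, so the program demonstrates the check rather than reproducing the kernel byte for byte. VBLK_SIZE_HEAD = 16, the fields of struct frag, and the names ldm_frag_offset, ldm_frag_write_fits, ldm_frag_add_checked and try_add are all assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value of the kernel's VBLK_SIZE_HEAD (header bytes of one VBLK fragment). */
#define VBLK_SIZE_HEAD 16

/* Constructed user-space stand-in for the kernel's struct frag: only what the
 * quoted lines need, plus an explicit capacity so the copy site can check it. */
struct frag {
	int num;          /* parts the VBLK claims to have */
	size_t cap;       /* bytes allocated for data[], i.e. size*num */
	uint8_t data[];   /* trailing buffer, as in kmalloc(sizeof(*f) + size*num) */
};

/* Destination offset of the quoted memcpy, taken literally from the page:
 * rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD. Caller guarantees size > VBLK_SIZE_HEAD. */
static size_t ldm_frag_offset(unsigned rec, size_t size)
{
	return (size_t)rec * (size - VBLK_SIZE_HEAD) + VBLK_SIZE_HEAD;
}

/* True when writing `size` bytes at that offset stays inside a buffer of
 * size*num bytes. rec and num come from the on-disk header, so every
 * arithmetic step is guarded before the value is used as an index. */
static bool ldm_frag_write_fits(unsigned rec, unsigned num, size_t size)
{
	if (num < 1 || size <= VBLK_SIZE_HEAD)
		return false;
	if (rec >= num)                       /* index must name one of the num slots */
		return false;
	if (size > SIZE_MAX / num)            /* size*num must not wrap */
		return false;
	if (rec > SIZE_MAX / (size - VBLK_SIZE_HEAD))
		return false;                     /* rec*(size-HEAD) must not wrap */
	size_t off = ldm_frag_offset(rec, size);
	if (off > SIZE_MAX - size)            /* off+size must not wrap */
		return false;
	return off + size <= size * num;
}

/* Hardened fragment add (constructed API): allocates like the quoted kmalloc,
 * records the capacity, and copies only after the window has been validated.
 * Returns NULL when the fragment is rejected or allocation fails. */
static struct frag *ldm_frag_add_checked(const uint8_t *data, size_t size,
					 unsigned rec, unsigned num)
{
	if (!ldm_frag_write_fits(rec, num, size))
		return NULL;                      /* kernel would log an error and return false */

	struct frag *f = malloc(sizeof(*f) + size * num);
	if (!f)
		return NULL;                      /* the "Out of memory." path */
	f->num = (int)num;
	f->cap = size * num;

	size_t off = ldm_frag_offset(rec, size);
	/* Re-check at the copy site against the recorded capacity, so the guard
	 * cannot drift away from the arithmetic it protects. */
	if (off + size > f->cap) {
		free(f);
		return NULL;
	}
	memcpy(f->data + off, data, size);
	return f;
}

/* Builds a constructed zero-filled fragment of `size` bytes and runs it through
 * the checked path. Returns 1 when accepted, 0 when rejected. */
static int try_add(unsigned rec, unsigned num, size_t size)
{
	uint8_t *buf = calloc(size, 1);       /* constructed fragment payload */
	if (!buf)
		return 0;
	struct frag *f = ldm_frag_add_checked(buf, size, rec, num);
	int ok = (f != NULL);
	free(f);
	free(buf);
	return ok;
}

int main(void)
{
	printf("rec=2 num=4 size=128: %s\n", try_add(2, 4, 128) ? "accepted" : "rejected");
	printf("rec=9 num=4 size=128: %s\n", try_add(9, 4, 128) ? "accepted" : "rejected");
	return 0;
}
```

The two checks are deliberately redundant: ldm_frag_write_fits rejects a header whose rec does not name one of the num slots, and the comparison against f->cap at the memcpy itself catches any future change to the offset formula that the first check was not updated for. Keeping the allocation size in the object is what makes the second check possible; the quoted code computes size*num once for kmalloc and never consults it again.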
