Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:
> > On 02/24/2011 03:59 AM, Josh Bressers wrote:
> > > ----- Original Message -----
> > > > The kernel automatically evaluates partition tables of storage
> > > > devices.  The code for evaluating LDM partitions (in
> > > > fs/partitions/ldm.c) contains a bug that allows to overflow the
> > > > kernel heap. It may be possible to escalate privileges by exploiting
> > > > this bug.
> > > >
> > > > (This bug is distinct from the LDM bug reported by Eugene Teo on
> > > > 2011-02-23.)
> > > >
> > > > This should affect both, 2.4 and 2.6 kernel. As a prerequisite,
> > > > CONFIG_LDM_PARTITION needs to be set.
> > >
> > > Can you point to a commit message or something else that is public?
> > > It's not clear how this differs from Eugene's request.
> >
> > As far as I can tell, it's not public yet. Timo will follow-up once his
> > patch is accepted.
>
> The advisory Timo posted mentioned ldm_frag_add() so it's public for all
> practical purposes at this point:
>
> static bool ldm_frag_add (const u8 *data, int size, struct list_head
> *frags)
> {
> ...
> f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
> if (!f) {
> ldm_crit ("Out of memory.");
> return false;
> }
> ...
> memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data,
> size);
> return true;
> }

I would still like something along the lines of a proposed patch. I believe
you folks (as you're much brighter than me), but I still don't quite grasp
the difference. I suspect there is enough public information for MITRE to
public a CVE though, so please use CVE-2011-1017.

Thanks.

-- 
    JB