oss-sec mailing list archives
Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables
From: Timo Warns <warns () pre-sense de>
Date: Sun, 05 Jun 2011 14:10:53 +0200
On 03.06.2011 08:47, Eugene Teo wrote:
On 02/25/2011 04:22 AM, Josh Bressers wrote:----- Original Message -----On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:On 02/24/2011 03:59 AM, Josh Bressers wrote:----- Original Message -----The kernel automatically evaluates partition tables of storage devices. The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains a bug that allows to overflow the kernel heap. It may be possible to escalate privileges by exploiting this bug.[...]I would still like something along the lines of a proposed patch. I believe you folks (as you're much brighter than me), but I still don't quite grasp the difference. I suspect there is enough public information for MITRE to public a CVE though, so please use CVE-2011-1017.It was reported that the fix for this is insufficient. I have assigned CVE-2011-2182 to this. See https://lkml.org/lkml/2011/5/6/407. Timo, can you please post the patch here once you have submitted it to lkml for review. Thanks.
Greg has posted the patch to LKML (http://lkml.org/lkml/2011/6/1/119). The patch: commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream. As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) is not sufficient. The original patch in commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted partition table") does not consider that, for subsequent fragments, previously allocated memory is used. [1] http://lkml.org/lkml/2011/5/6/407 Reported-by: Ben Hutchings <ben () decadent org uk> Signed-off-by: Timo Warns <warns () pre-sense de> Signed-off-by: Linus Torvalds <torvalds () linux-foundation org> Signed-off-by: Greg Kroah-Hartman <gregkh () suse de> --- fs/partitions/ldm.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/partitions/ldm.c +++ b/fs/partitions/ldm.c @@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data list_add_tail (&f->list, frags); found: + if (rec >= f->num) { + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); + return false; + } + if (f->map & (1 << rec)) { ldm_error ("Duplicate VBLK, part %d.", rec); f->map &= 0x7F; /* Mark the group as broken */
Current thread:
- Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables Timo Warns (Apr 12)
- <Possible follow-ups>
- Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables Eugene Teo (Jun 02)
- Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables Timo Warns (Jun 05)