oss-sec mailing list archives

Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables

From: Timo Warns <warns () pre-sense de>
Date: Sun, 05 Jun 2011 14:10:53 +0200

On 03.06.2011 08:47, Eugene Teo wrote:

On 02/25/2011 04:22 AM, Josh Bressers wrote:


----- Original Message -----

On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:

On 02/24/2011 03:59 AM, Josh Bressers wrote:

----- Original Message -----


The kernel automatically evaluates partition tables of storage
devices.  The code for evaluating LDM partitions (in
fs/partitions/ldm.c) contains a bug that allows to overflow the
kernel heap. It may be possible to escalate privileges by exploiting
this bug.

[...]

I would still like something along the lines of a proposed patch. I believe
you folks (as you're much brighter than me), but I still don't quite grasp
the difference. I suspect there is enough public information for MITRE to
public a CVE though, so please use CVE-2011-1017.


It was reported that the fix for this is insufficient. I have assigned
CVE-2011-2182 to this. See https://lkml.org/lkml/2011/5/6/407.

Timo, can you please post the patch here once you have submitted it to
lkml for review. Thanks.


Greg has posted the patch to LKML (http://lkml.org/lkml/2011/6/1/119).

The patch:

commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream.

As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer
overflow in ldm_frag_add) is not sufficient.  The original patch in
commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted
partition table") does not consider that, for subsequent fragments,
previously allocated memory is used.

[1] http://lkml.org/lkml/2011/5/6/407

Reported-by: Ben Hutchings <ben () decadent org uk>
Signed-off-by: Timo Warns <warns () pre-sense de>
Signed-off-by: Linus Torvalds <torvalds () linux-foundation org>
Signed-off-by: Greg Kroah-Hartman <gregkh () suse de>

---
 fs/partitions/ldm.c |    5 +++++
 1 file changed, 5 insertions(+)
--- a/fs/partitions/ldm.c
+++ b/fs/partitions/ldm.c
@@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data

        list_add_tail (&f->list, frags);
 found:
+       if (rec >= f->num) {
+               ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);
+               return false;
+       }
+
        if (f->map & (1 << rec)) {
                ldm_error ("Duplicate VBLK, part %d.", rec);
                f->map &= 0x7F;                 /* Mark the group as broken */

Current thread:

Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables Timo Warns (Apr 12)
- <Possible follow-ups>
- Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables Eugene Teo (Jun 02)
  - Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables Timo Warns (Jun 05)