Re: CVE Request: Stability fixes in UDF Logical Volume Descriptor handling

[Marcus Meissner <meissner () suse de>]

On Wed, Jul 04, 2012 at 02:51:15PM -0600, Kurt Seifried wrote:
> On 07/03/2012 02:46 PM, Timo Warns wrote:
> > Am 03.07.2012 20:58, schrieb Kurt Seifried:
> > > On 07/03/2012 07:22 AM, Marcus Meissner wrote:
> > >
> > > > People (do not know who) reported to the kernel security team
> > > > and Jan Kara some UDF filesystem crashes.
> > >
> > > > Jan Kara did some fixes in the UDF fs and they were committed
> > > > to mainline already, both actual bugfixes and some more sanity
> > > >  checking for hardening.
> > > >
> > > > I think a single CVE is sufficient.
> > >
> > > Were they discovered by the same person or different people?
> >
> > I reported the following issue for sparing tables on 2012-06-17 to 
> > security () kernel org. Eugene Teo informed Jan Kara, who is the
> > maintainer for the UDF filesystem, on the same day. Jan had a
> > closer look at the UDF code and identified all other issues
> > addressed by the patches.
> >
> > | udf_load_logicalvol() in fs/udf/super.c parses the number of
> > sparing | tables and stores the sparing tables on the heap: | |
> > (1286)  for (j = 0; j < spm->numSparingTables; j++) { | [...] |
> > (1293)    map->s_type_specific.s_sparing. | (1294)
> > s_spar_map[j] = bh2; | | map is of type udf_part_map, whose |
> > s_type_specific.s_sparing.s_spar_map | member can only hold 4
> > pointers to buffer_head structs. | | spm->numSparingTables is read
> > from the file system and not further | validated. A corrupted file
> > system with numSparingTables > 4 causes | a heap overflow.
> >
> > Regards, Timo
>
> Just a placeholder: I'm waiting for a reply from Steve to see if we
> can violate CVE assignment guidelines and put this under one CVE (it
> should probably be two but sorting it out seems like it might not be
> worthwhile).

Unclear ... 

1 reporter
1 developer fixing this bug and making stability fixes on the side

Might just be 1 issue.

CIao, Marcus