Re: CVE Request: Stability fixes in UDF Logical Volume Descriptor handling

[Timo Warns <warns () pre-sense de>]

Am 03.07.2012 20:58, schrieb Kurt Seifried:
> On 07/03/2012 07:22 AM, Marcus Meissner wrote:
>
> > People (do not know who) reported to the kernel security team and
> > Jan Kara some UDF filesystem crashes.
>
> > Jan Kara did some fixes in the UDF fs and they were committed to
> > mainline already, both actual bugfixes and some more sanity 
> > checking for hardening.
> >
> > I think a single CVE is sufficient.
>
> Were they discovered by the same person or different people?

I reported the following issue for sparing tables on 2012-06-17 to
security () kernel org. Eugene Teo informed Jan Kara, who is the maintainer
for the UDF filesystem, on the same day. Jan had a closer look at the
UDF code and identified all other issues addressed by the patches.

| udf_load_logicalvol() in fs/udf/super.c parses the number of sparing
| tables and stores the sparing tables on the heap:
|
| (1286)  for (j = 0; j < spm->numSparingTables; j++) {
| [...]
| (1293)    map->s_type_specific.s_sparing.
| (1294)            s_spar_map[j] = bh2;
|
| map is of type udf_part_map, whose
| s_type_specific.s_sparing.s_spar_map
| member can only hold 4 pointers to buffer_head structs.
|
| spm->numSparingTables is read from the file system and not further
| validated. A corrupted file system with numSparingTables > 4 causes
| a heap overflow.

Regards, Timo