From: Ben Hutchings <ben@decadent.org.uk>
To: Timo Warns <warns@pre-sense.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
Eugene Teo <eugeneteo@kernel.sg>,
Richard Russon <rich@flatcap.org>,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
stable-review@kernel.org, alan@lxorguk.ukuu.org.uk,
Harvey Harrison <harvey.harrison@gmail.com>,
Greg KH <gregkh@suse.de>
Subject: Re: [Stable-review] [patch 35/38] fs/partitions/ldm.c: fix oops caused by corrupted partition table
Date: Sat, 07 May 2011 03:24:11 +0100 [thread overview]
Message-ID: <1304735051.3203.87.camel@localhost> (raw)
In-Reply-To: <20110506001210.724927797@clark.kroah.org>
[-- Attachment #1: Type: text/plain, Size: 3184 bytes --]
On Thu, 2011-05-05 at 17:11 -0700, Greg KH wrote:
> 2.6.38-stable review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Timo Warns <Warns@pre-sense.de>
>
> commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
>
> The patch validates the value of vblk_size.
I don't think this actually fixes the vulnerability, and I don't think
this code works at all.
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> fs/partitions/ldm.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
>
> BUG_ON (!data || !frags);
>
> + if (size < 2 * VBLK_SIZE_HEAD) {
> + ldm_error("Value of size is to small.");
> + return false;
> + }
> +
> group = get_unaligned_be32(data + 0x08);
> rec = get_unaligned_be16(data + 0x0C);
> num = get_unaligned_be16(data + 0x0E);
> @@ -1306,6 +1311,10 @@ static bool ldm_frag_add (const u8 *data
> ldm_error ("A VBLK claims to have %d parts.", num);
> return false;
> }
> + if (rec >= num) {
> + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> + return false;
> + }
This is fine for the first fragment we find, when we allocate memory
based on 'num'. However, when we add another fragment, we need to
compare with f->num. So there still seems to be the possibility of a
buffer overflow.
> list_for_each (item, frags) {
> f = list_entry (item, struct frag, list);
> @@ -1334,10 +1343,9 @@ found:
>
> f->map |= (1 << rec);
>
> - if (num > 0) {
> - data += VBLK_SIZE_HEAD;
> - size -= VBLK_SIZE_HEAD;
> - }
> + data += VBLK_SIZE_HEAD;
> + size -= VBLK_SIZE_HEAD;
> +
>
> memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>
> return true;
The offset used for the destination means that the first VBLK_SIZE_HEAD
bytes of f->data are never initialised!
I suspect (without any knowledge of LDM) that the intent was to use the
header from the first fragment and drop it from the subsequent
fragments, like this:
if (rec == 0)
memcpy(f->data, data, VBLK_SIZE_HEAD);
data += VBLK_SIZE_HEAD;
size -= VBLK_SIZE_HEAD;
memcpy(f->data + VBLK_SIZE_HEAD + rec * size, data, size);
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
next prev parent reply other threads:[~2011-05-07 2:24 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-06 0:12 [patch 00/38] 2.6.38.6-stable review Greg KH
2011-05-06 0:10 ` [patch 01/38] [SCSI] pmcraid: reject negative request size Greg KH
2011-05-06 0:10 ` [patch 02/38] [SCSI] mpt2sas: prevent heap overflows and unchecked reads Greg KH
2011-05-06 0:10 ` [patch 03/38] [SCSI] scsi_dh: fix reference counting in scsi_dh_activate error path Greg KH
2011-05-06 0:10 ` [patch 04/38] [SCSI] put stricter guards on queue dead checks Greg KH
2011-05-06 14:54 ` Jim Schutt
2011-05-06 16:17 ` [stable] " Greg KH
2011-05-06 16:33 ` James Bottomley
2011-05-07 8:46 ` [Stable-review] " Chuck Ebbert
2011-05-09 20:43 ` [stable] [Stable-review] " Greg KH
2011-05-06 0:10 ` [patch 05/38] ALSA: HDA: Fix automute for Gateway NV79 Greg KH
2011-05-06 0:10 ` [patch 06/38] Revert "ALSA: hda - Fix pin-config of Gigabyte mobo" Greg KH
2011-05-06 0:10 ` [patch 07/38] ALSA: hda - Fix Realteks chained fixup checks Greg KH
2011-05-06 0:10 ` [patch 08/38] i2c-parport: Fix adapter list handling Greg KH
2011-05-06 0:10 ` [patch 09/38] workqueue: fix deadlock in worker_maybe_bind_and_lock() Greg KH
2011-05-06 0:10 ` [patch 10/38] iwlwifi: fix skb usage after free Greg KH
2011-05-06 0:10 ` [patch 11/38] iwlagn: fix "Received BA when not expected" Greg KH
2011-05-06 0:10 ` [patch 12/38] atl1c: Fix work event interrupt/task races Greg KH
2011-05-06 0:10 ` [patch 13/38] UBIFS: do not free write-buffers when in R/O mode Greg KH
2011-05-06 0:10 ` [patch 14/38] UBIFS: seek journal heads to the latest bud in replay Greg KH
2011-05-06 0:10 ` [patch 15/38] mmc: fix a race between card-detect rescan and clock-gate work instances Greg KH
2011-05-06 0:10 ` [patch 16/38] mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot() Greg KH
2011-05-06 0:10 ` [patch 17/38] mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish Greg KH
2011-05-06 0:10 ` [patch 18/38] mmc: sdhci: Check mrq != NULL " Greg KH
2011-05-06 0:10 ` [patch 19/38] drm/radeon: fix regression on atom cards with hardcoded EDID record Greg KH
2011-05-06 0:10 ` [patch 20/38] USB: fix regression in usbip by setting has_tt flag Greg KH
2011-05-06 0:10 ` [patch 21/38] firewire: Fix for broken configrom updates in quick succession Greg KH
2011-05-06 0:10 ` [patch 22/38] usbnet: add support for some Huawei modems with cdc-ether ports Greg KH
2011-05-06 0:10 ` [patch 23/38] [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev Greg KH
2011-05-06 0:10 ` [patch 24/38] [media] imon: add conditional locking in change_protocol Greg KH
2011-05-06 0:10 ` [patch 25/38] flex_array: flex_array_prealloc takes a number of elements, not an end Greg KH
2011-05-06 0:10 ` [patch 26/38] flex_arrays: allow zero length flex arrays Greg KH
2011-05-06 0:10 ` [patch 27/38] x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors Greg KH
2011-05-06 0:11 ` [patch 28/38] ath9k: fix the return value of ath_stoprecv Greg KH
2011-05-06 0:11 ` [patch 29/38] mac80211: fix SMPS debugfs locking Greg KH
2011-05-06 0:11 ` [patch 30/38] af_unix: Only allow recv on connected seqpacket sockets Greg KH
2011-05-06 0:11 ` [patch 31/38] ARM: 6891/1: prevent heap corruption in OABI semtimedop Greg KH
2011-05-07 1:49 ` [Stable-review] " Ben Hutchings
2011-05-09 20:09 ` Jesper Juhl
2011-05-09 21:07 ` Ben Hutchings
2011-05-06 0:11 ` [patch 32/38] XZ decompressor: Fix decoding of empty LZMA2 streams Greg KH
2011-05-06 0:11 ` [patch 33/38] Open with O_CREAT flag set fails to open existing files on non writable directories Greg KH
2011-05-06 0:11 ` [patch 34/38] can: Add missing socket check in can/bcm release Greg KH
2011-05-06 7:16 ` [Stable-review] " Chuck Ebbert
2011-05-06 7:24 ` David Miller
2011-05-09 20:41 ` [stable] " Greg KH
2011-05-06 0:11 ` [patch 35/38] fs/partitions/ldm.c: fix oops caused by corrupted partition table Greg KH
2011-05-07 2:24 ` Ben Hutchings [this message]
2011-05-09 15:13 ` [Stable-review] " Timo Warns
2011-05-06 0:11 ` [patch 36/38] [media] cx88: Fix HVR4000 IR keymap Greg KH
2011-05-06 0:11 ` [patch 37/38] KVM: SVM: check for progress after IRET interception Greg KH
2011-05-06 0:11 ` [patch 38/38] drm/radeon/kms: add some new pci ids Greg KH
2011-05-09 16:38 ` [stable] [patch 00/38] 2.6.38.6-stable review Chuck Ebbert
2011-05-09 20:44 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1304735051.3203.87.camel@localhost \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=eugeneteo@kernel.sg \
--cc=gregkh@suse.de \
--cc=harvey.harrison@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rich@flatcap.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=warns@pre-sense.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.