From: Ben Hutchings <ben@decadent.org.uk>
To: Timo Warns <warns@pre-sense.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
Eugene Teo <eugeneteo@kernel.sg>,
Richard Russon <rich@flatcap.org>,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
stable-review@kernel.org, alan@lxorguk.ukuu.org.uk,
Harvey Harrison <harvey.harrison@gmail.com>,
Greg KH <gregkh@suse.de>
Subject: Re: [Stable-review] [patch 35/38] fs/partitions/ldm.c: fix oops caused by corrupted partition table
Date: Sat, 07 May 2011 03:24:11 +0100 [thread overview]
Message-ID: <1304735051.3203.87.camel@localhost> (raw)
In-Reply-To: <20110506001210.724927797@clark.kroah.org>
[-- Attachment #1: Type: text/plain, Size: 3184 bytes --]
On Thu, 2011-05-05 at 17:11 -0700, Greg KH wrote:
> 2.6.38-stable review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Timo Warns <Warns@pre-sense.de>
>
> commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
>
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
>
> The patch validates the value of vblk_size.
I don't think this actually fixes the vulnerability, and I don't think
this code works at all.
> [akpm@linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: Eugene Teo <eugeneteo@kernel.sg>
> Cc: Harvey Harrison <harvey.harrison@gmail.com>
> Cc: Richard Russon <rich@flatcap.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> fs/partitions/ldm.c | 16 ++++++++++++----
> 1 file changed, 12 insertions(+), 4 deletions(-)
>
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1299,6 +1299,11 @@ static bool ldm_frag_add (const u8 *data
>
> BUG_ON (!data || !frags);
>
> + if (size < 2 * VBLK_SIZE_HEAD) {
> + ldm_error("Value of size is to small.");
> + return false;
> + }
> +
> group = get_unaligned_be32(data + 0x08);
> rec = get_unaligned_be16(data + 0x0C);
> num = get_unaligned_be16(data + 0x0E);
> @@ -1306,6 +1311,10 @@ static bool ldm_frag_add (const u8 *data
> ldm_error ("A VBLK claims to have %d parts.", num);
> return false;
> }
> + if (rec >= num) {
> + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> + return false;
> + }
This is fine for the first fragment we find, when we allocate memory
based on 'num'. However, when we add another fragment, we need to
compare with f->num. So there still seems to be the possibility of a
buffer overflow.
> list_for_each (item, frags) {
> f = list_entry (item, struct frag, list);
> @@ -1334,10 +1343,9 @@ found:
>
> f->map |= (1 << rec);
>
> - if (num > 0) {
> - data += VBLK_SIZE_HEAD;
> - size -= VBLK_SIZE_HEAD;
> - }
> + data += VBLK_SIZE_HEAD;
> + size -= VBLK_SIZE_HEAD;
> +
>
> memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>
> return true;
The offset used for the destination means that the first VBLK_SIZE_HEAD
bytes of f->data are never initialised!
I suspect (without any knowledge of LDM) that the intent was to use the
header from the first fragment and drop it from the subsequent
fragments, like this:
if (rec == 0)
memcpy(f->data, data, VBLK_SIZE_HEAD);
data += VBLK_SIZE_HEAD;
size -= VBLK_SIZE_HEAD;
memcpy(f->data + VBLK_SIZE_HEAD + rec * size, data, size);
Ben.
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]
next prev parent reply other threads:[~2011-05-07 2:24 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-06 0:12 [patch 00/38] 2.6.38.6-stable review Greg KH
2011-05-06 0:10 ` [patch 01/38] [SCSI] pmcraid: reject negative request size Greg KH
2011-05-06 0:10 ` [patch 02/38] [SCSI] mpt2sas: prevent heap overflows and unchecked reads Greg KH
2011-05-06 0:10 ` [patch 03/38] [SCSI] scsi_dh: fix reference counting in scsi_dh_activate error path Greg KH
2011-05-06 0:10 ` [patch 04/38] [SCSI] put stricter guards on queue dead checks Greg KH
2011-05-06 14:54 ` Jim Schutt
2011-05-06 16:17 ` [stable] " Greg KH
2011-05-06 16:33 ` James Bottomley
2011-05-07 8:46 ` [Stable-review] " Chuck Ebbert
2011-05-09 20:43 ` [stable] [Stable-review] " Greg KH
2011-05-06 0:10 ` [patch 05/38] ALSA: HDA: Fix automute for Gateway NV79 Greg KH
2011-05-06 0:10 ` [patch 06/38] Revert "ALSA: hda - Fix pin-config of Gigabyte mobo" Greg KH
2011-05-06 0:10 ` [patch 07/38] ALSA: hda - Fix Realteks chained fixup checks Greg KH
2011-05-06 0:10 ` [patch 08/38] i2c-parport: Fix adapter list handling Greg KH
2011-05-06 0:10 ` [patch 09/38] workqueue: fix deadlock in worker_maybe_bind_and_lock() Greg KH
2011-05-06 0:10 ` [patch 10/38] iwlwifi: fix skb usage after free Greg KH
2011-05-06 0:10 ` [patch 11/38] iwlagn: fix "Received BA when not expected" Greg KH
2011-05-06 0:10 ` [patch 12/38] atl1c: Fix work event interrupt/task races Greg KH
2011-05-06 0:10 ` [patch 13/38] UBIFS: do not free write-buffers when in R/O mode Greg KH
2011-05-06 0:10 ` [patch 14/38] UBIFS: seek journal heads to the latest bud in replay Greg KH
2011-05-06 0:10 ` [patch 15/38] mmc: fix a race between card-detect rescan and clock-gate work instances Greg KH
2011-05-06 0:10 ` [patch 16/38] mmc: sdhci-pci: Fix error case in sdhci_pci_probe_slot() Greg KH
2011-05-06 0:10 ` [patch 17/38] mmc: sdhci: Check mrq->cmd in sdhci_tasklet_finish Greg KH
2011-05-06 0:10 ` [patch 18/38] mmc: sdhci: Check mrq != NULL " Greg KH
2011-05-06 0:10 ` [patch 19/38] drm/radeon: fix regression on atom cards with hardcoded EDID record Greg KH
2011-05-06 0:10 ` [patch 20/38] USB: fix regression in usbip by setting has_tt flag Greg KH
2011-05-06 0:10 ` [patch 21/38] firewire: Fix for broken configrom updates in quick succession Greg KH
2011-05-06 0:10 ` [patch 22/38] usbnet: add support for some Huawei modems with cdc-ether ports Greg KH
2011-05-06 0:10 ` [patch 23/38] [media] v4l: make sure drivers supply a zeroed struct v4l2_subdev Greg KH
2011-05-06 0:10 ` [patch 24/38] [media] imon: add conditional locking in change_protocol Greg KH
2011-05-06 0:10 ` [patch 25/38] flex_array: flex_array_prealloc takes a number of elements, not an end Greg KH
2011-05-06 0:10 ` [patch 26/38] flex_arrays: allow zero length flex arrays Greg KH
2011-05-06 0:10 ` [patch 27/38] x86, AMD: Fix APIC timer erratum 400 affecting K8 Rev.A-E processors Greg KH
2011-05-06 0:11 ` [patch 28/38] ath9k: fix the return value of ath_stoprecv Greg KH
2011-05-06 0:11 ` [patch 29/38] mac80211: fix SMPS debugfs locking Greg KH
2011-05-06 0:11 ` [patch 30/38] af_unix: Only allow recv on connected seqpacket sockets Greg KH
2011-05-06 0:11 ` [patch 31/38] ARM: 6891/1: prevent heap corruption in OABI semtimedop Greg KH
2011-05-07 1:49 ` [Stable-review] " Ben Hutchings
2011-05-09 20:09 ` Jesper Juhl
2011-05-09 21:07 ` Ben Hutchings
2011-05-06 0:11 ` [patch 32/38] XZ decompressor: Fix decoding of empty LZMA2 streams Greg KH
2011-05-06 0:11 ` [patch 33/38] Open with O_CREAT flag set fails to open existing files on non writable directories Greg KH
2011-05-06 0:11 ` [patch 34/38] can: Add missing socket check in can/bcm release Greg KH
2011-05-06 7:16 ` [Stable-review] " Chuck Ebbert
2011-05-06 7:24 ` David Miller
2011-05-09 20:41 ` [stable] " Greg KH
2011-05-06 0:11 ` [patch 35/38] fs/partitions/ldm.c: fix oops caused by corrupted partition table Greg KH
2011-05-07 2:24 ` Ben Hutchings [this message]
2011-05-09 15:13 ` [Stable-review] " Timo Warns
2011-05-06 0:11 ` [patch 36/38] [media] cx88: Fix HVR4000 IR keymap Greg KH
2011-05-06 0:11 ` [patch 37/38] KVM: SVM: check for progress after IRET interception Greg KH
2011-05-06 0:11 ` [patch 38/38] drm/radeon/kms: add some new pci ids Greg KH
2011-05-09 16:38 ` [stable] [patch 00/38] 2.6.38.6-stable review Chuck Ebbert
2011-05-09 20:44 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1304735051.3203.87.camel@localhost \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=eugeneteo@kernel.sg \
--cc=gregkh@suse.de \
--cc=harvey.harrison@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rich@flatcap.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=warns@pre-sense.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).