[kernel] r17197 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Apr 4 02:12:46 UTC 2011


Author: dannf
Date: Mon Apr  4 02:12:42 2011
New Revision: 17197

Log:
Fix corrupted OSF partition table parsing (CVE-2011-1163)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
      - copied unchanged from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 02:10:35 2011	(r17196)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Apr  4 02:12:42 2011	(r17197)
@@ -12,6 +12,7 @@
   * nfs4: Ensure that ACL pages sent over NFS were not allocated from the slab
     (CVE-2011-1090)
   * dccp: fix oops on Reset after close (CVE-2011-1093)
+  * Fix corrupted OSF partition table parsing (CVE-2011-1163)
 
  -- dann frazier <dannf at debian.org>  Wed, 30 Mar 2011 22:46:26 -0600
 

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch	Mon Apr  4 02:12:42 2011	(r17197, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch)
@@ -0,0 +1,68 @@
+commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
+Author: Timo Warns <Warns at pre-sense.de>
+Date:   Mon Mar 14 14:59:33 2011 +0100
+
+    Fix corrupted OSF partition table parsing
+    
+    The kernel automatically evaluates partition tables of storage devices.
+    The code for evaluating OSF partitions contains a bug that leaks data
+    from kernel heap memory to userspace for certain corrupted OSF
+    partitions.
+    
+    In more detail:
+    
+      for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
+    
+    iterates from 0 to d_npartitions - 1, where d_npartitions is read from
+    the partition table without validation and partition is a pointer to an
+    array of at most 8 d_partitions.
+    
+    Add the proper and obvious validation.
+    
+    Signed-off-by: Timo Warns <warns at pre-sense.de>
+    Cc: stable at kernel.org
+    [ Changed the patch trivially to not repeat the whole le16_to_cpu()
+      thing, and to use an explicit constant for the magic value '8' ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/osf.c linux-source-2.6.32/fs/partitions/osf.c
+--- linux-source-2.6.32.orig/fs/partitions/osf.c	2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/fs/partitions/osf.c	2011-03-22 23:27:01.507715211 -0600
+@@ -10,10 +10,13 @@
+ #include "check.h"
+ #include "osf.h"
+ 
++#define MAX_OSF_PARTITIONS 8
++
+ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
+ 	int i;
+ 	int slot = 1;
++	unsigned int npartitions;
+ 	Sector sect;
+ 	unsigned char *data;
+ 	struct disklabel {
+@@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitio
+ 			u8  p_fstype;
+ 			u8  p_frag;
+ 			__le16 p_cpg;
+-		} d_partitions[8];
++		} d_partitions[MAX_OSF_PARTITIONS];
+ 	} * label;
+ 	struct d_partition * partition;
+ 
+@@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitio
+ 		put_dev_sector(sect);
+ 		return 0;
+ 	}
+-	for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
++	npartitions = le16_to_cpu(label->d_npartitions);
++	if (npartitions > MAX_OSF_PARTITIONS) {
++		put_dev_sector(sect);
++		return 0;
++	}
++	for (i = 0 ; i < npartitions; i++, partition++) {
+ 		if (slot == state->limit)
+ 		        break;
+ 		if (le32_to_cpu(partition->p_size))
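Review bot: In the new `if (npartitions > MAX_OSF_PARTITIONS)` branch, the function returns 0 with no message, so a label that reaches this point but declares more than 8 entries is handled exactly like a disk with no OSF label at all. A one-line warning before `put_dev_sector(sect);` that names the rejected count would let an administrator tell a refused label from a missing one. Separately, `i` stays `int` while `npartitions` is `unsigned int`; that is harmless once the bound holds, but making `i` unsigned avoids the mixed-sign comparison in `i < npartitions`.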

Copied: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch (from r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch	Mon Apr  4 02:12:42 2011	(r17197, copy of r17187, dists/squeeze/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch)
@@ -0,0 +1,33 @@
+commit 34d211a2d5df4984a35b18d8ccacbe1d10abb067
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date:   Wed Mar 16 08:04:07 2011 -0700
+
+    Increase OSF partition limit from 8 to 18
+    
+    It turns out that while a maximum of 8 partitions may be what people
+    "should" have had, you can actually fit up to 18 entries(*) in a sector.
+    
+    And some people clearly were taking advantage of that, like Michael
+    Cree, who had ten partitions on one of his OSF disks.
+    
+    (*) The OSF partition data starts at byte offset 64 in the first sector,
+        and the array of 16-byte partition entries start at offset 148 in
+        the on-disk partition structure.
+    
+    Reported-by: Michael Cree <mcree at orcon.net.nz>
+    Cc: stable at kernel.org (v2.6.38)
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/osf.c linux-source-2.6.32/fs/partitions/osf.c
+--- linux-source-2.6.32.orig/fs/partitions/osf.c	2011-03-22 23:27:01.507715211 -0600
++++ linux-source-2.6.32/fs/partitions/osf.c	2011-03-22 23:30:09.964362350 -0600
+@@ -10,7 +10,7 @@
+ #include "check.h"
+ #include "osf.h"
+ 
+-#define MAX_OSF_PARTITIONS 8
++#define MAX_OSF_PARTITIONS 18
+ 
+ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
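Review bot: The value 18 in `#define MAX_OSF_PARTITIONS 18` is justified only in the commit message (label at byte offset 64, entries at offset 148, 16 bytes each); nothing in the code ties it to the size of a sector. This constant both sizes `d_partitions[]` and bounds the loop over data read from the sector, so a comment beside the define carrying that arithmetic (64 + 148 + 18 * 16 = 500 bytes), or a compile-time size check on the label structure, would keep a later increase from letting the loop read past the sector buffer.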

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 02:10:35 2011	(r17196)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Apr  4 02:12:42 2011	(r17197)
@@ -10,3 +10,5 @@
 + bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab.patch
 + bugfix/all/nfs4-ensure-that-acl-pages-sent-over-nfs-were-not-allocated-from-the-slab-compilation-warning.patch
 + bugfix/all/dccp-fix-oops-on-Reset-after-close.patch
++ bugfix/all/fix-corrupted-osf-partition-parsing.patch
++ bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
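Review bot: The second added line, `bugfix/all/increase-osf-partition-limit-from-8-to-18.patch`, has no matching debian/changelog entry in this revision; the changelog hunk adds only "Fix corrupted OSF partition table parsing (CVE-2011-1163)". Because that patch changes which labels are accepted (up to 18 entries instead of 8), it deserves its own changelog line or a mention under the CVE entry. The ordering here is correct and has to stay that way: the second patch edits the `#define MAX_OSF_PARTITIONS 8` line that the first one introduces.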


