[kernel] r17616 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Mon Jun 6 03:39:08 UTC 2011 

Author: dannf
Date: Mon Jun  6 03:39:07 2011
New Revision: 17616

Log:
efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 03:31:36 2011	(r17615)
+++ dists/lenny-security/linux-2.6/debian/changelog	Mon Jun  6 03:39:07 2011	(r17616)
@@ -44,6 +44,7 @@
   * fs/partitions/ldm.c: fix oops caused by corrupted partition table
     (CVE-2011-1017)
   * Improve fix for buffer overflow in ldm_frag_add (CVE-2011-2182)
+  * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch	Mon Jun  6 03:39:07 2011	(r17616)
@@ -0,0 +1,54 @@
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
+Author: Timo Warns <Warns at pre-sense.de>
+Date:   Thu May 26 16:25:57 2011 -0700
+
+    fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
+    
+    The kernel automatically evaluates partition tables of storage devices.
+    The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+    a bug that causes a kernel oops on certain corrupted GUID partition
+    tables.
+    
+    This bug has security impacts, because it allows, for example, to
+    prepare a storage device that crashes a kernel subsystem upon connecting
+    the device (e.g., a "USB Stick of (Partial) Death").
+    
+    	crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+    
+    computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+    There is no validation of (*gpt)->header_size before the efi_crc32 call.
+    
+    A corrupted partition table may have large values for (*gpt)->header_size.
+     In this case, the CRC32 computation access memory beyond the memory
+    allocated for gpt, which may cause a kernel heap overflow.
+    
+    Validate value of GUID partition table header size.
+    
+    [akpm at linux-foundation.org: fix layout and indenting]
+    Signed-off-by: Timo Warns <warns at pre-sense.de>
+    Cc: Matt Domsch <Matt_Domsch at dell.com>
+    Cc: Eugene Teo <eugeneteo at kernel.sg>
+    Cc: Dave Jones <davej at codemonkey.org.uk>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
+index 19d6750..6296b40 100644
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -310,6 +310,15 @@ static int is_gpt_valid(struct parsed_partitions *state, u64 lba,
+ 		goto fail;
+ 	}
+ 
++	/* Check the GUID Partition Table header size */
++	if (le32_to_cpu((*gpt)->header_size) >
++			bdev_logical_block_size(state->bdev)) {
++		pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++			le32_to_cpu((*gpt)->header_size),
++			bdev_logical_block_size(state->bdev));
++		goto fail;
++	}
++
+ 	/* Check the GUID Partition Table CRC */
+ 	origcrc = le32_to_cpu((*gpt)->header_crc32);
+ 	(*gpt)->header_crc32 = 0;

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 03:31:36 2011	(r17615)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Mon Jun  6 03:39:07 2011	(r17616)
@@ -41,3 +41,4 @@
 + bugfix/all/validate-size-of-efi-guid-partition-entries.patch
 + bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch
 + bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch
++ bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch

More information about the Kernel-svn-changes mailing list