[kernel] r17616 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Mon Jun 6 03:39:08 UTC 2011
Author: dannf
Date: Mon Jun 6 03:39:07 2011
New Revision: 17616
Log:
efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
Added:
dists/lenny-security/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
Modified:
dists/lenny-security/linux-2.6/debian/changelog
dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog Mon Jun 6 03:31:36 2011 (r17615)
+++ dists/lenny-security/linux-2.6/debian/changelog Mon Jun 6 03:39:07 2011 (r17616)
@@ -44,6 +44,7 @@
* fs/partitions/ldm.c: fix oops caused by corrupted partition table
(CVE-2011-1017)
* Improve fix for buffer overflow in ldm_frag_add (CVE-2011-2182)
+ * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
[ Ben Hutchings ]
* [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)
Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch Mon Jun 6 03:39:07 2011 (r17616)
@@ -0,0 +1,54 @@
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Thu May 26 16:25:57 2011 -0700
+
+ fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+ a bug that causes a kernel oops on certain corrupted GUID partition
+ tables.
+
+ This bug has security impacts, because it allows, for example, to
+ prepare a storage device that crashes a kernel subsystem upon connecting
+ the device (e.g., a "USB Stick of (Partial) Death").
+
+ crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+
+ computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+ There is no validation of (*gpt)->header_size before the efi_crc32 call.
+
+ A corrupted partition table may have large values for (*gpt)->header_size.
+ In this case, the CRC32 computation access memory beyond the memory
+ allocated for gpt, which may cause a kernel heap overflow.
+
+ Validate value of GUID partition table header size.
+
+ [akpm at linux-foundation.org: fix layout and indenting]
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: Matt Domsch <Matt_Domsch at dell.com>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Cc: Dave Jones <davej at codemonkey.org.uk>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
+index 19d6750..6296b40 100644
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -310,6 +310,15 @@ static int is_gpt_valid(struct parsed_partitions *state, u64 lba,
+ goto fail;
+ }
+
++ /* Check the GUID Partition Table header size */
++ if (le32_to_cpu((*gpt)->header_size) >
++ bdev_logical_block_size(state->bdev)) {
++ pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++ le32_to_cpu((*gpt)->header_size),
++ bdev_logical_block_size(state->bdev));
++ goto fail;
++ }
++
+ /* Check the GUID Partition Table CRC */
+ origcrc = le32_to_cpu((*gpt)->header_crc32);
+ (*gpt)->header_crc32 = 0;
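Review bot: The new check in is_gpt_valid() bounds header_size only from above, by bdev_logical_block_size(state->bdev), and nothing in the hunk shows how large the gpt buffer actually is. The commit message's concern is efi_crc32() reading past the memory allocated for gpt, so this bound is sufficient only if that buffer is at least one logical block long. For this backport, confirm that against the allocation in the target tree, and compare against the allocated size instead if the buffer is smaller. No lower bound is visible either, so a header_size smaller than the header structure still reaches the CRC step; consider rejecting that too. The rejection is reported with pr_debug(), which is usually compiled out unless DEBUG or dynamic debug is enabled, so a device refused on this path leaves no log trace; a rate-limited warning would make triage easier.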
Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Jun 6 03:31:36 2011 (r17615)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3 Mon Jun 6 03:39:07 2011 (r17616)
@@ -41,3 +41,4 @@
+ bugfix/all/validate-size-of-efi-guid-partition-entries.patch
+ bugfix/all/partitions-ldm-fix-oops-caused-by-corrupted-partition-table.patch
+ bugfix/all/fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch
++ bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch