[kernel] r17643 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Sat Jun 11 14:22:54 UTC 2011
Author: dannf
Date: Sat Jun 11 14:22:53 2011
New Revision: 17643
Log:
efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/35
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Fri Jun 10 03:47:28 2011 (r17642)
+++ dists/squeeze/linux-2.6/debian/changelog Sat Jun 11 14:22:53 2011 (r17643)
@@ -34,6 +34,9 @@
[ Ian Campbell ]
* Remove lazy vunmap for non-Xen flavours too. (Closes: #613634)
+ [ dann frazier ]
+ * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
+
-- Ben Hutchings <ben at decadent.org.uk> Wed, 04 May 2011 01:44:34 +0100
linux-2.6 (2.6.32-34squeeze1) stable-security; urgency=high
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch Sat Jun 11 14:22:53 2011 (r17643)
@@ -0,0 +1,55 @@
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Thu May 26 16:25:57 2011 -0700
+
+ fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+ a bug that causes a kernel oops on certain corrupted GUID partition
+ tables.
+
+ This bug has security impacts, because it allows, for example, to
+ prepare a storage device that crashes a kernel subsystem upon connecting
+ the device (e.g., a "USB Stick of (Partial) Death").
+
+ crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+
+ computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+ There is no validation of (*gpt)->header_size before the efi_crc32 call.
+
+ A corrupted partition table may have large values for (*gpt)->header_size.
+ In this case, the CRC32 computation access memory beyond the memory
+ allocated for gpt, which may cause a kernel heap overflow.
+
+ Validate value of GUID partition table header size.
+
+ [akpm at linux-foundation.org: fix layout and indenting]
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: Matt Domsch <Matt_Domsch at dell.com>
+ Cc: Eugene Teo <eugeneteo at kernel.sg>
+ Cc: Dave Jones <davej at codemonkey.org.uk>
+ Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
+index 19d6750..6296b40 100644
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -310,6 +310,15 @@ static int is_gpt_valid(struct block_device *bdev, u64 lba,gpt_he
+ goto fail;
+ }
+
++ /* Check the GUID Partition Table header size */
++ if (le32_to_cpu((*gpt)->header_size) >
++ bdev_logical_block_size(bdev)) {
++ pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++ le32_to_cpu((*gpt)->header_size),
++ bdev_logical_block_size(bdev));
++ goto fail;
++ }
++
+ /* Check the GUID Partition Table CRC */
+ origcrc = le32_to_cpu((*gpt)->header_crc32);
+ (*gpt)->header_crc32 = 0;
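Review bot: the new test in is_gpt_valid() bounds header_size only from above (le32_to_cpu((*gpt)->header_size) > bdev_logical_block_size(bdev)), so a corrupted header with a zero or very small header_size still passes and reaches the CRC step over a truncated range. That is not the out-of-bounds read the commit message describes, but it is the same unvalidated field; consider also rejecting values below the size of the header structure in this block. The upper bound is sufficient only if the buffer behind *gpt holds at least one logical block, which is not visible in this hunk, so a short comment stating that assumption would help the next backporter. The rejection is reported with pr_debug(), which is normally silent, so a rejected device leaves no log line by default; a rate-limited warning would be easier to triage.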
Modified: dists/squeeze/linux-2.6/debian/patches/series/35
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/35 Fri Jun 10 03:47:28 2011 (r17642)
+++ dists/squeeze/linux-2.6/debian/patches/series/35 Sat Jun 11 14:22:53 2011 (r17643)
@@ -263,3 +263,4 @@
+ bugfix/all/slub-Revert-PARISC-slub-fix-panic-with-DISCONTIGMEM.patch
+ bugfix/x86/x86-amd-do-not-enable-arat-feature-on-amd-processors-below.patch
++ bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch