[kernel] r17643 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Sat Jun 11 14:22:54 UTC 2011 

Author: dannf
Date: Sat Jun 11 14:22:53 2011
New Revision: 17643

Log:
efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/35

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Fri Jun 10 03:47:28 2011	(r17642)
+++ dists/squeeze/linux-2.6/debian/changelog	Sat Jun 11 14:22:53 2011	(r17643)
@@ -34,6 +34,9 @@
   [ Ian Campbell ]
   * Remove lazy vunmap for non-Xen flavours too. (Closes: #613634)
 
+  [ dann frazier ]
+  * efi: corrupted GUID partition tables can cause kernel oops (CVE-2011-1577)
+
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 04 May 2011 01:44:34 +0100
 
 linux-2.6 (2.6.32-34squeeze1) stable-security; urgency=high

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch	Sat Jun 11 14:22:53 2011	(r17643)
@@ -0,0 +1,55 @@
+commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde
+Author: Timo Warns <Warns at pre-sense.de>
+Date:   Thu May 26 16:25:57 2011 -0700
+
+    fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
+    
+    The kernel automatically evaluates partition tables of storage devices.
+    The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
+    a bug that causes a kernel oops on certain corrupted GUID partition
+    tables.
+    
+    This bug has security impacts, because it allows, for example, to
+    prepare a storage device that crashes a kernel subsystem upon connecting
+    the device (e.g., a "USB Stick of (Partial) Death").
+    
+    	crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
+    
+    computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
+    There is no validation of (*gpt)->header_size before the efi_crc32 call.
+    
+    A corrupted partition table may have large values for (*gpt)->header_size.
+     In this case, the CRC32 computation access memory beyond the memory
+    allocated for gpt, which may cause a kernel heap overflow.
+    
+    Validate value of GUID partition table header size.
+    
+    [akpm at linux-foundation.org: fix layout and indenting]
+    Signed-off-by: Timo Warns <warns at pre-sense.de>
+    Cc: Matt Domsch <Matt_Domsch at dell.com>
+    Cc: Eugene Teo <eugeneteo at kernel.sg>
+    Cc: Dave Jones <davej at codemonkey.org.uk>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: backported to Debian's 2.6.32]
+
+diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
+index 19d6750..6296b40 100644
+--- a/fs/partitions/efi.c
++++ b/fs/partitions/efi.c
+@@ -310,6 +310,15 @@ static int is_gpt_valid(struct block_device *bdev, u64 lba,gpt_he
+ 		goto fail;
+ 	}
+ 
++	/* Check the GUID Partition Table header size */
++	if (le32_to_cpu((*gpt)->header_size) >
++			bdev_logical_block_size(bdev)) {
++		pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
++			le32_to_cpu((*gpt)->header_size),
++			bdev_logical_block_size(bdev));
++		goto fail;
++	}
++
+ 	/* Check the GUID Partition Table CRC */
+ 	origcrc = le32_to_cpu((*gpt)->header_crc32);
+ 	(*gpt)->header_crc32 = 0;

Modified: dists/squeeze/linux-2.6/debian/patches/series/35
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/35	Fri Jun 10 03:47:28 2011	(r17642)
+++ dists/squeeze/linux-2.6/debian/patches/series/35	Sat Jun 11 14:22:53 2011	(r17643)
@@ -263,3 +263,4 @@
 
 + bugfix/all/slub-Revert-PARISC-slub-fix-panic-with-DISCONTIGMEM.patch
 + bugfix/x86/x86-amd-do-not-enable-arat-feature-on-amd-processors-below.patch
++ bugfix/all/efi-corrupted-GUID-partition-tables-can-cause-kernel-oops.patch

More information about the Kernel-svn-changes mailing list