[kernel] r17105 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Wed Mar 23 06:06:31 UTC 2011
Author: dannf
Date: Wed Mar 23 06:06:21 2011
New Revision: 17105
Log:
Fix corrupted OSF partition table parsing (CVE-2011-1163)
Added:
dists/squeeze/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch
dists/squeeze/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
Modified:
dists/squeeze/linux-2.6/debian/changelog
dists/squeeze/linux-2.6/debian/patches/series/32
Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog Wed Mar 23 05:37:30 2011 (r17104)
+++ dists/squeeze/linux-2.6/debian/changelog Wed Mar 23 06:06:21 2011 (r17105)
@@ -23,6 +23,9 @@
* r8169: Fix up backport of "r8169: keep firmware in memory."
(Closes: #619173)
+ [ dann frazier ]
+ * Fix corrupted OSF partition table parsing (CVE-2011-1163)
+
-- Ben Hutchings <ben at decadent.org.uk> Sat, 12 Mar 2011 20:20:58 +0000
linux-2.6 (2.6.32-31) stable; urgency=low
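Review bot: the new entry under `[ dann frazier ]` lists only the CVE-2011-1163 fix, while this revision also adds increase-osf-partition-limit-from-8-to-18.patch to the series. Add a second bullet for the limit increase so the changelog records that the accepted number of OSF partition entries goes from 8 to 18 in this revision.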
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/fix-corrupted-osf-partition-parsing.patch Wed Mar 23 06:06:21 2011 (r17105)
@@ -0,0 +1,68 @@
+commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
+Author: Timo Warns <Warns at pre-sense.de>
+Date: Mon Mar 14 14:59:33 2011 +0100
+
+ Fix corrupted OSF partition table parsing
+
+ The kernel automatically evaluates partition tables of storage devices.
+ The code for evaluating OSF partitions contains a bug that leaks data
+ from kernel heap memory to userspace for certain corrupted OSF
+ partitions.
+
+ In more detail:
+
+ for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
+
+ iterates from 0 to d_npartitions - 1, where d_npartitions is read from
+ the partition table without validation and partition is a pointer to an
+ array of at most 8 d_partitions.
+
+ Add the proper and obvious validation.
+
+ Signed-off-by: Timo Warns <warns at pre-sense.de>
+ Cc: stable at kernel.org
+ [ Changed the patch trivially to not repeat the whole le16_to_cpu()
+ thing, and to use an explicit constant for the magic value '8' ]
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/osf.c linux-source-2.6.32/fs/partitions/osf.c
+--- linux-source-2.6.32.orig/fs/partitions/osf.c 2009-12-02 20:51:21.000000000 -0700
++++ linux-source-2.6.32/fs/partitions/osf.c 2011-03-22 23:27:01.507715211 -0600
+@@ -10,10 +10,13 @@
+ #include "check.h"
+ #include "osf.h"
+
++#define MAX_OSF_PARTITIONS 8
++
+ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
+ int i;
+ int slot = 1;
++ unsigned int npartitions;
+ Sector sect;
+ unsigned char *data;
+ struct disklabel {
+@@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitio
+ u8 p_fstype;
+ u8 p_frag;
+ __le16 p_cpg;
+- } d_partitions[8];
++ } d_partitions[MAX_OSF_PARTITIONS];
+ } * label;
+ struct d_partition * partition;
+
+@@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitio
+ put_dev_sector(sect);
+ return 0;
+ }
+- for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
++ npartitions = le16_to_cpu(label->d_npartitions);
++ if (npartitions > MAX_OSF_PARTITIONS) {
++ put_dev_sector(sect);
++ return 0;
++ }
++ for (i = 0 ; i < npartitions; i++, partition++) {
+ if (slot == state->limit)
+ break;
+ if (le32_to_cpu(partition->p_size))
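Review bot: at the new `if (npartitions > MAX_OSF_PARTITIONS)` check in osf_partition(), an oversized count makes the function return 0 for the whole label instead of clamping the loop, so with the limit at 8 a label that declares more entries yields no partitions at all. Rejecting is the safe choice for the out-of-bounds read the commit message describes, but it makes this patch dependent on the follow-up that raises the limit; say so in the `[dannf: ...]` line for anyone picking this patch alone. Minor: `i` stays `int` while `npartitions` is `unsigned int`, so `i < npartitions` is a mixed-sign comparison, harmless with the bound in place.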
Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/increase-osf-partition-limit-from-8-to-18.patch Wed Mar 23 06:06:21 2011 (r17105)
@@ -0,0 +1,33 @@
+commit 34d211a2d5df4984a35b18d8ccacbe1d10abb067
+Author: Linus Torvalds <torvalds at linux-foundation.org>
+Date: Wed Mar 16 08:04:07 2011 -0700
+
+ Increase OSF partition limit from 8 to 18
+
+ It turns out that while a maximum of 8 partitions may be what people
+ "should" have had, you can actually fit up to 18 entries(*) in a sector.
+
+ And some people clearly were taking advantage of that, like Michael
+ Cree, who had ten partitions on one of his OSF disks.
+
+ (*) The OSF partition data starts at byte offset 64 in the first sector,
+ and the array of 16-byte partition entries start at offset 148 in
+ the on-disk partition structure.
+
+ Reported-by: Michael Cree <mcree at orcon.net.nz>
+ Cc: stable at kernel.org (v2.6.38)
+ Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+ [dannf: Adjusted to apply to Debian's 2.6.32]
+
+diff -urpN linux-source-2.6.32.orig/fs/partitions/osf.c linux-source-2.6.32/fs/partitions/osf.c
+--- linux-source-2.6.32.orig/fs/partitions/osf.c 2011-03-22 23:27:01.507715211 -0600
++++ linux-source-2.6.32/fs/partitions/osf.c 2011-03-22 23:30:09.964362350 -0600
+@@ -10,7 +10,7 @@
+ #include "check.h"
+ #include "osf.h"
+
+-#define MAX_OSF_PARTITIONS 8
++#define MAX_OSF_PARTITIONS 18
+
+ int osf_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
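Review bot: changing `MAX_OSF_PARTITIONS` to 18 also resizes `d_partitions[]`, which the previous patch declares with this macro, yet nothing at the define records where 18 comes from. The commit message's figures give 64 + 148 + 18 * 16 = 500 bytes, and a 19th entry would end at byte 516; put that arithmetic in a comment next to the define so the constant is not raised again without rechecking that the array still fits in one sector.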
Modified: dists/squeeze/linux-2.6/debian/patches/series/32
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/32 Wed Mar 23 05:37:30 2011 (r17104)
+++ dists/squeeze/linux-2.6/debian/patches/series/32 Wed Mar 23 06:06:21 2011 (r17105)
@@ -5,3 +5,5 @@
- bugfix/x86/drm-i915-add-pipe-A-force-quirks-to-i915-driver.patch
+ bugfix/x86/x86-quirk-fix-sb600-revision-check.patch
+ bugfix/all/r8169-Fix-up-backport-of-r8169-keep-firmware-in-memo.patch
++ bugfix/all/fix-corrupted-osf-partition-parsing.patch
++ bugfix/all/increase-osf-partition-limit-from-8-to-18.patch