[Dapper] [CVE-2011-1017] [PATCH 1/1] fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

Brad Figg brad.figg at canonical.com
Wed Apr 27 14:48:50 UTC 2011


On 04/27/2011 06:45 AM, Tim Gardner wrote:
> On 04/26/2011 02:43 PM, Brad Figg wrote:
>> On 04/26/2011 01:37 PM, Tim Gardner wrote:
>>> On 04/26/2011 12:44 PM, Brad Figg wrote:
>>>> From: Timo Warns<Warns at pre-sense.de>
>>>>
>>>> BugLink: http://bugs.launchpad.net/bugs/771382
>>>>
>>>> CVE-2011-1017
>>>>
>>>> The kernel automatically evaluates partition tables of storage devices.
>>>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>>>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>>>> A kernel subsystem seems to crash, because, after the oops, the
>>>> kernel no longer recognizes newly connected storage devices.
>>>>
>>>> The patch validates the value of vblk_size.
>>>>
>>>> [akpm at linux-foundation.org: coding-style fixes]
>>>> Signed-off-by: Timo Warns<warns at pre-sense.de>
>>>> Cc: Eugene Teo<eugeneteo at kernel.sg>
>>>> Cc: Harvey Harrison<harvey.harrison at gmail.com>
>>>> Cc: Richard Russon<rich at flatcap.org>
>>>> Signed-off-by: Andrew Morton<akpm at linux-foundation.org>
>>>> Signed-off-by: Linus Torvalds<torvalds at linux-foundation.org>
>>>>
>>>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>>>> Signed-off-by: Brad Figg<brad.figg at canonical.com>
>>>
>>> Where did you find a reference that this patch fixes CVE-2011-1017?
>>>
>>> rtg
>>
>> There was no specific reference. The comments in the commit and the
>> comments in the CVE reference
>> (http://openwall.com/lists/oss-security/2011/02/24/4)
>> indicate the same code block. The patch is validating that the size
>> is correct.
>>
>> Brad
>
> While this patch is worthy of application on its own merit, I don't think it's sufficient. The mitre announcement says this vulnerability exists for kernels _before_ 2.6.37.2, the implication being that the problem was solved thereafter. I'm not sure why the mitre report doesn't reference a specific commit, but if you look at git history there is only one possibility:
>
> rtg at lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline v2.6.37.2..HEAD -- fs/partitions
> 91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit from 8 to 18
> 67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition table parsing
> 9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table can cause kernel oops
>
> It seems to me that if we're gonna declare CVE-2011-1017 to be fixed (which without a reproducer is a leap of faith), then we also have to include 'ldm: corrupted partition table can cause kernel oops', despite the fact that the mitre report directly references ldm_frag_add(). It's a bit ambiguous.
>
> See attached. The same argument holds true for Hardy and Maverick though I haven't checked to see if this patch has already come down via stable.
>
> rtg

I agree that it looks like we should apply both patches.

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com