Hardy CVE, bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
Tim Gardner
timg at tpi.com
Fri Feb 18 20:06:13 UTC 2011
The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
Brad Figg (1):
UBUNTU: Ubuntu-2.6.24-28.86
are available in the git repository at:
git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4162
Tim Gardner (1):
bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
fs/bio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
>From 3034d11a31600265b7286ae11e770946b7650a0c Mon Sep 17 00:00:00 2001
From: Tim Gardner <tim.gardner at canonical.com>
Date: Fri, 18 Feb 2011 12:49:29 -0700
Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
BugLink: http://bugs.launchpad.net/bugs/721441
CVE-2010-4162
backported from commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.
Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
fs/bio.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/fs/bio.c b/fs/bio.c
index d59ddbf..2c8224c 100644
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -609,6 +609,12 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
unsigned long start = uaddr >> PAGE_SHIFT;
+ /*
+ * Overflow, abort
+ */
+ if (end < start)
+ return ERR_PTR(-EINVAL);
+
nr_pages += end - start;
/*
* buffer must be aligned to at least hardsector size for now
--
1.7.0.4
More information about the kernel-team
mailing list