Karmic CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

Brad Figg brad.figg at canonical.com
Tue Feb 22 16:29:56 UTC 2011


On 02/18/2011 01:02 PM, Tim Gardner wrote:
> The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b:
>    Steve Conklin (1):
>          UBUNTU: Ubuntu-2.6.31-22.73
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4163
>
> Jens Axboe (1):
>        block: check for proper length of iov entries in blk_rq_map_user_iov(), CVE-2010-4163
>
> Xiaotian Feng (1):
>        block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
>   block/blk-map.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
>  From 341514d149fbeca645542fb13b2b2bb10ef5274e Mon Sep 17 00:00:00 2001
> From: Jens Axboe<jaxboe at fusionio.com>
> Date: Fri, 29 Oct 2010 08:10:18 -0600
> Subject: [PATCH 1/2] block: check for proper length of iov entries in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> Ensure that we pass down properly validated iov segments before
> calling into the mapping or copy functions.
>
> Reported-by: Dan Rosenberg<drosenberg at vsecurity.com>
> Cc: stable at kernel.org
> Signed-off-by: Jens Axboe<jaxboe at fusionio.com>
> (cherry picked from commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689)
>
> Signed-off-by: Tim Gardner<tim.gardner at canonical.com>
> ---
>   block/blk-map.c |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/block/blk-map.c b/block/blk-map.c
> index 9083cf0..30a7e51 100644
> --- a/block/blk-map.c
> +++ b/block/blk-map.c
> @@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
>   			unaligned = 1;
>   			break;
>   		}
> +		if (!iov[i].iov_len)
> +			return -EINVAL;
>   	}
>
>   	if (unaligned || (q->dma_pad_mask&  len) || map_data)
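
Review bot: the new `if (!iov[i].iov_len)` test sits below the unaligned branch, which ends in `break`, so the entry that trips the alignment test, and every entry after it, leaves the loop without its length being checked. Move the zero-length test to the top of the loop body, ahead of the alignment branch, so that every iov entry is validated before the `if (unaligned || ...)` test that follows the loop. The title of the second patch in this series ("check for proper length of iov entries earlier") suggests it addresses this; if so, say in this commit message that the two must be applied together so that this one is not picked up alone.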

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com



