[Maverick CVE-2011-0711] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711

Stefan Bader stefan.bader at canonical.com
Thu Apr 21 07:14:42 UTC 2011 

On 04/20/2011 11:48 PM, Leann Ogasawara wrote:
> The following changes since commit c34e0e04a2ea4b8c3af37e1f621c8ab61642200c:
>   Dan Rosenberg (1):
>         CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2011-0711
> 
> Dan Rosenberg (1):
>       xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711
> 
>  fs/xfs/xfs_fsops.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> From 695e59df936c802f5e528b089ec209e7b987d8fb Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg at vsecurity.com>
> Date: Mon, 14 Feb 2011 13:45:28 +0000
> Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711
> 
> BugLink: http://bugs.launchpad.net/bugs/767740
> 
> CVE-2011-0711
> 
> The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
> xfs_fs_geometry() with a version number of 3.  This code path does not
> fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
> the leaking of four bytes of uninitialized stack data to potentially
> unprivileged callers.
> 
> v2 switches to memset() to avoid future issues if structure members
> change, on suggestion of Dave Chinner.
> 
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Reviewed-by: Eugene Teo <eugeneteo at kernel.org>
> Signed-off-by: Alex Elder <aelder at sgi.com>
> (cherry picked from commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba)
> 
> Signed-off-by: Leann Ogasawara <leann.ogasawara at canonical.com>
> ---
>  fs/xfs/xfs_fsops.c |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
> index 37a6f62..4e7f02b 100644
> --- a/fs/xfs/xfs_fsops.c
> +++ b/fs/xfs/xfs_fsops.c
> @@ -57,6 +57,9 @@ xfs_fs_geometry(
>  	xfs_fsop_geom_t		*geo,
>  	int			new_version)
>  {
> +
> +	memset(geo, 0, sizeof(*geo));
> +
>  	geo->blocksize = mp->m_sb.sb_blocksize;
>  	geo->rtextsize = mp->m_sb.sb_rextsize;
>  	geo->agblocks = mp->m_sb.sb_agblocks;

Looks safe enough.

Acked-by: Stefan Bader <stefan.bade at canonical.com>

More information about the kernel-team mailing list