[Maverick CVE-2011-0711] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711

Tim Gardner tim.gardner at canonical.com
Thu Apr 21 12:35:46 UTC 2011


On 04/20/2011 03:48 PM, Leann Ogasawara wrote:
> The following changes since commit c34e0e04a2ea4b8c3af37e1f621c8ab61642200c:
>    Dan Rosenberg (1):
>          CAN: Use inode instead of kernel address for /proc file, CVE-2010-4565
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/ogasawara/ubuntu-maverick.git CVE-2011-0711
>
> Dan Rosenberg (1):
>        xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711
>
>   fs/xfs/xfs_fsops.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
>  From 695e59df936c802f5e528b089ec209e7b987d8fb Mon Sep 17 00:00:00 2001
> From: Dan Rosenberg <drosenberg at vsecurity.com>
> Date: Mon, 14 Feb 2011 13:45:28 +0000
> Subject: [PATCH] xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1, CVE-2011-0711
>
> BugLink: http://bugs.launchpad.net/bugs/767740
>
> CVE-2011-0711
>
> The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
> xfs_fs_geometry() with a version number of 3.  This code path does not
> fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
> the leaking of four bytes of uninitialized stack data to potentially
> unprivileged callers.
>
> v2 switches to memset() to avoid future issues if structure members
> change, on suggestion of Dave Chinner.
>
> Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Reviewed-by: Eugene Teo <eugeneteo at kernel.org>
> Signed-off-by: Alex Elder <aelder at sgi.com>
> (cherry picked from commit 3a3675b7f23f83ca8c67c9c2b6edf707fd28d1ba)
>
> Signed-off-by: Leann Ogasawara <leann.ogasawara at canonical.com>
> ---
>   fs/xfs/xfs_fsops.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/fs/xfs/xfs_fsops.c b/fs/xfs/xfs_fsops.c
> index 37a6f62..4e7f02b 100644
> --- a/fs/xfs/xfs_fsops.c
> +++ b/fs/xfs/xfs_fsops.c
> @@ -57,6 +57,9 @@ xfs_fs_geometry(
>   	xfs_fsop_geom_t		*geo,
>   	int			new_version)
>   {
> +
> +	memset(geo, 0, sizeof(*geo));
> +
>   	geo->blocksize = mp->m_sb.sb_blocksize;
>   	geo->rtextsize = mp->m_sb.sb_rextsize;
>   	geo->agblocks = mp->m_sb.sb_agblocks;
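Review bot: the two blank `+` lines wrapped around `memset(geo, 0, sizeof(*geo));` at the top of xfs_fs_geometry() are style noise; a single line with no surrounding blanks, directly before the `geo->blocksize` assignment, reads cleaner and matches the rest of the function. On the logic, zeroing the whole struct before the version-dependent assignments is the right fix for the leak described in the commit message: a member that a given `new_version` path does not fill in (logsunit for the version-3 path used by FSGEOMETRY_V1) now reaches the caller as zero rather than as whatever was on the stack, and the memset keeps covering any member added to xfs_fsop_geom_t later, which is the reason given for preferring it over a single-field initialization. Since `sizeof(*geo)` depends on `geo` being the full xfs_fsop_geom_t, it would help to keep the existing comment or parameter naming explicit that callers must pass that type rather than a smaller versioned struct.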

applied

-- 
Tim Gardner tim.gardner at canonical.com
