[Dapper] [CVE-2011-1017] [PATCH 1/1] fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

Wed Apr 27 11:15:17 UTC 2011

On 04/26/2011 08:44 PM, Brad Figg wrote:
> From: Timo Warns <Warns at pre-sense.de>
> 
> BugLink: http://bugs.launchpad.net/bugs/771382
> 
> CVE-2011-1017
> 
> The kernel automatically evaluates partition tables of storage devices.
> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> a bug that causes a kernel oops on certain corrupted LDM partitions.
> A kernel subsystem seems to crash, because, after the oops, the kernel no
> longer recognizes newly connected storage devices.
> 
> The patch validates the value of vblk_size.
> 
> [akpm at linux-foundation.org: coding-style fixes]
> Signed-off-by: Timo Warns <warns at pre-sense.de>
> Cc: Eugene Teo <eugeneteo at kernel.sg>
> Cc: Harvey Harrison <harvey.harrison at gmail.com>
> Cc: Richard Russon <rich at flatcap.org>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> 
> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
> ---
>  fs/partitions/ldm.c |   16 ++++++++++++----
>  1 files changed, 12 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
> index 7ab1c11..c861f52 100644
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1225,6 +1225,11 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>  
>  	BUG_ON (!data || !frags);
>  
> +	if (size < 2 * VBLK_SIZE_HEAD) {
> +		ldm_error("Value of size is to small.");
> +		return FALSE;
> +	}
> +
>  	group = BE32 (data + 0x08);
>  	rec   = BE16 (data + 0x0C);
>  	num   = BE16 (data + 0x0E);
> @@ -1232,6 +1237,10 @@ static BOOL ldm_frag_add (const u8 *data, int size, struct list_head *frags)
>  		ldm_error ("A VBLK claims to have %d parts.", num);
>  		return FALSE;
>  	}
> +	if (rec >= num) {
> +		ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
> +		return FALSE;
> +	}
>  
>  	list_for_each (item, frags) {
>  		f = list_entry (item, struct frag, list);
> @@ -1260,10 +1269,9 @@ found:
>  
>  	f->map |= (1 << rec);
>  
> -	if (num > 0) {
> -		data += VBLK_SIZE_HEAD;
> -		size -= VBLK_SIZE_HEAD;
> -	}
> +	data += VBLK_SIZE_HEAD;
> +	size -= VBLK_SIZE_HEAD;
> +
>  	memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>  
>  	return TRUE;

I believe some thread which cve-2011-1017 was pointing to on mitre, lead to this
patch claiming it would be the fix.

And this patch looks the same.

Acked-by: Stefan Bader <stefan.bader at canonical.com>