[Dapper] [CVE-2011-1017] [PATCH 1/1] fs/partitions/ldm.c: fix oops caused by corrupted partition table, CVE-2011-1017

Tim Gardner tim.gardner at canonical.com
Wed Apr 27 13:45:41 UTC 2011

On 04/26/2011 02:43 PM, Brad Figg wrote:
> On 04/26/2011 01:37 PM, Tim Gardner wrote:
>> On 04/26/2011 12:44 PM, Brad Figg wrote:
>>> From: Timo Warns<Warns at pre-sense.de>
>>> BugLink: http://bugs.launchpad.net/bugs/771382
>>> CVE-2011-1017
>>> The kernel automatically evaluates partition tables of storage devices.
>>> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
>>> a bug that causes a kernel oops on certain corrupted LDM partitions.
>>> A kernel subsystem seems to crash, because, after the oops, the
>>> kernel no
>>> longer recognizes newly connected storage devices.
>>> The patch validates the value of vblk_size.
>>> [akpm at linux-foundation.org: coding-style fixes]
>>> Signed-off-by: Timo Warns<warns at pre-sense.de>
>>> Cc: Eugene Teo<eugeneteo at kernel.sg>
>>> Cc: Harvey Harrison<harvey.harrison at gmail.com>
>>> Cc: Richard Russon<rich at flatcap.org>
>>> Signed-off-by: Andrew Morton<akpm at linux-foundation.org>
>>> Signed-off-by: Linus Torvalds<torvalds at linux-foundation.org>
>>> (backported from commit c340b1d640001c8c9ecff74f68fd90422ae2448a)
>>> Signed-off-by: Brad Figg<brad.figg at canonical.com>
>> Where did you find a reference that this patch fixes CVE-2011-1017 ?
>> rtg
> There was no specific reference. From the comments in the commit and
> comments in the CVE reference
> (http://openwall.com/lists/oss-security/2011/02/24/4)
> indicated the same code block. The patch is validating that the size
> is correct.
> Brad

While this patch is worthy of application on its own merit, I don't 
think its sufficient. The mitre announcement says this vulnerability 
exists for kernels _before_, the implication being that the 
problem was solved thereafter. I'm not sure why the mitre report doesn't 
reference a specific commit, but if you look at git history there is 
only one possibility:

rtg at lochsa:~/proj/linux/linux-2.6.37.y$ git log --pretty=oneline 
v2.6.37.2..HEAD -- fs/partitions
91999d4336fc7c94635cb10e254813a35bd3157e Increase OSF partition limit 
from 8 to 18
67725123d5df7aace72676b94e1bdffbdbbc0f75 Fix corrupted OSF partition 
table parsing
9d482869ef6414b388d582f498e7eac78bd2bc20 ldm: corrupted partition table 
can cause kernel oops

It seems to me that if we're gonna declare CVE-2011-1017 to be fixed 
(which without a reproducer is a leap of faith), then we also have to 
include 'ldm: corrupted partition table can cause kernel oops', despite 
the fact that the mitre report directly references ldm_frag_add(). Its a 
bit ambiguous.

See attached. The same argument holds true for Hardy and Maverick though 
I haven't checked to see if this patch has already come down via stable.

Tim Gardner tim.gardner at canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-ldm-corrupted-partition-table-can-cause-kernel-oops.patch
Type: text/x-patch
Size: 1687 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20110427/02c51195/attachment.bin>

More information about the kernel-team mailing list