Karmic CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

Tim Gardner timg at tpi.com
Fri Feb 18 21:02:15 UTC 2011


The following changes since commit 41866a96c222c7d5d3da3abffb166ff3b80e1f3b:
  Steve Conklin (1):
        UBUNTU: Ubuntu-2.6.31-22.73

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-karmic.git CVE-2010-4163

Jens Axboe (1):
      block: check for proper length of iov entries in blk_rq_map_user_iov(), CVE-2010-4163

Xiaotian Feng (1):
      block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

 block/blk-map.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

From 341514d149fbeca645542fb13b2b2bb10ef5274e Mon Sep 17 00:00:00 2001
From: Jens Axboe <jaxboe at fusionio.com>
Date: Fri, 29 Oct 2010 08:10:18 -0600
Subject: [PATCH 1/2] block: check for proper length of iov entries in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

Ensure that we pass down properly validated iov segments before
calling into the mapping or copy functions.

Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
Cc: stable at kernel.org
Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
(cherry picked from commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689)

Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 block/blk-map.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index 9083cf0..30a7e51 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
 			unaligned = 1;
 			break;
 		}
+		if (!iov[i].iov_len)
+			return -EINVAL;
 	}
 
 	if (unaligned || (q->dma_pad_mask & len) || map_data)
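Review bot: the new `if (!iov[i].iov_len) return -EINVAL;` is placed after the `break` taken when `uaddr & queue_dma_alignment(q)` is non-zero, so an entry that is both unaligned and zero-length leaves the loop before its length is ever tested and reaches the copy path unchecked; move the length test above the alignment test (which is exactly what patch 2/2 in this series does). Returning `-EINVAL` directly is fine here since nothing has been allocated yet at this point in the loop.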
-- 
1.7.0.4


From 9af549f0e924f36336015462b9220d9b453755c1 Mon Sep 17 00:00:00 2001
From: Xiaotian Feng <dfeng at redhat.com>
Date: Mon, 29 Nov 2010 10:03:55 +0100
Subject: [PATCH 2/2] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163

BugLink: http://bugs.launchpad.net/bugs/721504

CVE-2010-4163

commit 9284bcf checks for proper length of iov entries in
blk_rq_map_user_iov(). But if the map is unaligned, the kernel
will break out of the loop without checking for the proper length.
So we need to check the proper length before the unaligned check.

Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
Cc: stable at kernel.org
Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
(cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)

Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
---
 block/blk-map.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/block/blk-map.c b/block/blk-map.c
index 30a7e51..749effa 100644
--- a/block/blk-map.c
+++ b/block/blk-map.c
@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
 	for (i = 0; i < iov_count; i++) {
 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
 
+		if (!iov[i].iov_len)
+			return -EINVAL;
+
 		if (uaddr & queue_dma_alignment(q)) {
 			unaligned = 1;
 			break;
 		}
-		if (!iov[i].iov_len)
-			return -EINVAL;
 	}
 
 	if (unaligned || (q->dma_pad_mask & len) || map_data)
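Review bot: moving the `iov_len` test ahead of the alignment test closes the case of an entry that is both unaligned and empty, but the `break` on the first unaligned entry still exits the loop before any later entries are examined, so a zero-length entry that follows an unaligned one is still not rejected by this loop; unless the copy path taken when `unaligned` is set rejects empty segments itself, consider setting `unaligned = 1` without `break` so that every entry's `iov_len` is checked before the function decides between mapping and copying.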
-- 
1.7.0.4
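The two orderings in this series differ only in where the zero-length test sits relative to the alignment test's `break`. The following user-space model, added here and not part of the kernel or of either patch, reproduces both loops over constructed iovec arrays so the difference can be checked directly. `struct iovec` comes from `<sys/uio.h>`; `DMA_ALIGN_MASK` is an assumed 512-byte alignment mask standing in for `queue_dma_alignment(q)`, and the addresses are fabricated values that are never dereferenced.

```c
/* Added example: user-space model of the validation loop in
 * blk_rq_map_user_iov() as left by patch 1/2 and by patch 2/2.
 * Not kernel code. DMA_ALIGN_MASK is an assumed stand-in for
 * queue_dma_alignment(q); struct iovec comes from <sys/uio.h>. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/uio.h>

#define DMA_ALIGN_MASK 511UL          /* assumed: 512-byte DMA alignment */
#define ADDR(x) ((void *)(uintptr_t)(x)) /* constructed, never dereferenced */

/* Ordering after patch 1/2: alignment tested first, length tested after
 * the break. Returns 0 if the vector is accepted, -EINVAL otherwise. */
static int validate_patch1(const struct iovec *iov, int iov_count)
{
    int i, unaligned = 0;

    for (i = 0; i < iov_count; i++) {
        unsigned long uaddr = (unsigned long)iov[i].iov_base;

        if (uaddr & DMA_ALIGN_MASK) {
            unaligned = 1;
            break;              /* length of this entry is never tested */
        }
        if (!iov[i].iov_len)
            return -EINVAL;
    }
    (void)unaligned;            /* the real function uses it to pick the copy path */
    return 0;
}

/* Ordering after patch 2/2: length tested before alignment. */
static int validate_patch2(const struct iovec *iov, int iov_count)
{
    int i, unaligned = 0;

    for (i = 0; i < iov_count; i++) {
        unsigned long uaddr = (unsigned long)iov[i].iov_base;

        if (!iov[i].iov_len)
            return -EINVAL;     /* now reached even for unaligned entries */

        if (uaddr & DMA_ALIGN_MASK) {
            unaligned = 1;
            break;              /* later entries are still not visited */
        }
    }
    (void)unaligned;
    return 0;
}

/* Three constructed vectors:
 *   0: one entry, unaligned address and zero length
 *   1: aligned non-empty entry, then an aligned empty entry
 *   2: unaligned non-empty entry, then an aligned empty entry
 * Runs the chosen vector through the patch-1 (patch == 1) or patch-2 loop. */
int check(int patch, int vector)
{
    const struct iovec v0[] = { { ADDR(0x1001), 0 } };
    const struct iovec v1[] = { { ADDR(0x1000), 512 }, { ADDR(0x2000), 0 } };
    const struct iovec v2[] = { { ADDR(0x1001), 512 }, { ADDR(0x2000), 0 } };
    const struct iovec *iov;
    int n;

    switch (vector) {
    case 0:  iov = v0; n = 1; break;
    case 1:  iov = v1; n = 2; break;
    default: iov = v2; n = 2; break;
    }
    return patch == 1 ? validate_patch1(iov, n) : validate_patch2(iov, n);
}

int main(void)
{
    int vector;

    for (vector = 0; vector < 3; vector++)
        printf("vector %d: patch1 -> %d, patch2 -> %d\n",
               vector, check(1, vector), check(2, vector));
    return 0;
}
```

Vector 0 is the case the second patch fixes: the patch-1 loop accepts it (returns 0) because the break runs before the length test, while the patch-2 loop returns -EINVAL. Vector 1 is rejected by both. Vector 2 is accepted by both, since the break on the first unaligned entry ends the loop before the empty second entry is seen; whether that matters depends on what the copy path does with empty segments, which is outside these hunks.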
