Dapper CVE: bio: take care not overflow page count when mapping/copying user data
John Johansen
john.johansen at canonical.com
Fri Feb 18 21:33:06 UTC 2011
On 02/18/2011 12:02 PM, Tim Gardner wrote:
> The following changes since commit 352701fdc50086ac0db65862e16dc8b20918d174:
> Steve Conklin (1):
> UBUNTU: Ubuntu-2.6.15-55.93
>
> are available in the git repository at:
>
> git://kernel.ubuntu.com/rtg/ubuntu-dapper.git CVE-2010-4162
>
> Tim Gardner (1):
> bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
>
> fs/bio.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> From e6326904fee89c475f6875f3787931601ac14a33 Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner at canonical.com>
> Date: Fri, 18 Feb 2011 12:57:38 -0700
> Subject: [PATCH] bio: take care not overflow page count when mapping/copying user data, CVE-2010-4162
>
> BugLink: http://bugs.launchpad.net/bugs/721441
>
> CVE-2010-4162
>
> backport of commit cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
>
> If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
> to overflow, we could end up attempting to map a huge number of
> pages. Check for this invalid input type.
>
> Reported-by: Dan Rosenberg <drosenberg at vsecurity.com>
> Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
> fs/bio.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index 460554b..f776d0a 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -574,6 +574,12 @@ static struct bio *__bio_map_user_iov(request_queue_t *q,
> unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
> unsigned long start = uaddr >> PAGE_SHIFT;
>
> + /*
> + * Overflow, abort
> + */
> + if (end < start)
> + return ERR_PTR(-EINVAL);
> +
> nr_pages += end - start;
> /*
> * transfer and buffer must be aligned to at least hardsector
Acked-by: John Johansen <john.johansen at canonical.com>
More information about the kernel-team
mailing list