Hardy CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

Brad Figg brad.figg at canonical.com
Tue Feb 22 16:33:30 UTC 2011


On 02/18/2011 01:18 PM, Tim Gardner wrote:
> The following changes since commit 0b2f210442dd2ca2c184c1451f5d41fa37e7c60b:
>    Brad Figg (1):
>          UBUNTU: Ubuntu-2.6.24-28.86
>
> are available in the git repository at:
>
>    git://kernel.ubuntu.com/rtg/ubuntu-hardy.git CVE-2010-4163
>
> Tim Gardner (1):
>        block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
>   fs/bio.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
>  From aabab832c692067d4558aa577222ee408be06df0 Mon Sep 17 00:00:00 2001
> From: Tim Gardner <tim.gardner at canonical.com>
> Date: Fri, 18 Feb 2011 14:15:10 -0700
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
>
> BugLink: http://bugs.launchpad.net/bugs/721504
>
> CVE-2010-4163
>
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
>
> Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
> Cc: stable at kernel.org
> Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
> (backported from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
>
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
>   fs/bio.c |    3 +++
>   1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/fs/bio.c b/fs/bio.c
> index d59ddbf..461ca55 100644
> --- a/fs/bio.c
> +++ b/fs/bio.c
> @@ -609,6 +609,9 @@ static struct bio *__bio_map_user_iov(struct request_queue *q,
>   		unsigned long end = (uaddr + len + PAGE_SIZE - 1)>>  PAGE_SHIFT;
>   		unsigned long start = uaddr>>  PAGE_SHIFT;
>
> +		if (!len)
> +			return ERR_PTR(-EINVAL);
> +
>   		nr_pages += end - start;
>   		/*
>   		 * buffer must be aligned to at least hardsector size for now
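
Review bot: The added `if (!len)` test in `__bio_map_user_iov()` rejects only a zero-length entry, while the `end` computation on the context line just above it (`uaddr + len + PAGE_SIZE - 1`) is still not checked for wraparound when `len` is very large. Consider also rejecting the entry when `end < start`, before `nr_pages += end - start` runs. Separately, the subject names blk_rq_map_user_iov() but the hunk changes __bio_map_user_iov() in fs/bio.c; since the message says "backported from", a line stating how this backport differs from the upstream commit would help later readers.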

Acked-by: Brad Figg <brad.figg at canonical.com>

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com



