Lucid CVE-2010-4163: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()

John Johansen john.johansen at canonical.com
Fri Feb 18 21:57:27 UTC 2011


On 02/18/2011 12:57 PM, Tim Gardner wrote:
> The following changes since commit 8c3a95c0fad82b89a1f8f89c74bfe9a8bb951072:
>   Brad Figg (1):
>         UBUNTU: Ubuntu-2.6.32-29.58
> 
> are available in the git repository at:
> 
>   git://kernel.ubuntu.com/rtg/ubuntu-lucid.git CVE-2010-4163
> 
> Xiaotian Feng (1):
>       block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
>  block/blk-map.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> From 6ca90f56c3a0b0f6b12dd2249c53d3071a111448 Mon Sep 17 00:00:00 2001
> From: Xiaotian Feng <dfeng at redhat.com>
> Date: Mon, 29 Nov 2010 10:03:55 +0100
> Subject: [PATCH] block: check for proper length of iov entries earlier in blk_rq_map_user_iov(), CVE-2010-4163
> 
> BugLink: http://bugs.launchpad.net/bugs/721504
> 
> CVE-2010-4163
> 
> commit 9284bcf checks for proper length of iov entries in
> blk_rq_map_user_iov(). But if the map is unaligned, kernel
> will break out the loop without checking for the proper length.
> So we need to check the proper length before the unalign check.
> 
> Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
> Cc: stable at kernel.org
> Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
> (cherry picked from commit 5478755616ae2ef1ce144dded589b62b2a50d575)
> 
> Signed-off-by: Tim Gardner <tim.gardner at canonical.com>
> ---
>  block/blk-map.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/block/blk-map.c b/block/blk-map.c
> index 30a7e51..749effa 100644
> --- a/block/blk-map.c
> +++ b/block/blk-map.c
> @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
>  	for (i = 0; i < iov_count; i++) {
>  		unsigned long uaddr = (unsigned long)iov[i].iov_base;
>  
> +		if (!iov[i].iov_len)
> +			return -EINVAL;
> +
>  		if (uaddr & queue_dma_alignment(q)) {
>  			unaligned = 1;
>  			break;
>  		}
> -		if (!iov[i].iov_len)
> -			return -EINVAL;
>  	}
>  
>  	if (unaligned || (q->dma_pad_mask & len) || map_data)
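
Review bot: In the loop at the top of this hunk, the `break` in the `uaddr & queue_dma_alignment(q)` branch still ends the scan at the first unaligned entry, so the relocated `if (!iov[i].iov_len)` test only covers entries up to and including that one. A zero-length entry that follows an unaligned one is not rejected here, and the `unaligned || ... || map_data` path below is then taken with the rest of the vector unchecked by this loop. Consider dropping the `break` and only setting `unaligned = 1`, so that every entry's length is validated, with a short comment saying the loop deliberately continues for that reason. If the copy path is expected to reject zero-length entries itself, the commit message should say so.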

Acked-by: John Johansen <john.johansen at canonical.com>



