Date: Thu, 24 Feb 2011 15:22:32 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: Jon Oberheide <jon@...rheide.org>
Cc: Timo Warns <warns@...-sense.de>, oss-security@...ts.openwall.com,
        coley <coley@...re.org>
Subject: Re: CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables


----- Original Message -----
> On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:
> > On 02/24/2011 03:59 AM, Josh Bressers wrote:
> > > ----- Original Message -----
> > >>
> > >> The kernel automatically evaluates partition tables of storage
> > >> devices.  The code for evaluating LDM partitions (in
> > >> fs/partitions/ldm.c) contains a bug that allows to overflow the
> > >> kernel heap. It may be possible to escalate privileges by exploiting
> > >> this bug.
> > >>
> > >> (This bug is distinct from the LDM bug reported by Eugene Teo on
> > >> 2011-02-23.)
> > >>
> > >> This should affect both, 2.4 and 2.6 kernel. As a prerequisite,
> > >> CONFIG_LDM_PARTITION needs to be set.
> > >>
> > >
> > > Can you point to a commit message or something else that is public?
> > > It's not clear how this differs from Eugene's request.
> >
> > As far as I can tell, it's not public yet. Timo will follow-up once his
> > patch is accepted.
> 
> The advisory Timo posted mentioned ldm_frag_add() so it's public for all
> practical purposes at this point:
> 
> static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
> {
> ...
> 	f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
> 	if (!f) {
> 		ldm_crit ("Out of memory.");
> 		return false;
> 	}
> ...
> 	memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
> 	return true;
> }
> 

I would still like something along the lines of a proposed patch. I believe
you folks (as you're much brighter than me), but I still don't quite grasp
the difference. I suspect there is enough public information for MITRE to
publish a CVE though, so please use CVE-2011-1017.

Thanks.

-- 
    JB
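Added illustration for the quoted ldm_frag_add() excerpt above; this is not code from the thread or from the kernel. It is a userspace C model of the two expressions the excerpt shows: the kmalloc() size is driven by num, while the memcpy() destination offset is driven by rec, so the copy is only safe when the rec-derived range ends inside the num-derived allocation. The function names (frag_alloc_bytes, frag_copy_offset, frag_copy_fits, frag_add_checked, frag_demo_accepts), the struct layout and the VBLK_SIZE_HEAD value of 16 are assumptions made for the model; the lines the quote elides with "..." may adjust size and rec before the copy, so the model demonstrates the bounds condition, not the kernel's exact buffer layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed header size of one VBLK fragment. The kernel defines VBLK_SIZE_HEAD in
 * fs/partitions/ldm.h; the value used here is an assumption for this model. */
#define VBLK_SIZE_HEAD 16

/* Userspace stand-in for the kernel's fragment structure: only the counters the
 * quoted arithmetic uses plus the flexible data area that the allocation sizes. */
struct frag {
    unsigned num;      /* fragments expected in the group: sizes the allocation */
    unsigned rec;      /* index of the fragment being stored: picks the write offset */
    size_t data_bytes; /* bytes reserved after the struct (model bookkeeping only) */
    uint8_t data[];
};

/* Bytes the quoted kmalloc() reserves for data[]: size*num. */
size_t frag_alloc_bytes(size_t size, unsigned num)
{
    return size * num;
}

/* Start offset in data[] of the quoted memcpy(): rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD.
 * Callers must ensure size > VBLK_SIZE_HEAD so the subtraction cannot wrap. */
size_t frag_copy_offset(size_t size, unsigned rec)
{
    return (size_t)rec * (size - VBLK_SIZE_HEAD) + VBLK_SIZE_HEAD;
}

/* The check the quoted excerpt lacks: does a size-byte write at the rec-derived
 * offset stay inside the num-derived allocation? */
bool frag_copy_fits(size_t size, unsigned num, unsigned rec)
{
    if (size <= VBLK_SIZE_HEAD)   /* no room for a header: reject before subtracting */
        return false;
    return frag_copy_offset(size, rec) + size <= frag_alloc_bytes(size, num);
}

/* Hardened model of the add path: allocate the way the excerpt does, but copy only
 * when the destination range fits. Returns NULL on rejection or allocation failure. */
struct frag *frag_add_checked(const uint8_t *data, size_t size, unsigned num, unsigned rec)
{
    if (!frag_copy_fits(size, num, rec))
        return NULL;                          /* would write past the heap block */

    struct frag *f = malloc(sizeof(*f) + frag_alloc_bytes(size, num));
    if (!f)
        return NULL;
    f->num = num;
    f->rec = rec;
    f->data_bytes = frag_alloc_bytes(size, num);
    memset(f->data, 0, f->data_bytes);
    memcpy(f->data + frag_copy_offset(size, rec), data, size);
    return f;
}

/* Demo helper: try to store a constructed 64-byte fragment as fragment 'rec' of a
 * 4-fragment group and report whether the checked path accepted it. */
bool frag_demo_accepts(unsigned rec)
{
    uint8_t sample[64];                       /* constructed fragment contents */
    memset(sample, 0xAB, sizeof sample);
    struct frag *f = frag_add_checked(sample, sizeof sample, 4, rec);
    bool ok = (f != NULL);
    free(f);
    return ok;
}

int main(void)
{
    /* With size 64 and num 4 the allocation holds 256 data bytes; rec values
     * 0..3 land inside it, rec >= 4 would run off the end and is rejected. */
    for (unsigned rec = 0; rec < 6; rec++)
        printf("rec=%u offset=%zu alloc=%zu -> %s\n", rec,
               frag_copy_offset(64, rec), frag_alloc_bytes(64, 4),
               frag_demo_accepts(rec) ? "stored" : "rejected");
    return 0;
}
```

The model keeps the allocation expression exactly as quoted and only adds the destination-range check in front of the copy, which is the invariant any fix must establish: rec, which comes from the on-disk fragment, cannot be trusted to stay below num, so either the copy is validated against the allocation or rec is validated against num before it is used as a multiplier.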
