Date: Wed, 23 Feb 2011 21:46:29 -0500
From: Jon Oberheide <jon@...rheide.org>
To: oss-security@...ts.openwall.com
Cc: Josh Bressers <bressers@...hat.com>, Timo Warns <warns@...-sense.de>
Subject: Re: CVE request: kernel: fs/partitions: Kernel heap
 overflow via corrupted LDM partition tables

On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:
> On 02/24/2011 03:59 AM, Josh Bressers wrote:
> > ----- Original Message -----
> >>
> >> The kernel automatically evaluates partition tables of storage devices.
> >> The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
> >> a bug that allows overflowing the kernel heap. It may be possible to
> >> escalate privileges by exploiting this bug.
> >>
> >> (This bug is distinct from the LDM bug reported by Eugene Teo on
> >> 2011-02-23.)
> >>
> >> This should affect both 2.4 and 2.6 kernels. As a prerequisite,
> >> CONFIG_LDM_PARTITION needs to be set.
> >>
> >
> > Can you point to a commit message or something else that is public? It's
> > not clear how this differs from Eugene's request.
> 
> As far as I can tell, it's not public yet. Timo will follow up once his 
> patch is accepted.

The advisory Timo posted mentioned ldm_frag_add() so it's public for all
practical purposes at this point:

static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
{
...
        f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
        if (!f) {
                ldm_crit ("Out of memory.");
                return false;
        }
...
        memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
        return true;
}

Regards,
Jon Oberheide

-- 
Jon Oberheide <jon@...rheide.org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6  F184 5842 1C89 F47C 17FE
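
Added example (not part of the original message and not kernel code): a user-space C model of the two size expressions in the excerpt above, checking that the memcpy destination range stays inside the size*num data area. frag_copy_in_bounds(), mul_ok() and the separate copy_size parameter are hypothetical names, the value of VBLK_SIZE_HEAD is assumed for the model, and the sample inputs are constructed.

```c
/* User-space model (added example, not kernel code) of the two size
 * expressions visible in the ldm_frag_add() excerpt. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VBLK_SIZE_HEAD 16  /* assumed value for this model */

/* Stores a * b in *out; returns false if the product would wrap. */
static bool mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return false;
    *out = a * b;
    return true;
}

/*
 * alloc_size: "size" as used in kmalloc(sizeof(*f) + size*num)
 * copy_size:  "size" as used in the memcpy (hypothetical separate parameter,
 *             because the elided lines may change it in between)
 * Returns true only if f->data + rec*(copy_size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD
 * plus copy_size bytes stays inside the size*num data area.
 */
bool frag_copy_in_bounds(size_t alloc_size, size_t num, size_t rec,
                         size_t copy_size)
{
    size_t data_len, off;

    if (copy_size < VBLK_SIZE_HEAD)          /* stride would go negative */
        return false;
    if (!mul_ok(alloc_size, num, &data_len)) /* allocation size wrapped */
        return false;
    if (!mul_ok(rec, copy_size - VBLK_SIZE_HEAD, &off))
        return false;
    if (off > SIZE_MAX - VBLK_SIZE_HEAD)
        return false;
    off += VBLK_SIZE_HEAD;
    /* Written as a subtraction so off + copy_size cannot wrap. */
    return off <= data_len && copy_size <= data_len - off;
}

int main(void)
{
    /* Constructed inputs: 512-byte fragments, copy length 496. */
    printf("rec=3 num=4: %d\n", frag_copy_in_bounds(512, 4, 3, 496));
    printf("rec=4 num=4: %d\n", frag_copy_in_bounds(512, 4, 4, 496));
    printf("rec=9 num=1: %d\n", frag_copy_in_bounds(512, 1, 9, 496));
    return 0;
}
```

In this model a rec value at or above num always lands the copy past the end of the data area, which is the relationship the visible lines of the excerpt do not enforce.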
