oss-security February 2011 archive

Re: [oss-security] CVE request: kernel: fs/partitions: Kernel heap overflow via corrupted LDM partition tables

From: Josh Bressers <bressers_at_nospam>
Date: Thu Feb 24 2011 - 20:22:32 GMT
To: Jon Oberheide <jon@oberheide.org>

----- Original Message -----
> On Thu, 2011-02-24 at 09:25 +0800, Eugene Teo wrote:
> > On 02/24/2011 03:59 AM, Josh Bressers wrote:
> > > ----- Original Message -----
> > >>
> > >> The kernel automatically evaluates partition tables of storage
> > >> devices. The code for evaluating LDM partitions (in
> > >> fs/partitions/ldm.c) contains a bug that allows overflowing the
> > >> kernel heap. It may be possible to escalate privileges by exploiting
> > >> this bug.
> > >>
> > >> (This bug is distinct from the LDM bug reported by Eugene Teo on
> > >> 2011-02-23.)
> > >>
> > >> This should affect both 2.4 and 2.6 kernels. As a prerequisite,
> > >> CONFIG_LDM_PARTITION needs to be set.
> > >>
> > >
> > > Can you point to a commit message or something else that is public?
> > > It's not clear how this differs from Eugene's request.
> >
> > As far as I can tell, it's not public yet. Timo will follow-up once his
> > patch is accepted.
>
> The advisory Timo posted mentioned ldm_frag_add() so it's public for all
> practical purposes at this point:
>
> static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
> {
>     ...
>     f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
>     if (!f) {
>         ldm_crit ("Out of memory.");
>         return false;
>     }
>     ...
>     memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
>     return true;
> }
>

I would still like something along the lines of a proposed patch. I believe
you folks (as you're much brighter than me), but I still don't quite grasp
the difference. I suspect there is enough public information for MITRE to
publish a CVE though, so please use CVE-2011-1017.

Thanks.

-- JB
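The ldm_frag_add() excerpt quoted in the thread allocates size*num bytes of fragment data and then copies `size` bytes to offset rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD. Nothing in the visible lines ties `rec` to `num`, so the question of whether the copy stays inside the allocation is plain arithmetic on those two fields. The following is an added user-space model of that arithmetic, not kernel code and not the patch Timo Warns was preparing: it computes the byte range the quoted memcpy would write for a given (size, num, rec), and pairs it with a hypothetical bounds check that refuses the copy when the range does not fit. The value of VBLK_SIZE_HEAD (16), the simplified `struct frag` layout, and treating `rec`/`num` as untrusted header fields are assumptions of the model; the lines elided with "..." in the quote may adjust `data`, `size` or `rec` before the real copy, so the model uses the visible expressions exactly as written.

```c
/*
 * Added example: user-space model of the index arithmetic in the quoted
 * ldm_frag_add() excerpt. Not kernel code and not the upstream fix.
 * Assumptions: VBLK_SIZE_HEAD == 16, a simplified struct frag, and rec/num
 * read from an untrusted VBLK header.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VBLK_SIZE_HEAD 16   /* VBLK header length; assumed value for the model */

/* Simplified fragment group (the kernel's struct frag also has a list head). */
struct frag {
    int group;
    int num;            /* fragments the group is declared to have */
    unsigned int map;   /* one bit per fragment already stored */
    uint8_t data[];     /* size*num bytes allocated behind the struct */
};

/*
 * Byte range [*start, *end) that the quoted memcpy would write, relative to
 * f->data, and whether it lies inside the size*num bytes that were allocated.
 * 64-bit arithmetic so the model itself cannot overflow for large rec.
 */
static bool frag_copy_fits(int size, int num, int rec, long long *start, long long *end)
{
    long long alloc = (long long)size * num;
    long long dst   = (long long)rec * (size - VBLK_SIZE_HEAD) + VBLK_SIZE_HEAD;
    *start = dst;
    *end   = dst + size;
    return dst >= 0 && *end <= alloc;
}

/*
 * Hypothetical check for this model (not a quote of the real patch): the
 * fragment index must be below the count the buffer was sized for, and the
 * resulting range must fit the allocation.
 */
static bool frag_index_ok(int size, int num, int rec)
{
    long long s, e;
    if (num < 1 || num > 31 || size < 2 * VBLK_SIZE_HEAD)
        return false;
    if (rec < 0 || rec >= num)
        return false;
    return frag_copy_fits(size, num, rec, &s, &e);
}

/* Allocate a group sized exactly like the quoted kmalloc(): header + size*num. */
static struct frag *frag_alloc(int group, int size, int num)
{
    struct frag *f;
    if (num < 1 || num > 31 || size < 2 * VBLK_SIZE_HEAD)
        return NULL;
    f = calloc(1, sizeof(*f) + (size_t)size * num);
    if (!f)
        return NULL;
    f->group = group;
    f->num = num;
    f->map = 0;
    return f;
}

/* The copy from the excerpt with the bounds check in front; returns false
 * instead of writing outside the allocation or storing a fragment twice. */
static bool frag_add_checked(struct frag *f, int size, int rec, const uint8_t *data)
{
    long long start, end;
    if (!frag_index_ok(size, f->num, rec))
        return false;
    if (f->map & (1u << rec))          /* duplicate fragment index */
        return false;
    frag_copy_fits(size, f->num, rec, &start, &end);
    memcpy(f->data + start, data, (size_t)size);
    f->map |= 1u << rec;
    return true;
}

/* Feed a constructed 4-fragment group (128-byte VBLKs) plus three bad
 * fragments and return how many were accepted. */
static int demo_accepted(void)
{
    enum { SIZE = 128, NUM = 4 };
    uint8_t vblk[SIZE];                 /* constructed fragment payload */
    int accepted = 0, rec;
    struct frag *f = frag_alloc(1, SIZE, NUM);
    if (!f)
        return -1;
    memset(vblk, 0xAA, sizeof vblk);
    for (rec = 0; rec < NUM; rec++)
        accepted += frag_add_checked(f, SIZE, rec, vblk);
    accepted += frag_add_checked(f, SIZE, NUM, vblk);      /* rec == num: rejected */
    accepted += frag_add_checked(f, SIZE, 0xFFFF, vblk);   /* huge index: rejected */
    accepted += frag_add_checked(f, SIZE, 2, vblk);        /* duplicate: rejected */
    free(f);
    return accepted;
}

int main(void)
{
    int rec;
    long long s, e;
    for (rec = 0; rec <= 4; rec++) {
        bool ok = frag_copy_fits(128, 4, rec, &s, &e);
        printf("size=128 num=4 rec=%d writes [%lld, %lld) of 512: %s\n",
               rec, s, e, ok ? "inside" : "OUT OF BOUNDS");
    }
    printf("accepted fragments: %d\n", demo_accepted());
    return 0;
}
```

With size=128 and num=4 the model places rec=3 at [352, 480), inside the 512 bytes allocated, while rec=4 lands at [464, 592) and runs 80 bytes past the end; any larger index moves the write further out by size-VBLK_SIZE_HEAD bytes per step. This is only the arithmetic of the quoted expression; whether the real function constrains `rec` elsewhere is exactly what Josh is asking for a patch to clarify.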