Bug 688021 (CVE-2011-1163) - CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
Summary: CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 688022 688023 688024 688025 688026
Blocks:
Reported: 2011-03-16 03:35 UTC by Eugene Teo (Security Response)
Modified: 2023-05-11 17:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 19:23:28 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0500 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-05-10 17:18:23 UTC
Red Hat Product Errata RHSA-2011:0542 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update 2011-05-19 11:58:07 UTC
Red Hat Product Errata RHSA-2011:0833 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-05-31 14:05:42 UTC
Red Hat Product Errata RHSA-2011:0883 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-06-21 23:52:55 UTC

Description Eugene Teo (Security Response) 2011-03-16 03:35:31 UTC
The kernel automatically evaluates partition tables of storage devices. 
The code for evaluating OSF partitions (in fs/partitions/osf.c) contains a
bug that leaks data from kernel heap memory to userspace for certain
corrupted OSF partitions.

In more detail (from Kernel 2.6.37 fs/partitions/osf.c):

(66)    for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where

    d_npartitions is read from the partition table without validation and
    partition is a pointer to an array of at most 8 d_partitions.

(70)        put_partition(state, slot,
(71)          le32_to_cpu(partition->p_offset),
(72)          le32_to_cpu(partition->p_size));

adds a partition based on data referenced by partition.  As partition may
point beyond the partition table data structure, p_offset and p_size are
read from kernel heap beyond the partition table.

In some cases, put_partition logs error messages to userspace including
the p_offset and p_size values.  Hence, some values from kernel heap are
leaked to userspace.

So validate the value of d_npartitions.

Reference:
http://www.spinics.net/lists/mm-commits/msg82737.html

Acknowledgements:

Red Hat would like to thank Timo Warns for reporting this issue.
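
An added example, not the kernel's code and not part of this report: a user-space model in C of the loop quoted above, with the unvalidated count beside a validated one that rejects the label when d_npartitions exceeds the 8-entry array. The struct layout, the four-entry "heap" area that follows the label, the sentinel values and the little-endian host are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#define MAX_OSF_PARTITIONS 8            /* array size named in the description */
struct osf_partition { uint32_t p_size, p_offset; };   /* assumed layout */
struct osf_label {                      /* assumed, trimmed to the fields used */
    uint16_t d_npartitions;             /* count read from disk, untrusted */
    struct osf_partition d_partitions[MAX_OSF_PARTITIONS];
};
struct sector {                         /* constructed image: label + what follows it */
    struct osf_label label;
    struct osf_partition heap[4];       /* stands in for neighbouring kernel heap */
};

/* validate == 0 mirrors the vulnerable loop: partition walks past d_partitions into
 * whatever follows.  validate != 0 rejects an out-of-range count before any read.
 * Returns the number of entries copied to out, or -1 if the label was rejected. */
static int osf_walk(const struct osf_label *label, int validate,
                    struct osf_partition *out, int out_max)
{
    const struct osf_partition *partition = label->d_partitions;
    uint16_t n = label->d_npartitions;  /* le16_to_cpu omitted: host assumed LE */
    int added = 0;
    if (validate && n > MAX_OSF_PARTITIONS)
        return -1;
    for (int i = 0; i < n && added < out_max; i++, partition++)
        out[added++] = *partition;      /* unchecked: may read beyond the table */
    return added;
}
static void build_image(struct sector *img, uint16_t claimed)
{
    memset(img, 0, sizeof *img);
    img->label.d_npartitions = claimed;
    for (int i = 0; i < MAX_OSF_PARTITIONS; i++)
        img->label.d_partitions[i].p_offset = 100u * (i + 1);
    for (int i = 0; i < 4; i++)         /* sentinel marks data beyond the table */
        img->heap[i].p_offset = 0xDEAD0000u + i;
}
/* Count of returned entries carrying the sentinel, i.e. read from beyond the
 * 8-entry table; -1 when the validated parser rejects the label. */
int count_leaked(uint16_t claimed, int validate)
{
    struct sector img;
    struct osf_partition out[16];
    int n, leaked = 0;
    build_image(&img, claimed);
    n = osf_walk(&img.label, validate, out, 16);
    for (int i = 0; i < n; i++)
        if ((out[i].p_offset & 0xFFFF0000u) == 0xDEAD0000u) leaked++;
    return n < 0 ? -1 : leaked;
}
```

With a label claiming 12 partitions, the unvalidated walk returns four entries taken from outside the table, which is the data put_partition would then echo in its messages; the validated walk returns -1 and reads nothing.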

Comment 3 Eugene Teo (Security Response) 2011-03-16 03:39:20 UTC
Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0833.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for
this issue is not currently planned to be included in future updates.

Comment 4 Vincent Danen 2011-03-17 17:14:40 UTC
Reporter's advisory is now available: http://www.pre-cert.de/advisories/PRE-SA-2011-02.txt

Comment 5 Eugene Teo (Security Response) 2011-03-22 08:05:03 UTC
Upstream commit:
http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05

Comment 6 Danny Feng 2011-03-28 08:37:14 UTC
(In reply to comment #5)
> Upstream commit:
> http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05

I remember someone reported a regression with this commit; we also need:
http://git.kernel.org/linus/34d211a2d5df4984a35b18d8ccacbe1d10abb067

Comment 7 errata-xmlrpc 2011-05-10 17:20:52 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

Comment 8 errata-xmlrpc 2011-05-19 11:58:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html

Comment 10 errata-xmlrpc 2011-05-31 14:06:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0833 https://rhn.redhat.com/errata/RHSA-2011-0833.html

Comment 11 errata-xmlrpc 2011-06-21 23:53:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html

