Bug 688021 (CVE-2011-1163)

Summary: CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: arozansk, bhu, davej, dfeng, dhoward, jkacur, jpirko, kernel-mgr, kmcmartin, lgoncalv, lwang, rt-maint, tcallawa, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-03-26 19:23:28 UTC
Bug Depends On: 688022, 688023, 688024, 688025, 688026

Description Eugene Teo (Security Response) 2011-03-16 03:35:31 UTC
The kernel automatically evaluates partition tables of storage devices.
The code for evaluating OSF partitions (in fs/partitions/osf.c) contains a
bug that leaks data from kernel heap memory to userspace for certain
corrupted OSF partitions.

In more detail (from Kernel 2.6.37 fs/partitions/osf.c):

    for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where

    d_npartitions is read from the partition table without validation and
    partition is a pointer to an array of at most 8 d_partitions.

        put_partition(state, slot,
          le32_to_cpu(partition->p_offset),
          le32_to_cpu(partition->p_size));

adds a partition based on data referenced by partition.  As partition may
point beyond the partition table data structure, p_offset and p_size are
read from kernel heap beyond the partition table.

In some cases, put_partition logs error messages to userspace including
the p_offset and p_size values.  Hence, some values from kernel heap are
leaked to userspace.

So validate the value of d_npartitions.

Reference:
http://www.spinics.net/lists/mm-commits/msg82737.html

Acknowledgements:

Red Hat would like to thank Timo Warns for reporting this issue.
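The over-read the description walks through, modelled in userspace as an added example (not the kernel's code or the reporter's): a simplified OSF label layout, the 2.6.37-style loop bounded only by d_npartitions, and beside it a parser that rejects out-of-range counts the way the upstream fix does. The label layout, the 512-byte buffer and the 0xAB filler standing in for heap contents are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Simplified, constructed model of the OSF disklabel as the 2.6.37 parser
 * sees it: d_npartitions (u16, little-endian) then a fixed array of 8
 * {p_size, p_offset} entries. Real labels carry more fields. */
#define MAX_OSF_PARTITIONS 8
#define ENTRY_SIZE 8
#define TABLE_BYTES (2 + MAX_OSF_PARTITIONS * ENTRY_SIZE)
#define SECTOR_BYTES 512

struct found { uint32_t offset, size; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Loop bound taken straight from the untrusted d_npartitions, as in 2.6.37.
 * The label sits at the start of a larger buffer, so entries 8 and up are
 * read from the bytes after the table: the stand-in for the kernel heap. */
static int parse_vulnerable(const uint8_t *buf, struct found *out, int max_out)
{
    int n = le16(buf), i;
    for (i = 0; i < n && i < max_out; i++) {
        const uint8_t *e = buf + 2 + i * ENTRY_SIZE;
        out[i].size = le32(e);
        out[i].offset = le32(e + 4);
    }
    return i;
}

/* Mirrors the upstream fix: reject a label whose d_npartitions exceeds the
 * array it indexes, so the entry pointer never leaves the table. */
static int parse_fixed(const uint8_t *buf, struct found *out, int max_out)
{
    if (le16(buf) > MAX_OSF_PARTITIONS) return -1;
    return parse_vulnerable(buf, out, max_out);
}

/* Constructed sample: label claims 12 partitions; 0xAB filler follows the table. */
static void build_sample(uint8_t *buf)
{
    memset(buf, 0, SECTOR_BYTES);
    buf[0] = 12;                                   /* d_npartitions = 12 */
    for (int i = 0; i < MAX_OSF_PARTITIONS; i++) {
        uint8_t *e = buf + 2 + i * ENTRY_SIZE;
        e[0] = 16; e[4] = (uint8_t)(i + 1);        /* size 16, offset i+1 */
    }
    memset(buf + TABLE_BYTES, 0xAB, SECTOR_BYTES - TABLE_BYTES);
}
```

With the sample label, the unbounded loop returns four entries whose offset and size are nothing but filler bytes, which is exactly what put_partition would have logged; the bounded parser refuses the label outright.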

Comment 3 Eugene Teo (Security Response) 2011-03-16 03:39:20 UTC
Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0833.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for this issue is not currently planned to be included in the future updates.

Comment 4 Vincent Danen 2011-03-17 17:14:40 UTC
Reporter's advisory is now available: http://www.pre-cert.de/advisories/PRE-SA-2011-02.txt

Comment 5 Eugene Teo (Security Response) 2011-03-22 08:05:03 UTC
Upstream commit:
http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05

Comment 6 Danny Feng 2011-03-28 08:37:14 UTC
(In reply to comment #5)
> Upstream commit:
> http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05

I remember someone reported a regression with this commit; we also need:
http://git.kernel.org/linus/34d211a2d5df4984a35b18d8ccacbe1d10abb067

Comment 7 errata-xmlrpc 2011-05-10 17:20:52 UTC
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html

Comment 8 errata-xmlrpc 2011-05-19 11:58:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html

Comment 10 errata-xmlrpc 2011-05-31 14:06:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0833 https://rhn.redhat.com/errata/RHSA-2011-0833.html

Comment 11 errata-xmlrpc 2011-06-21 23:53:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html