Bug 688021 - (CVE-2011-1163) CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All, OS: Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 688022 688023 688024 688025 688026
Reported: 2011-03-15 23:35 EDT by Eugene Teo (Security Response)
Modified: 2015-08-19 05:08 EDT
Doc Type: Bug Fix
Last Closed: 2013-03-26 15:23:28 EDT
Description Eugene Teo (Security Response) 2011-03-15 23:35:31 EDT
The kernel automatically evaluates partition tables of storage devices. 
The code for evaluating OSF partitions (in fs/partitions/osf.c) contains a
bug that leaks data from kernel heap memory to userspace for certain
corrupted OSF partitions.

In more detail (from Kernel 2.6.37 fs/partitions/osf.c):

(66)    for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where

    d_npartitions is read from the partition table without validation and
    partition is a pointer to an array of at most 8 d_partitions.

(70)        put_partition(state, slot,
(71)          le32_to_cpu(partition->p_offset),
(72)          le32_to_cpu(partition->p_size));

adds a partition based on data referenced by partition.  As partition may
point beyond the partition table data structure, p_offset and p_size are
read from kernel heap beyond the partition table.

In some cases, put_partition logs error messages to userspace including
the p_offset and p_size values.  Hence, some values from kernel heap are
leaked to userspace.

So validate the value of d_npartitions.



Red Hat would like to thank Timo Warns for reporting this issue.
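
Added example, not part of the original report or the kernel source: a user-space C model of the d_npartitions validation the description above asks for. The byte layout (a 2-byte little-endian count followed by 8 entries of p_size and p_offset) and the names parse_label, demo and MAX_OSF_PARTITIONS are assumptions made for illustration; the bound of 8 comes from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_OSF_PARTITIONS 8   /* array bound stated in the report */
#define ENTRY_SIZE 8           /* assumed entry layout: p_size, p_offset */
#define LABEL_SIZE (2 + MAX_OSF_PARTITIONS * ENTRY_SIZE)
struct part { uint32_t offset, size; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of non-empty partitions copied to out, or -1 when the
 * label is corrupt. A loop that trusts d_npartitions, as in the report,
 * would walk past entry 7 and read p_offset/p_size from adjacent memory. */
int parse_label(const uint8_t *label, size_t len, struct part *out)
{
    if (len < LABEL_SIZE) return -1;
    uint16_t npartitions = rd16(label);
    if (npartitions > MAX_OSF_PARTITIONS)   /* the missing validation */
        return -1;
    int found = 0;
    for (uint16_t i = 0; i < npartitions; i++) {
        const uint8_t *e = label + 2 + (size_t)i * ENTRY_SIZE;
        if (rd32(e) != 0)                   /* model choice: skip empty slots */
            out[found++] = (struct part){ rd32(e + 4), rd32(e) };
    }
    return found;
}

/* Constructed sample: a label with the given count and one populated entry. */
int demo(uint16_t npartitions)
{
    uint8_t label[LABEL_SIZE] = {0};
    struct part out[MAX_OSF_PARTITIONS];
    label[0] = (uint8_t)npartitions; label[1] = (uint8_t)(npartitions >> 8);
    label[3] = 0x10;                        /* entry 0: p_size = 0x1000 */
    label[6] = 0x40;                        /* entry 0: p_offset = 0x40 */
    return parse_label(label, sizeof label, out);
}

int main(void)
{
    printf("valid: %d, corrupt: %d\n", demo(2), demo(0xFFFF));
    return 0;
}
```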
Comment 3 Eugene Teo (Security Response) 2011-03-15 23:39:20 EDT

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0833.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for
this issue is not currently planned to be included in the future updates.
Comment 4 Vincent Danen 2011-03-17 13:14:40 EDT
Reporter's advisory is now available: http://www.pre-cert.de/advisories/PRE-SA-2011-02.txt
Comment 5 Eugene Teo (Security Response) 2011-03-22 04:05:03 EDT
Upstream commit:
http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
Comment 6 Danny Feng 2011-03-28 04:37:14 EDT
(In reply to comment #5)
> Upstream commit:
> http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05

I remember someone reported a regression with this commit; we also need:
Comment 7 errata-xmlrpc 2011-05-10 13:20:52 EDT
This issue has been addressed in the following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
Comment 8 errata-xmlrpc 2011-05-19 07:58:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html
Comment 10 errata-xmlrpc 2011-05-31 10:06:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0833 https://rhn.redhat.com/errata/RHSA-2011-0833.html
Comment 11 errata-xmlrpc 2011-06-21 19:53:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html