Bug 688021 (CVE-2011-1163) - CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
Summary: CVE-2011-1163 kernel: fs/partitions: Corrupted OSF partition table infoleak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 688022 688023 688024 688025 688026
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-16 03:35 UTC by Eugene Teo (Security Response)
Modified: 2021-02-24 16:18 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-26 19:23:28 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0500 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2011-05-10 17:18:23 UTC
Red Hat Product Errata RHSA-2011:0542 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 6.1 kernel security, bug fix and enhancement update 2011-05-19 11:58:07 UTC
Red Hat Product Errata RHSA-2011:0833 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-05-31 14:05:42 UTC
Red Hat Product Errata RHSA-2011:0883 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-06-21 23:52:55 UTC

Description Eugene Teo (Security Response) 2011-03-16 03:35:31 UTC 
The kernel automatically evaluates partition tables of storage devices. 
The code for evaluating OSF partitions (in fs/partitions/osf.c) contains a
bug that leaks data from kernel heap memory to userspace for certain
corrupted OSF partitions.

In more detail (from Kernel 2.6.37 fs/partition/osf.c):

(66)    for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where

    d_npartitions is read from the partition table without validation and
    partition is a pointer to an array of at most 8 d_partitions.

(70)        put_partition(state, slot,
(71)          le32_to_cpu(partition->p_offset),
(72)          le32_to_cpu(partition->p_size));

adds a partition based on data referenced by partition.  As partition may
point beyond the partition table data structure, p_offset and p_size are
read from kernel heap beyond the partition table.

In some cases, put_partition logs error messages to userspace including
the p_offset and p_size values.  Hence, some values from kernel heap are
leaked to userspace.

So validate the value of d_npartitions.

Reference:
http://www.spinics.net/lists/mm-commits/msg82737.html

Acknowledgements:

Red Hat would like to thank Timo Warns for reporting this issue.
Comment 3 Eugene Teo (Security Response) 2011-03-16 03:39:20 UTC 
Statement:

This has been addressed in Red Hat Enterprise Linux 5, 6, and Red Hat Enterprise MRG via https://rhn.redhat.com/errata/RHSA-2011-0833.html, https://rhn.redhat.com/errata/RHSA-2011-0542.html, and https://rhn.redhat.com/errata/RHSA-2011-0500.html. Red Hat Enterprise Linux 4 is now in Production 3 of the maintenance life-cycle, https://access.redhat.com/support/policy/updates/errata/, therefore the fix for
this issue is not currently planned to be included in the future updates.
Comment 4 Vincent Danen 2011-03-17 17:14:40 UTC 
Reporter's advisory is now available: http://www.pre-cert.de/advisories/PRE-SA-2011-02.txt
Comment 5 Eugene Teo (Security Response) 2011-03-22 08:05:03 UTC 
Upstream commit:
http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
Comment 6 Danny Feng 2011-03-28 08:37:14 UTC 
(In reply to comment #5)
> Upstream commit:
> http://git.kernel.org/linus/1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05

I remember someone report a regression with this commit, we also need:
http://git.kernel.org/linus/34d211a2d5df4984a35b18d8ccacbe1d10abb067
Comment 7 errata-xmlrpc 2011-05-10 17:20:52 UTC 
This issue has been addressed in following products:

  MRG for RHEL-5

Via RHSA-2011:0500 https://rhn.redhat.com/errata/RHSA-2011-0500.html
Comment 8 errata-xmlrpc 2011-05-19 11:58:55 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0542 https://rhn.redhat.com/errata/RHSA-2011-0542.html
Comment 10 errata-xmlrpc 2011-05-31 14:06:11 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0833 https://rhn.redhat.com/errata/RHSA-2011-0833.html
Comment 11 errata-xmlrpc 2011-06-21 23:53:24 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6.0.Z - Server Only

Via RHSA-2011:0883 https://rhn.redhat.com/errata/RHSA-2011-0883.html
Note You need to log in before you can comment on or make changes to this bug.