Sophie: kernel-2.6.18-238.19.1.el5.centos.plus src

kernel-2.6.18-238.19.1.el5.centos.plus.src.rpm

From: Jerome Marchand <jmarchan@redhat.com>
Date: Mon, 18 Apr 2011 14:01:51 -0400
Subject: [fs] fix corrupted GUID partition table kernel oops
Message-id: <4DAC444F.70709@redhat.com>
Patchwork-id: 4568
O-Subject: [kernel team] [PATCH RHEL5] CVE-2011-1577: corrupted GUID partition
 tables can cause kernel oops
Bugzilla: 695980
CVE: CVE-2011-1577

Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=695980

Description (from -mm):

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
a bug that causes a kernel oops on certain corrupted GUID partition
tables.

This bug has security impacts, because it allows, for example, to
prepare a storage device that crashes a kernel subsystem upon connecting
the device (e.g., a "USB Stick of (Partial) Death").

	crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->head
er_size));

computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
There is no validation of (*gpt)->header_size before the efi_crc32 call.

A corrupted partition table may have large values for (*gpt)->header_size.
 In this case, the CRC32 computation access memory beyond the memory
allocated for gpt, which may cause a kernel heap overflow.

Validate value of GUID partition table header size.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: Matt Domsch <Matt_Domsch@dell.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

This backport is slighty different from upstream because in RHEL5 the
logical block size is fixed (512 bytes).

Upstream status:
In -mm tree.

Test status:
I tested that with this patch applied, kernel does not longer crash when
it encounters a corrupted GPT header.

Regards,
Jerome


diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c
index 6373028..38833b2 100644
--- a/fs/partitions/efi.c
+++ b/fs/partitions/efi.c
@@ -315,6 +315,13 @@ is_gpt_valid(struct block_device *bdev, u64 lba,
 		goto fail;
 	}
 
+	/* Check the GUID Partition Table header size */
+	if (le32_to_cpu((*gpt)->header_size) > GPT_BLOCK_SIZE) {
+		pr_debug("GUID Partition Table Header size is wrong: %u > %u\n",
+			 le32_to_cpu((*gpt)->header_size), GPT_BLOCK_SIZE);
+		goto fail;
+	}
+
 	/* Check the GUID Partition Table CRC */
 	origcrc = le32_to_cpu((*gpt)->header_crc32);
 	(*gpt)->header_crc32 = 0;