From: Jerome Marchand <jmarchan@redhat.com> Date: Mon, 18 Apr 2011 14:01:51 -0400 Subject: [fs] fix corrupted GUID partition table kernel oops Message-id: <4DAC444F.70709@redhat.com> Patchwork-id: 4568 O-Subject: [kernel team] [PATCH RHEL5] CVE-2011-1577: corrupted GUID partition tables can cause kernel oops Bugzilla: 695980 CVE: CVE-2011-1577 Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=695980 Description (from -mm): The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables. This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death"). crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->head er_size)); computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call. A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation access memory beyond the memory allocated for gpt, which may cause a kernel heap overflow. Validate value of GUID partition table header size. Signed-off-by: Timo Warns <warns@pre-sense.de> Cc: Matt Domsch <Matt_Domsch@dell.com> Cc: Eugene Teo <eugeneteo@kernel.sg> Cc: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> This backport is slighty different from upstream because in RHEL5 the logical block size is fixed (512 bytes). Upstream status: In -mm tree. Test status: I tested that with this patch applied, kernel does not longer crash when it encounters a corrupted GPT header. Regards, Jerome diff --git a/fs/partitions/efi.c b/fs/partitions/efi.c index 6373028..38833b2 100644 --- a/fs/partitions/efi.c +++ b/fs/partitions/efi.c @@ -315,6 +315,13 @@ is_gpt_valid(struct block_device *bdev, u64 lba, goto fail; } + /* Check the GUID Partition Table header size */ + if (le32_to_cpu((*gpt)->header_size) > GPT_BLOCK_SIZE) { + pr_debug("GUID Partition Table Header size is wrong: %u > %u\n", + le32_to_cpu((*gpt)->header_size), GPT_BLOCK_SIZE); + goto fail; + } + /* Check the GUID Partition Table CRC */ origcrc = le32_to_cpu((*gpt)->header_crc32); (*gpt)->header_crc32 = 0;