		
	CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)
		
							parent
							
								
									8b409de043
								
							
						
					
					
						commit
						761de8d1ef
					
				| @ -707,6 +707,9 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch | ||||
| 
 | ||||
| Patch25142: 0001-staging-imx-drm-Fix-modular-build-of-DRM_IMX_IPUV3.patch | ||||
| 
 | ||||
| #CVE-2013-6382 rhbz 1033603 1034670 | ||||
| Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch | ||||
| 
 | ||||
| # END OF PATCH DEFINITIONS | ||||
| 
 | ||||
| %endif | ||||
| @ -1380,6 +1383,9 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch | ||||
| 
 | ||||
| ApplyPatch 0001-staging-imx-drm-Fix-modular-build-of-DRM_IMX_IPUV3.patch | ||||
| 
 | ||||
| #CVE-2013-6382 rhbz 1033603 1034670 | ||||
| ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch | ||||
| 
 | ||||
| # END OF PATCH APPLICATIONS | ||||
| 
 | ||||
| %endif | ||||
| @ -2192,6 +2198,9 @@ fi | ||||
| #                                    ||----w | | ||||
| #                                    ||     || | ||||
| %changelog | ||||
| * Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org> | ||||
| - CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) | ||||
| 
 | ||||
| * Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org> - 3.13.0-0.rc1.git2.1 | ||||
| - Linux v3.13-rc1-85-g7e3528c | ||||
| 
 | ||||
|  | ||||
							
								
								
									
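--- /dev/null
+++ b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -0,0 +1,149 @@
+Bugzilla: 1033603
+Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
+
+Path: news.gmane.org!not-for-mail
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Newsgroups: gmane.comp.file-systems.xfs.general
+Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Date: Thu, 31 Oct 2013 21:00:10 +0300
+Lines: 43
+Approved: news@gmane.org
+Message-ID: <20131031180010.GA24839@longonot.mountain>
+References: <20131025144452.GA28451@ngolde.de>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: text/plain; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
+Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
+	Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
+To: Ben Myers <bpm@sgi.com>
+Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
+Return-path: <xfs-bounces@oss.sgi.com>
+Envelope-to: sgi-linux-xfs@gmane.org
+Original-Received: from oss.sgi.com ([192.48.182.195])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <xfs-bounces@oss.sgi.com>)
+	id 1Vbwag-0001Ow-Sv
+	for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
+Original-Received: from oss.sgi.com (localhost [IPv6:::1])
+	by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
+	Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
+X-Spam-Level: 
+X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
+	autolearn=ham version=3.3.1
+X-Original-To: xfs@oss.sgi.com
+Delivered-To: xfs@oss.sgi.com
+Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
+	by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
+	for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
+Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
+	by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
+	for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
+X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
+Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
+	cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
+	cipher=AES256-SHA bits=256 verify=NO);
+	Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
+X-Barracuda-Envelope-From: dan.carpenter@oracle.com
+X-Barracuda-Apparent-Source-IP: 156.151.31.81
+Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
+	by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
+	ESMTP id r9VI3AZn009606
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
+	Thu, 31 Oct 2013 18:03:11 GMT
+Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
+	by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+	r9VI39qG016923
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
+	Thu, 31 Oct 2013 18:03:10 GMT
+Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
+	by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+	r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
+Original-Received: from longonot.mountain (/105.160.144.228)
+	by default (Oracle Beehive Gateway v4.0)
+	with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
+X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Content-Disposition: inline
+In-Reply-To: <20131025144452.GA28451@ngolde.de>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Source-IP: acsinet22.oracle.com [141.146.126.238]
+X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
+X-Barracuda-Start-Time: 1383242600
+X-Barracuda-Encrypted: AES256-SHA
+X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
+X-Virus-Scanned: by bsmtpd at sgi.com
+X-Barracuda-BRTS-Status: 1
+X-Barracuda-Spam-Score: 0.00
+X-Barracuda-Spam-Status: No,
+	SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
+	QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
+X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
+	Rule breakdown below
+	pts rule name              description
+	---- ----------------------
+	--------------------------------------------------
+	0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
+	lines
+X-BeenThere: xfs@oss.sgi.com
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
+List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
+	<mailto:xfs-request@oss.sgi.com?subject=unsubscribe>
+List-Archive: <http://oss.sgi.com/pipermail/xfs>
+List-Post: <mailto:xfs@oss.sgi.com>
+List-Help: <mailto:xfs-request@oss.sgi.com?subject=help>
+List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
+	<mailto:xfs-request@oss.sgi.com?subject=subscribe>
+Errors-To: xfs-bounces@oss.sgi.com
+Original-Sender: xfs-bounces@oss.sgi.com
+Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
+Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
+
+If we allocate less than sizeof(struct attrlist) then we end up
+corrupting memory or doing a ZERO_PTR_SIZE dereference.
+
+This can only be triggered with CAP_SYS_ADMIN.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 4d61340..33ad9a7 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
+ 		return -XFS_ERROR(EPERM);
+ 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
++	if (al_hreq.buflen < sizeof(struct attrlist) ||
++	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index e8fb123..a7992f8 100644
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
+ 	if (copy_from_user(&al_hreq, arg,
+ 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
++	if (al_hreq.buflen < sizeof(struct attrlist) ||
++	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+
+_______________________________________________
+xfs mailing list
+xfs@oss.sgi.com
+http://oss.sgi.com/mailman/listinfo/xfs
+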
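Review bot: The new lower bound on `al_hreq.buflen` is added without a comment in both embedded hunks, so nothing at the check itself says why `sizeof(struct attrlist)` is the minimum. The patch description gives the reason, and a comment above the `if` in xfs_attrlist_by_handle() would keep it next to the code, for example `/* a buffer smaller than struct attrlist would be corrupted or be ZERO_SIZE_PTR */`. The same two-line condition is repeated verbatim in xfs_compat_attrlist_by_handle() in fs/xfs/xfs_ioctl32.c, so a shared helper or macro for the range check would keep the native and compat ioctl paths from diverging. Both functions begin and end outside their hunks, so the allocation sized by `buflen` and the CAP_SYS_ADMIN gate the description relies on are not visible here and should be confirmed against the tree. Since the patch header records the upstream status as "Submitted but not queued", this carried patch should be re-checked against upstream on the next rebase.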