From 761de8d1ef0e1cb1d370987d8d6485132b52b22c Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Tue, 26 Nov 2013 12:20:03 -0500
Subject: [PATCH] CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)

---
 kernel.spec | 9 ++
 ...erflow-bug-in-xfs_attrlist_by_handle.patch | 149 ++++++++++++++++++
 2 files changed, 158 insertions(+)
 create mode 100644 xfs-underflow-bug-in-xfs_attrlist_by_handle.patch

diff --git a/kernel.spec b/kernel.spec
index 61554e07b..760bf06eb 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -707,6 +707,9 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
 
 Patch25142: 0001-staging-imx-drm-Fix-modular-build-of-DRM_IMX_IPUV3.patch
 
+#CVE-2013-6382 rhbz 1033603 1034670
+Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -1380,6 +1383,9 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
 
 ApplyPatch 0001-staging-imx-drm-Fix-modular-build-of-DRM_IMX_IPUV3.patch
 
+#CVE-2013-6382 rhbz 1033603 1034670
+ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2192,6 +2198,9 @@ fi
 # ||----w |
 # || ||
 %changelog
+* Tue Nov 26 2013 Josh Boyer
+- CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)
+
 * Mon Nov 25 2013 Josh Boyer - 3.13.0-0.rc1.git2.1
 - Linux v3.13-rc1-85-g7e3528c
 
diff --git a/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
new file mode 100644
index 000000000..6c7f60dd9
--- /dev/null
+++ b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -0,0 +1,149 @@
+Bugzilla: 1033603
+Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
+
+Path: news.gmane.org!not-for-mail
+From: Dan Carpenter
+Newsgroups: gmane.comp.file-systems.xfs.general
+Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Date: Thu, 31 Oct 2013 21:00:10 +0300
+Lines: 43
+Approved: news@gmane.org
+Message-ID: <20131031180010.GA24839@longonot.mountain>
+References: <20131025144452.GA28451@ngolde.de>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: text/plain; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
+Cc: Fabian Yamaguchi , security@kernel.org,
+ Alex Elder , Nico Golde , xfs@oss.sgi.com
+To: Ben Myers
+Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
+Return-path:
+Envelope-to: sgi-linux-xfs@gmane.org
+Original-Received: from oss.sgi.com ([192.48.182.195])
+ by plane.gmane.org with esmtp (Exim 4.69)
+ (envelope-from )
+ id 1Vbwag-0001Ow-Sv
+ for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
+Original-Received: from oss.sgi.com (localhost [IPv6:::1])
+ by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
+ Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
+X-Spam-Level:
+X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
+ autolearn=ham version=3.3.1
+X-Original-To: xfs@oss.sgi.com
+Delivered-To: xfs@oss.sgi.com
+Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
+ by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
+ for ; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
+Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
+ by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
+ for ; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
+X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
+Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
+ cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
+ cipher=AES256-SHA bits=256 verify=NO);
+ Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
+X-Barracuda-Envelope-From: dan.carpenter@oracle.com
+X-Barracuda-Apparent-Source-IP: 156.151.31.81
+Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
+ by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
+ ESMTP id r9VI3AZn009606
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
+ Thu, 31 Oct 2013 18:03:11 GMT
+Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
+ by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+ r9VI39qG016923
+ (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
+ Thu, 31 Oct 2013 18:03:10 GMT
+Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
+ by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+ r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
+Original-Received: from longonot.mountain (/105.160.144.228)
+ by default (Oracle Beehive Gateway v4.0)
+ with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
+X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Content-Disposition: inline
+In-Reply-To: <20131025144452.GA28451@ngolde.de>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Source-IP: acsinet22.oracle.com [141.146.126.238]
+X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
+X-Barracuda-Start-Time: 1383242600
+X-Barracuda-Encrypted: AES256-SHA
+X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
+X-Virus-Scanned: by bsmtpd at sgi.com
+X-Barracuda-BRTS-Status: 1
+X-Barracuda-Spam-Score: 0.00
+X-Barracuda-Spam-Status: No,
+ SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
+ QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
+X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
+ Rule breakdown below
+ pts rule name description
+ ---- ----------------------
+ --------------------------------------------------
+ 0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
+ lines
+X-BeenThere: xfs@oss.sgi.com
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: XFS Filesystem from SGI
+List-Unsubscribe: ,
+
+List-Archive:
+List-Post:
+List-Help:
+List-Subscribe: ,
+
+Errors-To: xfs-bounces@oss.sgi.com
+Original-Sender: xfs-bounces@oss.sgi.com
+Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
+Archived-At:
+
+If we allocate less than sizeof(struct attrlist) then we end up
+corrupting memory or doing a ZERO_PTR_SIZE dereference.
+
+This can only be triggered with CAP_SYS_ADMIN.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 4d61340..33ad9a7 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
+ return -XFS_ERROR(EPERM);
+ if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+ 
+ /*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index e8fb123..a7992f8 100644
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
+ if (copy_from_user(&al_hreq, arg,
+ sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ return -XFS_ERROR(EFAULT);
+- if (al_hreq.buflen > XATTR_LIST_MAX)
++ if (al_hreq.buflen < sizeof(struct attrlist) ||
++ al_hreq.buflen > XATTR_LIST_MAX)
+ return -XFS_ERROR(EINVAL);
+ 
+ /*
+
+_______________________________________________
+xfs mailing list
+xfs@oss.sgi.com
+http://oss.sgi.com/mailman/listinfo/xfs
+
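Review bot: The new lower bound `al_hreq.buflen < sizeof(struct attrlist)` in xfs_attrlist_by_handle() and xfs_compat_attrlist_by_handle() carries no comment, and the allocation it protects is outside the hunk, so a reader of the check alone sees an unexplained minimum; a one-line comment above it such as `/* need room for at least the attrlist header: a smaller allocation is ZERO_SIZE_PTR or gets overrun (CVE-2013-6382) */` would tie it to the description. The description writes "ZERO_PTR_SIZE", which appears to be a transposition of the kernel macro ZERO_SIZE_PTR that the outer Subject line spells correctly. The same two-line check is now duplicated verbatim in xfs_ioctl.c and xfs_ioctl32.c, so any later adjustment of the bounds has to be made twice; a small shared validation helper would keep them aligned, though that is beyond a minimal CVE fix. Both enclosing functions start and end outside the hunk, and the header marks the patch "Submitted but not queued" upstream, so the spec should be revisited once the upstream commit lands so this copy can be replaced or dropped.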