** Changed in: linux (Ubuntu Maverick) Status: In Progress => Fix Committed
** Description changed:

+ The osf_partition function in fs/partitions/osf.c in the Linux kernel
+ before 2.6.38 does not properly handle an invalid number of partitions,
+ which might allow local users to obtain potentially sensitive
+ information from kernel heap memory via vectors related to partition-
+ table parsing.
+ Fixed-by: 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
-
- commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
- Author: Timo Warns <wa...@pre-sense.de>
- Date: Mon Mar 14 14:59:33 2011 +0100
-
- Fix corrupted OSF partition table parsing
-
- The kernel automatically evaluates partition tables of storage devices.
- The code for evaluating OSF partitions contains a bug that leaks data
- from kernel heap memory to userspace for certain corrupted OSF
- partitions.
-
- In more detail:
-
- for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
-
- iterates from 0 to d_npartitions - 1, where d_npartitions is read from
- the partition table without validation and partition is a pointer to an
- array of at most 8 d_partitions.
-
- Add the proper and obvious validation.
-
- Signed-off-by: Timo Warns <wa...@pre-sense.de>
- Cc: sta...@kernel.org
- [ Changed the patch trivially to not repeat the whole le16_to_cpu()
- thing, and to use an explicit constant for the magic value '8' ]
- Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>

--
https://bugs.launchpad.net/bugs/796606

Title:
  CVE-2011-1163
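
The bounds problem described in the commit message above, as an added user-space example that is not part of the original notification and is not the kernel's code. The byte layout of the label and the names `parse_label`, `unchecked_span`, `MAX_PARTS`, `HDR_BYTES` and `ENTRY_BYTES` are assumptions made for illustration; only the 16-bit on-disk count and the limit of 8 entries come from the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PARTS   8  /* page: "an array of at most 8 d_partitions" */
#define HDR_BYTES   2  /* constructed layout: le16 partition count */
#define ENTRY_BYTES 8  /* constructed layout: le32 size, le32 offset */

struct part { uint32_t size, offset; };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return rd16(p) | ((uint32_t)rd16(p + 2) << 16);
}
/* Bytes a loop bounded only by the on-disk count would walk over. */
size_t unchecked_span(const uint8_t *label) {
    return HDR_BYTES + (size_t)rd16(label) * ENTRY_BYTES;
}

/* Validated parse: returns slots stored in out[], or -1 for a corrupt label. */
int parse_label(const uint8_t *label, size_t len, struct part out[MAX_PARTS]) {
    if (len < HDR_BYTES)
        return -1;
    uint16_t n = rd16(label);              /* read the count once */
    if (n > MAX_PARTS)                     /* reject, do not trust or clamp */
        return -1;
    if (len < HDR_BYTES + (size_t)n * ENTRY_BYTES)
        return -1;                         /* table must fit in the buffer */
    int used = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = label + HDR_BYTES + (size_t)i * ENTRY_BYTES;
        struct part p = { rd32(e), rd32(e + 4) };
        if (p.size)                        /* skip empty slots */
            out[used++] = p;
    }
    return used;
}

/* Constructed sample labels: one sane, one with a corrupted count. */
const uint8_t good_label[HDR_BYTES + 2 * ENTRY_BYTES] = {
    2, 0,  0x00, 0x10, 0, 0,  0x40, 0, 0, 0 };  /* size 4096, offset 64; slot 2 empty */
const uint8_t bad_label[HDR_BYTES + MAX_PARTS * ENTRY_BYTES] = { 0xff, 0xff };

int main(void) {
    struct part out[MAX_PARTS];
    printf("good: %d\n", parse_label(good_label, sizeof good_label, out));
    printf("bad:  %d, unchecked span %zu of %zu bytes\n", parse_label(bad_label,
           sizeof bad_label, out), unchecked_span(bad_label), sizeof bad_label);
    return 0;
}
```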