** Changed in: linux (Ubuntu Maverick)
       Status: In Progress => Fix Committed

** Description changed:

+ The osf_partition function in fs/partitions/osf.c in the Linux kernel
+ before 2.6.38 does not properly handle an invalid number of partitions,
+ which might allow local users to obtain potentially sensitive
+ information from kernel heap memory via vectors related to partition-
+ table parsing.
+ 
  Fixed-by: 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
- 
-   commit 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05
-   Author: Timo Warns <wa...@pre-sense.de>
-   Date:   Mon Mar 14 14:59:33 2011 +0100
- 
-     Fix corrupted OSF partition table parsing
-     
-     The kernel automatically evaluates partition tables of storage devices.
-     The code for evaluating OSF partitions contains a bug that leaks data
-     from kernel heap memory to userspace for certain corrupted OSF
-     partitions.
-     
-     In more detail:
-     
-       for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
-     
-     iterates from 0 to d_npartitions - 1, where d_npartitions is read from
-     the partition table without validation and partition is a pointer to an
-     array of at most 8 d_partitions.
-     
-     Add the proper and obvious validation.
-     
-     Signed-off-by: Timo Warns <wa...@pre-sense.de>
-     Cc: sta...@kernel.org
-     [ Changed the patch trivially to not repeat the whole le16_to_cpu()
-       thing, and to use an explicit constant for the magic value '8' ]
-     Signed-off-by: Linus Torvalds <torva...@linux-foundation.org>

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/796606

Title:
  CVE-2011-1163

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/796606/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
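
The bounds check described in the removed commit message, as an added example; it is not the kernel's code or part of the original notification. The struct layout, the name `MAX_PARTS` and the helper functions are assumptions made for illustration, and the sample labels are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PARTS 8   /* capacity of d_partitions per the commit message; name is this example's */

/* Simplified stand-in for the on-disk label: only what the loop touches. */
struct part  { uint32_t p_size; uint32_t p_offset; };
struct label { uint8_t d_npartitions[2];       /* little-endian, read from disk */
               struct part d_partitions[MAX_PARTS]; };

/* Build a constructed sample label claiming n entries, each of size 100. */
struct label make_label(uint16_t n)
{
    struct label l;
    memset(&l, 0, sizeof l);
    l.d_npartitions[0] = (uint8_t)(n & 0xff);
    l.d_npartitions[1] = (uint8_t)(n >> 8);
    for (int i = 0; i < MAX_PARTS; i++)
        l.d_partitions[i].p_size = 100;
    return l;
}

/* Returns the number of non-empty partitions walked, or -1 when the label
 * claims more entries than the array holds. Without this check the loop
 * would index past d_partitions and read adjacent memory. */
int count_partitions(const struct label *l)
{
    unsigned n = l->d_npartitions[0] | (unsigned)l->d_npartitions[1] << 8;
    int found = 0;

    if (n > MAX_PARTS)
        return -1;                 /* corrupted table: refuse to walk it */
    for (unsigned i = 0; i < n; i++)
        if (l->d_partitions[i].p_size != 0)
            found++;
    return found;
}

int main(void)
{
    struct label ok = make_label(8), bad = make_label(0xffff);
    printf("valid label:     %d\n", count_partitions(&ok));
    printf("corrupted label: %d\n", count_partitions(&bad));
    return 0;
}
```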
