git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Timo Warns <Warns@pre-sense.de>
	Thu, 26 May 2011 23:25:57 +0000 (16:25 -0700)
committer	Paul Gortmaker <paul.gortmaker@windriver.com>
	Wed, 14 Mar 2012 14:58:04 +0000 (10:58 -0400)
commit	f875dea27cc5e837d9db340269e0d0126303f1fb
tree	3e8f653c5ca7a32015828411bb55f0510251ecc2	tree \| snapshot
parent	e1ca28e57055949c9e644e7bb77f218849aac2be	commit \| diff

fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops

commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream.

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
a bug that causes a kernel oops on certain corrupted GUID partition
tables.

This bug has security impacts, because it allows, for example, to
prepare a storage device that crashes a kernel subsystem upon connecting
the device (e.g., a "USB Stick of (Partial) Death").

crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));

computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
There is no validation of (*gpt)->header_size before the efi_crc32 call.

A corrupted partition table may have large values for (*gpt)->header_size.
In this case, the CRC32 computation access memory beyond the memory
allocated for gpt, which may cause a kernel heap overflow.

Validate value of GUID partition table header size.

[akpm@linux-foundation.org: fix layout and indenting]
[PG: replace state->bdev with bdev, since 1493bf217f7f isn't in 34]

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: Matt Domsch <Matt_Domsch@dell.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>