CVE-2010-4163 CVE-2010-4668: panic when submitting 0-length I/O requests
This commit is contained in:
parent
5bd23aa290
commit
16efe059d7
|
@ -0,0 +1,38 @@
|
|||
From: Xiaotian Feng <dfeng@redhat.com>
|
||||
Date: Mon, 29 Nov 2010 09:03:55 +0000 (+0100)
|
||||
Subject: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
|
||||
X-Git-Tag: v2.6.37-rc7~10^2~5
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=54787556
|
||||
|
||||
block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
|
||||
|
||||
commit 9284bcf checks for proper length of iov entries in
|
||||
blk_rq_map_user_iov(). But if the map is unaligned, kernel
|
||||
will break out the loop without checking for the proper length.
|
||||
So we need to check the proper length before the unalign check.
|
||||
|
||||
Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
|
||||
---
|
||||
|
||||
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||
index 5d5dbe4..e663ac2 100644
|
||||
--- a/block/blk-map.c
|
||||
+++ b/block/blk-map.c
|
||||
@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
for (i = 0; i < iov_count; i++) {
|
||||
unsigned long uaddr = (unsigned long)iov[i].iov_base;
|
||||
|
||||
+ if (!iov[i].iov_len)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
if (uaddr & queue_dma_alignment(q)) {
|
||||
unaligned = 1;
|
||||
break;
|
||||
}
|
||||
- if (!iov[i].iov_len)
|
||||
- return -EINVAL;
|
||||
}
|
||||
|
||||
if (unaligned || (q->dma_pad_mask & len) || map_data)
|
|
@ -0,0 +1,29 @@
|
|||
From: Jens Axboe <jaxboe@fusionio.com>
|
||||
Date: Fri, 29 Oct 2010 14:10:18 +0000 (-0600)
|
||||
Subject: block: check for proper length of iov entries in blk_rq_map_user_iov()
|
||||
X-Git-Tag: v2.6.37-rc4~22^2~17
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9284bcf
|
||||
|
||||
block: check for proper length of iov entries in blk_rq_map_user_iov()
|
||||
|
||||
Ensure that we pass down properly validated iov segments before
|
||||
calling into the mapping or copy functions.
|
||||
|
||||
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Cc: stable@kernel.org
|
||||
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
|
||||
---
|
||||
|
||||
diff --git a/block/blk-map.c b/block/blk-map.c
|
||||
index d4a586d..5d5dbe4 100644
|
||||
--- a/block/blk-map.c
|
||||
+++ b/block/blk-map.c
|
||||
@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
|
||||
unaligned = 1;
|
||||
break;
|
||||
}
|
||||
+ if (!iov[i].iov_len)
|
||||
+ return -EINVAL;
|
||||
}
|
||||
|
||||
if (unaligned || (q->dma_pad_mask & len) || map_data)
|
15
kernel.spec
15
kernel.spec
|
@ -908,7 +908,12 @@ Patch13921: can-bcm-fix-minor-heap-overflow.patch
|
|||
Patch13922: patch-2.6.38-afpacket-vmalloc.patch
|
||||
|
||||
# rhbz#662344
|
||||
Patch12922: fs-call-security_d_instantiate-in-d_obtain_alias.patch
|
||||
Patch13923: fs-call-security_d_instantiate-in-d_obtain_alias.patch
|
||||
|
||||
# CVE-2010-4163
|
||||
Patch13924: block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
|
||||
# CVE-2010-4668
|
||||
Patch13925: block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1743,6 +1748,11 @@ ApplyPatch patch-2.6.38-afpacket-vmalloc.patch
|
|||
# rhbz#662344
|
||||
ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch
|
||||
|
||||
# CVE-2010-4163
|
||||
ApplyPatch block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
|
||||
# CVE-2010-4668
|
||||
ApplyPatch block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2364,6 +2374,9 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Jan 10 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- CVE-2010-4163 CVE-2010-4668: panic when submitting 0-length I/O requests
|
||||
|
||||
* Sat Dec 18 2010 Kyle McMartin <kyle@redhat.com>
|
||||
- Fix SELinux issues with NFS/btrfs and/or xfsdump. (#662344)
|
||||
|
||||
|
|
Loading…
Reference in New Issue