CVE-2010-4163 CVE-2010-4668: panic when submitting 0-length I/O requests

block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch

@@ -0,0 +1,38 @@
+From: Xiaotian Feng <dfeng@redhat.com>
+Date: Mon, 29 Nov 2010 09:03:55 +0000 (+0100)
+Subject: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+X-Git-Tag: v2.6.37-rc7~10^2~5
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=54787556
+
+block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+
+commit 9284bcf checks for proper length of iov entries in
+blk_rq_map_user_iov(). But if the map is unaligned, kernel
+will break out the loop without checking for the proper length.
+So we need to check the proper length before the unalign check.
+
+Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
+Cc: stable@kernel.org
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+---
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 5d5dbe4..e663ac2 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 	for (i = 0; i < iov_count; i++) {
+ 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
+ 
++		if (!iov[i].iov_len)
++			return -EINVAL;
++
+ 		if (uaddr & queue_dma_alignment(q)) {
+ 			unaligned = 1;
+ 			break;
+ 		}
+-		if (!iov[i].iov_len)
+-			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len) || map_data)

block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch

@@ -0,0 +1,29 @@
+From: Jens Axboe <jaxboe@fusionio.com>
+Date: Fri, 29 Oct 2010 14:10:18 +0000 (-0600)
+Subject: block: check for proper length of iov entries in blk_rq_map_user_iov()
+X-Git-Tag: v2.6.37-rc4~22^2~17
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=9284bcf
+
+block: check for proper length of iov entries in blk_rq_map_user_iov()
+
+Ensure that we pass down properly validated iov segments before
+calling into the mapping or copy functions.
+
+Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Cc: stable@kernel.org
+Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
+---
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index d4a586d..5d5dbe4 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 			unaligned = 1;
+ 			break;
+ 		}
++		if (!iov[i].iov_len)
++			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len) || map_data)

kernel.spec

@@ -908,7 +908,12 @@ Patch13921: can-bcm-fix-minor-heap-overflow.patch
 Patch13922: patch-2.6.38-afpacket-vmalloc.patch 
 
 # rhbz#662344
-Patch12922: fs-call-security_d_instantiate-in-d_obtain_alias.patch
+Patch13923: fs-call-security_d_instantiate-in-d_obtain_alias.patch
+
+# CVE-2010-4163
+Patch13924: block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
+# CVE-2010-4668
+Patch13925: block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
 
 %endif
 
@@ -1743,6 +1748,11 @@ ApplyPatch patch-2.6.38-afpacket-vmalloc.patch
 # rhbz#662344
 ApplyPatch fs-call-security_d_instantiate-in-d_obtain_alias.patch
 
+# CVE-2010-4163
+ApplyPatch block-check-for-proper-length-of-iov-entries-in-blk_rq_map_user_iov.patch
+# CVE-2010-4668
+ApplyPatch block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2364,6 +2374,9 @@ fi
 
 
 %changelog
+* Mon Jan 10 2011 Chuck Ebbert <cebbert@redhat.com>
+- CVE-2010-4163 CVE-2010-4668: panic when submitting 0-length I/O requests
+
 * Sat Dec 18 2010 Kyle McMartin <kyle@redhat.com>
 - Fix SELinux issues with NFS/btrfs and/or xfsdump. (#662344)