CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)

2013-11-26 12:20:03 -05:00 · 2013-11-26 12:20:03 -05:00 · c3ad71cb77
commit c3ad71cb77
parent df86f70991
2 changed files with 158 additions and 0 deletions
--- a/kernel.spec
+++ b/kernel.spec
@ -827,6 +827,9 @@ Patch25155: libertas-potential-oops-in-debugfs.patch
 #CVE-2013-6380 rhbz 1033593 1034304
 Patch25156: aacraid-prevent-invalid-pointer-dereference.patch

+#CVE-2013-6382 rhbz 1033603 1034670
+Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
 # END OF PATCH DEFINITIONS

 %endif
@ -1612,6 +1615,9 @@ ApplyPatch libertas-potential-oops-in-debugfs.patch
 #CVE-2013-6380 rhbz 1033593 1034304
 ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch

+#CVE-2013-6382 rhbz 1033603 1034670
+ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
 # END OF PATCH APPLICATIONS

 %endif
@ -2414,6 +2420,9 @@ fi
 #                 ||----w |
 #                 ||     ||
 %changelog
+* Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)
+
 * Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org>
 - CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
 - CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)
--- a/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+++ b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@ -0,0 +1,149 @@
+Bugzilla: 1033603
+Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
+
+Path: news.gmane.org!not-for-mail
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Newsgroups: gmane.comp.file-systems.xfs.general
+Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Date: Thu, 31 Oct 2013 21:00:10 +0300
+Lines: 43
+Approved: news@gmane.org
+Message-ID: <20131031180010.GA24839@longonot.mountain>
+References: <20131025144452.GA28451@ngolde.de>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: text/plain; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
+X-Complaints-To: usenet@ger.gmane.org
+NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
+Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
+	Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
+To: Ben Myers <bpm@sgi.com>
+Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
+Return-path: <xfs-bounces@oss.sgi.com>
+Envelope-to: sgi-linux-xfs@gmane.org
+Original-Received: from oss.sgi.com ([192.48.182.195])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <xfs-bounces@oss.sgi.com>)
+	id 1Vbwag-0001Ow-Sv
+	for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
+Original-Received: from oss.sgi.com (localhost [IPv6:::1])
+	by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
+	Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
+X-Spam-Level: 
+X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
+	autolearn=ham version=3.3.1
+X-Original-To: xfs@oss.sgi.com
+Delivered-To: xfs@oss.sgi.com
+Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
+	by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
+	for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
+Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
+	by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
+	for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
+X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
+Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
+	cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
+	cipher=AES256-SHA bits=256 verify=NO);
+	Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
+X-Barracuda-Envelope-From: dan.carpenter@oracle.com
+X-Barracuda-Apparent-Source-IP: 156.151.31.81
+Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
+	by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
+	ESMTP id r9VI3AZn009606
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
+	Thu, 31 Oct 2013 18:03:11 GMT
+Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
+	by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+	r9VI39qG016923
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
+	Thu, 31 Oct 2013 18:03:10 GMT
+Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
+	by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+	r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
+Original-Received: from longonot.mountain (/105.160.144.228)
+	by default (Oracle Beehive Gateway v4.0)
+	with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
+X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Content-Disposition: inline
+In-Reply-To: <20131025144452.GA28451@ngolde.de>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Source-IP: acsinet22.oracle.com [141.146.126.238]
+X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
+X-Barracuda-Start-Time: 1383242600
+X-Barracuda-Encrypted: AES256-SHA
+X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
+X-Virus-Scanned: by bsmtpd at sgi.com
+X-Barracuda-BRTS-Status: 1
+X-Barracuda-Spam-Score: 0.00
+X-Barracuda-Spam-Status: No,
+	SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
+	QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
+X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
+	Rule breakdown below
+	pts rule name              description
+	---- ----------------------
+	--------------------------------------------------
+	0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
+	lines
+X-BeenThere: xfs@oss.sgi.com
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
+List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
+	<mailto:xfs-request@oss.sgi.com?subject=unsubscribe>
+List-Archive: <http://oss.sgi.com/pipermail/xfs>
+List-Post: <mailto:xfs@oss.sgi.com>
+List-Help: <mailto:xfs-request@oss.sgi.com?subject=help>
+List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
+	<mailto:xfs-request@oss.sgi.com?subject=subscribe>
+Errors-To: xfs-bounces@oss.sgi.com
+Original-Sender: xfs-bounces@oss.sgi.com
+Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
+Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
+
+If we allocate less than sizeof(struct attrlist) then we end up
+corrupting memory or doing a ZERO_PTR_SIZE dereference.
+
+This can only be triggered with CAP_SYS_ADMIN.
+
+Reported-by: Nico Golde <nico@ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs@goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 4d61340..33ad9a7 100644
+--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
+@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
+ 		return -XFS_ERROR(EPERM);
+ 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
+	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index e8fb123..a7992f8 100644
+--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
+@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
+ 	if (copy_from_user(&al_hreq, arg,
+ 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
+	if (al_hreq.buflen < sizeof(struct attrlist) ||
+	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+
+_______________________________________________
+xfs mailing list
+xfs@oss.sgi.com
+http://oss.sgi.com/mailman/listinfo/xfs
+