CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)

This commit is contained in:
Josh Boyer 2013-11-26 12:20:03 -05:00
parent df86f70991
commit c3ad71cb77
2 changed files with 158 additions and 0 deletions

View File

@ -827,6 +827,9 @@ Patch25155: libertas-potential-oops-in-debugfs.patch
#CVE-2013-6380 rhbz 1033593 1034304
Patch25156: aacraid-prevent-invalid-pointer-dereference.patch
#CVE-2013-6382 rhbz 1033603 1034670
Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
# END OF PATCH DEFINITIONS
%endif
@ -1612,6 +1615,9 @@ ApplyPatch libertas-potential-oops-in-debugfs.patch
#CVE-2013-6380 rhbz 1033593 1034304
ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch
#CVE-2013-6382 rhbz 1033603 1034670
ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
# END OF PATCH APPLICATIONS
%endif
@ -2414,6 +2420,9 @@ fi
# ||----w |
# || ||
%changelog
* Tue Nov 26 2013 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)
* Mon Nov 25 2013 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304)
- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183)

View File

@ -0,0 +1,149 @@
Bugzilla: 1033603
Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
Path: news.gmane.org!not-for-mail
From: Dan Carpenter <dan.carpenter@oracle.com>
Newsgroups: gmane.comp.file-systems.xfs.general
Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Date: Thu, 31 Oct 2013 21:00:10 +0300
Lines: 43
Approved: news@gmane.org
Message-ID: <20131031180010.GA24839@longonot.mountain>
References: <20131025144452.GA28451@ngolde.de>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
Cc: Fabian Yamaguchi <fabs@goesec.de>, security@kernel.org,
Alex Elder <elder@kernel.org>, Nico Golde <nico@ngolde.de>, xfs@oss.sgi.com
To: Ben Myers <bpm@sgi.com>
Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013
Return-path: <xfs-bounces@oss.sgi.com>
Envelope-to: sgi-linux-xfs@gmane.org
Original-Received: from oss.sgi.com ([192.48.182.195])
by plane.gmane.org with esmtp (Exim 4.69)
(envelope-from <xfs-bounces@oss.sgi.com>)
id 1Vbwag-0001Ow-Sv
for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
Original-Received: from oss.sgi.com (localhost [IPv6:::1])
by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
autolearn=ham version=3.3.1
X-Original-To: xfs@oss.sgi.com
Delivered-To: xfs@oss.sgi.com
Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
for <xfs@oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
cipher=AES256-SHA bits=256 verify=NO);
Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
X-Barracuda-Envelope-From: dan.carpenter@oracle.com
X-Barracuda-Apparent-Source-IP: 156.151.31.81
Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
ESMTP id r9VI3AZn009606
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
Thu, 31 Oct 2013 18:03:11 GMT
Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
r9VI39qG016923
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Thu, 31 Oct 2013 18:03:10 GMT
Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
Original-Received: from longonot.mountain (/105.160.144.228)
by default (Oracle Beehive Gateway v4.0)
with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
Content-Disposition: inline
In-Reply-To: <20131025144452.GA28451@ngolde.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Source-IP: acsinet22.oracle.com [141.146.126.238]
X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
X-Barracuda-Start-Time: 1383242600
X-Barracuda-Encrypted: AES256-SHA
X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at sgi.com
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No,
SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
Rule breakdown below
pts rule name description
---- ----------------------
--------------------------------------------------
0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
lines
X-BeenThere: xfs@oss.sgi.com
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
<mailto:xfs-request@oss.sgi.com?subject=unsubscribe>
List-Archive: <http://oss.sgi.com/pipermail/xfs>
List-Post: <mailto:xfs@oss.sgi.com>
List-Help: <mailto:xfs-request@oss.sgi.com?subject=help>
List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
<mailto:xfs-request@oss.sgi.com?subject=subscribe>
Errors-To: xfs-bounces@oss.sgi.com
Original-Sender: xfs-bounces@oss.sgi.com
Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
If we allocate less than sizeof(struct attrlist) then we end up
corrupting memory or doing a ZERO_PTR_SIZE dereference.
This can only be triggered with CAP_SYS_ADMIN.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index 4d61340..33ad9a7 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
return -XFS_ERROR(EPERM);
if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
index e8fb123..a7992f8 100644
--- a/fs/xfs/xfs_ioctl32.c
+++ b/fs/xfs/xfs_ioctl32.c
@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
if (copy_from_user(&al_hreq, arg,
sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
return -XFS_ERROR(EFAULT);
- if (al_hreq.buflen > XATTR_LIST_MAX)
+ if (al_hreq.buflen < sizeof(struct attrlist) ||
+ al_hreq.buflen > XATTR_LIST_MAX)
return -XFS_ERROR(EINVAL);
/*
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs