[kernel/f14/master] CVE-2010-4668: kernel panic with 0-length IOV

Chuck Ebbert cebbert at fedoraproject.org
Mon Jan 10 21:17:17 UTC 2011


commit aee782a97f02f0759ccc1a344316b70c1cef2e8b
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Mon Jan 10 16:16:28 2011 -0500

    CVE-2010-4668: kernel panic with 0-length IOV

 ...ov-entries-earlier-in-blk_rq_map_user_iov.patch |   38 ++++++++++++++++++++
 kernel.spec                                        |   15 ++++++--
 2 files changed, 50 insertions(+), 3 deletions(-)
---
diff --git a/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch b/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
new file mode 100644
index 0000000..0ad4928
--- /dev/null
+++ b/block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
@@ -0,0 +1,38 @@
+From: Xiaotian Feng <dfeng at redhat.com>
+Date: Mon, 29 Nov 2010 09:03:55 +0000 (+0100)
+Subject: block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+X-Git-Tag: v2.6.37-rc7~10^2~5
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=54787556
+
+block: check for proper length of iov entries earlier in blk_rq_map_user_iov()
+
+commit 9284bcf checks for proper length of iov entries in
+blk_rq_map_user_iov(). But if the map is unaligned, kernel
+will break out the loop without checking for the proper length.
+So we need to check the proper length before the unalign check.
+
+Signed-off-by: Xiaotian Feng <dfeng at redhat.com>
+Cc: stable at kernel.org
+Signed-off-by: Jens Axboe <jaxboe at fusionio.com>
+---
+
+diff --git a/block/blk-map.c b/block/blk-map.c
+index 5d5dbe4..e663ac2 100644
+--- a/block/blk-map.c
++++ b/block/blk-map.c
+@@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_queue *q, struct request *rq,
+ 	for (i = 0; i < iov_count; i++) {
+ 		unsigned long uaddr = (unsigned long)iov[i].iov_base;
+ 
++		if (!iov[i].iov_len)
++			return -EINVAL;
++
+ 		if (uaddr & queue_dma_alignment(q)) {
+ 			unaligned = 1;
+ 			break;
+ 		}
+-		if (!iov[i].iov_len)
+-			return -EINVAL;
+ 	}
+ 
+ 	if (unaligned || (q->dma_pad_mask & len) || map_data)
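Review bot: The relocated zero-length check still covers only the entries up to the first unaligned one, because the `break` in the alignment test on the following lines leaves every later iov entry unexamined, so a zero-length segment that comes after an unaligned segment still reaches the copy path without this validation. Recording the alignment state without leaving the loop, `if (uaddr & queue_dma_alignment(q)) unaligned = 1;`, lets the same loop validate all iov_count segments at no extra cost. Whether the copy-path helper tolerates a zero-length segment is not visible here, so the severity of that remaining gap is uncertain. The body of blk_rq_map_user_iov starts and ends outside the hunk, and since this file is a verbatim upstream backport the change belongs in the upstream/stable series rather than in a Fedora-local edit of the patch.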
diff --git a/kernel.spec b/kernel.spec
index 3bb0e0f..2724d74 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -769,10 +769,10 @@ Patch13651: kvm-fix-fs-gs-reload-oops-with-invalid-ldt.patch
 
 Patch13652: fix-i8k-inline-asm.patch
 
-Patch13702: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
-Patch13704: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
+Patch13653: inet_diag-make-sure-we-run-the-same-bytecode-we-audited.patch
+Patch13654: netlink-make-nlmsg_find_attr-take-a-const-ptr.patch
 
-Patch13703: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
+Patch13658: posix-cpu-timers-workaround-to-suppress-problems-with-mt-exec.patch
 
 Patch13660: rtl8180-improve-signal-reporting-for-rtl8185-hardware.patch
 Patch13661: rtl8180-improve-signal-reporting-for-actual-rtl8180-hardware.patch
@@ -799,6 +799,9 @@ Patch13698: net-AF_PACKET-vmalloc.patch
 Patch13700: e1000e-cleanup-e1000_sw_lcd_config_ich8lan.patch
 Patch13701: e1000e-82566DC-fails-to-get-link.patch
 
+# CVE-2010-4668
+Patch13702: block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
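Review bot: The `# CVE-2010-4668` comment above the new Patch13702 line names the advisory but not the upstream commit the patch carries, which is what a maintainer needs when deciding whether the patch can be dropped at the next rebase. The patch file itself records its origin (commit 54787556, tagged v2.6.37-rc7), so the comment could read `# CVE-2010-4668 (upstream 54787556, in v2.6.37-rc7)`, and the matching comment in the ApplyPatch hunk below should carry the same text so the two stay in sync. The Patch13702 number is free because the first hunk renumbers the inet_diag patch away from it, so the tag is not shared by two files.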
@@ -1504,6 +1507,9 @@ ApplyPatch net-AF_PACKET-vmalloc.patch
 ApplyPatch e1000e-cleanup-e1000_sw_lcd_config_ich8lan.patch
 ApplyPatch e1000e-82566DC-fails-to-get-link.patch
 
+# CVE-2010-4668
+ApplyPatch block-check-for-proper-length-of-iov-entries-earlier-in-blk_rq_map_user_iov.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2090,6 +2096,9 @@ fi
 # and build.
 
 %changelog
+* Mon Jan 10 2011 Chuck Ebbert <cebbert at redhat.com>
+- CVE-2010-4668: kernel panic with 0-length IOV
+
 * Thu Jan 06 2011 Chuck Ebbert <cebbert at redhat.com>
 - Fix failure to get link with e1000e model 82576DC (#652744)
 

