[kernel/f16] Fix 2 CVEs

Josh Boyer jwboyer at fedoraproject.org
Mon Nov 14 15:05:59 UTC 2011 

commit 68b031c163448494779e02f48d72cc79fdeef30b
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Mon Nov 14 10:03:45 2011 -0500

    Fix 2 CVEs
    
    CVE-2011-4131: nfs4_getfacl decoding kernel oops (rhbz 753236)
    CVE-2011-4132: jbd/jbd2: invalid value of first log block leads to oops (rhbz 753346)

 ...lidate-sb-s_first-in-journal_get_superblo.patch |   95 ++++++++++++++++
 kernel.spec                                        |   15 +++-
 nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch   |  118 ++++++++++++++++++++
 3 files changed, 227 insertions(+), 1 deletions(-)
---
diff --git a/jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch b/jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
new file mode 100644
index 0000000..f5d8291
--- /dev/null
+++ b/jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
@@ -0,0 +1,95 @@
+From 8762202dd0d6e46854f786bdb6fb3780a1625efe Mon Sep 17 00:00:00 2001
+From: Eryu Guan <guaneryu at gmail.com>
+Date: Tue, 1 Nov 2011 19:04:59 -0400
+Subject: [PATCH] jbd/jbd2: validate sb->s_first in journal_get_superblock()
+
+I hit a J_ASSERT(blocknr != 0) failure in cleanup_journal_tail() when
+mounting a fsfuzzed ext3 image. It turns out that the corrupted ext3
+image has s_first = 0 in journal superblock, and the 0 is passed to
+journal->j_head in journal_reset(), then to blocknr in
+cleanup_journal_tail(), in the end the J_ASSERT failed.
+
+So validate s_first after reading journal superblock from disk in
+journal_get_superblock() to ensure s_first is valid.
+
+The following script could reproduce it:
+
+fstype=ext3
+blocksize=1024
+img=$fstype.img
+offset=0
+found=0
+magic="c0 3b 39 98"
+
+dd if=/dev/zero of=$img bs=1M count=8
+mkfs -t $fstype -b $blocksize -F $img
+filesize=`stat -c %s $img`
+while [ $offset -lt $filesize ]
+do
+        if od -j $offset -N 4 -t x1 $img | grep -i "$magic";then
+                echo "Found journal: $offset"
+                found=1
+                break
+        fi
+        offset=`echo "$offset+$blocksize" | bc`
+done
+
+if [ $found -ne 1 ];then
+        echo "Magic \"$magic\" not found"
+        exit 1
+fi
+
+dd if=/dev/zero of=$img seek=$(($offset+23)) conv=notrunc bs=1 count=1
+
+mkdir -p ./mnt
+mount -o loop $img ./mnt
+
+Cc: Jan Kara <jack at suse.cz>
+Signed-off-by: Eryu Guan <guaneryu at gmail.com>
+Signed-off-by: "Theodore Ts'o" <tytso at mit.edu>
+---
+ fs/jbd/journal.c  |    8 ++++++++
+ fs/jbd2/journal.c |    8 ++++++++
+ 2 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/fs/jbd/journal.c b/fs/jbd/journal.c
+index 9fe061f..fea8dd6 100644
+--- a/fs/jbd/journal.c
++++ b/fs/jbd/journal.c
+@@ -1135,6 +1135,14 @@ static int journal_get_superblock(journal_t *journal)
+ 		goto out;
+ 	}
+ 
++	if (be32_to_cpu(sb->s_first) == 0 ||
++	    be32_to_cpu(sb->s_first) >= journal->j_maxlen) {
++		printk(KERN_WARNING
++			"JBD: Invalid start block of journal: %u\n",
++			be32_to_cpu(sb->s_first));
++		goto out;
++	}
++
+ 	return 0;
+ 
+ out:
+diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
+index f24df13..d6e93d0 100644
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -1251,6 +1251,14 @@ static int journal_get_superblock(journal_t *journal)
+ 		goto out;
+ 	}
+ 
++	if (be32_to_cpu(sb->s_first) == 0 ||
++	    be32_to_cpu(sb->s_first) >= journal->j_maxlen) {
++		printk(KERN_WARNING
++			"JBD2: Invalid start block of journal: %u\n",
++			be32_to_cpu(sb->s_first));
++		goto out;
++	}
++
+ 	return 0;
+ 
+ out:
+-- 
+1.7.7.1
+
diff --git a/kernel.spec b/kernel.spec
index 49cdf4e..40d3bf2 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -719,8 +719,14 @@ Patch3000: rcutree-avoid-false-quiescent-states.patch
 
 # fs fixes
 
+#rhbz 753346
+Patch3500: jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
+
 # NFSv4
 
+#rhbz 753236
+Patch4000: nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
+
 # patches headed upstream
 Patch12010: add-appleir-usb-driver.patch
 
@@ -1270,6 +1276,8 @@ ApplyPatch linux-2.6-i386-nx-emulation.patch
 #
 
 # ext4
+#rhbz 753346
+ApplyPatch jbd-jbd2-validate-sb-s_first-in-journal_get_superblo.patch
 
 # xfs
 ApplyPatch xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
@@ -1280,6 +1288,7 @@ ApplyPatch xfs-Fix-possible-memory-corruption-in-xfs_readlink.patch
 # eCryptfs
 
 # NFSv4
+ApplyPatch nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
 
 # USB
 
@@ -2124,6 +2133,10 @@ fi
 # and build.
 
 %changelog
+* Mon Nov 14 2011 Josh Boyer <jwboyer at redhat.com> 3.1.1-2
+- CVE-2011-4131: nfs4_getfacl decoding kernel oops (rhbz 753236)
+- CVE-2011-4132: jbd/jbd2: invalid value of first log block leads to oops (rhbz 753346)
+
 * Fri Nov 11 2011 Chuck Ebbert <cebbert at redhat.com>
 - Use the same naming scheme as rawhide for -stable RC kernels
   (e.g. 3.1.1-0.rc1.1 instead of 3.1.1-1.rc1)
diff --git a/nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch b/nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
new file mode 100644
index 0000000..1b795e9
--- /dev/null
+++ b/nfsv4-include-bitmap-in-nfsv4_get_acl_data.patch
@@ -0,0 +1,118 @@
+From: Andy Adamson <andros at xxxxxxxxxx>
+
+The NFSv4 bitmap size is unbounded: a server can return an arbitrary
+sized bitmap in an FATTR4_WORD0_ACL request.  Replace using the
+nfs4_fattr_bitmap_maxsz as a guess to the maximum bitmask returned by a server
+with the inclusion of the bitmap (xdr length plus bitmasks) and the acl data
+xdr length to the (cached) acl page data.
+
+This is a general solution to commit e5012d1f "NFSv4.1: update
+nfs4_fattr_bitmap_maxsz" and fixes hitting a BUG_ON in xdr_shrink_bufhead
+when getting ACLs.
+
+Cc:stable at xxxxxxxxxx
+Signed-off-by: Andy Adamson <andros at xxxxxxxxxx>
+---
+ fs/nfs/nfs4proc.c |   20 ++++++++++++++++++--
+ fs/nfs/nfs4xdr.c  |   15 ++++++++++++---
+ 2 files changed, 30 insertions(+), 5 deletions(-)
+
+diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
+index deb88d9..97014dd 100644
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -3671,6 +3671,22 @@ static void nfs4_zap_acl_attr(struct inode *inode)
+ 	nfs4_set_cached_acl(inode, NULL);
+ }
+ 
++/*
++ * The bitmap xdr length, bitmasks, and the attr xdr length are stored in
++ * the acl cache to handle variable length bitmasks. Just copy the acl data.
++ */
++static void nfs4_copy_acl(char *buf, char *acl_data, size_t acl_len)
++{
++	__be32 *q, *p = (__be32 *)acl_data;
++	int32_t len;
++
++	len = be32_to_cpup(p); /* number of bitmasks */
++	len += 2;  /* add words for bitmap and attr xdr len */
++	q = p + len;
++	len = len << 2; /* convert to bytes for acl_len math */
++	memcpy(buf, (char *)q, acl_len - len);
++}
++
+ static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_t buflen)
+ {
+ 	struct nfs_inode *nfsi = NFS_I(inode);
+@@ -3688,7 +3704,7 @@ static inline ssize_t nfs4_read_cached_acl(struct inode *inode, char *buf, size_
+ 	ret = -ERANGE; /* see getxattr(2) man page */
+ 	if (acl->len > buflen)
+ 		goto out;
+-	memcpy(buf, acl->data, acl->len);
++	nfs4_copy_acl(buf, acl->data, acl->len);
+ out_len:
+ 	ret = acl->len;
+ out:
+@@ -3763,7 +3779,7 @@ static ssize_t __nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t bu
+ 		if (res.acl_len > buflen)
+ 			goto out_free;
+ 		if (localpage)
+-			memcpy(buf, resp_buf, res.acl_len);
++			nfs4_copy_acl(buf, resp_buf, res.acl_len);
+ 	}
+ 	ret = res.acl_len;
+ out_free:
+diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c
+index f9fd96d..9c07380 100644
+--- a/fs/nfs/nfs4xdr.c
++++ b/fs/nfs/nfs4xdr.c
+@@ -2513,7 +2513,7 @@ static void nfs4_xdr_enc_getacl(struct rpc_rqst *req, struct xdr_stream *xdr,
+ 	encode_compound_hdr(xdr, req, &hdr);
+ 	encode_sequence(xdr, &args->seq_args, &hdr);
+ 	encode_putfh(xdr, args->fh, &hdr);
+-	replen = hdr.replen + op_decode_hdr_maxsz + nfs4_fattr_bitmap_maxsz + 1;
++	replen = hdr.replen + op_decode_hdr_maxsz + 1;
+ 	encode_getattr_two(xdr, FATTR4_WORD0_ACL, 0, &hdr);
+ 
+ 	xdr_inline_pages(&req->rq_rcv_buf, replen << 2,
+@@ -4955,7 +4955,7 @@ decode_restorefh(struct xdr_stream *xdr)
+ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 		size_t *acl_len)
+ {
+-	__be32 *savep;
++	__be32 *savep, *bm_p;
+ 	uint32_t attrlen,
+ 		 bitmap[3] = {0};
+ 	struct kvec *iov = req->rq_rcv_buf.head;
+@@ -4964,6 +4964,7 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 	*acl_len = 0;
+ 	if ((status = decode_op_hdr(xdr, OP_GETATTR)) != 0)
+ 		goto out;
++	bm_p = xdr->p;
+ 	if ((status = decode_attr_bitmap(xdr, bitmap)) != 0)
+ 		goto out;
+ 	if ((status = decode_attr_length(xdr, &attrlen, &savep)) != 0)
+@@ -4972,12 +4973,20 @@ static int decode_getacl(struct xdr_stream *xdr, struct rpc_rqst *req,
+ 	if (unlikely(bitmap[0] & (FATTR4_WORD0_ACL - 1U)))
+ 		return -EIO;
+ 	if (likely(bitmap[0] & FATTR4_WORD0_ACL)) {
+-		size_t hdrlen;
++		size_t hdrlen, len;
+ 		u32 recvd;
+ 
++		/*The bitmap (xdr len + bitmasks) and the attr xdr len words
++		 * are stored with the acl data to handle the problem of
++		 * variable length bitmasks.*/
++		xdr->p = bm_p;
++		len = be32_to_cpup(bm_p);
++		len += 2; /* add bitmap and attr xdr len words */
++
+ 		/* We ignore &savep and don't do consistency checks on
+ 		 * the attr length.  Let userspace figure it out.... */
+ 		hdrlen = (u8 *)xdr->p - (u8 *)iov->iov_base;
++		attrlen += len << 2; /* attrlen is in bytes */
+ 		recvd = req->rq_rcv_buf.len - hdrlen;
+ 		if (attrlen > recvd) {
+ 			dprintk("NFS: server cheating in getattr"
+-- 
+1.7.6.4

More information about the scm-commits mailing list