[kernel] CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)

Josh Boyer jwboyer at fedoraproject.org
Tue Nov 26 17:22:35 UTC 2013


commit 761de8d1ef0e1cb1d370987d8d6485132b52b22c
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Tue Nov 26 12:20:03 2013 -0500

    CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)

 kernel.spec                                       |    9 ++
 xfs-underflow-bug-in-xfs_attrlist_by_handle.patch |  149 +++++++++++++++++++++
 2 files changed, 158 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 61554e0..760bf06 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -707,6 +707,9 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
 
 Patch25142: 0001-staging-imx-drm-Fix-modular-build-of-DRM_IMX_IPUV3.patch
 
+#CVE-2013-6382 rhbz 1033603 1034670
+Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
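Review bot: the `Patch25157` definition follows the existing numbering and the `#CVE-2013-6382 rhbz 1033603 1034670` comment above it is the right place to track provenance, but it says nothing about upstream state; the patch file's own header records "Upstream-status: Submitted but not queued", so consider echoing that here (for example `#CVE-2013-6382 rhbz 1033603 1034670 (upstream: submitted, not queued)`) so whoever rebases next knows this patch must be refreshed or dropped once the upstream commit lands rather than assumed to be already merged.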
@@ -1380,6 +1383,9 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch
 
 ApplyPatch 0001-staging-imx-drm-Fix-modular-build-of-DRM_IMX_IPUV3.patch
 
+#CVE-2013-6382 rhbz 1033603 1034670
+ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2192,6 +2198,9 @@ fi
 #                                    ||----w |
 #                                    ||     ||
 %changelog
+* Tue Nov 26 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670)
+
 * Mon Nov 25 2013 Josh Boyer <jwboyer at fedoraproject.org> - 3.13.0-0.rc1.git2.1
 - Linux v3.13-rc1-85-g7e3528c
 
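Review bot: the new changelog header `* Tue Nov 26 2013 Josh Boyer <jwboyer at fedoraproject.org>` carries no version-release suffix, while the entry directly below it reads `... - 3.13.0-0.rc1.git2.1`; if the release is filled in by the build-time bump this is fine, otherwise append it here so the rpm changelog stays consistent and `rpm -q --changelog` can tie the CVE fix to a specific build.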
diff --git a/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
new file mode 100644
index 0000000..6c7f60d
--- /dev/null
+++ b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch
@@ -0,0 +1,149 @@
+Bugzilla: 1033603
+Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654
+
+Path: news.gmane.org!not-for-mail
+From: Dan Carpenter <dan.carpenter at oracle.com>
+Newsgroups: gmane.comp.file-systems.xfs.general
+Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Date: Thu, 31 Oct 2013 21:00:10 +0300
+Lines: 43
+Approved: news at gmane.org
+Message-ID: <20131031180010.GA24839 at longonot.mountain>
+References: <20131025144452.GA28451 at ngolde.de>
+NNTP-Posting-Host: plane.gmane.org
+Mime-Version: 1.0
+Content-Type: text/plain; charset="us-ascii"
+Content-Transfer-Encoding: 7bit
+X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT)
+X-Complaints-To: usenet at ger.gmane.org
+NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC)
+Cc: Fabian Yamaguchi <fabs at goesec.de>, security at kernel.org,
+	Alex Elder <elder at kernel.org>, Nico Golde <nico at ngolde.de>, xfs at oss.sgi.com
+To: Ben Myers <bpm at sgi.com>
+Original-X-From: xfs-bounces at oss.sgi.com Thu Oct 31 19:03:33 2013
+Return-path: <xfs-bounces at oss.sgi.com>
+Envelope-to: sgi-linux-xfs at gmane.org
+Original-Received: from oss.sgi.com ([192.48.182.195])
+	by plane.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <xfs-bounces at oss.sgi.com>)
+	id 1Vbwag-0001Ow-Sv
+	for sgi-linux-xfs at gmane.org; Thu, 31 Oct 2013 19:03:31 +0100
+Original-Received: from oss.sgi.com (localhost [IPv6:::1])
+	by oss.sgi.com (Postfix) with ESMTP id DB14A7F85;
+	Thu, 31 Oct 2013 13:03:28 -0500 (CDT)
+X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com
+X-Spam-Level: 
+X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY
+	autolearn=ham version=3.3.1
+X-Original-To: xfs at oss.sgi.com
+Delivered-To: xfs at oss.sgi.com
+Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111])
+	by oss.sgi.com (Postfix) with ESMTP id A0ED87F83
+	for <xfs at oss.sgi.com>; Thu, 31 Oct 2013 13:03:27 -0500 (CDT)
+Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11])
+	by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B
+	for <xfs at oss.sgi.com>; Thu, 31 Oct 2013 11:03:24 -0700 (PDT)
+X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ
+Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by
+	cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1
+	cipher=AES256-SHA bits=256 verify=NO);
+	Thu, 31 Oct 2013 11:03:20 -0700 (PDT)
+X-Barracuda-Envelope-From: dan.carpenter at oracle.com
+X-Barracuda-Apparent-Source-IP: 156.151.31.81
+Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238])
+	by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with
+	ESMTP id r9VI3AZn009606
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
+	Thu, 31 Oct 2013 18:03:11 GMT
+Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231])
+	by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+	r9VI39qG016923
+	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
+	Thu, 31 Oct 2013 18:03:10 GMT
+Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53])
+	by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id
+	r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT
+Original-Received: from longonot.mountain (/105.160.144.228)
+	by default (Oracle Beehive Gateway v4.0)
+	with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700
+X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle()
+Content-Disposition: inline
+In-Reply-To: <20131025144452.GA28451 at ngolde.de>
+User-Agent: Mutt/1.5.21 (2010-09-15)
+X-Source-IP: acsinet22.oracle.com [141.146.126.238]
+X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81]
+X-Barracuda-Start-Time: 1383242600
+X-Barracuda-Encrypted: AES256-SHA
+X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi
+X-Virus-Scanned: by bsmtpd at sgi.com
+X-Barracuda-BRTS-Status: 1
+X-Barracuda-Spam-Score: 0.00
+X-Barracuda-Spam-Status: No,
+	SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0
+	QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY
+X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937
+	Rule breakdown below
+	pts rule name              description
+	---- ----------------------
+	--------------------------------------------------
+	0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay
+	lines
+X-BeenThere: xfs at oss.sgi.com
+X-Mailman-Version: 2.1.14
+Precedence: list
+List-Id: XFS Filesystem from SGI <xfs.oss.sgi.com>
+List-Unsubscribe: <http://oss.sgi.com/mailman/options/xfs>,
+	<mailto:xfs-request at oss.sgi.com?subject=unsubscribe>
+List-Archive: <http://oss.sgi.com/pipermail/xfs>
+List-Post: <mailto:xfs at oss.sgi.com>
+List-Help: <mailto:xfs-request at oss.sgi.com?subject=help>
+List-Subscribe: <http://oss.sgi.com/mailman/listinfo/xfs>,
+	<mailto:xfs-request at oss.sgi.com?subject=subscribe>
+Errors-To: xfs-bounces at oss.sgi.com
+Original-Sender: xfs-bounces at oss.sgi.com
+Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654
+Archived-At: <http://permalink.gmane.org/gmane.comp.file-systems.xfs.general/57654>
+
+If we allocate less than sizeof(struct attrlist) then we end up
+corrupting memory or doing a ZERO_PTR_SIZE dereference.
+
+This can only be triggered with CAP_SYS_ADMIN.
+
+Reported-by: Nico Golde <nico at ngolde.de>
+Reported-by: Fabian Yamaguchi <fabs at goesec.de>
+Signed-off-by: Dan Carpenter <dan.carpenter at oracle.com>
+
+diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
+index 4d61340..33ad9a7 100644
+--- a/fs/xfs/xfs_ioctl.c
++++ b/fs/xfs/xfs_ioctl.c
+@@ -442,7 +442,8 @@ xfs_attrlist_by_handle(
+ 		return -XFS_ERROR(EPERM);
+ 	if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
++	if (al_hreq.buflen < sizeof(struct attrlist) ||
++	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c
+index e8fb123..a7992f8 100644
+--- a/fs/xfs/xfs_ioctl32.c
++++ b/fs/xfs/xfs_ioctl32.c
+@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle(
+ 	if (copy_from_user(&al_hreq, arg,
+ 			   sizeof(compat_xfs_fsop_attrlist_handlereq_t)))
+ 		return -XFS_ERROR(EFAULT);
+-	if (al_hreq.buflen > XATTR_LIST_MAX)
++	if (al_hreq.buflen < sizeof(struct attrlist) ||
++	    al_hreq.buflen > XATTR_LIST_MAX)
+ 		return -XFS_ERROR(EINVAL);
+ 
+ 	/*
+
+_______________________________________________
+xfs mailing list
+xfs at oss.sgi.com
+http://oss.sgi.com/mailman/listinfo/xfs
+
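Review bot: the fix itself is sound and complete for the two entry points shown: both `xfs_attrlist_by_handle()` in fs/xfs/xfs_ioctl.c and `xfs_compat_attrlist_by_handle()` in fs/xfs/xfs_ioctl32.c previously checked only the upper bound `al_hreq.buflen > XATTR_LIST_MAX`, and the added `al_hreq.buflen < sizeof(struct attrlist) ||` rejects with EINVAL any request buffer too small to hold the list header, which is exactly the condition the description identifies as leading to memory corruption or a ZERO_SIZE_PTR dereference; the surrounding context confirms the check sits after `copy_from_user()` and after the EPERM test, so the CAP_SYS_ADMIN scoping stated in the description holds. Two smaller points on the carried file: the description says "ZERO_PTR_SIZE dereference" while the kernel symbol and this commit's subject line use ZERO_SIZE_PTR, so the typo could be corrected in the file header when the patch is next refreshed; and roughly a hundred lines of NNTP, Received, Barracuda and Mailman transport headers were copied from gmane into the patch file, which only obscure the patch when reading `git log -p` on kernel.spec history, so trimming to From, Date, Subject, Message-ID, In-Reply-To and the Bugzilla/Upstream-status lines would keep everything a reviewer needs.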

