summaryrefslogtreecommitdiff
path: root/Documentation/kvm
diff options
context:
space:
mode:
authorTimo Warns <Warns@pre-sense.de>2011-05-26 16:25:57 -0700
committerGreg Kroah-Hartman <gregkh@suse.de>2011-08-29 14:32:57 -0700
commit93a4da70df98764e291ef9361851a1df8b38e02a (patch)
tree70129a5db0646fddb05c6a2f3ecbf9670a4d96ad /Documentation/kvm
parent2b3e6af485814965e1cf5177fea492a9c5171e06 (diff)
downloadlwn-93a4da70df98764e291ef9361851a1df8b38e02a.tar.gz
lwn-93a4da70df98764e291ef9361851a1df8b38e02a.zip
fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
commit 3eb8e74ec72736b9b9d728bad30484ec89c91dde upstream. The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables. This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death"). crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size)); computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call. A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation access memory beyond the memory allocated for gpt, which may cause a kernel heap overflow. Validate value of GUID partition table header size. [akpm@linux-foundation.org: fix layout and indenting] Signed-off-by: Timo Warns <warns@pre-sense.de> Cc: Matt Domsch <Matt_Domsch@dell.com> Cc: Eugene Teo <eugeneteo@kernel.sg> Cc: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [dannf: backported to Debian's 2.6.32] Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'Documentation/kvm')
0 files changed, 0 insertions, 0 deletions