diff options
| author | Timo Warns <[email protected]> | 2011-05-26 16:25:57 -0700 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2011-05-26 17:12:37 -0700 |
| commit | 3eb8e74ec72736b9b9d728bad30484ec89c91dde (patch) | |
| tree | 851f9165816e28ce43594a562698dd234e53d486 /lib/mpi/mpiutil.c | |
| parent | 658c74cf3c98b1c9bc21e26731052db66251dfd8 (diff) | |
fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops
The kernel automatically evaluates partition tables of storage devices.
The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
a bug that causes a kernel oops on certain corrupted GUID partition
tables.
This bug has security impacts, because it allows, for example, to
prepare a storage device that crashes a kernel subsystem upon connecting
the device (e.g., a "USB Stick of (Partial) Death").
crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
There is no validation of (*gpt)->header_size before the efi_crc32 call.
A corrupted partition table may have large values for (*gpt)->header_size.
In this case, the CRC32 computation access memory beyond the memory
allocated for gpt, which may cause a kernel heap overflow.
Validate value of GUID partition table header size.
[[email protected]: fix layout and indenting]
Signed-off-by: Timo Warns <[email protected]>
Cc: Matt Domsch <[email protected]>
Cc: Eugene Teo <[email protected]>
Cc: Dave Jones <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'lib/mpi/mpiutil.c')
0 files changed, 0 insertions, 0 deletions