mirror of
https://github.com/torvalds/linux.git
synced 2024-11-12 07:01:57 +00:00
3eb8e74ec7
The kernel automatically evaluates partition tables of storage devices. The code for evaluating GUID partitions (in fs/partitions/efi.c) contains a bug that causes a kernel oops on certain corrupted GUID partition tables. This bug has security impacts, because it allows, for example, to prepare a storage device that crashes a kernel subsystem upon connecting the device (e.g., a "USB Stick of (Partial) Death"). crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size)); computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes. There is no validation of (*gpt)->header_size before the efi_crc32 call. A corrupted partition table may have large values for (*gpt)->header_size. In this case, the CRC32 computation access memory beyond the memory allocated for gpt, which may cause a kernel heap overflow. Validate value of GUID partition table header size. [akpm@linux-foundation.org: fix layout and indenting] Signed-off-by: Timo Warns <warns@pre-sense.de> Cc: Matt Domsch <Matt_Domsch@dell.com> Cc: Eugene Teo <eugeneteo@kernel.sg> Cc: Dave Jones <davej@codemonkey.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| acorn.c | ||
| acorn.h | ||
| amiga.c | ||
| amiga.h | ||
| atari.c | ||
| atari.h | ||
| check.c | ||
| check.h | ||
| efi.c | ||
| efi.h | ||
| ibm.c | ||
| ibm.h | ||
| karma.c | ||
| karma.h | ||
| Kconfig | ||
| ldm.c | ||
| ldm.h | ||
| mac.c | ||
| mac.h | ||
| Makefile | ||
| msdos.c | ||
| msdos.h | ||
| osf.c | ||
| osf.h | ||
| sgi.c | ||
| sgi.h | ||
| sun.c | ||
| sun.h | ||
| sysv68.c | ||
| sysv68.h | ||
| ultrix.c | ||
| ultrix.h | ||