-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 PRE-CERT Security Advisory ========================== * Advisory: PRE-SA-2011-01 * Released on: 23 Feb 2011 * Last updated on: 11 Jun 2011 * Affected product: Linux Kernel 2.4 and 2.6 * Impact: - privilege escalation - denial-of-service - disclosure of sensitive information * Origin: storage devices * Credit: Timo Warns (PRESENSE Technologies GmbH) * CVE Identifier: - CVE-2011-1010 - CVE-2011-1012 - CVE-2011-1017 - CVE-2011-2182 Summary - ------- The Linux kernel contains some vulnerabilities that may lead to privilege escalation, denial-of-service, or information leakage via corrupted partition tables. Exploiting these vulnerabilities has been demonstrated by a "USB Stick of Death" that crashes the Linux kernel upon connecting the stick. The kernel automatically evaluates partition tables of storage devices. Note that this happens independently of whether auto-mounting is enabled or not. The code for evaluating MAC and LDM partition tables contains the following vulnerabilities: * CVE-2011-1010 A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC partition tables) allows to cause a denial-of-service (kernel panic) via a corrupted MAC partition table. For a patch, see http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed * CVE-2011-1012 A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for LDM partition tables) allows to cause a denial-of-service (kernel oops) via a corrupted LDM partition table. For a patch, see http://git.kernel.org/linus/294f6cf48666825d23c9372ef37631232746e40d * CVE-2011-1017 A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM partition tables) may allow to escalate privileges or to disclose sensitive information via a corrupted LDM partition table. For a patch, see http://git.kernel.org/linus/c340b1d640001c8c9ecff74f68fd90422ae2448a * CVE-2011-2182 As Ben Hutchings discovered (http://lkml.org/lkml/2011/5/6/407), the patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) is not sufficient. The original patch in commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted partition table") does not consider that, for subsequent fragments, previously allocated memory is used. For a patch, see http://git.kernel.org/linus/cae13fe4cc3f24820ffb990c09110626837e85d4 Workaround - ---------- Compile and use a kernel that does not evaluate MAC and LDM partition tables. The corresponding configuration keys are CONFIG_MAC_PARTITION and CONFIG_LDM_PARTITION. Solution - -------- * CVE-2011-1010 The MAC buffer overflow bug has been fixed in Linux kernel 2.6.37.2. * CVE-2011-1012 The LDM division-by-zero bug has been fixed in Linux kernel 2.6.37.3. * CVE-2011-1017 The LDM buffer overflow bug has been fixed in Linux kernel 2.6.38.6. * CVE-2011-2182 The missing LDM buffer overflow case has been fixed in Linux kernel 2.6.38.8. References - ---------- https://bugzilla.redhat.com/show_bug.cgi?id=679282 When further information becomes available, this advisory will be updated. The most recent version of this advisory is available at: http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt ChangeLog - --------- * 24 Feb 2011 - Added CVE ID to second vulnerability (CVE-2011-1012) * 25 Feb 2011 - Added CVE ID to third vulnerability (CVE-2011-1017) * 9 Mar 2011 - CVE-2011-1010 and CVE-2011-1012 have been fixed in Linux kernel 2.6. * 10 May 2011 - CVE-2011-1017 has been fixed in Linux kernel 2.6. - Added/updated URLs to patches. * 30 May 2011 - Added second patch to CVE-2011-1017. As Ben Hutchings discovered (http://lkml.org/lkml/2011/5/6/407), the first patch for CVE-2011-1017 was not sufficient. A second patch considers that, for subsequent fragments, previously allocated memory is used. * 11 Jun 2011 - CVE-2011-2182 has been assigned to the subsequent LDM patch. Contact - ------- PRE-CERT can be reached under precert@pre-secure.de. For PGP key information, refer to http://www.pre-cert.de/. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) iQEcBAEBAgAGBQJN9O7lAAoJEJreX/O/+ER1NyQH/j/xrxYCrZ1dB/syTlgbIEv2 NQZZ2WAm4AhrUTL4Im80ZPvsCrSYjnwGLiavSFLKLDJaDMBILISeSn9yUlBYi9N9 7OdnIG1P8AfMtNIYSS1OO02tt61ZqCP2qke4+PMKsn/TWi02IuTkMnLaW5nMWsG4 o/xNOmd6eVvbgopPNkb9tYJL4dJunJRv2fKO+XL43t2oHp+ow8oyWnZJhuzPfkg/ yrw78ZI5xjjjOY4QDUlMDxi9rBUBn/b2Um6YUjotsTwHM7Am3sC1SFN8kD1VKHZz A90e7Wcc5xtFgA+lvtGkBDPOIXzozZ+MXHVsoV0W09/dtcVjpdZo3c6JOCH5ZLU= =xewM -----END PGP SIGNATURE-----