-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2011-01
* Released on: 23 Feb 2011
* Last updated on: 11 Jun 2011
* Affected product: Linux Kernel 2.4 and 2.6
* Impact: - privilege escalation
          - denial-of-service
          - disclosure of sensitive information
* Origin: storage devices
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: - CVE-2011-1010
                  - CVE-2011-1012
                  - CVE-2011-1017
                  - CVE-2011-2182


Summary
- -------

The Linux kernel contains some vulnerabilities that may lead to
privilege escalation, denial-of-service, or information leakage via
corrupted partition tables. Exploiting these vulnerabilities has been
demonstrated by a "USB Stick of Death" that crashes the Linux kernel
upon connecting the stick.

The kernel automatically evaluates partition tables of storage devices.
Note that this happens independently of whether auto-mounting is enabled
or not. The code for evaluating MAC and LDM partition tables contains the
following vulnerabilities:

* CVE-2011-1010
  A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC
  partition tables) allows to cause a denial-of-service (kernel panic)
  via a corrupted MAC partition table.

  For a patch, see
  http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed

* CVE-2011-1012
  A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for
  LDM partition tables) allows to cause a denial-of-service (kernel
  oops) via a corrupted LDM partition table.

  For a patch, see
  http://git.kernel.org/linus/294f6cf48666825d23c9372ef37631232746e40d

* CVE-2011-1017
  A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM
  partition tables) may allow to escalate privileges or to disclose
  sensitive information via a corrupted LDM partition table.

  For a patch, see
  http://git.kernel.org/linus/c340b1d640001c8c9ecff74f68fd90422ae2448a

* CVE-2011-2182
  As Ben Hutchings discovered (http://lkml.org/lkml/2011/5/6/407), the
  patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) is not
  sufficient. The original patch in commit c340b1d64000
  ("fs/partitions/ldm.c: fix oops caused by corrupted partition table")
  does not consider that, for subsequent fragments, previously allocated
  memory is used.

  For a patch, see
  http://git.kernel.org/linus/cae13fe4cc3f24820ffb990c09110626837e85d4


Workaround
- ----------

Compile and use a kernel that does not evaluate MAC and LDM partition
tables. The corresponding configuration keys are CONFIG_MAC_PARTITION
and CONFIG_LDM_PARTITION.


Solution
- --------

* CVE-2011-1010
  The MAC buffer overflow bug has been fixed in Linux kernel 2.6.37.2.

* CVE-2011-1012
  The LDM division-by-zero bug has been fixed in Linux kernel 2.6.37.3.

* CVE-2011-1017
  The LDM buffer overflow bug has been fixed in Linux kernel 2.6.38.6.

* CVE-2011-2182
  The missing LDM buffer overflow case has been fixed in Linux kernel
  2.6.38.8.


References
- ----------

https://bugzilla.redhat.com/show_bug.cgi?id=679282

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt


ChangeLog
- ---------

* 24 Feb 2011
    - Added CVE ID to second vulnerability (CVE-2011-1012)

* 25 Feb 2011
    - Added CVE ID to third vulnerability (CVE-2011-1017)

* 9 Mar 2011
    - CVE-2011-1010 and CVE-2011-1012 have been fixed in Linux
      kernel 2.6.

* 10 May 2011
    - CVE-2011-1017 has been fixed in Linux kernel 2.6.
    - Added/updated URLs to patches.

* 30 May 2011
    - Added second patch to CVE-2011-1017.
      As Ben Hutchings discovered (http://lkml.org/lkml/2011/5/6/407),
      the first patch for CVE-2011-1017 was not sufficient. A second patch
      considers that, for subsequent fragments, previously allocated
      memory is used.

* 11 Jun 2011
    - CVE-2011-2182 has been assigned to the subsequent LDM patch.


Contact
- -------

PRE-CERT can be reached under precert@pre-secure.de. For PGP
key information, refer to http://www.pre-cert.de/.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)

iQEcBAEBAgAGBQJN9O7lAAoJEJreX/O/+ER1NyQH/j/xrxYCrZ1dB/syTlgbIEv2
NQZZ2WAm4AhrUTL4Im80ZPvsCrSYjnwGLiavSFLKLDJaDMBILISeSn9yUlBYi9N9
7OdnIG1P8AfMtNIYSS1OO02tt61ZqCP2qke4+PMKsn/TWi02IuTkMnLaW5nMWsG4
o/xNOmd6eVvbgopPNkb9tYJL4dJunJRv2fKO+XL43t2oHp+ow8oyWnZJhuzPfkg/
yrw78ZI5xjjjOY4QDUlMDxi9rBUBn/b2Um6YUjotsTwHM7Am3sC1SFN8kD1VKHZz
A90e7Wcc5xtFgA+lvtGkBDPOIXzozZ+MXHVsoV0W09/dtcVjpdZo3c6JOCH5ZLU=
=xewM
-----END PGP SIGNATURE-----