PRE-CERT Security Advisory
==========================

* Advisory: PRE-SA-2012-04
* Released on: 18 July 2012
* Last updated on: 3 Aug 2012
* Affected product: Linux Kernel 3.x <= 3.4.4
                    2.6.x
                    2.4.x
* Impact: code execution / privilege escalation
* Origin: UDF file system
* CVSS Base Score: 7.2
   Impact Subscore: 10
   Exploitability Subscore: 3.9
  CVSS Vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C)
* Credit: Timo Warns (PRESENSE Technologies GmbH)
* CVE Identifier: CVE-2012-3400

Summary
-------

The Linux kernel contains a vulnerability in the driver for UDF file
systems that may be exploited for code execution or privilege
escalation.

udf_load_logicalvol() in fs/udf/super.c parses the number of sparing
tables and stores the sparing tables in the map variable, which is
allocated on the heap:

    for (j = 0; j < spm->numSparingTables; j++) {
            [...]
            map->s_type_specific.s_sparing.s_spar_map[j] = bh2;
    }

map is of type udf_part_map, whose
s_type_specific.s_sparing.s_spar_map member can hold up to 4 pointers
to buffer_head structs. spm->numSparingTables is read from the file
system and not further validated. A corrupted file system with
numSparingTables > 4 causes a heap overflow.

Workaround
----------

Compile and use a kernel that does not support the UDF file system.
The corresponding configuration key is CONFIG_UDF_FS.

Solution
--------

The issue has been fixed in Linux 3.4.5.

References
----------

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2012-04.txt

ChangeLog
---------

* 3 Aug 2012 - 3.4.5 is not affected by the bug.

Contact
-------

PRE-CERT can be reached under precert@pre-secure.de. For PGP key
information, refer to http://www.pre-cert.de/.
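Added example (not part of the PRE-CERT advisory and not the kernel's own fix): a simplified user-space C model of the validation the Summary shows to be missing, rejecting an on-disk numSparingTables above the 4-slot capacity of s_spar_map before any pointer is stored. The struct layout, the guard field and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SPAR_SLOTS 4  /* s_spar_map holds up to 4 pointers (per the advisory) */

struct buffer_head { int id; };  /* stand-in for the kernel struct */

struct part_map {                /* simplified model of udf_part_map */
    struct buffer_head *s_spar_map[SPAR_SLOTS];
    uint32_t guard;              /* models neighbouring heap data */
};

/* Hypothetical helper: validate the count read from disk, then store. */
int load_sparing_tables(struct part_map *map, unsigned num_tables,
                        struct buffer_head *tables)
{
    if (num_tables > SPAR_SLOTS)
        return -EIO;             /* corrupted file system: refuse to load */
    for (unsigned j = 0; j < num_tables; j++)
        map->s_spar_map[j] = &tables[j];
    return 0;
}

/* Bytes the unchecked loop would write past s_spar_map for a given count. */
size_t unchecked_overrun_bytes(unsigned num_tables)
{
    if (num_tables <= SPAR_SLOTS)
        return 0;
    return (size_t)(num_tables - SPAR_SLOTS) * sizeof(struct buffer_head *);
}

/* Constructed check: load with a given count, report whether guard survived. */
int guard_intact_after(unsigned num_tables, int *rc)
{
    static struct buffer_head tables[SPAR_SLOTS];
    struct part_map map = { .guard = 0xC0FFEEu };
    *rc = load_sparing_tables(&map, num_tables, tables);
    return map.guard == 0xC0FFEEu;
}

int main(void)
{
    unsigned counts[] = { 0, 4, 5, 255 };  /* constructed on-disk values */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int rc, ok = guard_intact_after(counts[i], &rc);
        printf("numSparingTables=%u rc=%d guard_intact=%d overrun_if_unchecked=%zu\n",
               counts[i], rc, ok, unchecked_overrun_bytes(counts[i]));
    }
    return 0;
}
```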