Linux Kernel Buffer Overflow ldm_frag_add() Elevated Privileges

2011-03-03 / 2011-03-04
Credit: PRE
Risk: High
Local: Yes
Remote: No

# PRE-CERT Security Advisory # * Advisory: PRE-SA-2011-01 * Released on: 23 Feb 2011 * Last updated on: 24 Feb 2011 * Affected product: Linux Kernel 2.4 and 2.6 * Impact: - privilege Escalation - denial-of-service - disclosure of sensitive information * Origin: storage devices * CVE Identifier: - CVE-2011-1010 - CVE-2011-1012 - CVE-2011-1017 ## Summary ## Timo Warns (PRESENSE Technologies GmbH) reported some vulnerabilities in the Linux kernel that may lead to privilege escalation, denial-of-service, or information leakage via corrupted partition tables. Exploiting these vulnerabilities has been demonstrated by a "USB Stick of Death" that crashes the Linux kernel upon connecting the stick. The kernel automatically evaluates partition tables of storage devices. Note that this happens independently of whether auto-mounting is enabled or not. The code for evaluating MAC and LDM partition tables contains the following vulnerabilities: * CVE-2011-1010 A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC partition tables) allows to cause a denial-of-service (kernel panic) via a corrupted MAC partition table. For a patch, see http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed * CVE-2011-1012 A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for LDM partition tables) allows to cause a denial-of-service (kernel oops) via a corrupted LDM partition table. For a patch, see http://www.spinics.net/lists/mm-commits/msg82429.html * CVE-2011-1017 A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM partition tables) may allow to escalate privileges or to disclose sensitive information via a corrupted LDM partition table. ## Workaround ## Compile and use a kernel that does not evaluate MAC and LDM partition tables. The corresponding configuration keys are CONFIG_MAC_PARTITION and CONFIG_LDM_PARTITION. ## References ## https://bugzilla.redhat.com/show_bug.cgi?id=679282 When further information becomes available, this advisory will be updated. The most recent version of this advisory is available at: http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt ## ChangeLog ## * 24 Feb 2011: - Added CVE ID to second vulnerability (CVE-2011-1012) * 25 Feb 2011: - Added CVE ID to third vulnerability (CVE-2011-1017) ## Contact ## PRE-CERT can be reached under precert@pre-secure.de. For PGP key information, refer to http://www.pre-cert.de.

References:

http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt
http://securitytracker.com/id?1025128
http://openwall.com/lists/oss-security/2011/02/24/4
http://openwall.com/lists/oss-security/2011/02/24/14
http://openwall.com/lists/oss-security/2011/02/23/16


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top