Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25798
HistoryFeb 26, 2011 - 12:00 a.m.

[PRE-SA-2011-01] Multiple Linux kernel vulnerabilities in partition handling code of LDM and MAC partition tables

2011-02-2600:00:00
vulners.com
16

PRE-CERT Security Advisory

  • Advisory: PRE-SA-2011-01
  • Released on: 23 Feb 2011
  • Last updated on: 23 Feb 2011
  • Affected product: Linux Kernel 2.4 and 2.6
  • Impact: - privilege Escalation
    - denial-of-service
    - disclosure of sensitive information
  • Origin: storage devices
  • CVE Identifier: - CVE-2011-1010

Summary

Timo Warns (PRESENSE Technologies GmbH) reported some vulnerabilities in
the Linux kernel that may lead to privilege escalation,
denial-of-service, or information leakage via corrupted partition
tables. Exploiting these vulnerabilities has been demonstrated by a "USB
Stick of Death" that crashes the Linux kernel upon connecting the stick.

The kernel automatically evaluates partition tables of storage devices.
Note that this happens independently of whether auto-mounting is enabled
or not. The code for evaluating MAC and LDM partition tables contains the
following vulnerabilities:

  • CVE-2011-1010
    A buffer overflow bug in mac_partition in fs/partitions/mac.c (for MAC
    partition tables) allows to cause a denial-of-service (kernel panic)
    via a corrupted MAC partition table.

    For a patch, see
    http://git.kernel.org/linus/fa7ea87a057958a8b7926c1a60a3ca6d696328ed

  • A division-by-zero bug in ldm_get_vblks in fs/partitions/ldm.c (for
    LDM partition tables) allows to cause a denial-of-service (kernel
    oops) via a corrupted LDM partition table.

    For a patch, see
    http://www.spinics.net/lists/mm-commits/msg82429.html

  • A buffer overflow bug in ldm_frag_add in fs/partitions/ldm.c (for LDM
    partition tables) may allow to escalate privileges or to disclose
    sensitive information via a corrupted LDM partition table.

Workaround

Compile and use a kernel that does not evaluate MAC and LDM partition
tables. The corresponding configuration keys are CONFIG_MAC_PARTITION
and CONFIG_LDM_PARTITION.

References

https://bugzilla.redhat.com/show_bug.cgi?id=679282

When further information becomes available, this advisory will be
updated. The most recent version of this advisory is available at:

http://www.pre-cert.de/advisories/PRE-SA-2011-01.txt

Contact

PRE-CERT can be reached under [email protected]. For PGP
key information, refer to http://www.pre-cert.de

Related for SECURITYVULNS:DOC:25798