• Timo Warns's avatar
    fs/partitions/efi.c: corrupted GUID partition tables can cause kernel oops · 3eb8e74e
    Timo Warns authored
    The kernel automatically evaluates partition tables of storage devices.
    The code for evaluating GUID partitions (in fs/partitions/efi.c) contains
    a bug that causes a kernel oops on certain corrupted GUID partition
    tables.
    
    This bug has security impacts, because it allows, for example, to
    prepare a storage device that crashes a kernel subsystem upon connecting
    the device (e.g., a "USB Stick of (Partial) Death").
    
    	crc = efi_crc32((const unsigned char *) (*gpt), le32_to_cpu((*gpt)->header_size));
    
    computes a CRC32 checksum over gpt covering (*gpt)->header_size bytes.
    There is no validation of (*gpt)->header_size before the efi_crc32 call.
    
    A corrupted partition table may have large values for (*gpt)->header_size.
     In this case, the CRC32 computation access memory beyond the memory
    allocated for gpt, which may cause a kernel heap overflow.
    
    Validate value of GUID partition table header size.
    
    [akpm@linux-foundation.org: fix layout and indenting]
    Signed-off-by: default avatarTimo Warns <warns@pre-sense.de>
    Cc: Matt Domsch <Matt_Domsch@dell.com>
    Cc: Eugene Teo <eugeneteo@kernel.sg>
    Cc: Dave Jones <davej@codemonkey.org.uk>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    3eb8e74e
efi.c 20.7 KB