Bugzilla – Bug 672505
VUL-1: CVE-2011-0191: kernel: xfs infoleak
Last modified: 2016-06-06 08:50:52 UTC
Hi. There is a security bug in package 'kernel'. This information is from 'oss-security'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: https://patchwork.kernel.org/patch/555461/

CVE number: CVE-2011-0191
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0191

Original posting:

---------- Forwarded message ----------
Subject: [oss-security] CVE request - kernel: xfs infoleak
Date: Wednesday 16 February 2011
From: Eugene Teo <eugene@redhat.com>
To: oss-security@lists.openwall.com

From Dan Rosenberg, "The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to xfs_fs_geometry() with a version number of 3. This code path does not fill in the logsunit member of the passed xfs_fsop_geom_t, leading to the leaking of four bytes of uninitialized stack data to potentially unprivileged callers. Since all other members are filled in all code paths and there are no padding bytes in this structure, it's safe to avoid an expensive memset() in favor of just clearing this one field."
https://patchwork.kernel.org/patch/555461/ https://bugzilla.redhat.com/show_bug.cgi?id=677260 Eugene ------------------------------------------------------------- buf=0x10010d480 "", occ=2944, s=<value temporarily unavailable, due to optimizations>) at tif_fax3.c:1443 1443 EXPAND2D(EOFG4); (gdb) bt #0 0x000000010002f66e in Fax4Decode (tif=0x1000e4be0, buf=0x10010d480 "", occ=2944, s=<value temporarily unavailable, due to optimizations>) at tif_fax3.c:1443 #1 0x000000010004f11d in TIFFReadEncodedStrip (tif=0x1000e4be0, strip=0, buf=0x10010d060, size=4000) at tif_read.c:161 #2 0x00000001000011a7 in PSDataBW (fd=0x7fff70846198, tif=0x1000e4be0, w=<value temporarily unavailable, due to optimizations>, h=<value temporarily unavailable, due to optimizations>) at tiff2ps.c:1924 #3 0x000000010000426f in PSpage (fd=0x7fff70846198, tif=0x1000e4be0, w=250, h=125) at tiff2ps.c:1664 #4 0x0000000100005451 in TIFF2PS (fd=0x7fff70846198, tif=0x1000e4be0, pw=0, ph=0, lm=0, bm=0, cnt=0) at tiff2ps.c:888 #5 0x0000000100006280 in main (argc=2, argv=0x7fff5fbff198) at tiff2ps.c:312 Our engineering team had this feedback: The crash happens in the SETVALUE macro. The input parameter is b1 - a0 - TabEnt->Param -- for the attached image: 244 - 242 - 3. So SETVALUE is called with '-1'. This patch should work for both 3.8.2 and 3.9.4: --- libtiff/tif_fax3.h.orig 2011-02-11 12:40:06.000000000 -0800 +++ libtiff/tif_fax3.h 2011-02-11 12:47:33.000000000 -0800 
@@ -478,6 +478,8 @@ break; \ case S_VL: \ CHECK_b1; \ + if (b1 < a0 + TabEnt->Param) \ + goto eol2d; \ SETVALUE(b1 - a0 - TabEnt->Param); \ b1 -= *--pb; \ break; \ 2) Buffer overflow in vec_ycc_rgb_convert / JPEGDecode CVE-ID: CVE-2011-0191 Credit:Apple This reproduces with libTIFF-3.8.2, but not libTIFF 3.9.4. libTIFF needs to be configured with JPEG enabled in order for this to reproduce. Test case: tiff2ps 00000149.tif You may need valgrind or other tools that can detect small memory corruption. With libgmalloc on Mac OS X 10.6 with libTIFF-3.8.2: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x0000000100149000 0x000000010009a863 in ycc_rgb_convert (cinfo=<value temporarily unavailable, due to optimizations>, input_buf=0x10014cf70, input_row=<value temporarily unavailable, due to optimizations>, output_buf=0x7fff5fbfee90, num_rows=0) at jdcolor.c:153 153 outptr[RGB_BLUE] = range_limit[y + Cbbtab[cb]]; (gdb) bt #0 0x000000010009a863 in ycc_rgb_convert (cinfo=<value temporarily unavailable, due to optimizations>, input_buf=0x10014cf70, input_row=<value temporarily unavailable, due to optimizations>, output_buf=0x7fff5fbfee90, num_rows=0) at jdcolor.c:153 #1 0x00000001000a37c6 in sep_upsample (cinfo=0x1000f9b00, input_buf=0x10014d668, in_row_group_ctr=0x10014d6bc, in_row_groups_avail=<value temporarily unavailable, due to optimizations>, output_buf=0x7fff5fbfee90, out_row_ctr=0x7fff5fbfee1c, out_rows_avail=1) at jdsample.c:129 #2 0x000000010009eed3 in process_data_simple_main (cinfo=0x1000f9b00, output_buf=0x7fff5fbfee90, out_row_ctr=0x7fff5fbfee1c, out_rows_avail=1) at jdmainct.c:367 #3 0x0000000100097370 in jpeg_read_scanlines (cinfo=0x1000f9b00, scanlines=0x7fff5fbfee90, max_lines=1) at jdapistd.c:173 #4 0x000000010003c148 in TIFFjpeg_read_scanlines (sp=0x1000f9b00, scanlines=0x7fff5fbfee90, max_lines=1) at tif_jpeg.c:351 #5 0x000000010003c2ed in JPEGDecode (tif=0x1000dad00, buf=0x100148ffe "\001?", 
'U' <repeats 198 times>..., cc=<value temporarily unavailable, due to optimizations>, s=<value temporarily unavailable, due to optimizations>) at tif_jpeg.c:928 #6 0x000000010004a58f in TIFFReadScanline (tif=0x1000dad00, buf=0x100148d10, row=0, sample=<value temporarily unavailable, due to optimizations>) at tif_read.c:104 #7 0x0000000100002432 in PSDataColorContig (fd=0x7fff70846198, tif=0x1000dad00, w=<value temporarily unavailable, due to optimizations>, h=125, nc=3) at tiff2ps.c:1476 #8 0x00000001000051ef in PSpage (fd=0x7fff70846198, tif=0x1000dad00, w=250, h=125) at tiff2ps.c:1385 #9 0x0000000100005988 in TIFF2PS (fd=0x7fff70846198, tif=0x1000dad00, pw=0, ph=0, lm=0, bm=0, cnt=0) at tiff2ps.c:671 #10 0x000000010000644e in main (argc=2, argv=0x7fff5fbff198) at tiff2ps.c:271 --- libtiff/tif_dir.c.orig 2011-02-11 13:08:43.000000000 -0800 +++ libtiff/tif_dir.c 2011-02-11 13:12:25.000000000 -0800 @@ -356,6 +356,10 @@ case TIFFTAG_YCBCRSUBSAMPLING: td->td_ycbcrsubsampling[0] = (uint16) va_arg(ap, int); td->td_ycbcrsubsampling[1] = (uint16) va_arg(ap, int); + if (td->td_ycbcrsubsampling[0] > 4) + td->td_ycbcrsubsampling[0] = (td->td_compression == 7) ? 1 : 2; + if (td->td_ycbcrsubsampling[1] > 4) + td->td_ycbcrsubsampling[1] = (td->td_compression == 7) ? 1 : 2; break; case TIFFTAG_TRANSFERFUNCTION: v = (td->td_samplesperpixel - td->td_extrasamples) > 1 ? 3 : 1; These issues should remain embargoed until March 2 2011. If there are any problems with this date, please let us know. ------------------------------------------------------------- -- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Whoever stops wanting to get better stops being good. -- Marie von Ebner-Eschenbach
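Review bot: The added `if (b1 < a0 + TabEnt->Param) goto eol2d;` in the S_VL case of the tif_fax3.h hunk keeps the negative run (244 - 242 - 3 = -1 for the attached image) away from SETVALUE, but it bails out silently: the row is ended as if a genuine EOL had been decoded and nothing records that the 2D code was malformed, so a truncated row from corrupt input is passed on as valid data. Emit a decoder warning before the goto so the condition is diagnosable in the log. The comparison itself is fine as far as the hunk shows: equality still goes through to SETVALUE(0), unchanged from the existing behaviour.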
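Review bot: The `> 4` range check on td_ycbcrsubsampling[0] and [1] in the tif_dir.c hunk only catches values above 4; 0 and 3, which are not valid subsampling factors either, still pass through unchanged, and 0 in particular is the value the later per-strip arithmetic cannot cope with. Validate against the permitted set (1, 2, 4) instead, and prefer failing the TIFFSetField call for an out-of-range value over silently substituting a default, since the substitution hides that the file was malformed. The literal 7 should also be spelled COMPRESSION_JPEG rather than a magic number.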
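Added example, not code from the report, the kernel or SUSE: a user-space C model of the xfs_fs_geometry() infoleak pattern described in the forwarded posting above. The struct is a reduced, hypothetical stand-in for xfs_fsop_geom_t (six fields, no padding), the fill routines are invented to mirror the described code path, and the poison byte is a constructed substitute for whatever stale data a real kernel stack would hold. The model makes the four-byte leak countable and shows the single-field clear the report recommends.

```c
/* Added example, not kernel or SUSE code: a user-space model of the
 * xfs_fs_geometry() infoleak pattern described in the report. The struct
 * below is a reduced stand-in for xfs_fsop_geom_t (hypothetical layout),
 * kept free of padding so that a field-by-field fill can be complete. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GEOM_VERSION_V1 3    /* per the report: FSGEOMETRY_V1 requests version 3 */
#define GEOM_VERSION_V4 4    /* hypothetical newer version that fills logsunit */
#define STACK_POISON    0xA5 /* constructed "stale stack" byte for the demo */

struct geom {                /* hypothetical, simplified layout */
    uint32_t blocksize;
    uint32_t agcount;
    uint32_t sectsize;
    uint32_t logsectsize;
    uint32_t version;
    uint32_t logsunit;       /* the member the v3 path never writes */
};
_Static_assert(sizeof(struct geom) == 6 * sizeof(uint32_t),
               "struct geom must have no padding bytes");

typedef void (*fill_fn)(struct geom *, int);

/* Buggy fill, mirroring the reported code path: every member except
 * logsunit is written on all paths; logsunit only when version >= 4. */
void fill_geom_buggy(struct geom *g, int version)
{
    g->blocksize   = 4096;
    g->agcount     = 4;
    g->sectsize    = 512;
    g->logsectsize = 512;
    g->version     = (uint32_t)version;
    if (version >= GEOM_VERSION_V4)
        g->logsunit = 4096;
}

/* Fixed fill: clear the one unfilled member up front. Because the struct
 * has no padding this is sufficient and avoids a full memset(), which is
 * the trade-off the report describes. */
void fill_geom_fixed(struct geom *g, int version)
{
    g->blocksize   = 4096;
    g->agcount     = 4;
    g->sectsize    = 512;
    g->logsectsize = 512;
    g->version     = (uint32_t)version;
    g->logsunit    = 0;
    if (version >= GEOM_VERSION_V4)
        g->logsunit = 4096;
}

/* Model of the ioctl handler. The kernel-side struct lives on the stack;
 * the slot is poisoned first so the leak is deterministic and countable,
 * then the struct is copied out as copy_to_user() would do. Returns how
 * many bytes of the outgoing buffer still hold the poison, i.e. reach the
 * caller uninitialised. */
size_t leaked_bytes(fill_fn fill, int version)
{
    struct geom g;
    unsigned char out[sizeof g];
    size_t i, n = 0;

    memset(&g, STACK_POISON, sizeof g);
    fill(&g, version);
    memcpy(out, &g, sizeof g);          /* stands in for copy_to_user() */
    for (i = 0; i < sizeof out; i++)
        if (out[i] == STACK_POISON)
            n++;
    return n;
}

int main(void)
{
    printf("buggy, v%d request: %zu uninitialised bytes copied out\n",
           GEOM_VERSION_V1, leaked_bytes(fill_geom_buggy, GEOM_VERSION_V1));
    printf("buggy, v%d request: %zu uninitialised bytes copied out\n",
           GEOM_VERSION_V4, leaked_bytes(fill_geom_buggy, GEOM_VERSION_V4));
    printf("fixed, v%d request: %zu uninitialised bytes copied out\n",
           GEOM_VERSION_V1, leaked_bytes(fill_geom_fixed, GEOM_VERSION_V1));
    return 0;
}
```

The poison-then-count approach is the same thing a memory sanitiser does for real code, only made explicit: for the buggy fill with a version-3 request exactly the four bytes of logsunit survive to the copy-out, while a version-4 request or the fixed fill leaves none. The separate follow-up on this bug (a caller passing a structure that is too small for the fill) is a different defect and is not modelled here.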
p5->p3 mass change
Thomas, you already reported this bug as 672524. That being said, there has been a followup fix (one of the callers passed a too-small structure), so I'll commit that fix.
Created attachment 421132: Patch fixing possible kernel stack corruption in xfs_ioc_fsgeometry_v1
Pushed the fix to: openSUSE-11.4 openSUSE-11.3 SLE11-SP1 SLE11 SLES10_SP4_BRANCH SLES10_SP3_BRANCH SLES9_SP4_BRANCH To SLES9_SP4_BRANCH, I've also pushed the original fix since it was missing from there. Closing the bug.
We have just released a kernel update for SUSE Linux Enterprise Server 11 SP1 that fixes/mentions this bug report. The released kernel version is 2.6.32.36-0.5.2.
Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra Products: SLE-DEBUGINFO 11-SP1 (x86_64) SLE-DESKTOP 11-SP1 (x86_64) SLE-HAE 11-SP1 (x86_64) SLE-SERVER 11-SP1 (x86_64) SLES4VMWARE 11-SP1 (x86_64)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra Products: SLE-DEBUGINFO 11-SP1 (ia64) SLE-HAE 11-SP1 (ia64) SLE-SERVER 11-SP1 (ia64)
Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra Products: SLE-DEBUGINFO 11-SP1 (ppc64) SLE-HAE 11-SP1 (ppc64) SLE-SERVER 11-SP1 (ppc64)
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra Products: SLE-DEBUGINFO 11-SP1 (i386) SLE-DESKTOP 11-SP1 (i386) SLE-HAE 11-SP1 (i386) SLE-SERVER 11-SP1 (i386) SLES4VMWARE 11-SP1 (i386)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man Products: SLE-DEBUGINFO 11-SP1 (s390x) SLE-HAE 11-SP1 (s390x) SLE-SERVER 11-SP1 (s390x)
Update released for: kernel-default-extra, kernel-ppc64-extra Products: SLE-SERVER 11-EXTRA (ppc64)
Update released for: kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (ia64)
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-docs, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop Products: openSUSE 11.4 (debug, i586, x86_64)
We have just released a kernel update for SUSE Linux Enterprise 10 SP4 that mentions/fixes this bug. The released version is 2.6.16.60-0.87.1.
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (ppc) SLE-SDK 10-SP4 (ppc) SLE-SERVER 10-SP4 (ppc)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (ia64) SLE-SDK 10-SP4 (ia64) SLE-SERVER 10-SP4 (ia64)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP4 (x86_64) SLE-DESKTOP 10-SP4 (x86_64) SLE-SDK 10-SP4 (x86_64) SLE-SERVER 10-SP4 (x86_64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP4 (s390x) SLE-SERVER 10-SP4 (s390x)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP4 (i386) SLE-DESKTOP 10-SP4 (i386) SLE-SDK 10-SP4 (i386) SLE-SERVER 10-SP4 (i386)
this is actually http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0711
We have just released a kernel update for SUSE Linux Enterprise Server 10 SP3 that mentions/fixes this bug. The released version is 2.6.16.60-0.79.1.
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP3 (ia64) SLE-SDK 10-SP3 (ia64) SLE-SERVER 10-SP3 (ia64)
Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo Products: SLE-DEBUGINFO 10-SP3 (x86_64) SLE-SAP-APL 10-SP3 (x86_64) SLE-SDK 10-SP3 (x86_64) SLE-SERVER 10-SP3 (x86_64)
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms Products: SLE-DEBUGINFO 10-SP3 (s390x) SLE-SERVER 10-SP3 (s390x)
Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 10-SP3 (ppc) SLE-SDK 10-SP3 (ppc) SLE-SERVER 10-SP3 (ppc)
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo Products: SLE-DEBUGINFO 10-SP3 (i386) SLE-SDK 10-SP3 (i386) SLE-SERVER 10-SP3 (i386)