Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F7BB827.6020501@redhat.com>
Date: Tue, 03 Apr 2012 20:55:35 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: akuster <akuster@...sta.com>, "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: fix to CVE-2009-4307

On 04/03/2012 04:32 PM, akuster wrote:
> Hello,
> 
> Was there a CVE assigned to commit d50f2ab6f050311dbf7b8f5501b25f0bf64a439b?
> 
> Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
> zero when trying to mount a corrupted file system") fixes CVE-2009-4307
> by performing a sanity check on s_log_groups_per_flex, since it can be
> set to a bogus value by an attacker.
> 
> - Armin

I assume you are talking about this:

http://git.kernel.org/?p=virt/kvm/kvm.git;a=commitdiff;h=d50f2ab6f050311dbf7b8f5501b25f0bf64a439b

================================================
Commit 503358ae01b70ce6909d19dd01287093f6b6271c ("ext4: avoid divide by
zero when trying to mount a corrupted file system") fixes CVE-2009-4307
by performing a sanity check on s_log_groups_per_flex, since it can be
set to a bogus value by an attacker.

sbi->s_log_groups_per_flex = sbi->s_es->s_log_groups_per_flex;
groups_per_flex = 1 << sbi->s_log_groups_per_flex;

if (groups_per_flex < 2) { ... }

This patch fixes two potential issues in the previous commit.

1) The sanity check might only work on architectures like PowerPC.
On x86, 5 bits are used for the shifting amount.  That means, given a
large s_log_groups_per_flex value like 36, groups_per_flex = 1 << 36
is essentially 1 << 4 = 16, rather than 0.  This will bypass the check,
leaving s_log_groups_per_flex and groups_per_flex inconsistent.

2) The sanity check relies on undefined behavior, i.e., oversized shift.
A standard-confirming C compiler could rewrite the check in unexpected
ways.  Consider the following equivalent form, assuming groups_per_flex
is unsigned for simplicity.

groups_per_flex = 1 << sbi->s_log_groups_per_flex;
if (groups_per_flex == 0 || groups_per_flex == 1) {

We compile the code snippet using Clang 3.0 and GCC 4.6.  Clang will
completely optimize away the check groups_per_flex == 0, leaving the
patched code as vulnerable as the original.  GCC keeps the check, but
there is no guarantee that future versions will do the same.

Signed-off-by: Xi Wang <xi.wang@...il.com>
Signed-off-by: "Theodore Ts'o" <tytso@....edu>
Cc: stable@...r.kernel.org
================================================

What specific do you want a CVE assigned for?

For #1 I can see a CVE of the "a previous patch didn't completely fix
the issue, yada yada" type.

For #2 I'm not sure how we handle something like a compiler possibly
mangling code so that an issue is introduced (is that a compiler
problem? a code problem? the intersection of both? Steve: can I get a
comment/referees decision here =)

-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.