| Message ID | 1310567384-26224-2-git-send-email-apw@canonical.com |
|---|---|
| State | New |
| Headers | show |
On 13.07.2011 16:29, Andy Whitcroft wrote: > From: Timo Warns <warns@pre-sense.de> > > Validate number of blocks in map and remove redundant variable. > > Signed-off-by: Timo Warns <warns@pre-sense.de> > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed) > CVE-2011-1010 > BugLink: http://bugs.launchpad.net/bugs/804225 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/partitions/mac.c | 15 ++++++++------- > 1 files changed, 8 insertions(+), 7 deletions(-) > > diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c > index d4a0fad..ba45eaf 100644 > --- a/fs/partitions/mac.c > +++ b/fs/partitions/mac.c > @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len) > > int mac_partition(struct parsed_partitions *state, struct block_device *bdev) > { > - int slot = 1; > Sector sect; > unsigned char *data; > - int blk, blocks_in_map; > + int slot, blocks_in_map; > unsigned secsize; > #ifdef CONFIG_PPC_PMAC > int found_root = 0; > @@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev) > } > printk(" [mac]"); > blocks_in_map = be32_to_cpu(part->map_count); > - for (blk = 1; blk <= blocks_in_map; ++blk) { > - int pos = blk * secsize; > + if (blocks_in_map < 0 || blocks_in_map >= 256) { > + put_dev_sector(sect); > + return 0; > + } > + for (slot = 1; slot <= blocks_in_map; ++slot) { > + int pos = slot * secsize; > put_dev_sector(sect); > data = read_dev_sector(bdev, pos/512, §); > if (!data) > @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev) > } > > if (goodness > found_root_goodness) { > - found_root = blk; > + found_root = slot; > found_root_goodness = goodness; > } > } > #endif /* CONFIG_PPC_PMAC */ > - > - ++slot; > } > #ifdef CONFIG_PPC_PMAC > if (found_root_goodness) Acked-by: Stefan Bader <stefan.bader@canonical.com>
On Wed, 2011-07-13 at 15:29 +0100, Andy Whitcroft wrote: > From: Timo Warns <warns@pre-sense.de> > > Validate number of blocks in map and remove redundant variable. > > Signed-off-by: Timo Warns <warns@pre-sense.de> > Cc: stable@kernel.org > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed) > CVE-2011-1010 > BugLink: http://bugs.launchpad.net/bugs/804225 > Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > fs/partitions/mac.c | 15 ++++++++------- > 1 files changed, 8 insertions(+), 7 deletions(-) > > diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c > index d4a0fad..ba45eaf 100644 > --- a/fs/partitions/mac.c > +++ b/fs/partitions/mac.c > @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len) > > int mac_partition(struct parsed_partitions *state, struct block_device *bdev) > { > - int slot = 1; > Sector sect; > unsigned char *data; > - int blk, blocks_in_map; > + int slot, blocks_in_map; > unsigned secsize; > #ifdef CONFIG_PPC_PMAC > int found_root = 0; > @@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev) > } > printk(" [mac]"); > blocks_in_map = be32_to_cpu(part->map_count); > - for (blk = 1; blk <= blocks_in_map; ++blk) { > - int pos = blk * secsize; > + if (blocks_in_map < 0 || blocks_in_map >= 256) { > + put_dev_sector(sect); > + return 0; > + } > + for (slot = 1; slot <= blocks_in_map; ++slot) { > + int pos = slot * secsize; > put_dev_sector(sect); > data = read_dev_sector(bdev, pos/512, §); > if (!data) > @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev) > } > > if (goodness > found_root_goodness) { > - found_root = blk; > + found_root = slot; > found_root_goodness = goodness; > } > } > #endif /* CONFIG_PPC_PMAC */ > - > - ++slot; > } > #ifdef CONFIG_PPC_PMAC > if (found_root_goodness) > -- > 1.7.4.1 > >
Applied to Hardy. -apw
diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c index d4a0fad..ba45eaf 100644 --- a/fs/partitions/mac.c +++ b/fs/partitions/mac.c @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len) int mac_partition(struct parsed_partitions *state, struct block_device *bdev) { - int slot = 1; Sector sect; unsigned char *data; - int blk, blocks_in_map; + int slot, blocks_in_map; unsigned secsize; #ifdef CONFIG_PPC_PMAC int found_root = 0; @@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev) } printk(" [mac]"); blocks_in_map = be32_to_cpu(part->map_count); - for (blk = 1; blk <= blocks_in_map; ++blk) { - int pos = blk * secsize; + if (blocks_in_map < 0 || blocks_in_map >= 256) { + put_dev_sector(sect); + return 0; + } + for (slot = 1; slot <= blocks_in_map; ++slot) { + int pos = slot * secsize; put_dev_sector(sect); data = read_dev_sector(bdev, pos/512, §); if (!data) @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev) } if (goodness > found_root_goodness) { - found_root = blk; + found_root = slot; found_root_goodness = goodness; } } #endif /* CONFIG_PPC_PMAC */ - - ++slot; } #ifdef CONFIG_PPC_PMAC if (found_root_goodness)