Patchwork [hardy,CVE,1/1] fs/partitions: Validate map_count in Mac partition tables

Submitter Andy Whitcroft
Date July 13, 2011, 2:29 p.m.
Message ID <1310567384-26224-2-git-send-email-apw@canonical.com>
Permalink /patch/104512/
State New

Comments

Andy Whitcroft - July 13, 2011, 2:29 p.m.
From: Timo Warns <warns@pre-sense.de>

Validate number of blocks in map and remove redundant variable.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed)
CVE-2011-1010
BugLink: http://bugs.launchpad.net/bugs/804225
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 fs/partitions/mac.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)
Stefan Bader - July 13, 2011, 2:40 p.m.
On 13.07.2011 16:29, Andy Whitcroft wrote:
> From: Timo Warns <warns@pre-sense.de>
> 
> Validate number of blocks in map and remove redundant variable.
> 
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed)
> CVE-2011-1010
> BugLink: http://bugs.launchpad.net/bugs/804225
> Signed-off-by: Andy Whitcroft <apw@canonical.com>
> ---
>  fs/partitions/mac.c |   15 ++++++++-------
>  1 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
> index d4a0fad..ba45eaf 100644
> --- a/fs/partitions/mac.c
> +++ b/fs/partitions/mac.c
> @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)
>  
>  int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  {
> -	int slot = 1;
>  	Sector sect;
>  	unsigned char *data;
> -	int blk, blocks_in_map;
> +	int slot, blocks_in_map;
>  	unsigned secsize;
>  #ifdef CONFIG_PPC_PMAC
>  	int found_root = 0;
> @@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  	}
>  	printk(" [mac]");
>  	blocks_in_map = be32_to_cpu(part->map_count);
> -	for (blk = 1; blk <= blocks_in_map; ++blk) {
> -		int pos = blk * secsize;
> +	if (blocks_in_map < 0 || blocks_in_map >= 256) {
> +		put_dev_sector(sect);
> +		return 0;
> +	}
> +	for (slot = 1; slot <= blocks_in_map; ++slot) {
> +		int pos = slot * secsize;
>  		put_dev_sector(sect);
>  		data = read_dev_sector(bdev, pos/512, &sect);
>  		if (!data)
> @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  			}
>  
>  			if (goodness > found_root_goodness) {
> -				found_root = blk;
> +				found_root = slot;
>  				found_root_goodness = goodness;
>  			}
>  		}
>  #endif /* CONFIG_PPC_PMAC */
> -
> -		++slot;
>  	}
>  #ifdef CONFIG_PPC_PMAC
>  	if (found_root_goodness)

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Leann Ogasawara - July 13, 2011, 4:25 p.m.
On Wed, 2011-07-13 at 15:29 +0100, Andy Whitcroft wrote:
> From: Timo Warns <warns@pre-sense.de>
> 
> Validate number of blocks in map and remove redundant variable.
> 
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Cc: stable@kernel.org
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> 
> (backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed)
> CVE-2011-1010
> BugLink: http://bugs.launchpad.net/bugs/804225
> Signed-off-by: Andy Whitcroft <apw@canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com>

> ---
>  fs/partitions/mac.c |   15 ++++++++-------
>  1 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
> index d4a0fad..ba45eaf 100644
> --- a/fs/partitions/mac.c
> +++ b/fs/partitions/mac.c
> @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)
>  
>  int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  {
> -	int slot = 1;
>  	Sector sect;
>  	unsigned char *data;
> -	int blk, blocks_in_map;
> +	int slot, blocks_in_map;
>  	unsigned secsize;
>  #ifdef CONFIG_PPC_PMAC
>  	int found_root = 0;
> @@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  	}
>  	printk(" [mac]");
>  	blocks_in_map = be32_to_cpu(part->map_count);
> -	for (blk = 1; blk <= blocks_in_map; ++blk) {
> -		int pos = blk * secsize;
> +	if (blocks_in_map < 0 || blocks_in_map >= 256) {
> +		put_dev_sector(sect);
> +		return 0;
> +	}
> +	for (slot = 1; slot <= blocks_in_map; ++slot) {
> +		int pos = slot * secsize;
>  		put_dev_sector(sect);
>  		data = read_dev_sector(bdev, pos/512, &sect);
>  		if (!data)
> @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  			}
>  
>  			if (goodness > found_root_goodness) {
> -				found_root = blk;
> +				found_root = slot;
>  				found_root_goodness = goodness;
>  			}
>  		}
>  #endif /* CONFIG_PPC_PMAC */
> -
> -		++slot;
>  	}
>  #ifdef CONFIG_PPC_PMAC
>  	if (found_root_goodness)
> -- 
> 1.7.4.1
> 
>
Andy Whitcroft - July 13, 2011, 4:55 p.m.
Applied to Hardy.

-apw

Patch

diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
index d4a0fad..ba45eaf 100644
--- a/fs/partitions/mac.c
+++ b/fs/partitions/mac.c
@@ -29,10 +29,9 @@  static inline void mac_fix_string(char *stg, int len)
 
 int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
 {
-	int slot = 1;
 	Sector sect;
 	unsigned char *data;
-	int blk, blocks_in_map;
+	int slot, blocks_in_map;
 	unsigned secsize;
 #ifdef CONFIG_PPC_PMAC
 	int found_root = 0;
@@ -61,8 +60,12 @@  int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
 	}
 	printk(" [mac]");
 	blocks_in_map = be32_to_cpu(part->map_count);
-	for (blk = 1; blk <= blocks_in_map; ++blk) {
-		int pos = blk * secsize;
+	if (blocks_in_map < 0 || blocks_in_map >= 256) {
+		put_dev_sector(sect);
+		return 0;
+	}
+	for (slot = 1; slot <= blocks_in_map; ++slot) {
+		int pos = slot * secsize;
 		put_dev_sector(sect);
 		data = read_dev_sector(bdev, pos/512, &sect);
 		if (!data)
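Review bot: The limit in the added check `if (blocks_in_map < 0 || blocks_in_map >= 256)` is a bare number with no comment, and the rejection path returns silently, so a reader cannot tell where the bound comes from or that `map_count` is taken straight from the on-disk table. A comment above the check such as `/* map_count is read from the device and is untrusted; reject implausible map sizes */`, plus a named constant for the limit, would document the intent. The `< 0` arm only works because the 32-bit result of `be32_to_cpu()` is stored in an `int`; declaring `blocks_in_map` unsigned (its declaration is in the first hunk) would reduce the test to `if (blocks_in_map >= 256)`. `int pos = slot * secsize;` now stays in range only if `secsize` is itself bounded, which is set outside this hunk and is worth confirming. The body of mac_partition starts before and continues after this hunk.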
@@ -113,13 +116,11 @@  int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
 			}
 
 			if (goodness > found_root_goodness) {
-				found_root = blk;
+				found_root = slot;
 				found_root_goodness = goodness;
 			}
 		}
 #endif /* CONFIG_PPC_PMAC */
-
-		++slot;
 	}
 #ifdef CONFIG_PPC_PMAC
 	if (found_root_goodness)