From patchwork Wed Jan 18 11:28:30 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [maverick, maverick/ti-omap4, natty, natty/ti-omap4, CVE, 2/2] xfs: fix acl count validation in xfs_acl_from_disk() From: Andy Whitcroft X-Patchwork-Id: 136591 Message-Id: <1326886110-1911-3-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Cc: Andy Whitcroft Date: Wed, 18 Jan 2012 11:28:30 +0000 From: Xi Wang Commit fa8b18ed didn't prevent the integer overflow and possible memory corruption. "count" can go negative and bypass the check. Signed-off-by: Xi Wang Reviewed-by: Christoph Hellwig Signed-off-by: Ben Myers (cherry-picked from commit 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce) CVE-2012-0038 BugLink: http://bugs.launchpad.net/bugs/917706 Signed-off-by: Andy Whitcroft --- fs/xfs/linux-2.6/xfs_acl.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/fs/xfs/linux-2.6/xfs_acl.c b/fs/xfs/linux-2.6/xfs_acl.c index 46556ee..3423aba 100644 --- a/fs/xfs/linux-2.6/xfs_acl.c +++ b/fs/xfs/linux-2.6/xfs_acl.c @@ -39,7 +39,7 @@ xfs_acl_from_disk(struct xfs_acl *aclp) struct posix_acl_entry *acl_e; struct posix_acl *acl; struct xfs_acl_entry *ace; - int count, i; + unsigned int count, i; count = be32_to_cpu(aclp->acl_cnt); if (count > XFS_ACL_MAX_ENTRIES)
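Review bot: The bound check at `if (count > XFS_ACL_MAX_ENTRIES)` is only effective because of the declaration `unsigned int count, i;` a few lines above it, and nothing at the check itself records that dependency. `acl_cnt` is read from disk via `be32_to_cpu(aclp->acl_cnt)`, so it is untrusted input. With the old `int count`, a large on-disk value became negative and passed the upper-bound comparison, which is the bypass the commit message describes. I would add a one-line comment at the check saying the count comes from disk and must be compared as unsigned, so that a later cleanup that changes the type back to `int` does not silently reopen the hole. The same declaration also makes `i` unsigned. The rest of the function is not visible in this hunk, so it is worth confirming during the backport that no later use of `i` or `count` relies on signed comparison or on a negative value.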