Patchwork [3.5.yuz,extended,stable] Patch "libceph: fix overflow in osdmap_decode()" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Nov. 20, 2012, 5:16 p.m.
Permalink /patch/200427/
State New


Herton Ronaldo Krzesinski - Nov. 20, 2012, 5:16 p.m.
This is a note to let you know that I have just added a patch titled

    libceph: fix overflow in osdmap_decode()

to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.yuz tree, see



From a97bc8762b8ae43f3ce0f119c7f3e3187b9eb2e7 Mon Sep 17 00:00:00 2001
From: Xi Wang <>
Date: Wed, 6 Jun 2012 19:35:55 -0500
Subject: [PATCH 20/78] libceph: fix overflow in osdmap_decode()

commit e91a9b639a691e0982088b5954eaafb5a25c8f1c upstream.

On 32-bit systems, a large `n' would overflow `n * sizeof(u32)' and bypass
the check ceph_decode_need(p, end, n * sizeof(u32), bad).  It would also
overflow the subsequent kmalloc() size, leading to out-of-bounds write.

Signed-off-by: Xi Wang <>
Reviewed-by: Alex Elder <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 net/ceph/osdmap.c |    3 +++
 1 file changed, 3 insertions(+)



diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index 95b2762..bc73341 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -667,6 +667,9 @@  struct ceph_osdmap *osdmap_decode(void **p, void *end)
 		ceph_decode_need(p, end, sizeof(u32) + sizeof(u64), bad);
 		ceph_decode_copy(p, &pgid, sizeof(pgid));
 		n = ceph_decode_32(p);
+		err = -EINVAL;
+		if (n > (UINT_MAX - sizeof(*pg)) / sizeof(u32))
+			goto bad;
 		ceph_decode_need(p, end, n * sizeof(u32), bad);
 		err = -ENOMEM;
 		pg = kmalloc(sizeof(*pg) + n*sizeof(u32), GFP_NOFS);
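Review bot: the bound `if (n > (UINT_MAX - sizeof(*pg)) / sizeof(u32))` is sized for the later `kmalloc(sizeof(*pg) + n*sizeof(u32), GFP_NOFS)`, the larger of the two products, so it also keeps `n * sizeof(u32)` in ceph_decode_need() from wrapping; a one-line comment saying that the subtraction of sizeof(*pg) accounts for the kmalloc() size would spare readers who only look at the ceph_decode_need() line from wondering why the struct size appears in the check. Setting `err = -EINVAL` immediately before the `goto bad` is the right order, since the existing `err = -ENOMEM` is only reached on the kmalloc() path, and because ceph_decode_need() still precedes kmalloc(), n remains additionally bounded by the bytes left in the message once the overflow is ruled out.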
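As an added illustration (not code from the patch or from Ceph), the C program below reproduces in 32-bit unsigned arithmetic the wraparound the commit message describes and shows how the patch's bound rejects the same input before any multiplication; the `pg_stub` struct, the `size32_t` stand-in for a 32-bit `size_t`, and the sample values are constructed for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the struct whose size kmalloc() adds to the
 * u32 array; the real Ceph struct is not reproduced here. */
struct pg_stub { uint32_t len; uint32_t osds[]; };

/* Simulates size_t on a 32-bit kernel: products are reduced mod 2^32. */
typedef uint32_t size32_t;

/* The unpatched decode check: does n * sizeof(u32) fit in the remaining
 * bytes? Returns true when the check passes, including by wraparound. */
static bool unguarded_need_ok(uint32_t n, size32_t remaining)
{
    size32_t need = n * (size32_t)sizeof(uint32_t);  /* may wrap */
    return need <= remaining;
}

/* The bound introduced by the patch, evaluated before any multiply. */
static bool n_within_bound(uint32_t n)
{
    return n <= (UINT_MAX - sizeof(struct pg_stub)) / sizeof(uint32_t);
}

/* Size kmalloc() would receive on a 32-bit build for a given n. */
static size32_t alloc_size32(uint32_t n)
{
    return (size32_t)sizeof(struct pg_stub) + n * (size32_t)sizeof(uint32_t);
}

/* Patched behaviour: the bound must hold before the length check runs. */
static bool guarded_need_ok(uint32_t n, size32_t remaining)
{
    return n_within_bound(n) && unguarded_need_ok(n, remaining);
}

int main(void)
{
    uint32_t n = 0x40000002u;   /* constructed: 4 * n wraps to 8 */
    size32_t remaining = 64;    /* constructed: bytes left in the message */
    printf("unguarded passes: %d, guarded passes: %d, kmalloc size: %u\n",
           unguarded_need_ok(n, remaining), guarded_need_ok(n, remaining),
           alloc_size32(n));
    return 0;
}
```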