From patchwork Tue Nov 20 17:16:13 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [3.5.yuz, extended, stable] Patch "libceph: fix overflow in osdmap_apply_incremental()" has been added to staging queue From: Herton Ronaldo Krzesinski X-Patchwork-Id: 200428 Message-Id: <1353431773-8163-1-git-send-email-herton.krzesinski@canonical.com> To: Xi Wang Cc: Alex Elder , kernel-team@lists.ubuntu.com Date: Tue, 20 Nov 2012 15:16:13 -0200 This is a note to let you know that I have just added a patch titled libceph: fix overflow in osdmap_apply_incremental() to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.yuz tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Herton ------ >From 04db2317595ec2d605e0013a85e2ef0e4f0843e6 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Wed, 6 Jun 2012 19:35:55 -0500 Subject: [PATCH 21/78] libceph: fix overflow in osdmap_apply_incremental() commit a5506049500b30dbc5edb4d07a3577477c1f3643 upstream. On 32-bit systems, a large `pglen' would overflow `pglen*sizeof(u32)' and bypass the check ceph_decode_need(p, end, pglen*sizeof(u32), bad). It would also overflow the subsequent kmalloc() size, leading to out-of-bounds write. Signed-off-by: Xi Wang Reviewed-by: Alex Elder Signed-off-by: Herton Ronaldo Krzesinski --- net/ceph/osdmap.c | 4 ++++ 1 file changed, 4 insertions(+) -- 1.7.9.5 diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index bc73341..9600674 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -893,6 +893,10 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, (void) __remove_pg_mapping(&map->pg_temp, pgid); /* insert */ + if (pglen > (UINT_MAX - sizeof(*pg)) / sizeof(u32)) { + err = -EINVAL; + goto bad; + } pg = kmalloc(sizeof(*pg) + sizeof(u32)*pglen, GFP_NOFS); if (!pg) { err = -ENOMEM;