From patchwork Tue Nov 20 17:16:13 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Herton Ronaldo Krzesinski X-Patchwork-Id: 200428 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from chlorine.canonical.com (chlorine.canonical.com [91.189.94.204]) by ozlabs.org (Postfix) with ESMTP id 760C42C0093 for ; Wed, 21 Nov 2012 04:16:40 +1100 (EST) Received: from localhost ([127.0.0.1] helo=chlorine.canonical.com) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1TarR2-0001YJ-LZ; Tue, 20 Nov 2012 17:16:32 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by chlorine.canonical.com with esmtp (Exim 4.71) (envelope-from ) id 1TarQm-0001Nd-WE for kernel-team@lists.ubuntu.com; Tue, 20 Nov 2012 17:16:17 +0000 Received: from [177.132.111.71] (helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1TarQm-0002to-AV; Tue, 20 Nov 2012 17:16:16 +0000 From: Herton Ronaldo Krzesinski To: Xi Wang Subject: [ 3.5.yuz extended stable ] Patch "libceph: fix overflow in osdmap_apply_incremental()" has been added to staging queue Date: Tue, 20 Nov 2012 15:16:13 -0200 Message-Id: <1353431773-8163-1-git-send-email-herton.krzesinski@canonical.com> X-Mailer: git-send-email 1.7.9.5 Cc: Alex Elder , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.13 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: kernel-team-bounces@lists.ubuntu.com Errors-To: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled libceph: fix overflow in osdmap_apply_incremental() to the linux-3.5.y-queue branch of the 3.5.yuz extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.yuz tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Herton ------ From 04db2317595ec2d605e0013a85e2ef0e4f0843e6 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Wed, 6 Jun 2012 19:35:55 -0500 Subject: [PATCH 21/78] libceph: fix overflow in osdmap_apply_incremental() commit a5506049500b30dbc5edb4d07a3577477c1f3643 upstream. On 32-bit systems, a large `pglen' would overflow `pglen*sizeof(u32)' and bypass the check ceph_decode_need(p, end, pglen*sizeof(u32), bad). It would also overflow the subsequent kmalloc() size, leading to out-of-bounds write. Signed-off-by: Xi Wang Reviewed-by: Alex Elder Signed-off-by: Herton Ronaldo Krzesinski --- net/ceph/osdmap.c | 4 ++++ 1 file changed, 4 insertions(+) -- 1.7.9.5 diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c index bc73341..9600674 100644 --- a/net/ceph/osdmap.c +++ b/net/ceph/osdmap.c @@ -893,6 +893,10 @@ struct ceph_osdmap *osdmap_apply_incremental(void **p, void *end, (void) __remove_pg_mapping(&map->pg_temp, pgid); /* insert */ + if (pglen > (UINT_MAX - sizeof(*pg)) / sizeof(u32)) { + err = -EINVAL; + goto bad; + } pg = kmalloc(sizeof(*pg) + sizeof(u32)*pglen, GFP_NOFS); if (!pg) { err = -ENOMEM;