Message ID | 1328265263-13991-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On 03.02.2012 11:34, Andy Whitcroft wrote: > From: Timo Warns <Warns@pre-sense.de> > > As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer > overflow in ldm_frag_add) is not sufficient. The original patch in > commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted > partition table") does not consider that, for subsequent fragments, > previously allocated memory is used. > > [1] http://lkml.org/lkml/2011/5/6/407 > > Reported-by: Ben Hutchings <ben@decadent.org.uk> > Signed-off-by: Timo Warns <warns@pre-sense.de> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit cae13fe4cc3f24820ffb990c09110626837e85d4) > CVE-2011-2182 > BugLink: http://bugs.launchpad.net/bugs/922371 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/partitions/ldm.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c > index f7b6e88..e7a38f3 100644 > --- a/fs/partitions/ldm.c > +++ b/fs/partitions/ldm.c > @@ -1334,6 +1334,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags) > > list_add_tail (&f->list, frags); > found: > + if (rec >= f->num) { > + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); > + return false; > + } > + > if (f->map & (1 << rec)) { > ldm_error ("Duplicate VBLK, part %d.", rec); > f->map &= 0x7F; /* Mark the group as broken */ Looks ok. Acked-by: Stefan Bader <stefan.bader@canonical.com>
On Fri, Feb 03, 2012 at 10:34:23AM +0000, Andy Whitcroft wrote: > From: Timo Warns <Warns@pre-sense.de> > > As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer > overflow in ldm_frag_add) is not sufficient. The original patch in > commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted > partition table") does not consider that, for subsequent fragments, > previously allocated memory is used. > > [1] http://lkml.org/lkml/2011/5/6/407 > > Reported-by: Ben Hutchings <ben@decadent.org.uk> > Signed-off-by: Timo Warns <warns@pre-sense.de> > Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> > > (cherry picked from commit cae13fe4cc3f24820ffb990c09110626837e85d4) > CVE-2011-2182 > BugLink: http://bugs.launchpad.net/bugs/922371 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > fs/partitions/ldm.c | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c > index f7b6e88..e7a38f3 100644 > --- a/fs/partitions/ldm.c > +++ b/fs/partitions/ldm.c > @@ -1334,6 +1334,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags) > > list_add_tail (&f->list, frags); > found: > + if (rec >= f->num) { > + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); > + return false; > + } > + > if (f->map & (1 << rec)) { > ldm_error ("Duplicate VBLK, part %d.", rec); > f->map &= 0x7F; /* Mark the group as broken */ > -- > 1.7.8.3 > > > -- > kernel-team mailing list > kernel-team@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/kernel-team >
diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c index f7b6e88..e7a38f3 100644 --- a/fs/partitions/ldm.c +++ b/fs/partitions/ldm.c @@ -1334,6 +1334,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags) list_add_tail (&f->list, frags); found: + if (rec >= f->num) { + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); + return false; + } + if (f->map & (1 << rec)) { ldm_error ("Duplicate VBLK, part %d.", rec); f->map &= 0x7F; /* Mark the group as broken */
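Review bot: The new `rec >= f->num` branch placed right after `found:` returns false without marking the group as broken, while the duplicate-VBLK branch immediately below does so with `f->map &= 0x7F`; consider whether the out-of-range case should also flag the group, so that an entry already on `frags` that has received an inconsistent fragment is not treated as usable later. The check also bounds `rec` only by `f->num`, so the `1 << rec` test that follows is well-defined only if `num` is itself limited to the width of `f->map` somewhere outside this hunk; that is worth confirming, or stating in a short comment above the check. Minor style point: the added call is written `ldm_error(` while the surrounding lines use `ldm_error (` and `list_add_tail (` with a space before the parenthesis.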