From patchwork Mon Feb 24 19:51:01 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kamal Mostafa X-Patchwork-Id: 323749 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 35CDC2C0172 for ; Tue, 25 Feb 2014 06:53:01 +1100 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1WI1aD-00083Y-KN; Mon, 24 Feb 2014 19:52:57 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1WI1YO-0006yB-BI for kernel-team@lists.ubuntu.com; Mon, 24 Feb 2014 19:51:04 +0000 Received: from c-67-160-231-162.hsd1.ca.comcast.net ([67.160.231.162] helo=fourier) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1WI1YN-0006d9-5k; Mon, 24 Feb 2014 19:51:03 +0000 Received: from kamal by fourier with local (Exim 4.80) (envelope-from ) id 1WI1YL-0001vL-7q; Mon, 24 Feb 2014 11:51:01 -0800 From: Kamal Mostafa To: Paul Bolle Subject: [3.8.y.z extended stable] Patch "raw: test against runtime value of max_raw_minors" has been added to staging queue Date: Mon, 24 Feb 2014 11:51:01 -0800 Message-Id: <1393271461-7363-1-git-send-email-kamal@canonical.com> X-Mailer: git-send-email 1.8.3.2 X-Extended-Stable: 3.8 Cc: Greg Kroah-Hartman , Kamal Mostafa , Jan Kara , kernel-team@lists.ubuntu.com X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled raw: test against runtime value of max_raw_minors to the linux-3.8.y-queue branch of the 3.8.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.8.y-queue This patch is scheduled to be released in version 3.8.13.19. If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.8.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Kamal ------ From a4f500306cff1b558d1ab938abecc1a37528c04a Mon Sep 17 00:00:00 2001 From: Paul Bolle Date: Tue, 4 Feb 2014 23:23:12 +0100 Subject: raw: test against runtime value of max_raw_minors commit 5bbb2ae3d6f896f8d2082d1eceb6131c2420b7cf upstream. bind_get() checks the device number it is called with. It uses MAX_RAW_MINORS for the upper bound. But MAX_RAW_MINORS is set at compile time while the actual number of raw devices can be set at runtime. This means the test can either be too strict or too lenient. And if the test ends up being too lenient bind_get() might try to access memory beyond what was allocated for "raw_devices". So check against the runtime value (max_raw_minors) in this function. Signed-off-by: Paul Bolle Acked-by: Jan Kara Signed-off-by: Greg Kroah-Hartman Signed-off-by: Kamal Mostafa --- drivers/char/raw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.8.3.2 diff --git a/drivers/char/raw.c b/drivers/char/raw.c index 54a3a6d..5959669 100644 --- a/drivers/char/raw.c +++ b/drivers/char/raw.c @@ -190,7 +190,7 @@ static int bind_get(int number, dev_t *dev) struct raw_device_data *rawdev; struct block_device *bdev; - if (number <= 0 || number >= MAX_RAW_MINORS) + if (number <= 0 || number >= max_raw_minors) return -EINVAL; rawdev = &raw_devices[number];