Commit | Line | Data |
---|---|---|
2ce07e76 GKH |
1 | From cae13fe4cc3f24820ffb990c09110626837e85d4 Mon Sep 17 00:00:00 2001 |
2 | From: Timo Warns <Warns@pre-sense.de> | |
3 | Date: Thu, 19 May 2011 09:24:17 +0200 | |
4 | Subject: Fix for buffer overflow in ldm_frag_add not sufficient | |
5 | ||
6 | From: Timo Warns <Warns@pre-sense.de> | |
7 | ||
8 | commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream. | |
9 | ||
10 | As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer | |
11 | overflow in ldm_frag_add) is not sufficient. The original patch in | |
12 | commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted | |
13 | partition table") does not consider that, for subsequent fragments, | |
14 | previously allocated memory is used. | |
15 | ||
16 | [1] http://lkml.org/lkml/2011/5/6/407 | |
17 | ||
18 | Reported-by: Ben Hutchings <ben@decadent.org.uk> | |
19 | Signed-off-by: Timo Warns <warns@pre-sense.de> | |
20 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | |
21 | Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> | |
22 | ||
23 | --- | |
24 | fs/partitions/ldm.c | 5 +++++ | |
25 | 1 file changed, 5 insertions(+) | |
26 | ||
27 | --- a/fs/partitions/ldm.c | |
28 | +++ b/fs/partitions/ldm.c | |
29 | @@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data | |
30 | ||
31 | list_add_tail (&f->list, frags); | |
32 | found: | |
33 | + if (rec >= f->num) { | |
34 | + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); | |
35 | + return false; | |
36 | + } | |
37 | + | |
38 | if (f->map & (1 << rec)) { | |
39 | ldm_error ("Duplicate VBLK, part %d.", rec); | |
40 | f->map &= 0x7F; /* Mark the group as broken */ |
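Review bot: The added `rec >= f->num` guard after `found:` has no comment explaining why it sits below the label, and that placement is the whole fix: per the commit message, a fragment joining an already-listed group reuses previously allocated memory, so `rec` has to be compared with the stored `f->num`. I would add `/* f may be a previously allocated group: bound rec by its stored num */` above the `if`. The next line's `1 << rec` and the `0x7F` mask suggest a small bitmap, so the guard keeps the shift in range only if `f->num` was itself capped when the group was created; that cap is not visible in this hunk and should be confirmed. On style, the call is written `ldm_error(` while the neighbouring lines use `ldm_error (`, and the message lacks the trailing period of "Duplicate VBLK, part %d."; the body of ldm_frag_add starts and ends outside the hunk.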