[thirdparty/kernel/stable-queue.git] / releases / 2.6.38.8 / fix-for-buffer-overflow-in-ldm_frag_add-not-sufficient.patch

From cae13fe4cc3f24820ffb990c09110626837e85d4 Mon Sep 17 00:00:00 2001
From: Timo Warns <Warns@pre-sense.de>
Date: Thu, 19 May 2011 09:24:17 +0200
Subject: Fix for buffer overflow in ldm_frag_add not sufficient

From: Timo Warns <Warns@pre-sense.de>

commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream.

As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer
overflow in ldm_frag_add) is not sufficient.  The original patch in
commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted
partition table") does not consider that, for subsequent fragments,
previously allocated memory is used.

[1] http://lkml.org/lkml/2011/5/6/407

Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Timo Warns <warns@pre-sense.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/partitions/ldm.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/partitions/ldm.c
+++ b/fs/partitions/ldm.c
@@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data
 
 	list_add_tail (&f->list, frags);
 found:
+	if (rec >= f->num) {
+		ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);
+		return false;
+	}
+
 	if (f->map & (1 << rec)) {
 		ldm_error ("Duplicate VBLK, part %d.", rec);
 		f->map &= 0x7F;			/* Mark the group as broken */
Commit	Line	Data
2ce07e76 GKH	1	From cae13fe4cc3f24820ffb990c09110626837e85d4 Mon Sep 17 00:00:00 2001
	2	From: Timo Warns <Warns@pre-sense.de>
	3	Date: Thu, 19 May 2011 09:24:17 +0200
	4	Subject: Fix for buffer overflow in ldm_frag_add not sufficient
	5
	6	From: Timo Warns <Warns@pre-sense.de>
	7
	8	commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream.
	9
	10	As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer
	11	overflow in ldm_frag_add) is not sufficient. The original patch in
	12	commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted
	13	partition table") does not consider that, for subsequent fragments,
	14	previously allocated memory is used.
	15
	16	[1] http://lkml.org/lkml/2011/5/6/407
	17
	18	Reported-by: Ben Hutchings <ben@decadent.org.uk>
	19	Signed-off-by: Timo Warns <warns@pre-sense.de>
	20	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	22
	23	---
	24	fs/partitions/ldm.c \| 5 +++++
	25	1 file changed, 5 insertions(+)
	26
	27	--- a/fs/partitions/ldm.c
	28	+++ b/fs/partitions/ldm.c
	29	@@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data
	30
	31	list_add_tail (&f->list, frags);
	32	found:
	33	+ if (rec >= f->num) {
	34	+ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);
	35	+ return false;
	36	+ }
	37	+
	38	if (f->map & (1 << rec)) {
	39	ldm_error ("Duplicate VBLK, part %d.", rec);
	40	f->map &= 0x7F; /* Mark the group as broken */