From: Greg Kroah-Hartman <gregkh@suse.de>
Date: Tue, 10 Jan 2012 19:24:20 +0000 (-0800)
Subject: 3.1-stable patches
X-Git-Tag: v3.2.1~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=06c321dde9109643a420b23a5e2db8d63d34b008;p=thirdparty%2Fkernel%2Fstable-queue.git

3.1-stable patches

added patches:
	xfs-fix-acl-count-validation-in-xfs_acl_from_disk.patch
	xfs-validate-acl-count.patch
---

diff --git a/queue-3.1/series b/queue-3.1/series
index ac28edb8021..445977e668e 100644
--- a/queue-3.1/series
+++ b/queue-3.1/series
@@ -38,3 +38,5 @@ bonding-fix-error-handling-if-slave-is-busy-v2.patch
 pm-sleep-fix-race-between-cpu-hotplug-and-freezer.patch
 scsi-mpt2sas-added-missing-mpt2sas_base_detach-call-from-scsih_remove-context.patch
 usb-cdc-acm-fix-acm_tty_hangup-vs.-acm_tty_close-race.patch
+xfs-validate-acl-count.patch
+xfs-fix-acl-count-validation-in-xfs_acl_from_disk.patch
diff --git a/queue-3.1/xfs-fix-acl-count-validation-in-xfs_acl_from_disk.patch b/queue-3.1/xfs-fix-acl-count-validation-in-xfs_acl_from_disk.patch
new file mode 100644
index 00000000000..b8a71e4f022
--- /dev/null
+++ b/queue-3.1/xfs-fix-acl-count-validation-in-xfs_acl_from_disk.patch
@@ -0,0 +1,32 @@
+From 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Mon, 12 Dec 2011 21:55:52 +0000
+Subject: xfs: fix acl count validation in xfs_acl_from_disk()
+
+From: Xi Wang <xi.wang@gmail.com>
+
+commit 093019cf1b18dd31b2c3b77acce4e000e2cbc9ce upstream.
+
+Commit fa8b18ed didn't prevent the integer overflow and possible
+memory corruption.  "count" can go negative and bypass the check.
+
+Signed-off-by: Xi Wang <xi.wang@gmail.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ben Myers <bpm@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/xfs_acl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -39,7 +39,7 @@ xfs_acl_from_disk(struct xfs_acl *aclp)
+ 	struct posix_acl_entry *acl_e;
+ 	struct posix_acl *acl;
+ 	struct xfs_acl_entry *ace;
+-	int count, i;
++	unsigned int count, i;
+ 
+ 	count = be32_to_cpu(aclp->acl_cnt);
+ 	if (count > XFS_ACL_MAX_ENTRIES)
diff --git a/queue-3.1/xfs-validate-acl-count.patch b/queue-3.1/xfs-validate-acl-count.patch
new file mode 100644
index 00000000000..f06182fc948
--- /dev/null
+++ b/queue-3.1/xfs-validate-acl-count.patch
@@ -0,0 +1,31 @@
+From fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig <hch@infradead.org>
+Date: Sun, 20 Nov 2011 15:35:32 +0000
+Subject: xfs: validate acl count
+
+From: Christoph Hellwig <hch@infradead.org>
+
+commit fa8b18edd752a8b4e9d1ee2cd615b82c93cf8bba upstream.
+
+This prevents in-memory corruption and possible panics if the on-disk
+ACL is badly corrupted.
+
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Ben Myers <bpm@sgi.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/xfs/xfs_acl.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -42,6 +42,8 @@ xfs_acl_from_disk(struct xfs_acl *aclp)
+ 	int count, i;
+ 
+ 	count = be32_to_cpu(aclp->acl_cnt);
++	if (count > XFS_ACL_MAX_ENTRIES)
++		return ERR_PTR(-EFSCORRUPTED);
+ 
+ 	acl = posix_acl_alloc(count, GFP_KERNEL);
+ 	if (!acl)