From: Greg Kroah-Hartman Date: Tue, 2 Apr 2013 19:03:41 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.8.6~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7b27ed24b36033b1a6abb37efad02686a1d2e9b9;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: nfsd4-reject-negative-acl-lengths.patch --- diff --git a/queue-3.0/nfsd4-reject-negative-acl-lengths.patch b/queue-3.0/nfsd4-reject-negative-acl-lengths.patch new file mode 100644 index 00000000000..70137bb2a04 --- /dev/null +++ b/queue-3.0/nfsd4-reject-negative-acl-lengths.patch @@ -0,0 +1,34 @@ +From 64a817cfbded8674f345d1117b117f942a351a69 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 26 Mar 2013 14:11:13 -0400 +Subject: nfsd4: reject "negative" acl lengths + +From: "J. Bruce Fields" + +commit 64a817cfbded8674f345d1117b117f942a351a69 upstream. + +Since we only enforce an upper bound, not a lower bound, a "negative" +length can get through here. + +The symptom seen was a warning when we attempt to a kmalloc with an +excessive size. + +Reported-by: Toralf Förster +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -262,7 +262,7 @@ nfsd4_decode_fattr(struct nfsd4_compound + iattr->ia_valid |= ATTR_SIZE; + } + if (bmval[0] & FATTR4_WORD0_ACL) { +- int nace; ++ u32 nace; + struct nfs4_ace *ace; + + READ_BUF(4); len += 4; diff --git a/queue-3.0/series b/queue-3.0/series index f9959d665d1..3003ca9ca16 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -30,3 +30,4 @@ kvm-fix-buffer-overflow-in-kvm_set_irq.patch mm-hotplug-correctly-add-new-zone-to-all-other-nodes-zone-lists.patch kvm-x86-invalid-opcode-oops-on-set_sregs-with-osxsave-bit-set-cve-2012-4461.patch loop-prevent-bdev-freeing-while-device-in-use.patch +nfsd4-reject-negative-acl-lengths.patch