Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1161775Ab1FAIN7 (ORCPT ); Wed, 1 Jun 2011 04:13:59 -0400
Received: from cantor2.suse.de ([195.135.220.15]:43146 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756272Ab1FAINw (ORCPT ); Wed, 1 Jun 2011 04:13:52 -0400
X-Mailbox-Line: From linux@blue.kroah.org Wed Jun 1 17:03:51 2011
Message-Id: <20110601080350.307779121@blue.kroah.org>
User-Agent: quilt/0.48-16.4
Date: Wed, 01 Jun 2011 17:00:21 +0900
From: Greg KH
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org, akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk, Timo Warns, Greg Kroah-Hartman
Subject: [085/146] Fix for buffer overflow in ldm_frag_add not sufficient
In-Reply-To: <20110601080606.GA522@kroah.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1485
Lines: 46

2.6.38-stable review patch. If anyone has any objections, please let us know.

------------------

From: Timo Warns

commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream.

As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer overflow in ldm_frag_add) is not sufficient. The original patch in commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted partition table") does not consider that, for subsequent fragments, previously allocated memory is used.

[1] http://lkml.org/lkml/2011/5/6/407

Reported-by: Ben Hutchings
Signed-off-by: Timo Warns
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
--- fs/partitions/ldm.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/fs/partitions/ldm.c +++ b/fs/partitions/ldm.c 
@@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data list_add_tail (&f->list, frags); found: + if (rec >= f->num) { + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); + return false; + } + if (f->map & (1 << rec)) { ldm_error ("Duplicate VBLK, part %d.", rec); f->map &= 0x7F; /* Mark the group as broken */
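
Review bot: The new `rec >= f->num` branch after `found:` returns false without touching `f->map`, while the duplicate-VBLK branch right below it marks the group as broken with `f->map &= 0x7F`. A fragment whose REC is out of range for an already-allocated group is at least as strong a sign of a corrupted table as a duplicate, so either mark the group broken here too or add a short comment saying why rejecting the single fragment is enough. Two smaller points on the same lines: the check only makes the following `1 << rec` safe if `f->num` is itself capped at the width of `f->map` on the allocation path, which is not visible in this hunk and is worth confirming; and the added call is written `ldm_error(` while the surrounding context uses `ldm_error (`, and its `%d` specifiers should be checked against the declared types of `rec` and `f->num`.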