| From cae13fe4cc3f24820ffb990c09110626837e85d4 Mon Sep 17 00:00:00 2001 |
| From: Timo Warns <Warns@pre-sense.de> |
| Date: Thu, 19 May 2011 09:24:17 +0200 |
| Subject: Fix for buffer overflow in ldm_frag_add not sufficient |
| |
| From: Timo Warns <Warns@pre-sense.de> |
| |
| commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream. |
| |
| As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer |
| overflow in ldm_frag_add) is not sufficient. The original patch in |
| commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted |
| partition table") does not consider that, for subsequent fragments, |
| previously allocated memory is used. |
| |
| [1] http://lkml.org/lkml/2011/5/6/407 |
| |
| Reported-by: Ben Hutchings <ben@decadent.org.uk> |
| Signed-off-by: Timo Warns <warns@pre-sense.de> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| fs/partitions/ldm.c | 5 +++++ |
| 1 file changed, 5 insertions(+) |
| |
| --- a/fs/partitions/ldm.c |
| +++ b/fs/partitions/ldm.c |
| @@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data |
| |
| list_add_tail (&f->list, frags); |
| found: |
| + if (rec >= f->num) { |
| + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); |
| + return false; |
| + } |
| + |
| if (f->map & (1 << rec)) { |
| ldm_error ("Duplicate VBLK, part %d.", rec); |
| f->map &= 0x7F; /* Mark the group as broken */ |
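Review bot: The bound added at `found:` constrains only the fragment index; the byte count later copied into `f->data` (below this hunk, outside the view) appears to come from the current fragment's header, so if the block was sized at allocation time from the first fragment's `size`, a later fragment declaring a larger `size` would still write past the end — worth confirming that the copy length is validated against the size used for the allocation. A smaller point of style: the added `ldm_error(` omits the space before the parenthesis that the neighbouring `list_add_tail (` and `ldm_error (` use, so it should read `ldm_error ("REC value (%d) exceeds NUM value (%d)", rec, f->num);` to match the file. Since `1 << rec` on the following line is only well-defined because `rec` is now known to be below `f->num`, a one-line comment above the check such as `/* rec < f->num keeps the shift below and the rec-indexed copy in bounds */` would record why the test sits here rather than earlier. ldm_frag_add begins and ends outside the hunk.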