author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-24 09:34:22 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-06-24 09:34:22 -0400 |
commit | ea1c4249cd8dac905e83a8dfae87abf17d147b14 (patch) | |
tree | 8bfc3f8b09e1cec84f7513f6dd7c119f05d4f41c | |
parent | 089ba422528530140fa8ac41d6942d5d33226839 (diff) | |
ldm CVE fix: also needs 2nd commit
Thanks to Ben Hutchings for pointing this out.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/Fix-for-buffer-overflow-in-ldm_frag_add-not-sufficie.patch | 39 | ||||
-rw-r--r-- | queue/series | 1 |
2 files changed, 40 insertions, 0 deletions
diff --git a/queue/Fix-for-buffer-overflow-in-ldm_frag_add-not-sufficie.patch b/queue/Fix-for-buffer-overflow-in-ldm_frag_add-not-sufficie.patch
new file mode 100644
index 0000000..fa10e3c
--- /dev/null
+++ b/queue/Fix-for-buffer-overflow-in-ldm_frag_add-not-sufficie.patch
@@ -0,0 +1,39 @@
+From 55fbe6f6fcf0b4290a22b917fadeb543f3f3abcb Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Thu, 19 May 2011 09:24:17 +0200
+Subject: [PATCH] Fix for buffer overflow in ldm_frag_add not sufficient
+
+commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream.
+
+As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer
+overflow in ldm_frag_add) is not sufficient. The original patch in
+commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted
+partition table") does not consider that, for subsequent fragments,
+previously allocated memory is used.
+
+[1] http://lkml.org/lkml/2011/5/6/407
+
+Reported-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
+index 8652fb9..39bcb2e 100644
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1321,6 +1321,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
+
+ list_add_tail (&f->list, frags);
+ found:
++ if (rec >= f->num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);
++ return false;
++ }
++
+ if (f->map & (1 << rec)) {
+ ldm_error ("Duplicate VBLK, part %d.", rec);
+ f->map &= 0x7F; /* Mark the group as broken */
+--
+1.7.4.4
+
diff --git a/queue/series b/queue/series
index 82a9b5c..4b700e9 100644
--- a/queue/series
+++ b/queue/series
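Review bot: The bounds check added after `found:` in ldm_frag_add() has no comment saying why `rec` is compared with the stored `f->num` rather than with the count carried by the fragment being parsed, and that distinction is the whole reason for this follow-up to the CVE-2011-1017 fix. I would put above the `if` something like `/* f may have been allocated for an earlier fragment of this group; bound rec by the num it was sized for */`. The hunk shows neither how `f->data` is sized nor where `rec` is parsed, so that wording assumes the buffer length derives from `f->num`; the function body starts and ends outside the hunk. As a style point, the new `ldm_error(` call drops the space before the parenthesis that the neighbouring `ldm_error (` and `list_add_tail (` calls use.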
@@ -244,6 +244,7 @@ PCI-return-correct-value-when-writing-to-the-reset-a.patch
 # Content taken from v2.6.32.40
 mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
 fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
+Fix-for-buffer-overflow-in-ldm_frag_add-not-sufficie.patch
 agp-fix-arbitrary-kernel-memory-writes.patch
 agp-fix-OOM-and-buffer-overflow.patch
 udp-Fix-bogus-UFO-packet-generation.patch |