authorPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-20 13:52:13 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-20 13:52:13 -0400
commited153f5c7a42d2022fc7990bd5bce294970e720a (patch)
treed44009ca0922c9dc721abe758fab6bb03750af4e
parent2d6722a26f59acdf60df1a95218cdfa6cdf644d3 (diff)
downloadlongterm-queue-2.6.34-ed153f5c7a42d2022fc7990bd5bce294970e720a.tar.gz
add ldm CVE patch
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--queue/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch69
-rw-r--r--queue/series1
2 files changed, 70 insertions, 0 deletions
diff --git a/queue/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch b/queue/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
new file mode 100644
index 0000000..f160a94
--- /dev/null
+++ b/queue/fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
@@ -0,0 +1,69 @@
+From 8bf35fe73f55193f3fd895864749a78825f0abdd Mon Sep 17 00:00:00 2001
+From: Timo Warns <Warns@pre-sense.de>
+Date: Thu, 14 Apr 2011 15:21:56 -0700
+Subject: [PATCH] fs/partitions/ldm.c: fix oops caused by corrupted partition
+ table
+
+commit c340b1d640001c8c9ecff74f68fd90422ae2448a upstream.
+
+The kernel automatically evaluates partition tables of storage devices.
+The code for evaluating LDM partitions (in fs/partitions/ldm.c) contains
+a bug that causes a kernel oops on certain corrupted LDM partitions.
+A kernel subsystem seems to crash, because, after the oops, the kernel no
+longer recognizes newly connected storage devices.
+
+The patch validates the value of vblk_size.
+
+[akpm@linux-foundation.org: coding-style fixes]
+Signed-off-by: Timo Warns <warns@pre-sense.de>
+Cc: Eugene Teo <eugeneteo@kernel.sg>
+Cc: Harvey Harrison <harvey.harrison@gmail.com>
+Cc: Richard Russon <rich@flatcap.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/fs/partitions/ldm.c b/fs/partitions/ldm.c
+index 8652fb9..a67063f 100644
+--- a/fs/partitions/ldm.c
++++ b/fs/partitions/ldm.c
+@@ -1294,6 +1294,11 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
+
+ BUG_ON (!data || !frags);
+
++ if (size < 2 * VBLK_SIZE_HEAD) {
++ ldm_error("Value of size is to small.");
++ return false;
++ }
++
+ group = get_unaligned_be32(data + 0x08);
+ rec = get_unaligned_be16(data + 0x0C);
+ num = get_unaligned_be16(data + 0x0E);
+@@ -1301,6 +1306,10 @@ static bool ldm_frag_add (const u8 *data, int size, struct list_head *frags)
+ ldm_error ("A VBLK claims to have %d parts.", num);
+ return false;
+ }
++ if (rec >= num) {
++ ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
++ return false;
++ }
+
+ list_for_each (item, frags) {
+ f = list_entry (item, struct frag, list);
+@@ -1329,10 +1338,9 @@ found:
+
+ f->map |= (1 << rec);
+
+- if (num > 0) {
+- data += VBLK_SIZE_HEAD;
+- size -= VBLK_SIZE_HEAD;
+- }
++ data += VBLK_SIZE_HEAD;
++ size -= VBLK_SIZE_HEAD;
++
+ memcpy (f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD, data, size);
+
+ return true;
+--
+1.7.4.4
+
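Review bot: The `rec >= num` check added in ldm_frag_add bounds rec only by the num field of the VBLK being parsed, while the write after `found:` targets an existing fragment `f` that the `list_for_each` loop matched by group alone. If `f->data` was sized from the num of the first VBLK seen for that group (the allocation lies between the hunks and is not shown, so this is inferred), a later VBLK with the same group but a larger num passes the new check, and the `memcpy` to `f->data+rec*(size-VBLK_SIZE_HEAD)+VBLK_SIZE_HEAD` can still write past the buffer. Repeating the bound against the stored fragment right after `found:` would close that gap, assuming struct frag keeps its num: `if (rec >= f->num) { ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num); return false; }`. Separately, the new message `"Value of size is to small."` should read `too small`.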
diff --git a/queue/series b/queue/series
index 07be2fd..17a0bad 100644
--- a/queue/series
+++ b/queue/series
@@ -235,6 +235,7 @@ PCI-return-correct-value-when-writing-to-the-reset-a.patch
# Content taken from v2.6.32.40
mpt2sas-prevent-heap-overflows-and-unchecked-reads.patch
+fs-partitions-ldm.c-fix-oops-caused-by-corrupted-par.patch
# Content taken from v2.6.35.11
arch-x86-oprofile-op_model_amd.c-Perform-initialisat.patch