07-13-2011, 02:29 PM
Andy Whitcroft

fs/partitions: Validate map_count in Mac partition tables

CVE-2011-1010
Buffer overflow in the mac_partition function in
fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows
local users to cause a denial of service (panic) or possibly have
unspecified other impact via a malformed Mac OS partition table.

The fix for this has hit everything since Hardy already either via
mainline or stable updates. Following this email is a patch for Hardy;
this is a minor backport of the upstream commit.

Proposing for Hardy.

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
07-13-2011, 02:29 PM
Andy Whitcroft

fs/partitions: Validate map_count in Mac partition tables

From: Timo Warns <warns@pre-sense.de>

Validate number of blocks in map and remove redundant variable.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed)
CVE-2011-1010
BugLink: http://bugs.launchpad.net/bugs/804225
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
fs/partitions/mac.c | 15 ++++++++-------
1 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
index d4a0fad..ba45eaf 100644
--- a/fs/partitions/mac.c
+++ b/fs/partitions/mac.c
@@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)

int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
{
- int slot = 1;
Sector sect;
unsigned char *data;
- int blk, blocks_in_map;
+ int slot, blocks_in_map;
unsigned secsize;
#ifdef CONFIG_PPC_PMAC
int found_root = 0;
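Review bot: `blocks_in_map` is still declared as a signed `int` on the `+ int slot, blocks_in_map;` line, although it is assigned from `be32_to_cpu(part->map_count)`, which yields an unsigned 32-bit value. Declaring it `unsigned` would match the on-disk field, and the range check would then need only an upper bound instead of relying on large counts wrapping to negative.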
@@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
}
printk(" [mac]");
blocks_in_map = be32_to_cpu(part->map_count);
- for (blk = 1; blk <= blocks_in_map; ++blk) {
- int pos = blk * secsize;
+ if (blocks_in_map < 0 || blocks_in_map >= 256) {
+ put_dev_sector(sect);
+ return 0;
+ }
+ for (slot = 1; slot <= blocks_in_map; ++slot) {
+ int pos = slot * secsize;
put_dev_sector(sect);
data = read_dev_sector(bdev, pos/512, &sect);
if (!data)
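Review bot: the bound in `if (blocks_in_map < 0 || blocks_in_map >= 256)` is a bare constant with no comment saying where 256 comes from; a named constant or a one-line comment giving the reason for the limit would help the next reader. The reject path also returns 0 after `printk(" [mac]")` has already been emitted and prints nothing of its own, so the log shows only ` [mac]` with no indication that the map was rejected; a short printk before `put_dev_sector(sect)` would make malformed tables diagnosable.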
@@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
}

if (goodness > found_root_goodness) {
- found_root = blk;
+ found_root = slot;
found_root_goodness = goodness;
}
}
#endif /* CONFIG_PPC_PMAC */
-
- ++slot;
}
#ifdef CONFIG_PPC_PMAC
if (found_root_goodness)
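Review bot: replacing `blk` with `slot` in `found_root = slot;` and dropping the trailing `++slot` preserves behaviour only if every iteration of the old loop reached `++slot`. The loop body between these hunks is not shown, so it is worth confirming that it has no `continue` that skipped the increment, and saying so in the commit message next to "remove redundant variable".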
--
1.7.4.1


 
