udf: Improve table length check to avoid possible overflow
svn path=/dists/sid/linux/; revision=19248
This commit is contained in:
Ben Hutchings
parent
abb330e8bb
commit
0fbbb5a0f2
|
|
@ -31,6 +31,7 @@ linux (3.2.23-1) UNRELEASED; urgency=low
|
|||
* Update Czech debconf template translations (Michal Simunek)
|
||||
(Closes: #679674)
|
||||
* linux-image: Remove versioned relations where stable version is new enough
|
||||
* udf: Improve table length check to avoid possible overflow
|
||||
|
||||
-- Ben Hutchings <ben@decadent.org.uk> Fri, 29 Jun 2012 15:01:22 +0100
|
||||
|
||||
|
|
|
|||
29
debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
vendored
Normal file
29
debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
vendored
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Tue, 10 Jul 2012 17:58:04 +0200
|
||||
Subject: udf: Improve table length check to avoid possible overflow
|
||||
|
||||
When a partition table length is corrupted to be close to 1 << 32, the
|
||||
check for its length may overflow on 32-bit systems and we will think
|
||||
the length is valid. Later on the kernel can crash trying to read beyond
|
||||
end of buffer. Fix the check to avoid possible overflow.
|
||||
|
||||
CC: stable@vger.kernel.org
|
||||
Reported-by: Ben Hutchings <ben@decadent.org.uk>
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
fs/udf/super.c | 2 +-
|
||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/fs/udf/super.c b/fs/udf/super.c
|
||||
index 8a75838..dcbf987 100644
|
||||
--- a/fs/udf/super.c
|
||||
+++ b/fs/udf/super.c
|
||||
@@ -1340,7 +1340,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
|
||||
BUG_ON(ident != TAG_IDENT_LVD);
|
||||
lvd = (struct logicalVolDesc *)bh->b_data;
|
||||
table_len = le32_to_cpu(lvd->mapTableLength);
|
||||
- if (sizeof(*lvd) + table_len > sb->s_blocksize) {
|
||||
+ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
|
||||
udf_err(sb, "error loading logical volume descriptor: "
|
||||
"Partition table too long (%u > %lu)\n", table_len,
|
||||
sb->s_blocksize - sizeof(*lvd));
|
||||
|
|
@ -370,3 +370,4 @@ features/arm/net-drop-NET-dependency-from-HAVE_BPF_JIT.patch
|
|||
debian/driver-core-avoid-ABI-change-for-removal-of-__must_check.patch
|
||||
|
||||
bugfix/all/scsi-Silence-unnecessary-warnings-about-ioctl-to-par.patch
|
||||
bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
|
||||
|
|
|
|||
Loading…
Reference in New Issue