diff --git a/debian/changelog b/debian/changelog
index 7ba31f772..972583f74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -31,6 +31,7 @@ linux (3.2.23-1) UNRELEASED; urgency=low
 * Update Czech debconf template translations (Michal Simunek) (Closes: #679674)
 * linux-image: Remove versioned relations where stable version is new enough
+ * udf: Improve table length check to avoid possible overflow
 -- Ben Hutchings Fri, 29 Jun 2012 15:01:22 +0100
diff --git a/debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch b/debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
new file mode 100644
index 000000000..2c6588a86
--- /dev/null
+++ b/debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
@@ -0,0 +1,29 @@
+From: Jan Kara
+Date: Tue, 10 Jul 2012 17:58:04 +0200
+Subject: udf: Improve table length check to avoid possible overflow
+
+When a partition table length is corrupted to be close to 1 << 32, the
+check for its length may overflow on 32-bit systems and we will think
+the length is valid. Later on the kernel can crash trying to read beyond
+end of buffer. Fix the check to avoid possible overflow.
+
+CC: stable@vger.kernel.org
+Reported-by: Ben Hutchings
+Signed-off-by: Jan Kara
+---
+ fs/udf/super.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 8a75838..dcbf987 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1340,7 +1340,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ BUG_ON(ident != TAG_IDENT_LVD);
+ lvd = (struct logicalVolDesc *)bh->b_data;
+ table_len = le32_to_cpu(lvd->mapTableLength);
+- if (sizeof(*lvd) + table_len > sb->s_blocksize) {
++ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
+ udf_err(sb, "error loading logical volume descriptor: "
+ "Partition table too long (%u > %lu)\n", table_len,
+ sb->s_blocksize - sizeof(*lvd));
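Review bot: The rewritten test in udf_load_logicalvol, `if (table_len > sb->s_blocksize - sizeof(*lvd)) {`, is only sound when `sb->s_blocksize >= sizeof(*lvd)`; the subtraction is unsigned, so a smaller block size would wrap to a very large bound and let any table_len through. Nothing in the hunk shows that precondition, so either state it in a comment above the check or make it explicit: `if (sb->s_blocksize < sizeof(*lvd) || table_len > sb->s_blocksize - sizeof(*lvd)) {`. The function body starts and ends outside the hunk, so whether the later walk over the partition maps bounds each entry against table_len cannot be judged from here. The patch file is named `...-to-avoid-possible-underflow.patch` while its subject and the changelog entry say "overflow"; using one term throughout would make the fix easier to match against upstream.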
diff --git a/debian/patches/series b/debian/patches/series
index 05f7b9d4e..116a35545 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -370,3 +370,4 @@ features/arm/net-drop-NET-dependency-from-HAVE_BPF_JIT.patch
 debian/driver-core-avoid-ABI-change-for-removal-of-__must_check.patch
 bugfix/all/scsi-Silence-unnecessary-warnings-about-ioctl-to-par.patch
+bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch