[kernel] r16952 - in dists/squeeze/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at alioth.debian.org
Mon Feb 28 04:35:24 UTC 2011


Author: benh
Date: Mon Feb 28 04:35:20 2011
New Revision: 16952

Log:
fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010)

Added:
   dists/squeeze/linux-2.6/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-ta.patch
Modified:
   dists/squeeze/linux-2.6/debian/changelog
   dists/squeeze/linux-2.6/debian/patches/series/31

Modified: dists/squeeze/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze/linux-2.6/debian/changelog	Mon Feb 28 04:34:16 2011	(r16951)
+++ dists/squeeze/linux-2.6/debian/changelog	Mon Feb 28 04:35:20 2011	(r16952)
@@ -35,6 +35,7 @@
     (variant of CVE-2010-4249)
   * iowarrior: Don't trust report_size for buffer size (CVE-2010-4656)
   * ALSA: caiaq - Fix possible string-buffer overflow (CVE-2011-0712)
+  * fs/partitions: Validate map_count in Mac partition tables (CVE-2011-1010)
 
   [ dann frazier ]
   * xfs: fix information leak using stale NFS handle (CVE-2010-2943)

Added: dists/squeeze/linux-2.6/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-ta.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze/linux-2.6/debian/patches/bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-ta.patch	Mon Feb 28 04:35:20 2011	(r16952)
@@ -0,0 +1,68 @@
+From: Timo Warns <warns at pre-sense.de>
+Date: Thu, 17 Feb 2011 22:27:40 +0100
+Subject: [PATCH] fs/partitions: Validate map_count in Mac partition tables
+
+commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed upstream.
+
+Validate number of blocks in map and remove redundant variable.
+
+Signed-off-by: Timo Warns <warns at pre-sense.de>
+Cc: stable at kernel.org
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+[bwh: Adjust for 2.6.32]
+---
+ fs/partitions/mac.c |   17 +++++++++--------
+ 1 files changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
+index 68d6a21..11f688b 100644
+--- a/fs/partitions/mac.c
++++ b/fs/partitions/mac.c
+@@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)
+ 
+ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
+ {
+-	int slot = 1;
+ 	Sector sect;
+ 	unsigned char *data;
+-	int blk, blocks_in_map;
++	int slot, blocks_in_map;
+ 	unsigned secsize;
+ #ifdef CONFIG_PPC_PMAC
+ 	int found_root = 0;
+@@ -59,10 +58,14 @@ int mac_partition(struct parsed_partitions *state)
+ 		put_dev_sector(sect);
+ 		return 0;		/* not a MacOS disk */
+ 	}
+-	printk(" [mac]");
+ 	blocks_in_map = be32_to_cpu(part->map_count);
+-	for (blk = 1; blk <= blocks_in_map; ++blk) {
+-		int pos = blk * secsize;
++	if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
++		put_dev_sector(sect);
++		return 0;
++	}
++	printk(" [mac]");
++	for (slot = 1; slot <= blocks_in_map; ++slot) {
++		int pos = slot * secsize;
+ 		put_dev_sector(sect);
+ 		data = read_dev_sector(bdev, pos/512, &sect);
+ 		if (!data)
+@@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state)
+ 			}
+ 
+ 			if (goodness > found_root_goodness) {
+-				found_root = blk;
++				found_root = slot;
+ 				found_root_goodness = goodness;
+ 			}
+ 		}
+ #endif /* CONFIG_PPC_PMAC */
+-
+-		++slot;
+ 	}
+ #ifdef CONFIG_PPC_PMAC
+ 	if (found_root_goodness)
+-- 
+1.7.4.1
+
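Review bot: The new range check `if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS)` in the second inner hunk has no comment, and its `< 0` arm only does its job because the unsigned 32-bit result of `be32_to_cpu(part->map_count)` is stored in an `int`, so on-disk counts of 2^31 and above are expected to appear negative. I would add a comment above the check such as `/* map_count is read from the disk and is untrusted; bound it before it drives the sector-read loop */`, and consider making `blocks_in_map` unsigned so that the single upper-bound comparison is enough. The rejection path returns 0, the same value as the "not a MacOS disk" path just above it, and logs nothing, so a malformed map looks the same as a non-Mac disk in the kernel log. Whether a warning is wanted there is a call for the maintainers. The body of mac_partition starts and ends outside these hunks, so the later uses of `slot` and `found_root` cannot be checked from here.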

Modified: dists/squeeze/linux-2.6/debian/patches/series/31
==============================================================================
--- dists/squeeze/linux-2.6/debian/patches/series/31	Mon Feb 28 04:34:16 2011	(r16951)
+++ dists/squeeze/linux-2.6/debian/patches/series/31	Mon Feb 28 04:35:20 2011	(r16952)
@@ -40,3 +40,4 @@
 + debian/af_unix-Avoid-ABI-change-from-introduction-of-recursion-limit.patch
 + bugfix/all/usb-iowarrior-don-t-trust-report_size-for-buffer-siz.patch
 + bugfix/all/ALSA-caiaq-Fix-possible-string-buffer-overflow.patch
++ bugfix/all/fs-partitions-Validate-map_count-in-Mac-partition-ta.patch


