[kernel] r19248 - in dists/sid/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at alioth.debian.org
Fri Jul 13 03:19:27 UTC 2012 

Author: benh
Date: Fri Jul 13 03:19:25 2012
New Revision: 19248

Log:
udf: Improve table length check to avoid possible overflow

Added:
   dists/sid/linux/debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Fri Jul 13 03:18:35 2012	(r19247)
+++ dists/sid/linux/debian/changelog	Fri Jul 13 03:19:25 2012	(r19248)
@@ -31,6 +31,7 @@
   * Update Czech debconf template translations (Michal Simunek)
     (Closes: #679674)
   * linux-image: Remove versioned relations where stable version is new enough
+  * udf: Improve table length check to avoid possible overflow
 
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 29 Jun 2012 15:01:22 +0100
 

Added: dists/sid/linux/debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch	Fri Jul 13 03:19:25 2012	(r19248)
@@ -0,0 +1,29 @@
+From: Jan Kara <jack at suse.cz>
+Date: Tue, 10 Jul 2012 17:58:04 +0200
+Subject: udf: Improve table length check to avoid possible overflow
+
+When a partition table length is corrupted to be close to 1 << 32, the
+check for its length may overflow on 32-bit systems and we will think
+the length is valid. Later on the kernel can crash trying to read beyond
+end of buffer. Fix the check to avoid possible overflow.
+
+CC: stable at vger.kernel.org
+Reported-by: Ben Hutchings <ben at decadent.org.uk>
+Signed-off-by: Jan Kara <jack at suse.cz>
+---
+ fs/udf/super.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/fs/udf/super.c b/fs/udf/super.c
+index 8a75838..dcbf987 100644
+--- a/fs/udf/super.c
++++ b/fs/udf/super.c
+@@ -1340,7 +1340,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
+ 	BUG_ON(ident != TAG_IDENT_LVD);
+ 	lvd = (struct logicalVolDesc *)bh->b_data;
+ 	table_len = le32_to_cpu(lvd->mapTableLength);
+-	if (sizeof(*lvd) + table_len > sb->s_blocksize) {
++	if (table_len > sb->s_blocksize - sizeof(*lvd)) {
+ 		udf_err(sb, "error loading logical volume descriptor: "
+ 			"Partition table too long (%u > %lu)\n", table_len,
+ 			sb->s_blocksize - sizeof(*lvd));

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Fri Jul 13 03:18:35 2012	(r19247)
+++ dists/sid/linux/debian/patches/series	Fri Jul 13 03:19:25 2012	(r19248)
@@ -370,3 +370,4 @@
 debian/driver-core-avoid-ABI-change-for-removal-of-__must_check.patch
 
 bugfix/all/scsi-Silence-unnecessary-warnings-about-ioctl-to-par.patch
+bugfix/all/udf-Improve-table-length-check-to-avoid-possible-underflow.patch

More information about the Kernel-svn-changes mailing list