diff options
| author | Timo Warns <Warns@pre-sense.de> | 2011-03-14 09:59:33 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-14 13:14:28 -0400 |
| commit | 1eafbfeb7bdf59cfe173304c76188f3fd5f1fd05 (patch) | |
| tree | eae0a7cdf358b1b0396e9c3ec935d0e6be72bdb2 /fs/partitions | |
| parent | 2fbfac4e053861925fa3fffcdc327649b09af54c (diff) | |
Fix corrupted OSF partition table parsing
The kernel automatically evaluates partition tables of storage devices.
The code for evaluating OSF partitions contains a bug that leaks data
from kernel heap memory to userspace for certain corrupted OSF
partitions.
In more detail:
for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
iterates from 0 to d_npartitions - 1, where d_npartitions is read from
the partition table without validation and partition is a pointer to an
array of at most 8 d_partitions.
Add the proper and obvious validation.
Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: stable@kernel.org
[ Changed the patch trivially to not repeat the whole le16_to_cpu()
thing, and to use an explicit constant for the magic value '8' ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/partitions')
| -rw-r--r-- | fs/partitions/osf.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/fs/partitions/osf.c b/fs/partitions/osf.c index 48cec7cbca17..be03a0b08b47 100644 --- a/fs/partitions/osf.c +++ b/fs/partitions/osf.c | |||
| @@ -10,10 +10,13 @@ | |||
| 10 | #include "check.h" | 10 | #include "check.h" |
| 11 | #include "osf.h" | 11 | #include "osf.h" |
| 12 | 12 | ||
| 13 | #define MAX_OSF_PARTITIONS 8 | ||
| 14 | |||
| 13 | int osf_partition(struct parsed_partitions *state) | 15 | int osf_partition(struct parsed_partitions *state) |
| 14 | { | 16 | { |
| 15 | int i; | 17 | int i; |
| 16 | int slot = 1; | 18 | int slot = 1; |
| 19 | unsigned int npartitions; | ||
| 17 | Sector sect; | 20 | Sector sect; |
| 18 | unsigned char *data; | 21 | unsigned char *data; |
| 19 | struct disklabel { | 22 | struct disklabel { |
| @@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state) | |||
| 45 | u8 p_fstype; | 48 | u8 p_fstype; |
| 46 | u8 p_frag; | 49 | u8 p_frag; |
| 47 | __le16 p_cpg; | 50 | __le16 p_cpg; |
| 48 | } d_partitions[8]; | 51 | } d_partitions[MAX_OSF_PARTITIONS]; |
| 49 | } * label; | 52 | } * label; |
| 50 | struct d_partition * partition; | 53 | struct d_partition * partition; |
| 51 | 54 | ||
| @@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state) | |||
| 63 | put_dev_sector(sect); | 66 | put_dev_sector(sect); |
| 64 | return 0; | 67 | return 0; |
| 65 | } | 68 | } |
| 66 | for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) { | 69 | npartitions = le16_to_cpu(label->d_npartitions); |
| 70 | if (npartitions > MAX_OSF_PARTITIONS) { | ||
| 71 | put_dev_sector(sect); | ||
| 72 | return 0; | ||
| 73 | } | ||
| 74 | for (i = 0 ; i < npartitions; i++, partition++) { | ||
| 67 | if (slot == state->limit) | 75 | if (slot == state->limit) |
| 68 | break; | 76 | break; |
| 69 | if (le32_to_cpu(partition->p_size)) | 77 | if (le32_to_cpu(partition->p_size)) |