[Acked] Re: [hardy CVE 1/1] fs/partitions: Validate map_count in Mac partition tables

Leann Ogasawara leann.ogasawara at canonical.com
Wed Jul 13 16:25:01 UTC 2011 

On Wed, 2011-07-13 at 15:29 +0100, Andy Whitcroft wrote:
> From: Timo Warns <warns at pre-sense.de>
> 
> Validate number of blocks in map and remove redundant variable.
> 
> Signed-off-by: Timo Warns <warns at pre-sense.de>
> Cc: stable at kernel.org
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> 
> (backported from commit fa7ea87a057958a8b7926c1a60a3ca6d696328ed)
> CVE-2011-1010
> BugLink: http://bugs.launchpad.net/bugs/804225
> Signed-off-by: Andy Whitcroft <apw at canonical.com>

Acked-by: Leann Ogasawara <leann.ogasawara at canonical.com>

> ---
>  fs/partitions/mac.c |   15 ++++++++-------
>  1 files changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/fs/partitions/mac.c b/fs/partitions/mac.c
> index d4a0fad..ba45eaf 100644
> --- a/fs/partitions/mac.c
> +++ b/fs/partitions/mac.c
> @@ -29,10 +29,9 @@ static inline void mac_fix_string(char *stg, int len)
>  
>  int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  {
> -	int slot = 1;
>  	Sector sect;
>  	unsigned char *data;
> -	int blk, blocks_in_map;
> +	int slot, blocks_in_map;
>  	unsigned secsize;
>  #ifdef CONFIG_PPC_PMAC
>  	int found_root = 0;
> @@ -61,8 +60,12 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  	}
>  	printk(" [mac]");
>  	blocks_in_map = be32_to_cpu(part->map_count);
> -	for (blk = 1; blk <= blocks_in_map; ++blk) {
> -		int pos = blk * secsize;
> +	if (blocks_in_map < 0 || blocks_in_map >= 256) {
> +		put_dev_sector(sect);
> +		return 0;
> +	}
> +	for (slot = 1; slot <= blocks_in_map; ++slot) {
> +		int pos = slot * secsize;
>  		put_dev_sector(sect);
>  		data = read_dev_sector(bdev, pos/512, &sect);
>  		if (!data)
> @@ -113,13 +116,11 @@ int mac_partition(struct parsed_partitions *state, struct block_device *bdev)
>  			}
>  
>  			if (goodness > found_root_goodness) {
> -				found_root = blk;
> +				found_root = slot;
>  				found_root_goodness = goodness;
>  			}
>  		}
>  #endif /* CONFIG_PPC_PMAC */
> -
> -		++slot;
>  	}
>  #ifdef CONFIG_PPC_PMAC
>  	if (found_root_goodness)
> -- 
> 1.7.4.1
> 
>

More information about the kernel-team mailing list