From: Ben Hutchings <ben@decadent.org.uk>
To: Greg KH <gregkh@suse.de>
Cc: linux-kernel@vger.kernel.org, stable@kernel.org,
Timo Warns <warns@pre-sense.de>,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
stable-review@kernel.org, alan@lxorguk.ukuu.org.uk
Subject: Re: [Stable-review] [087/165] Fix for buffer overflow in ldm_frag_add not sufficient
Date: Fri, 03 Jun 2011 03:31:29 +0100 [thread overview]
Message-ID: <1307068289.22348.42.camel@localhost> (raw)
In-Reply-To: <20110601081141.803241093@blue.kroah.org>
On Wed, 2011-06-01 at 17:10 +0900, Greg KH wrote:
> 2.6.39-stable review patch. If anyone has any objections, please let us know.
>
> ------------------
>
> From: Timo Warns <Warns@pre-sense.de>
>
> commit cae13fe4cc3f24820ffb990c09110626837e85d4 upstream.
>
> As Ben Hutchings discovered [1], the patch for CVE-2011-1017 (buffer
> overflow in ldm_frag_add) is not sufficient. The original patch in
> commit c340b1d64000 ("fs/partitions/ldm.c: fix oops caused by corrupted
> partition table") does not consider that, for subsequent fragments,
> previously allocated memory is used.
>
> [1] http://lkml.org/lkml/2011/5/6/407
I still assert that the function is broken because the fragments are
copied to incorrect offsets. However, this change should at least make
it *harmless* junk.
Ben.
> Reported-by: Ben Hutchings <ben@decadent.org.uk>
> Signed-off-by: Timo Warns <warns@pre-sense.de>
> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
>
> ---
> fs/partitions/ldm.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> --- a/fs/partitions/ldm.c
> +++ b/fs/partitions/ldm.c
> @@ -1335,6 +1335,11 @@ static bool ldm_frag_add (const u8 *data
>
> list_add_tail (&f->list, frags);
> found:
> + if (rec >= f->num) {
> + ldm_error("REC value (%d) exceeds NUM value (%d)", rec, f->num);
> + return false;
> + }
> +
> if (f->map & (1 << rec)) {
> ldm_error ("Duplicate VBLK, part %d.", rec);
> f->map &= 0x7F; /* Mark the group as broken */
>
>
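Review bot: on the newly-allocated path the fragment has already been put on the list by `list_add_tail (&f->list, frags);` before the new `rec >= f->num` check at `found:` runs, so returning false there leaves an entry on `frags` whose data has not been copied; either validate `rec` before the allocation/list insertion, or treat the failure like the duplicate case below it (`f->map &= 0x7F; /* Mark the group as broken */`) so the caller can tell the group is unusable. Related: `f->map` is used as a bitmask via `1 << rec` and bit 7 is reserved as the "broken" flag by the `&= 0x7F` line, so the bound should also be checked against the width of `map` (is `f->num` itself validated where the fragment is created?). Minor style: the surrounding code writes `ldm_error ("...")` with a space and ends messages with a period, while the added line uses `ldm_error("...")` with no terminating period.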
--
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.