From: Jan Kara <jack@suse.cz>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Jan Kara <jack@suse.cz>
Subject: Re: [ 26/48] udf: Avoid run away loop when partition table length is corrupted
Date: Tue, 10 Jul 2012 18:04:52 +0200 [thread overview]
Message-ID: <20120710160452.GB19005@quack.suse.cz> (raw)
In-Reply-To: <20120710155226.GH1894@decadent.org.uk>
On Tue 10-07-12 16:52:26, Ben Hutchings wrote:
> On Mon, Jul 09, 2012 at 03:31:42PM +0100, Ben Hutchings wrote:
> > 3.2-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Jan Kara <jack@suse.cz>
> >
> > commit adee11b2085bee90bd8f4f52123ffb07882d6256 upstream.
> >
> > Check provided length of partition table so that (possibly maliciously)
> > corrupted partition table cannot cause accessing data beyond current buffer.
> >
> > Signed-off-by: Jan Kara <jack@suse.cz>
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > ---
> > fs/udf/super.c | 10 +++++++++-
> > 1 file changed, 9 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/udf/super.c b/fs/udf/super.c
> > index 9da6f4e..ce911f5 100644
> > --- a/fs/udf/super.c
> > +++ b/fs/udf/super.c
> [...]
> > @@ -1232,13 +1233,20 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
> > return 1;
> > BUG_ON(ident != TAG_IDENT_LVD);
> > lvd = (struct logicalVolDesc *)bh->b_data;
> > + table_len = le32_to_cpu(lvd->mapTableLength);
> > + if (sizeof(*lvd) + table_len > sb->s_blocksize) {
> [...]
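Review bot: the check `if (sizeof(*lvd) + table_len > sb->s_blocksize)` can wrap on a 32-bit kernel. `table_len` is a u32 taken straight from the on-disk `mapTableLength` and `sizeof(*lvd)` is a `size_t`, so on a 32-bit target the sum is computed in 32-bit unsigned arithmetic; a length just below 1 << 32 wraps to a small value, passes the test, and the partition-map walk that follows can read beyond the block buffer. On 64-bit the promotion to a 64-bit `size_t` hides the problem, so the bug is platform-specific. Compare the untrusted value against the room left in the block instead, which needs no arithmetic on it: `if (table_len > sb->s_blocksize - sizeof(*lvd))`.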
>
> I don't think this is sufficient, unless there has been some prior
> validation of lvd->mapTableLength. On a 32-bit machine, the addition
> may overflow. The untrusted value has to be validated before doing
> any arithmetic on it, e.g.:
>
> if (table_len > sb->s_blocksize - sizeof(*lv)) {
Yeah, thanks for spotting this! I've queued the attached patch. I don't
find this really pressing so I'll push it in the next merge window. OK?
Honza
--
Jan Kara <jack@suse.cz>
SUSE Labs, CR
[-- Attachment #2: 0001-udf-Improve-table-length-check-to-avoid-possible-ove.patch --]
From 57b9655d01ef057a523e810d29c37ac09b80eead Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Tue, 10 Jul 2012 17:58:04 +0200
Subject: [PATCH] udf: Improve table length check to avoid possible overflow
When a partition table length is corrupted to be close to 1 << 32, the
check for its length may overflow on 32-bit systems and we will think
the length is valid. Later on the kernel can crash trying to read beyond
end of buffer. Fix the check to avoid possible overflow.
CC: stable@vger.kernel.org
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/udf/super.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/fs/udf/super.c b/fs/udf/super.c
index 8a75838..dcbf987 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1340,7 +1340,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
BUG_ON(ident != TAG_IDENT_LVD);
lvd = (struct logicalVolDesc *)bh->b_data;
table_len = le32_to_cpu(lvd->mapTableLength);
- if (sizeof(*lvd) + table_len > sb->s_blocksize) {
+ if (table_len > sb->s_blocksize - sizeof(*lvd)) {
udf_err(sb, "error loading logical volume descriptor: "
"Partition table too long (%u > %lu)\n", table_len,
sb->s_blocksize - sizeof(*lvd));
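Review bot: the new check only holds when `sb->s_blocksize >= sizeof(*lvd)`; `sb->s_blocksize - sizeof(*lvd)` is unsigned, so if the block were ever smaller than the descriptor the subtraction would wrap to a huge value and every `table_len` would pass. That invariant is presumably guaranteed by the minimum UDF block size, but nothing near the check says so, and the same expression is repeated in the `udf_err()` arguments. A one-line comment stating the invariant above the `if` would keep a later reader from "simplifying" it back into the overflow-prone `sizeof(*lvd) + table_len` form.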
--
1.7.1
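The overflow Ben describes is easiest to see with the two checks side by side on a constructed descriptor block. The following is an added example written for this page, not kernel code and not from either patch: it models `udf_load_logicalvol()` with a fixed-size header followed by (type, length) partition map pairs, emulates the 32-bit `size_t` case with `uint32_t` arithmetic, and walks the map table defensively instead of reading past the buffer. The block size (2048), the header size (440), the `mapTableLength` offset (264) and the map entry encoding are assumptions made for the model, not values taken from the patches above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the descriptor block. Sizes and offsets are
 * assumptions for this example; they are not taken from the patch. */
#define BLOCK_SIZE     2048u   /* assumed sb->s_blocksize */
#define HDR_SIZE        440u   /* assumed sizeof(*lvd) */
#define MAPLEN_OFFSET   264u   /* assumed offset of lvd->mapTableLength */

enum { LVD_REJECTED = -3, WALK_BAD_LEN = -2, WALK_OVERRUN = -1 };

static uint32_t le32_read(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void le32_write(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* First patch's check as it behaves with a 32-bit size_t: the sum is done
 * in 32-bit unsigned arithmetic and wraps. Returns true when accepted. */
static bool check_sum_32bit(uint32_t table_len, uint32_t blocksize)
{
    uint32_t sum = HDR_SIZE + table_len;   /* wraps modulo 2^32 */
    return sum <= blocksize;
}

/* Same expression with a 64-bit size_t: no wrap, so 64-bit kernels are
 * not fooled by this value. */
static bool check_sum_64bit(uint32_t table_len, uint32_t blocksize)
{
    uint64_t sum = (uint64_t)HDR_SIZE + table_len;
    return sum <= blocksize;
}

/* Second patch's check: compare the untrusted length against the room left
 * in the block, doing no arithmetic on it. The blocksize guard is added in
 * this example (it is not in the kernel patch); without it the unsigned
 * subtraction itself would wrap for blocksize < HDR_SIZE. */
static bool check_room(uint32_t table_len, uint32_t blocksize)
{
    if (blocksize < HDR_SIZE)
        return false;
    return table_len <= blocksize - HDR_SIZE;
}

/* Walk the map table the way the kernel loop does: each map is a
 * (type, length) byte pair and the walk advances by length until offset
 * reaches table_len. Unlike the kernel it stops at the buffer end and
 * rejects a length that would not advance, instead of misbehaving. */
static int walk_partition_maps(const uint8_t *block, uint32_t blocksize,
                               uint32_t table_len)
{
    const uint8_t *maps = block + HDR_SIZE;
    uint32_t avail = blocksize - HDR_SIZE;
    uint32_t offset = 0;
    int count = 0;

    while (offset < table_len) {
        if (offset + 2 > avail)
            return WALK_OVERRUN;    /* kernel would read past bh->b_data */
        uint8_t len = maps[offset + 1];
        if (len < 2)
            return WALK_BAD_LEN;    /* would spin on the same map forever */
        count++;
        offset += len;
    }
    return count;
}

/* Read mapTableLength from the block, apply one of the two checks, walk. */
static int load_lvd(const uint8_t *block, uint32_t blocksize, bool fixed_check)
{
    uint32_t table_len = le32_read(block + MAPLEN_OFFSET);
    bool ok = fixed_check ? check_room(table_len, blocksize)
                          : check_sum_32bit(table_len, blocksize);
    if (!ok)
        return LVD_REJECTED;
    return walk_partition_maps(block, blocksize, table_len);
}

/* Constructed input: a block whose map area is filled with (type 1, len 6)
 * entries and which declares the given table length. */
static int run_case(uint32_t declared_table_len, bool fixed_check)
{
    uint8_t block[BLOCK_SIZE];

    memset(block, 0, sizeof block);
    le32_write(block + MAPLEN_OFFSET, declared_table_len);
    for (uint32_t off = HDR_SIZE; off + 2 <= BLOCK_SIZE; off += 6) {
        block[off] = 1;       /* partitionMapType */
        block[off + 1] = 6;   /* partitionMapLength */
    }
    return load_lvd(block, BLOCK_SIZE, fixed_check);
}

int main(void)
{
    printf("table_len=60, old check: %d maps\n", run_case(60u, false));
    printf("table_len=60, new check: %d maps\n", run_case(60u, true));
    printf("table_len=0xFFFFFF00, old check on 32-bit: %d (overrun)\n",
           run_case(0xFFFFFF00u, false));
    printf("table_len=0xFFFFFF00, old check on 64-bit accepts: %d\n",
           check_sum_64bit(0xFFFFFF00u, BLOCK_SIZE));
    printf("table_len=0xFFFFFF00, new check: %d (rejected)\n",
           run_case(0xFFFFFF00u, true));
    return 0;
}
```

With `mapTableLength` set to 0xFFFFFF00, the 32-bit form of the original check computes 440 + 0xFFFFFF00 as 184, accepts the descriptor, and the walk runs off the end of the 1608 usable bytes; the 64-bit form and the corrected check both reject it. The corrected check also rejects 1609 and accepts 1608, the exact boundary, which is what the `udf_err()` message in the patch reports.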