Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Fix corrupted OSF partition table parsing

The kernel automatically evaluates partition tables of storage devices.
The code for evaluating OSF partitions contains a bug that leaks data
from kernel heap memory to userspace for certain corrupted OSF
partitions.

In more detail:

for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where d_npartitions is read from
the partition table without validation and partition is a pointer to an
array of at most 8 d_partitions.

Add the proper and obvious validation.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: stable@kernel.org
[ Changed the patch trivially to not repeat the whole le16_to_cpu()
thing, and to use an explicit constant for the magic value '8' ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Timo Warns and committed by Linus Torvalds
1eafbfeb 2fbfac4e

+10 -2
fs/partitions/osf.c
··· 10 10 #include "check.h" 11 11 #include "osf.h" 12 12 13 + #define MAX_OSF_PARTITIONS 8 14 + 13 15 int osf_partition(struct parsed_partitions *state) 14 16 { 15 17 int i; 16 18 int slot = 1; 19 + unsigned int npartitions; 17 20 Sector sect; 18 21 unsigned char *data; 19 22 struct disklabel { ··· 48 45 u8 p_fstype; 49 46 u8 p_frag; 50 47 __le16 p_cpg; 51 - } d_partitions[8]; 48 + } d_partitions[MAX_OSF_PARTITIONS]; 52 49 } * label; 53 50 struct d_partition * partition; 54 51 ··· 66 63 put_dev_sector(sect); 67 64 return 0; 68 65 } 69 - for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) { 66 + npartitions = le16_to_cpu(label->d_npartitions); 67 + if (npartitions > MAX_OSF_PARTITIONS) { 68 + put_dev_sector(sect); 69 + return 0; 70 + } 71 + for (i = 0 ; i < npartitions; i++, partition++) { 70 72 if (slot == state->limit) 71 73 break; 72 74 if (le32_to_cpu(partition->p_size))
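Review bot: in the first hunk, MAX_OSF_PARTITIONS is introduced with no comment explaining why the value is 8; since the limit is dictated by the on-disk disklabel layout rather than by a kernel policy, a one-line comment such as `/* size of d_partitions[] in the on-disk disklabel */` next to the define would tell the next reader that the constant must stay in lock-step with the struct and is not tunable.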
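Review bot: in the last hunk, the new check uses strict greater-than, so a label with exactly MAX_OSF_PARTITIONS entries is still accepted, which matches indices 0..7 of d_partitions and is the intended bound; the one remaining nit is that `npartitions` is `unsigned int` while the loop counter `i` is still `int`, so `i < npartitions` is a signed/unsigned comparison that is only harmless because the count has just been capped at 8. Declaring `i` as `unsigned int` too (or making `npartitions` an `int` after the check) removes the dependency on that ordering. The silent `put_dev_sector(sect); return 0;` on an oversized count mirrors the existing early-exit pair just above the loop, so no sector reference is leaked; a debug-level message stating that the label was rejected for an out-of-range d_npartitions would make it easier to tell a corrupted label from an unrecognized disk when diagnosing why a device shows no partitions.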