Commit 1eafbfeb authored Mar 14, 2011 by Timo Warns Committed by Linus Torvalds Mar 14, 2011

Fix corrupted OSF partition table parsing



The kernel automatically evaluates partition tables of storage devices.
The code for evaluating OSF partitions contains a bug that leaks data
from kernel heap memory to userspace for certain corrupted OSF
partitions.

In more detail:

  for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {

iterates from 0 to d_npartitions - 1, where d_npartitions is read from
the partition table without validation and partition is a pointer to an
array of at most 8 d_partitions.

Add the proper and obvious validation.

Signed-off-by: Timo Warns <warns@pre-sense.de>
Cc: stable@kernel.org
[ Changed the patch trivially to not repeat the whole le16_to_cpu()
  thing, and to use an explicit constant for the magic value '8' ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 2fbfac4e

fs/partitions/osf.c

+10 −2

Original line number	Diff line number	Diff line
		@@ -10,10 +10,13 @@
		#include "check.h"
		#include "osf.h"

		#define MAX_OSF_PARTITIONS 8

		int osf_partition(struct parsed_partitions *state)
		{
		int i;
		int slot = 1;
		unsigned int npartitions;
		Sector sect;
		unsigned char *data;
		struct disklabel {
		@@ -45,7 +48,7 @@ int osf_partition(struct parsed_partitions *state)
		u8 p_fstype;
		u8 p_frag;
		__le16 p_cpg;
		} d_partitions[8];
		} d_partitions[MAX_OSF_PARTITIONS];
		} * label;
		struct d_partition * partition;

		@@ -63,7 +66,12 @@ int osf_partition(struct parsed_partitions *state)
		put_dev_sector(sect);
		return 0;
		}
		for (i = 0 ; i < le16_to_cpu(label->d_npartitions); i++, partition++) {
		npartitions = le16_to_cpu(label->d_npartitions);
		if (npartitions > MAX_OSF_PARTITIONS) {
		put_dev_sector(sect);
		return 0;
		}
		for (i = 0 ; i < npartitions; i++, partition++) {
		if (slot == state->limit)
		break;
		if (le32_to_cpu(partition->p_size))