Patch "libceph: fix overflow in osdmap_decode()" has been added to the 3.4-stable tree

Wed, 21 Nov 2012 12:05:43 -0800 

This is a note to let you know that I've just added the patch titled

    libceph: fix overflow in osdmap_decode()

to the 3.4-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     0057-libceph-fix-overflow-in-osdmap_decode.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From cc725c099f905095dfa2fe50c46575096ff0052d Mon Sep 17 00:00:00 2001
From: Xi Wang <[email protected]>
Date: Wed, 6 Jun 2012 19:35:55 -0500
Subject: libceph: fix overflow in osdmap_decode()

From: Xi Wang <[email protected]>

(cherry picked from commit e91a9b639a691e0982088b5954eaafb5a25c8f1c)

On 32-bit systems, a large `n' would overflow `n * sizeof(u32)' and bypass
the check ceph_decode_need(p, end, n * sizeof(u32), bad).  It would also
overflow the subsequent kmalloc() size, leading to out-of-bounds write.

Signed-off-by: Xi Wang <[email protected]>
Reviewed-by: Alex Elder <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 net/ceph/osdmap.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -674,6 +674,9 @@ struct ceph_osdmap *osdmap_decode(void *
                ceph_decode_need(p, end, sizeof(u32) + sizeof(u64), bad);
                ceph_decode_copy(p, &pgid, sizeof(pgid));
                n = ceph_decode_32(p);
+               err = -EINVAL;
+               if (n > (UINT_MAX - sizeof(*pg)) / sizeof(u32))
+                       goto bad;
                ceph_decode_need(p, end, n * sizeof(u32), bad);
                err = -ENOMEM;
                pg = kmalloc(sizeof(*pg) + n*sizeof(u32), GFP_NOFS);


Patches currently in stable-queue which might be from [email protected] are

queue-3.4/ipv4-avoid-undefined-behavior-in-do_ip_setsockopt.patch
queue-3.4/0058-libceph-fix-overflow-in-osdmap_apply_incremental.patch
queue-3.4/0057-libceph-fix-overflow-in-osdmap_decode.patch
queue-3.4/0056-libceph-fix-overflow-in-__decode_pool_names.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to