Patch "libceph: fix overflow in osdmap_apply_incremental()" has been added to the 3.4-stable tree

Wed, 21 Nov 2012 12:05:44 -0800 

This is a note to let you know that I've just added the patch titled

    libceph: fix overflow in osdmap_apply_incremental()

to the 3.4-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     0058-libceph-fix-overflow-in-osdmap_apply_incremental.patch
and it can be found in the queue-3.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From 1edb6147d0adbb0d51bed7c7432f59bbc41f8c82 Mon Sep 17 00:00:00 2001
From: Xi Wang <[email protected]>
Date: Wed, 6 Jun 2012 19:35:55 -0500
Subject: libceph: fix overflow in osdmap_apply_incremental()

From: Xi Wang <[email protected]>

(cherry picked from commit a5506049500b30dbc5edb4d07a3577477c1f3643)

On 32-bit systems, a large `pglen' would overflow `pglen*sizeof(u32)'
and bypass the check ceph_decode_need(p, end, pglen*sizeof(u32), bad).
It would also overflow the subsequent kmalloc() size, leading to
out-of-bounds write.

Signed-off-by: Xi Wang <[email protected]>
Reviewed-by: Alex Elder <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
 net/ceph/osdmap.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -900,6 +900,10 @@ struct ceph_osdmap *osdmap_apply_increme
                        (void) __remove_pg_mapping(&map->pg_temp, pgid);
 
                        /* insert */
+                       if (pglen > (UINT_MAX - sizeof(*pg)) / sizeof(u32)) {
+                               err = -EINVAL;
+                               goto bad;
+                       }
                        pg = kmalloc(sizeof(*pg) + sizeof(u32)*pglen, GFP_NOFS);
                        if (!pg) {
                                err = -ENOMEM;


Patches currently in stable-queue which might be from [email protected] are

queue-3.4/ipv4-avoid-undefined-behavior-in-do_ip_setsockopt.patch
queue-3.4/0058-libceph-fix-overflow-in-osdmap_apply_incremental.patch
queue-3.4/0057-libceph-fix-overflow-in-osdmap_decode.patch
queue-3.4/0056-libceph-fix-overflow-in-__decode_pool_names.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to