	mac: validate mac_partition is within sector
If md->signature == MAC_DRIVER_MAGIC and md->block_size == 1023, a single 512 byte sector would be read (secsize / 512). However the partition structure would be located past the end of the buffer (secsize % 512). Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe <axboe@fb.com>
							parent
							
								
									8aeea03195
								
							
						
					
					
						commit
						02e2a5bfeb
					
				
					 1 changed files with 7 additions and 3 deletions
				
			
		|  | @ -32,7 +32,7 @@ int mac_partition(struct parsed_partitions *state) | ||||||
| 	Sector sect; | 	Sector sect; | ||||||
| 	unsigned char *data; | 	unsigned char *data; | ||||||
| 	int slot, blocks_in_map; | 	int slot, blocks_in_map; | ||||||
| 	unsigned secsize; | 	unsigned secsize, datasize, partoffset; | ||||||
| #ifdef CONFIG_PPC_PMAC | #ifdef CONFIG_PPC_PMAC | ||||||
| 	int found_root = 0; | 	int found_root = 0; | ||||||
| 	int found_root_goodness = 0; | 	int found_root_goodness = 0; | ||||||
|  | @ -50,10 +50,14 @@ int mac_partition(struct parsed_partitions *state) | ||||||
| 	} | 	} | ||||||
| 	secsize = be16_to_cpu(md->block_size); | 	secsize = be16_to_cpu(md->block_size); | ||||||
| 	put_dev_sector(sect); | 	put_dev_sector(sect); | ||||||
| 	data = read_part_sector(state, secsize/512, §); | 	datasize = round_down(secsize, 512); | ||||||
|  | 	data = read_part_sector(state, datasize / 512, §); | ||||||
| 	if (!data) | 	if (!data) | ||||||
| 		return -1; | 		return -1; | ||||||
| 	part = (struct mac_partition *) (data + secsize%512); | 	partoffset = secsize % 512; | ||||||
|  | 	if (partoffset + sizeof(*part) > datasize) | ||||||
|  | 		return -1; | ||||||
|  | 	part = (struct mac_partition *) (data + partoffset); | ||||||
| 	if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { | 	if (be16_to_cpu(part->signature) != MAC_PARTITION_MAGIC) { | ||||||
| 		put_dev_sector(sect); | 		put_dev_sector(sect); | ||||||
| 		return 0;		/* not a MacOS disk */ | 		return 0;		/* not a MacOS disk */ | ||||||
|  |  | ||||||
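Review bot: The new early return after `if (partoffset + sizeof(*part) > datasize)` runs once read_part_sector() has already succeeded, but unlike the MAC_PARTITION_MAGIC mismatch path directly below it, it does not call put_dev_sector(sect), so the sector reference taken by the read appears to be leaked whenever the check rejects the table. I would write it as `if (partoffset + sizeof(*part) > datasize) { put_dev_sector(sect); return -1; }`. Separately, the bound compared against is datasize, while the commit message says only a single 512-byte sector is read; if that is the real size of the buffer behind `data`, a block_size of 1024 or more with a non-zero remainder could still pass the check, and comparing against 512 (or rejecting block sizes that are not a multiple of 512) would close that gap. mac_partition() begins before and continues past the hunks shown here, so the remaining exit paths could not be checked.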
	 Kees Cook
						Kees Cook