diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-31916/0001-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-31916/0001-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-31916/0001-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-31916/0001-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch new file mode 100644 index 000000000..95def3832 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2021-31916/0001-dm-ioctl-fix-out-of-bounds-array-access-when-no-devi.patch @@ -0,0 +1,40 @@ +From 921aae17bb0f02181fa05cf5580ebc855fdbd74d Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka <mpatocka@redhat.com> +Date: Fri, 26 Mar 2021 14:32:32 -0400 +Subject: [PATCH] dm ioctl: fix out of bounds array access when no devices + +commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a upstream. + +If there are not any dm devices, we need to zero the "dev" argument in +the first structure dm_name_list. However, this can cause out of +bounds write, because the "needed" variable is zero and len may be +less than eight. + +Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is +too small to hold the "nl->dev" value. + +Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> +Reported-by: Dan Carpenter <dan.carpenter@oracle.com> +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + drivers/md/dm-ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c +index 5e306bba4375..1ca65b434f1f 100644 +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -529,7 +529,7 @@ static int list_devices(struct file *filp, struct dm_ioctl *param, size_t param_ + * Grab our output buffer. + */ + nl = orig_nl = get_result_buffer(param, param_size, &len); +- if (len < needed) { ++ if (len < needed || len < sizeof(nl->dev)) { + param->flags |= DM_BUFFER_FULL_FLAG; + goto out; + } +-- +2.17.1 + |