block: partitions: bound sysv68 slice table count#951
Open
blktests-ci[bot] wants to merge 1 commit into
Open
Conversation
Author
|
Upstream branch: 9716c08 |
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
c3a084b to
5f78e5d
Compare
Author
|
Upstream branch: 2a2974b |
blktests-ci
Bot
force-pushed
the
series/1109453=>linus-master
branch
from
f4c6ba4 to
b1a450b
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
5f78e5d to
e48f9db
Compare
Author
|
Upstream branch: 062871f |
blktests-ci
Bot
force-pushed
the
series/1109453=>linus-master
branch
from
b1a450b to
c0352d9
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
199644a to
e6d9eb8
Compare
Author
|
Upstream branch: 66affa3 |
blktests-ci
Bot
force-pushed
the
series/1109453=>linus-master
branch
from
c0352d9 to
6b799ac
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
e6d9eb8 to
7d8604f
Compare
Author
|
Upstream branch: bade58e |
blktests-ci
Bot
force-pushed
the
series/1109453=>linus-master
branch
from
6b799ac to
0629326
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
7d8604f to
4cc45a3
Compare
Author
|
Upstream branch: 4edcdef |
blktests-ci
Bot
force-pushed
the
series/1109453=>linus-master
branch
from
0629326 to
976cbef
Compare
blktests-ci
Bot
force-pushed
the
linus-master_base
branch
from
4cc45a3 to
90ffd56
Compare
sysv68_partition() reads a single sector for the slice table, but it trusts ios_slccnt from disk and walks that many entries after skipping the synthetic whole-disk slice. A crafted image can set ios_slccnt larger than the 64 struct slice records that fit in one sector and trigger an out-of-bounds read while scanning partitions. Limit the slice count to the number of records that fit in the sector returned by read_part_sector(), then drop the whole-disk entry only when the bounded count is non-zero. Fixes: 19d0e8c ("partition: add support for sysv68 partitions") Cc: stable@vger.kernel.org Reported-by: Yuan Tan <yuantan098@gmail.com> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com> Reported-by: Xin Liu <bird@lzu.edu.cn> Assisted-by: Codex:GPT-5.4 Signed-off-by: Zhao Zhang <zzhan461@ucr.edu> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn> Reviewed-by: Philippe De Muyter <phdm@macqel.be>
Author
|
Upstream branch: dc59e4f |
blktests-ci
Bot
force-pushed
the
series/1109453=>linus-master
branch
from
976cbef to
3ae236e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: block: partitions: bound sysv68 slice table count
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1109453