+ hfsplus-fix-another-bug-when-reading-a-corrupted-image.patch added to -mm tree

The patch titled
     hfsplus: fix another bug when reading a corrupted image
has been added to the -mm tree.  Its filename is
     hfsplus-fix-another-bug-when-reading-a-corrupted-image.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: hfsplus: fix another bug when reading a corrupted image
From: Eric Sesterhenn <snakebyte@xxxxxx>

Another bug that popped up when testing hfsplus with corrupted images.

[  144.632017] BUG: unable to handle kernel NULL pointer dereference at 00000034
[  144.633047] IP: [<c0230c55>] hfsplus_find_init+0x24/0x5a
[  144.633047] *pde = 00000000
[  144.633047] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[  144.633047] Modules linked in:
[  144.633047]
[  144.633047] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00131-g83097ac-dirty #32)
[  144.633047] EIP: 0060:[<c0230c55>] EFLAGS: 00010202 CPU: 0
[  144.633047] EIP is at hfsplus_find_init+0x24/0x5a
[  144.633047] EAX: 0000001d EBX: c6eaca84 ECX: c011bf0c EDX: 000000d0
[  144.633047] ESI: 00000000 EDI: c6eb810c EBP: c6eaca74 ESP: c6eaca60
[  144.633047]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  144.633047] Process mount (pid: 4845, ti=c6eac000 task=c6e80000 task.ti=c6eac000)
[  144.633047] Stack: c0801a93 00000000 c6eaca84 c6eaca84 c6eb8000 c6eacab4 c022c900 00000000
[  144.633047]        c022ce68 00000000 c6eb8004 00000000 00000000 22222222 22222222 22222222
[  144.633047]        22222222 22222222 00000000 c1098a40 c6eb8000 c6eacae0 c022ce72 c6eb82ac
[  144.633047] Call Trace:
[  144.633047]  [<c022c900>] ? hfsplus_ext_read_extent+0x47/0x12a
[  144.633047]  [<c022ce68>] ? hfsplus_get_block+0xb3/0x19d
[  144.633047]  [<c022ce72>] ? hfsplus_get_block+0xbd/0x19d
[  144.633047]  [<c01a042d>] ? block_read_full_page+0x172/0x2b4
[  144.633047]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
[  144.633047]  [<c0161899>] ? add_to_page_cache_locked+0xa9/0xc4
[  144.633047]  [<c0168922>] ? lru_cache_add+0x53/0x69
[  144.633047]  [<c022b737>] ? hfsplus_readpage+0xf/0x11
[  144.633047]  [<c0161ad5>] ? read_cache_page_async+0x79/0x108
[  144.633047]  [<c022b728>] ? hfsplus_readpage+0x0/0x11
[  144.633048]  [<c0162d59>] ? read_cache_page+0xc/0x3f
[  144.633048]  [<c022e85b>] ? hfsplus_btree_open+0x104/0x267
[  144.633048]  [<c022b04a>] ? hfsplus_fill_super+0x211/0x447
[  144.633048]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  144.633048]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  144.633048]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  144.633048]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  144.633048]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  144.633048]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  144.633048]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  144.633048]  [<c06aa5c6>] ? mutex_unlock+0x8/0xa
[  144.633048]  [<c01a28da>] ? do_open+0x20b/0x280
[  144.633048]  [<c01a29cc>] ? __blkdev_get+0x7d/0x88
[  144.633048]  [<c041c9c4>] ? string+0x2b/0x74
[  144.633048]  [<c041ccf6>] ? vsnprintf+0x2e9/0x512
[  144.633048]  [<c010487a>] ? dump_trace+0xca/0xd6
[  144.633048]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  144.633048]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  144.633048]  [<c013b571>] ? save_trace+0x37/0x8d
[  144.633048]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  144.633048]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  144.633048]  [<c01354d3>] ? up+0xc/0x2f
[  144.633048]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  144.633048]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  144.633048]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  144.633048]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  144.633048]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  144.633048]  [<c041cf97>] ? snprintf+0x1b/0x1d
[  144.633048]  [<c01ba466>] ? disk_name+0x25/0x67
[  144.633048]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[  144.633048]  [<c016ad92>] ? kstrdup+0x2a/0x4c
[  144.633048]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[  144.633048]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[  144.633048]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[  144.633048]  [<c0183602>] ? do_kern_mount+0x32/0xba
[  144.633048]  [<c01960d4>] ? do_new_mount+0x46/0x74
[  144.633048]  [<c0196277>] ? do_mount+0x175/0x193
[  144.633048]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  144.633048]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
[  144.633048]  [<c06ac09b>] ? lock_kernel+0x19/0x8c
[  144.633048]  [<c01962e6>] ? sys_mount+0x51/0x9b
[  144.633048]  [<c01962f9>] ? sys_mount+0x64/0x9b
[  144.633048]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[  144.633048]  =======================
[  144.633048] Code: 00 00 00 00 5b 5d c3 55 89 e5 56 89 c6 53 89 d3 52 50 68 93 1a 80 c0 e8 f2 24 ef ff ba d0 00 00 00 89 73 08 c7 43 0c 00 00 00 00 <8b> 46 34 8d 44 00 04 e8 f9 e0 f4 ff ba f4 ff ff ff 83 c4 0c 85
[  144.633048] EIP: [<c0230c55>] hfsplus_find_init+0x24/0x5a SS:ESP 0068:c6eaca60
[  144.659114] ---[ end trace 3e5c566484eaaae5 ]---

Problem is that there is no ext_tree, causing the NULL-pointer dereference
in hfsplus_init().  This fixes the issue by checking the ext_tree in
hfsplus_get_block() and aborting early enough.

Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>
Cc: Roman Zippel <zippel@xxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 fs/hfsplus/extents.c |    3 +++
 1 file changed, 3 insertions(+)

diff -puN fs/hfsplus/extents.c~hfsplus-fix-another-bug-when-reading-a-corrupted-image fs/hfsplus/extents.c
--- a/fs/hfsplus/extents.c~hfsplus-fix-another-bug-when-reading-a-corrupted-image
+++ a/fs/hfsplus/extents.c
@@ -199,6 +199,9 @@ int hfsplus_get_block(struct inode *inod
 		goto done;
 	}
 
+	if (HFSPLUS_SB(inode->i_sb).ext_tree == NULL)
+		return -EIO;
+
 	mutex_lock(&HFSPLUS_I(inode).extents_lock);
 	res = hfsplus_ext_read_extent(inode, ablock);
 	if (!res) {
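Review bot: the new NULL check is placed before mutex_lock(&HFSPLUS_I(inode).extents_lock), so the early `return -EIO;` leaks no lock, but nothing tells a later reader why ext_tree can be NULL inside hfsplus_get_block. The oops above shows the path: hfsplus_fill_super -> hfsplus_btree_open -> read_cache_page -> hfsplus_readpage -> hfsplus_get_block -> hfsplus_ext_read_extent -> hfsplus_find_init, i.e. the extents tree itself is still being opened when a block lookup falls outside the inline extents and needs the (not yet available) tree. A one-line comment stating that this can only happen on a corrupted image, plus a printk naming the condition next to the return, would let an administrator tell this -EIO apart from a genuine device read error and would document the invariant the check relies on.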
diff -puN /dev/null /dev/null
_

Patches currently in -mm which might be from snakebyte@xxxxxx are

linux-next.patch
hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch
hfsplus-check-read_mapping_page-return-value.patch
hfsplus-fix-another-bug-when-reading-a-corrupted-image.patch

--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
