The patch titled
     hfs: fix a potential buffer overflow
has been added to the -mm tree.  Its filename is
     hfs-fix-a-potential-buffer-overflow.patch

Before you just go and hit "reply", please:
   a) Consider who else should be cc'ed
   b) Prefer to cc a suitable mailing list as well
   c) Ideally: find the original patch on the mailing list and do a
      reply-to-all to that, adding suitable additional cc's

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://userweb.kernel.org/~akpm/stuff/added-to-mm.txt to find
out what to do about this

The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/

------------------------------------------------------
Subject: hfs: fix a potential buffer overflow
From: Amerigo Wang <amwang@xxxxxxxxxx>

A specially-crafted Hierarchical File System (HFS) filesystem could cause a
buffer overflow to occur in a process's kernel stack during a memcpy() call
within the hfs_bnode_read() function (at fs/hfs/bnode.c:24).  The attacker
can provide the source buffer and length, and the destination buffer is a
local variable of a fixed length.  This local variable (passed as "&entry"
from fs/hfs/dir.c:112 and allocated on line 60) is stored in the stack frame
of hfs_bnode_read()'s caller, which is hfs_readdir().

Because the hfs_readdir() function executes upon any attempt to read a
directory on the filesystem, it gets called whenever a user attempts to
inspect any filesystem contents.

[amwang@xxxxxxxxxx: modify this patch and fix coding style problems]
Signed-off-by: WANG Cong <amwang@xxxxxxxxxx>
Cc: Eugene Teo <eteo@xxxxxxxxxx>
Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Cc: Roman Zippel <zippel@xxxxxxxxxxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Cc: Alexey Dobriyan <adobriyan@xxxxxxxxx>
Cc: Dave Anderson <anderson@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/hfs/catalog.c | 4 ++++ fs/hfs/dir.c | 11 +++++++++++ fs/hfs/super.c | 7 ++++++- 3 files changed, 21 insertions(+), 1 deletion(-) diff -puN fs/hfs/catalog.c~hfs-fix-a-potential-buffer-overflow fs/hfs/catalog.c --- a/fs/hfs/catalog.c~hfs-fix-a-potential-buffer-overflow +++ a/fs/hfs/catalog.c @@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode err = hfs_brec_find(&src_fd); if (err) goto out; + if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { + err = -EIO; + goto out; + } hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, src_fd.entrylength); diff -puN fs/hfs/dir.c~hfs-fix-a-potential-buffer-overflow fs/hfs/dir.c --- a/fs/hfs/dir.c~hfs-fix-a-potential-buffer-overflow +++ a/fs/hfs/dir.c @@ -79,6 +79,11 @@ static int hfs_readdir(struct file *filp filp->f_pos++; /* fall through */ case 1: + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); if (entry.type != HFS_CDR_THD) { printk(KERN_ERR "hfs: bad catalog folder thread\n"); @@ -109,6 +114,12 @@ static int hfs_readdir(struct file *filp err = -EIO; goto out; } + + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); type = entry.type; len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName); diff -puN fs/hfs/super.c~hfs-fix-a-potential-buffer-overflow fs/hfs/super.c --- a/fs/hfs/super.c~hfs-fix-a-potential-buffer-overflow +++ a/fs/hfs/super.c 
@@ -409,8 +409,13 @@ static int hfs_fill_super(struct super_b /* try to get the root inode */ hfs_find_init(HFS_SB(sb)->cat_tree, &fd); res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd); - if (!res) + if (!res) { + if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) { + res = -EIO; + goto bail; + } hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); + } if (res) { hfs_find_exit(&fd); goto bail_no_root; _ Patches currently in -mm which might be from amwang@xxxxxxxxxx are linux-next.patch xtensa-use-generic-sys_pipe.patch sysctl_max_map_count-should-be-non-negative.patch rwsem-spinlock-remove-useless-function-exports.patch rwsem-fix-rwsem_is_locked-bugs.patch rwsem-fix-rwsem_is_locked-bugs-fix.patch kallsyms-remove-deprecated-print_fn_descriptor_symbol.patch hfs-fix-a-potential-buffer-overflow.patch ipc-remove-unreachable-code-in-semc.patch ipc-remove-unreachable-code-in-semc-fix.patch kexec-premit-reduction-of-the-reserved-memory-size.patch kexec-premit-reduction-of-the-reserved-memory-size-fix.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
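Review bot: the fs/hfs/catalog.c hunk (hfs_cat_move) introduces the three-line guard `if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { err = -EIO; goto out; }` that then reappears, with fd/rec substituted, in both fs/hfs/dir.c hunks and in fs/hfs/super.c; factor it into one small helper next to hfs_find_data (a name such as hfs_check_entrylength() is only a suggestion) so the four call sites cannot drift apart and the reason for both bounds is documented once. Note also that because the `< 0` test shows entrylength is signed, comparing it against the size_t sizeof(entry) already promotes a negative value to a huge unsigned one and fails the first test; keep the explicit `< 0` for readability, or cast so the intent is obvious, but do not rely on it being the check that catches negatives.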
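Review bot: the first fs/hfs/dir.c hunk (the `case 1:` path in hfs_readdir) only bounds fd.entrylength from above; the very next statements do `hfs_bnode_read(fd.bnode, &entry, ...)` and then test `entry.type != HFS_CDR_THD`, so a crafted record whose entrylength is 0 (or shorter than the thread record this branch goes on to use) passes the new check and leaves `entry` as uninitialized stack memory that the comparison then reads. Add a lower bound too, rejecting records smaller than the structure the caller is about to read (at minimum the `type` byte), using the same `err = -EIO; goto out;` handling.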
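Review bot: the second fs/hfs/dir.c hunk has the same gap on the low side: `type = entry.type;` is read immediately after hfs_bnode_read(), so a short record still yields an uninitialized type; reject records below the minimum catalog record size here as well. Style: the hunk adds a blank `+` line both before the guard and after its closing `}`; the one after the brace separates the check from the hfs_bnode_read() call it protects, so drop it and keep the guard adjacent to the copy.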
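Review bot: the fs/hfs/super.c hunk (hfs_fill_super) leaks the find data on the new error path: when `fd.entrylength > sizeof(rec) || fd.entrylength < 0` it sets `res = -EIO` and does `goto bail`, but the existing failure path directly below, `if (res) { hfs_find_exit(&fd); goto bail_no_root; }`, shows that the hfs_find_init() done a few lines earlier must be paired with hfs_find_exit(&fd) before bailing. Since the check already sits inside `if (!res) { ... }`, simply setting `res = -EIO;` without the goto lets control fall into that existing `if (res)` block, which releases fd and takes the proper `bail_no_root` exit.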
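The fault described in the commit message (an on-disk record length driving memcpy() into a fixed-size stack buffer) and the guard the patch places in front of hfs_bnode_read(), as an added user-space C example; this is not code from the patch or from the kernel. The struct names, the node image and the four record descriptors are constructed for illustration, and the example goes one step beyond the patch by also enforcing a lower bound and a node-buffer bound.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed-size catalog record the kernel keeps on the
 * stack; only the leading type byte matters here. (constructed) */
struct cat_rec {
    int8_t type;
    uint8_t body[63];
};

/* Stand-in for the two find-descriptor fields the patch consults.
 * entrylength is signed, as the patch's "< 0" test implies. (constructed) */
struct find_data {
    int entryoffset;
    int entrylength;
};

/* The patch's bound (length must not be negative and must fit the
 * destination) plus a lower bound so the caller never inspects bytes the
 * copy did not write. Returns 0 or -EIO, the error the patch uses. */
static int check_entrylength(int entrylength, size_t dst_len, size_t min_len)
{
    if (entrylength < 0 || (size_t)entrylength > dst_len)
        return -EIO;            /* would overflow the stack buffer */
    if ((size_t)entrylength < min_len)
        return -EIO;            /* too short for the fields read afterwards */
    return 0;
}

/* Guarded equivalent of the hfs_bnode_read() call sites in the patch:
 * validate first, then copy exactly entrylength bytes. Also refuses to
 * read past the end of the node image. Returns 0 or -EIO. */
static int bnode_read_checked(const uint8_t *node, size_t node_len,
                              struct cat_rec *dst, const struct find_data *fd)
{
    int err = check_entrylength(fd->entrylength, sizeof(*dst), sizeof(dst->type));
    if (err)
        return err;
    if (fd->entryoffset < 0 || (size_t)fd->entryoffset > node_len ||
        (size_t)fd->entrylength > node_len - (size_t)fd->entryoffset)
        return -EIO;            /* record would extend beyond the node */
    memset(dst, 0, sizeof(*dst)); /* unreferenced tail is defined, not stale stack */
    memcpy(dst, node + fd->entryoffset, (size_t)fd->entrylength);
    return 0;
}

/* Feed four constructed record descriptors through the guarded read and
 * return how many are accepted: only the first one should be. */
static int demo_accepted_records(void)
{
    uint8_t node[128];          /* constructed b-tree node image */
    struct cat_rec rec;
    int accepted = 0;
    size_t i;
    static const struct find_data cases[] = {
        { 16, 32 },   /* 32 bytes from offset 16: fits the 64-byte record */
        { 16, 200 },  /* longer than the destination: the overflow case */
        { 16, -4 },   /* negative length: rejected explicitly */
        { 16, 0 },    /* zero length: would leave rec.type unset */
    };

    memset(node, 0xAB, sizeof(node));
    node[16] = 1;               /* record type byte at offset 16 */

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int err = bnode_read_checked(node, sizeof(node), &rec, &cases[i]);
        if (err == 0) {
            accepted++;
            printf("case %zu accepted, type=%d\n", i, rec.type);
        } else {
            printf("case %zu rejected with %d\n", i, err);
        }
    }
    return accepted;
}

int main(void)
{
    return demo_accepted_records() == 1 ? 0 : 1;
}
```

The lower bound is the part the patch does not have: its check stops a copy from overrunning `entry`, but a record shorter than the fields the caller reads next (`entry.type` in hfs_readdir) still leaves those fields as whatever was on the stack, which is why the example zeroes the destination and rejects lengths below the minimum it needs.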