[PATCH 1/1] [HARDY] [LUCID] [CVE-2012-2319] hfsplus: Fix potential buffer overflows

Herton Ronaldo Krzesinski herton.krzesinski at canonical.com
Thu May 24 13:15:35 UTC 2012 

On Wed, May 23, 2012 at 05:26:27PM -0700, Brad Figg wrote:
> From: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> 
> CVE-2012-2319
> 
> Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
> potential buffer overflows in the hfs filesystem.  But as Timo Warns
> pointed out, these changes also need to be made on the hfsplus
> filesystem as well.
> 
> Reported-by: Timo Warns <warns at pre-sense.de>
> Acked-by: WANG Cong <amwang at redhat.com>
> Cc: Alexey Khoroshilov <khoroshilov at ispras.ru>
> Cc: Miklos Szeredi <mszeredi at suse.cz>
> Cc: Sage Weil <sage at newdream.net>
> Cc: Eugene Teo <eteo at redhat.com>
> Cc: Roman Zippel <zippel at linux-m68k.org>
> Cc: Al Viro <viro at zeniv.linux.org.uk>
> Cc: Christoph Hellwig <hch at lst.de>
> Cc: Alexey Dobriyan <adobriyan at gmail.com>
> Cc: Dave Anderson <anderson at redhat.com>
> Cc: stable <stable at vger.kernel.org>
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (backported from commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream)
> Signed-off-by: Brad Figg <brad.figg at canonical.com>
> ---
>  fs/hfsplus/catalog.c |    4 ++++
>  fs/hfsplus/dir.c     |   11 +++++++++++
>  2 files changed, 15 insertions(+)
> 
> diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
> index f6874ac..8a7cbcf 100644
> --- a/fs/hfsplus/catalog.c
> +++ b/fs/hfsplus/catalog.c
> @@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid,
>  	err = hfs_brec_find(&src_fd);
>  	if (err)
>  		goto out;
> +    if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
> +        err = -EIO;
> +        goto out;
> +    }

Just minor nitpicking, identation is odd here. But Ack on both patches.

>  
>  	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
>  				src_fd.entrylength);
> diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
> index 5f40236..f4300ff7 100644
> --- a/fs/hfsplus/dir.c
> +++ b/fs/hfsplus/dir.c
> @@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
>  		filp->f_pos++;
>  		/* fall through */
>  	case 1:
> +		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
> +			err = -EIO;
> +			goto out;
> +		}
> +
>  		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
>  		if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
>  			printk(KERN_ERR "hfs: bad catalog folder thread\n");
> @@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir)
>  			err = -EIO;
>  			goto out;
>  		}
> +
> +		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
> +			err = -EIO;
> +			goto out;
> +		}
> +
>  		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
>  		type = be16_to_cpu(entry.type);
>  		len = HFSPLUS_MAX_STRLEN;
> -- 
> 1.7.9.5
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
> 

-- 
[]'s
Herton

More information about the kernel-team mailing list