LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Eric Sesterhenn <snakebyte@gmx.de>,
	Roman Zippel <zippel@linux-m68k.org>
Subject: [patch 54/57] hfsplus: fix Buffer overflow with a corrupted image
Date: Tue, 4 Nov 2008 15:33:32 -0800	[thread overview]
Message-ID: <20081104233332.GC659@suse.de> (raw)
In-Reply-To: <20081104233028.GA659@suse.de>

[-- Attachment #1: hfsplus-fix-buffer-overflow-with-a-corrupted-image.patch --]
[-- Type: text/plain, Size: 6366 bytes --]

2.6.27-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Eric Sesterhenn <snakebyte@gmx.de>

commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40 upstream

When an hfsplus image gets corrupted it might happen that the catalog
namelength field gets b0rked.  If we mount such an image the memcpy() in
hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
field.  Depending on the size of the overwritten data, we either only get
memory corruption or also trigger an oops like this:

[  221.628020] BUG: unable to handle kernel paging request at c82b0000
[  221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
[  221.629066] *pde = 0ea29163 *pte = 082b0160
[  221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
[  221.629066] Modules linked in:
[  221.629066]
[  221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
[  221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
[  221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
[  221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
[  221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
[  221.629066]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
[  221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
[  221.629066]        01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
[  221.629066]        00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
[  221.629066] Call Trace:
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c01302d2>] ? __kernel_text_address+0x1b/0x27
[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[  221.629066]  [<c0109e32>] ? save_stack_address+0x0/0x2c
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  221.629066]  [<c013553d>] ? down+0xc/0x2f
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c013da5d>] ? mark_held_locks+0x43/0x5a
[  221.629066]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  221.629066]  [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
[  221.629066]  [<c013555c>] ? down+0x2b/0x2f
[  221.629066]  [<c022aa68>] ? hfsplus_iget+0xa0/0x154
[  221.629066]  [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c041c9e4>] ? string+0x2b/0x74
[  221.629066]  [<c041cd16>] ? vsnprintf+0x2e9/0x512
[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  221.629066]  [<c01354d3>] ? up+0xc/0x2f
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c041cfb7>] ? snprintf+0x1b/0x1d
[  221.629066]  [<c01ba466>] ? disk_name+0x25/0x67
[  221.629066]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[  221.629066]  [<c016ad92>] ? kstrdup+0x2a/0x4c
[  221.629066]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[  221.629066]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[  221.629066]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[  221.629066]  [<c0183602>] ? do_kern_mount+0x32/0xba
[  221.629066]  [<c01960d4>] ? do_new_mount+0x46/0x74
[  221.629066]  [<c0196277>] ? do_mount+0x175/0x193
[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  221.629066]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
[  221.629066]  [<c06ac07b>] ? lock_kernel+0x19/0x8c
[  221.629066]  [<c01962e6>] ? sys_mount+0x51/0x9b
[  221.629066]  [<c01962f9>] ? sys_mount+0x64/0x9b
[  221.629066]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[  221.629066]  =======================
[  221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
[  221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
[  221.629066] ---[ end trace e417a1d67f0d0066 ]---

Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
the check is performed at the callsite.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/hfsplus/catalog.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -168,6 +168,11 @@ int hfsplus_find_cat(struct super_block 
 		return -EIO;
 	}
 
+	if (be16_to_cpu(tmp.thread.nodeName.length) > 255) {
+		printk(KERN_ERR "hfs: catalog name length corrupted\n");
+		return -EIO;
+	}
+
 	hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID),
 				 &tmp.thread.nodeName);
 	return hfs_brec_find(fd);

-- 

  parent reply	other threads:[~2008-11-04 23:57 UTC|newest]

Thread overview: 60+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20081104232144.186593464@mini.kroah.org>
2008-11-04 23:30 ` [patch 00/57] 2.6.27-stable review Greg KH
2008-11-04 23:30   ` [patch 01/57] agp: Fix stolen memory counting on G4X Greg KH
2008-11-04 23:30   ` [patch 02/57] SCSI: sd: Fix handling of NO_SENSE check condition Greg KH
2008-11-04 23:31   ` [patch 03/57] S390: Fix sysdev class file creation Greg KH
2008-11-04 23:31   ` [patch 04/57] sysfs: Fix return values for sysdev_store_{ulong, int} Greg KH
2008-11-04 23:31   ` [patch 05/57] ipmi: add MODULE_ALIAS to load ipmi_devintf with ipmi_si Greg KH
2008-11-04 23:31   ` [patch 06/57] USB: fix crash when URBs are unlinked after the device is gone Greg KH
2008-11-04 23:31   ` [patch 07/57] ALSA: hda - Add reboot notifier Greg KH
2008-11-04 23:31   ` [patch 08/57] kbuild: mkspec - fix build rpm Greg KH
2008-11-04 23:31   ` [patch 09/57] x86: fix /dev/mem mmap breakage when PAT is disabled Greg KH
2008-11-04 23:31   ` [patch 10/57] atl1: fix vlan tag regression Greg KH
2008-11-04 23:31   ` [patch 11/57] libertas: fix buffer overrun Greg KH
2008-11-04 23:31   ` [patch 12/57] Revert "HID: Invert HWHEEL mappings for some Logitech mice" Greg KH
2008-11-04 23:31   ` [patch 13/57] libata: initialize port_task when !CONFIG_ATA_SFF Greg KH
2008-11-04 23:31   ` [patch 14/57] syncookies: fix inclusion of tcp options in syn-ack Greg KH
2008-11-04 23:31   ` [patch 15/57] tcp: Restore ordering of TCP options for the sake of inter-operability Greg KH
2008-11-04 23:31   ` [patch 16/57] tcpv6: fix option space offsets with md5 Greg KH
2008-11-04 23:31   ` [patch 17/57] pkt_sched: sch_generic: Fix oops in sch_teql Greg KH
2008-11-04 23:31   ` [patch 18/57] sparc64: Fix race in arch/sparc64/kernel/trampoline.S Greg KH
2008-11-04 23:31   ` [patch 19/57] math-emu: Fix signalling of underflow and inexact while packing result Greg KH
2008-11-04 23:31   ` [patch 20/57] firewire: fix setting tag and sy in iso transmission Greg KH
2008-11-04 23:31   ` [patch 21/57] firewire: fix ioctl() return code Greg KH
2008-11-04 23:31   ` [patch 22/57] firewire: Survive more than 256 bus resets Greg KH
2008-11-04 23:31   ` [patch 23/57] firewire: fix struct fw_node memory leak Greg KH
2008-11-04 23:31   ` [patch 24/57] firewire: fw-sbp2: delay first login to avoid retries Greg KH
2008-11-04 23:31   ` [patch 25/57] firewire: fw-sbp2: fix races Greg KH
2008-11-04 23:31   ` [patch 26/57] ACPI: Always report a sync event after a lid state change Greg KH
2008-11-04 23:31   ` [patch 27/57] powerpc: fix i2c on PPC linkstation / kurobox machines Greg KH
2008-11-04 23:31   ` [patch 28/57] powerpc: Reserve in bootmem lmb reserved regions that cross NUMA nodes Greg KH
2008-11-04 23:32   ` [patch 29/57] powerpc/numa: Make memory reserve code more robust Greg KH
2008-11-04 23:32   ` [patch 30/57] powerpc: Dont use a 16G page if beyond mem= limits Greg KH
2008-11-04 23:32   ` [patch 31/57] i2c: The i2c mailing list is moving Greg KH
2008-11-04 23:32   ` [patch 32/57] scx200_i2c: Add missing class parameter Greg KH
2008-11-04 23:32   ` [patch 33/57] ALSA: use correct lock in snd_ctl_dev_disconnect() Greg KH
2008-11-04 23:32   ` [patch 34/57] V4L: pvrusb2: Keep MPEG PTSs from drifting away Greg KH
2008-11-04 23:32   ` [patch 35/57] DVB: s5h1411: bugfix: Setting serial or parallel mode could destroy bits Greg KH
2008-11-04 23:32   ` [patch 36/57] DVB: s5h1411: Perform s5h1411 soft reset after tuning Greg KH
2008-11-04 23:32   ` [patch 37/57] DVB: s5h1411: Power down s5h1411 when not in use Greg KH
2008-11-04 23:32   ` [patch 38/57] PCI: fix 64-vbit prefetchable memory resource BARs Greg KH
2008-11-04 23:32   ` [patch 39/57] sched: disable the hrtick for now Greg KH
2008-11-04 23:33   ` [patch 40/57] sched_clock: prevent scd->clock from moving backwards Greg KH
2008-11-04 23:33   ` [patch 41/57] x86: avoid dereferencing beyond stack + THREAD_SIZE Greg KH
2008-11-04 23:33   ` [patch 42/57] rtc-cmos: look for PNP RTC first, then for platform RTC Greg KH
2008-11-04 23:33   ` [patch 43/57] USB: storage: Avoid I/O errors when issuing SCSI ioctls to JMicron USB/ATA bridge Greg KH
2008-11-04 23:33   ` [patch 44/57] x86: register a platform RTC device if PNP doesnt describe it Greg KH
2008-11-04 23:33   ` [patch 45/57] sata_promise: add ATA engine reset to reset ops Greg KH
2008-11-04 23:33   ` [patch 46/57] sata_nv: fix generic, nf2/3 detection regression Greg KH
2008-11-04 23:33   ` [patch 47/57] ACPI: EC: do transaction from interrupt context Greg KH
2008-11-04 23:33   ` [patch 48/57] ACPI: EC: Rename some variables Greg KH
2008-11-04 23:33   ` [patch 49/57] ACPI: EC: Check for IBF=0 periodically if not in GPE mode Greg KH
2008-11-04 23:33   ` [patch 50/57] libata: Fix LBA48 on pata_it821x RAID volumes Greg KH
2008-11-04 23:33   ` [patch 51/57] ACPI: Ingore the RESET_REG_SUP bit when using ACPI reset mechanism Greg KH
2008-11-05  0:48     ` Zhao Yakui
2008-11-05  1:02       ` Greg KH
2008-11-04 23:33   ` [patch 52/57] ACPI: Clear WAK_STS on resume Greg KH
2008-11-04 23:33   ` [patch 53/57] Input: atkbd - expand Latitudes force release quirk to other Dells Greg KH
2008-11-04 23:33   ` Greg KH [this message]
2008-11-04 23:33   ` [patch 55/57] hfsplus: check read_mapping_page() return value Greg KH
2008-11-04 23:33   ` [patch 56/57] bonding: fix panic when taking bond interface down before removing module Greg KH
2008-11-04 23:33   ` [patch 57/57] file caps: always start with clear bprm->caps_* Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20081104233332.GC659@suse.de \
    --to=gregkh@suse.de \
    --cc=akpm@linux-foundation.org \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=cavokz@gmail.com \
    --cc=cebbert@redhat.com \
    --cc=chuckw@quantumlinux.com \
    --cc=davej@redhat.com \
    --cc=eteo@redhat.com \
    --cc=jake@lwn.net \
    --cc=jmforbes@linuxtx.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mkrufky@linuxtv.org \
    --cc=rbranco@la.checkpoint.com \
    --cc=rdunlap@xenotime.net \
    --cc=reviews@ml.cw.f00f.org \
    --cc=snakebyte@gmx.de \
    --cc=stable@kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=w@1wt.eu \
    --cc=zippel@linux-m68k.org \
    --cc=zwane@arm.linux.org.uk \
    --subject='Re: [patch 54/57] hfsplus: fix Buffer overflow with a corrupted image' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).