From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
	Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
	Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Eric Sesterhenn <snakebyte@gmx.de>,
	Roman Zippel <zippel@linux-m68k.org>
Subject: [patch 47/49] hfsplus: check read_mapping_page() return value (CVE-2008-4934)
Date: Tue, 11 Nov 2008 16:24:33 -0800
Message-ID: <20081112002433.GV10989@kroah.com>
In-Reply-To: <20081112002215.GA10989@kroah.com>

[-- Attachment #1: hfsplus-check-read_mapping_page-return-value.patch --]
[-- Type: text/plain, Size: 4750 bytes --]

2.6.27-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Eric Sesterhenn <snakebyte@gmx.de>

commit 649f1ee6c705aab644035a7998d7b574193a598a upstream.

While testing more corrupted images with hfsplus, I came across
one which triggered the following bug:

[15840.675016] BUG: unable to handle kernel paging request at fffffffb
[15840.675016] IP: [<c0116a4f>] kmap+0x15/0x56
[15840.675016] *pde = 00008067 *pte = 00000000
[15840.675016] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
[15840.675016] Modules linked in:
[15840.675016]
[15840.675016] Pid: 11575, comm: ln Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #29)
[15840.675016] EIP: 0060:[<c0116a4f>] EFLAGS: 00010202 CPU: 0
[15840.675016] EIP is at kmap+0x15/0x56
[15840.675016] EAX: 00000246 EBX: fffffffb ECX: 00000000 EDX: cab919c0
[15840.675016] ESI: 000007dd EDI: cab0bcf4 EBP: cab0bc98 ESP: cab0bc94
[15840.675016]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[15840.675016] Process ln (pid: 11575, ti=cab0b000 task=cab919c0 task.ti=cab0b000)
[15840.675016] Stack: 00000000 cab0bcdc c0231cfb 00000000 cab0bce0 00000800 ca9290c0 fffffffb
[15840.675016]        cab145d0 cab919c0 cab15998 22222222 22222222 22222222 00000001 cab15960
[15840.675016]        000007dd cab0bcf4 cab0bd04 c022cb3a cab0bcf4 cab15a6c ca9290c0 00000000
[15840.675016] Call Trace:
[15840.675016]  [<c0231cfb>] ? hfsplus_block_allocate+0x6f/0x2d3
[15840.675016]  [<c022cb3a>] ? hfsplus_file_extend+0xc4/0x1db
[15840.675016]  [<c022ce41>] ? hfsplus_get_block+0x8c/0x19d
[15840.675016]  [<c06adde4>] ? sub_preempt_count+0x9d/0xab
[15840.675016]  [<c019ece6>] ? __block_prepare_write+0x147/0x311
[15840.675016]  [<c0161934>] ? __grab_cache_page+0x52/0x73
[15840.675016]  [<c019ef4f>] ? block_write_begin+0x79/0xd5
[15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
[15840.675016]  [<c019f22a>] ? cont_write_begin+0x27f/0x2af
[15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
[15840.675016]  [<c0139ebe>] ? tick_program_event+0x28/0x4c
[15840.675016]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[15840.675016]  [<c022b723>] ? hfsplus_write_begin+0x2d/0x32
[15840.675016]  [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
[15840.675016]  [<c0161988>] ? pagecache_write_begin+0x33/0x107
[15840.675016]  [<c01879e5>] ? __page_symlink+0x3c/0xae
[15840.675016]  [<c019ad34>] ? __mark_inode_dirty+0x12f/0x137
[15840.675016]  [<c0187a70>] ? page_symlink+0x19/0x1e
[15840.675016]  [<c022e6eb>] ? hfsplus_symlink+0x41/0xa6
[15840.675016]  [<c01886a9>] ? vfs_symlink+0x99/0x101
[15840.675016]  [<c018a2f6>] ? sys_symlinkat+0x6b/0xad
[15840.675016]  [<c018a348>] ? sys_symlink+0x10/0x12
[15840.675016]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[15840.675016]  =======================
[15840.675016] Code: 00 00 75 10 83 3d 88 2f ec c0 02 75 07 89 d0 e8 12 56 05 00 5d c3 55 ba 06 00 00 00 89 e5 53 89 c3 b8 3d eb 7e c0 e8 16 74 00 00 <8b> 03 c1 e8 1e 69 c0 d8 02 00 00 05 b8 69 8e c0 2b 80 c4 02 00
[15840.675016] EIP: [<c0116a4f>] kmap+0x15/0x56 SS:ESP 0068:cab0bc94
[15840.675016] ---[ end trace 4fea40dad6b70e5f ]---

This happens because the return value of read_mapping_page() is passed on
to kmap unchecked.  The bug is triggered after the first
read_mapping_page() in hfsplus_block_allocate(); this patch fixes all
three usages in this function but leaves the ones further down in the
file unchanged.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 fs/hfsplus/bitmap.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/fs/hfsplus/bitmap.c
+++ b/fs/hfsplus/bitmap.c
@@ -32,6 +32,10 @@ int hfsplus_block_allocate(struct super_
 	mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
 	mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
 	page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL);
+	if (IS_ERR(page)) {
+		start = size;
+		goto out;
+	}
 	pptr = kmap(page);
 	curr = pptr + (offset & (PAGE_CACHE_BITS - 1)) / 32;
 	i = offset % 32;
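Review bot: the error path folds the read failure into `start = size`, so (assuming `out:` only drops the mutex and returns `start`, since the label is outside the hunk) the caller can no longer tell an unreadable allocation bitmap from a genuinely full one; consider propagating `PTR_ERR(page)` through a distinct return path, or at least documenting that `start == size` now also covers I/O errors. The test itself is the right one: `read_mapping_page()` returns an `ERR_PTR`, never NULL, on failure, and the `EBX: fffffffb` in the oops above is exactly such a value (-EIO as a 32-bit pointer), so `IS_ERR()` rather than `!page` is what must be checked before `kmap(page)`.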
@@ -73,6 +77,10 @@ int hfsplus_block_allocate(struct super_
 			break;
 		page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
 					 NULL);
+		if (IS_ERR(page)) {
+			start = size;
+			goto out;
+		}
 		curr = pptr = kmap(page);
 		if ((size ^ offset) / PAGE_CACHE_BITS)
 			end = pptr + PAGE_CACHE_BITS / 32;
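Review bot: this block repeats the first hunk's `if (IS_ERR(page)) { start = size; goto out; }` verbatim, and a third copy follows; a single `out_err:` label, or a small helper that reads and maps a bitmap page in one step and fails cleanly, would keep the error handling in one place and make it harder for other `read_mapping_page()` callers in this file to skip the check, which the commit message says is still the case for the uses further down in the file.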
@@ -120,6 +128,10 @@ found:
 		offset += PAGE_CACHE_BITS;
 		page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
 					 NULL);
+		if (IS_ERR(page)) {
+			start = size;
+			goto out;
+		}
 		pptr = kmap(page);
 		curr = pptr;
 		end = pptr + PAGE_CACHE_BITS / 32;
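Review bot: this error path sits after the `found:` label, i.e. while an allocation already in progress is being extended onto the next bitmap page; if bits on the previous page have already been set and that page released by the time this `read_mapping_page()` fails (not visible in the hunk, so worth confirming against the full function), overwriting `start` with `size` reports "nothing allocated" while those bits stay set in the bitmap, leaking them. Returning the run allocated so far, or clearing it before `goto out`, would be safer here than reusing the first hunk's convention.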

-- 
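The defect the commit message describes is the kernel's encoded-error-pointer convention: `read_mapping_page()` reports failure as `ERR_PTR(-errno)`, a pointer into the top 4095 bytes of the address space, and dereferencing it (here via `kmap()`) faults. The following is an added userspace model of that convention, not code from the patch or from the kernel: the `ERR_PTR`/`IS_ERR`/`PTR_ERR` helpers mirror the kernel's definitions, while the two-page bitmap, `read_mapping_page()` stand-in, "unreadable page" flag and `block_allocate()` are constructed for the demonstration. `decode_oops_pointer()` shows that the `EBX: fffffffb` value in the oops on this page is `-EIO` (-5) sign-extended to a 32-bit pointer, and `block_allocate()` follows the patched code's choice of returning `size` when a page cannot be read, so the caller sees an I/O error and a full bitmap as the same outcome.

```c
/* Added example (not the patch's or the kernel's code): a userspace model of
 * the ERR_PTR convention that hfsplus_block_allocate() tripped over.  The
 * bitmap layout, page count and "unreadable" flag are constructed here. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* Kernel-style encoded errors: -errno cast to a pointer lands in the top
 * MAX_ERRNO bytes of the address space, which no valid object occupies. */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* The oops reports EBX=fffffffb as the value handed to kmap(); interpreted
 * as a 32-bit kernel pointer it is the encoding of -EIO. */
long decode_oops_pointer(uint32_t reg)
{
    return (long)(int32_t)reg;     /* sign-extend the 32-bit register */
}

#define PAGE_BITS 64                /* bits per bitmap page in this model */
#define NPAGES 2
#define BITMAP_SIZE (NPAGES * PAGE_BITS)

struct page {
    uint32_t bits[PAGE_BITS / 32];  /* 1 = block allocated */
    int unreadable;                 /* constructed: simulates an I/O error */
};

static struct page bitmap_pages[NPAGES];

/* Stand-in for read_mapping_page(): a page that cannot be read yields
 * ERR_PTR(-EIO), the kind of value the unpatched code passed to kmap(). */
static struct page *read_mapping_page(unsigned pgnum)
{
    if (pgnum >= NPAGES || bitmap_pages[pgnum].unreadable)
        return ERR_PTR(-EIO);
    return &bitmap_pages[pgnum];
}

void reset_bitmap(void)
{
    for (unsigned i = 0; i < NPAGES; i++) {
        bitmap_pages[i].unreadable = 0;
        for (unsigned w = 0; w < PAGE_BITS / 32; w++)
            bitmap_pages[i].bits[w] = 0;
    }
}

void set_block(unsigned blk)
{
    bitmap_pages[blk / PAGE_BITS].bits[(blk % PAGE_BITS) / 32] |= 1u << (blk % 32);
}

void mark_page_unreadable(unsigned pgnum) { bitmap_pages[pgnum].unreadable = 1; }

/* Allocate one block: scan the bitmap pages for the first clear bit.  On a
 * read failure it follows the patch's convention and returns `size` ("no
 * block"), so an I/O error and a full bitmap look the same to the caller. */
unsigned block_allocate(unsigned size)
{
    for (unsigned offset = 0; offset < size; offset += PAGE_BITS) {
        struct page *page = read_mapping_page(offset / PAGE_BITS);
        if (IS_ERR(page)) {         /* the check the patch adds before kmap() */
            fprintf(stderr, "bitmap page %u unreadable: %ld\n",
                    offset / PAGE_BITS, PTR_ERR(page));
            return size;            /* mirrors `start = size; goto out;` */
        }
        for (unsigned w = 0; w < PAGE_BITS / 32; w++) {
            if (page->bits[w] == 0xffffffffu)
                continue;
            for (unsigned b = 0; b < 32; b++) {
                if (!(page->bits[w] & (1u << b))) {
                    page->bits[w] |= 1u << b;
                    return offset + w * 32 + b;
                }
            }
        }
    }
    return size;
}

int main(void)
{
    printf("oops pointer 0xfffffffb decodes to %ld (-EIO is %d)\n",
           decode_oops_pointer(0xfffffffbu), -EIO);
    reset_bitmap();
    for (unsigned i = 0; i < 3; i++)
        set_block(i);
    printf("first free block: %u\n", block_allocate(BITMAP_SIZE));
    reset_bitmap();
    for (unsigned i = 0; i < PAGE_BITS; i++)
        set_block(i);
    mark_page_unreadable(1);
    printf("page 1 unreadable: %u (size is %u)\n",
           block_allocate(BITMAP_SIZE), (unsigned)BITMAP_SIZE);
    return 0;
}
```

The point of `IS_ERR()` over a NULL test is visible in the model: the failing pointer is a large, non-NULL value, so `if (!page)` would pass it straight through to the dereference exactly as the unpatched `kmap(page)` did.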
