This is a note to let you know that I've just added the patch titled

    hfsplus: Fix potential buffer overflows

to the 3.3-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     hfsplus-fix-potential-buffer-overflows.patch
and it can be found in the queue-3.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


From 6f24f892871acc47b40dd594c63606a17c714f77 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <[email protected]>
Date: Fri, 4 May 2012 12:09:39 -0700
Subject: hfsplus: Fix potential buffer overflows

From: Greg Kroah-Hartman <[email protected]>

commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.

Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem.  But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.

Reported-by: Timo Warns <[email protected]>
Acked-by: WANG Cong <[email protected]>
Cc: Alexey Khoroshilov <[email protected]>
Cc: Miklos Szeredi <[email protected]>
Cc: Sage Weil <[email protected]>
Cc: Eugene Teo <[email protected]>
Cc: Roman Zippel <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Dave Anderson <[email protected]>
Cc: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

---
 fs/hfsplus/catalog.c |    4 ++++
 fs/hfsplus/dir.c     |   11 +++++++++++
 2 files changed, 15 insertions(+)

--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid,
        err = hfs_brec_find(&src_fd);
        if (err)
                goto out;
+       if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
+               err = -EIO;
+               goto out;
+       }
 
        hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
                                src_fd.entrylength);
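Review bot: in the added check in hfsplus_rename_cat(), `src_fd.entrylength > sizeof(entry)` compares against a size_t, so if entrylength is a signed int it is converted to unsigned and a negative value already fails that first test, which makes `|| src_fd.entrylength < 0` redundant; if the field is unsigned, the second test can never be true. Putting the `< 0` test first, or making the conversion explicit, would show the intent without the reader having to work out the promotion rules. A short comment that entrylength comes from the on-disk record and is not trusted would also explain why the copy into the fixed-size `entry` needs guarding here.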
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file *
                filp->f_pos++;
                /* fall through */
        case 1:
+               if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+                       err = -EIO;
+                       goto out;
+               }
+
                hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
                        fd.entrylength);
                if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
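Review bot: the check added under `case 1:` bounds fd.entrylength only from above, yet `entry.type` is read immediately after hfs_bnode_read(). A record whose entrylength is smaller than the `type` field (zero included) passes the new test, and `be16_to_cpu(entry.type)` is then evaluated on bytes of `entry` that the read did not fill. Consider also rejecting lengths shorter than sizeof(entry.type) with the same -EIO path, or zeroing `entry` before the read.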
@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file *
                        err = -EIO;
                        goto out;
                }
+
+               if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+                       err = -EIO;
+                       goto out;
+               }
+
                hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
                        fd.entrylength);
                type = be16_to_cpu(entry.type);
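Review bot: this is the third verbatim copy of the `entrylength > sizeof(entry) || entrylength < 0` test in the patch (once in catalog.c, twice in hfsplus_readdir()), each placed directly in front of an hfs_bnode_read() into `entry`. A small helper that validates the length and performs the read would keep the three sites in step and make it harder to add a fourth read without the check. The new branch also returns -EIO without a log line; a rate-limited message naming the bad entry length would help distinguish a corrupted catalog record from an ordinary I/O error when this triggers in the field.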


Patches currently in stable-queue which might be from 
[email protected] are

queue-3.3/rtlwifi-fix-oops-on-unload.patch
queue-3.3/x86-boot-restrict-cflags-for-hostprogs.patch
queue-3.3/nfsv4-ensure-that-we-check-lock-exclusive-shared-type-against-open-modes.patch
queue-3.3/nouveau-initialise-has_optimus-variable.patch
queue-3.3/usb-ehci-fix-crash-during-suspend-on-asus-computers.patch
queue-3.3/autofs-make-the-autofsv5-packet-file-descriptor-use-a-packetized-pipe.patch
queue-3.3/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
queue-3.3/usb-gadget-uvc-uvc_request_data-length-field-must-be-signed.patch
queue-3.3/ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
queue-3.3/libata-skip-old-error-history-when-counting-probe-trials.patch
queue-3.3/crypto-talitos-properly-lock-access-to-global-talitos-registers.patch
queue-3.3/x86-apic-apic-code-touches-invalid-msr-on-p5-class-machines.patch
queue-3.3/mips-ath79-fix-ar933x-wmac-reset-code.patch
queue-3.3/exit_signal-simplify-the-we-have-changed-execution-domain-logic.patch
queue-3.3/sched-fix-oops-when-build_sched_domains-percpu-allocation-fails.patch
queue-3.3/iwlwifi-fix-hardware-queue-programming.patch
queue-3.3/dell-laptop-terminate-quirks-list-properly.patch
queue-3.3/x86-efi-fix-endian-issues-and-unaligned-accesses.patch
queue-3.3/powerpc-85xx-don-t-call-of_platform_bus_probe-twice.patch
queue-3.3/iwlwifi-use-6000g2b-for-6030-device-series.patch
queue-3.3/drm-i915-handle-input-output-sdvo-timings-separately-in-mode_set.patch
queue-3.3/pm-hibernate-fix-the-number-of-pages-used-for-hibernate-thaw-buffering.patch
queue-3.3/hwmon-coretemp-increase-cpu-core-limit.patch
queue-3.3/hwmon-fam15h_power-fix-bogus-values-with-current-bioses.patch
queue-3.3/nfsv4-ensure-that-the-lock-code-sets-exception-inode.patch
queue-3.3/asoc-wm8994-improve-sequencing-of-aif-channel-enables.patch
queue-3.3/x86-efi-fix-pointer-math-issue-in-handle_ramdisks.patch
queue-3.3/revert-autofs-work-around-unhappy-compat-problem-on-x86-64.patch
queue-3.3/nfs-enclose-hostname-in-brackets-when-needed-in.patch
queue-3.3/input-synaptics-fix-regression-with-image-sensor-trackpads.patch
queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
queue-3.3/md-raid5-fix-a-bug-about-judging-if-the-operation-is-syncing-or-replacing.patch
queue-3.3/hwmon-fam15h_power-fix-pci_device_id-array.patch
queue-3.3/nl80211-ensure-interface-is-up-in-various-apis.patch
queue-3.3/iwlwifi-do-not-nulify-ctx-vif-on-reset.patch
queue-3.3/scsi-libsas-fix-false-positive-device-attached-conditions.patch
queue-3.3/xen-correctly-check-for-pending-events-when-restoring-irq-flags.patch
queue-3.3/usb-gadget-dummy-do-not-call-pullup-on-udc_stop.patch
queue-3.3/efi-add-new-variable-attributes.patch
queue-3.3/scsi-libsas-fix-sas_find_bcast_phy-in-the-presence-of-vacant-phys.patch
queue-3.3/mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
queue-3.3/i387-ptrace-breaks-the-lazy-fpu-restore-logic.patch
queue-3.3/nfs-put-open-context-on-error-in-nfs_pagein_multi.patch
queue-3.3/x86-microcode-fix-sysfs-warning-during-module-unload-on-unsupported-cpus.patch
queue-3.3/tools-include-add-byteshift-headers-for-endian-access.patch
queue-3.3/xen-smp-fix-crash-when-booting-with-acpi-hotplug-cpus.patch
queue-3.3/usb-ehci-tegra-remove-redundant-gpio_set_value.patch
queue-3.3/arm-7396-1-errata-only-handle-arm-erratum-326103-on-affected-cores.patch
queue-3.3/usb-cdc-wdm-fix-race-leading-leading-to-memory-corruption.patch
queue-3.3/arm-7403-1-tls-remove-covert-channel-via-tpidrurw.patch
queue-3.3/x86-platform-remove-incorrect-error-message-in-x86_default_fixup_cpu_id.patch
queue-3.3/x86-microcode-ensure-that-module-is-only-loaded-on-supported-amd-cpus.patch
queue-3.3/x86-mkpiggy-don-t-open-code-put_unaligned_le32.patch
queue-3.3/pipes-add-a-packetized-pipe-mode-for-writing.patch
queue-3.3/hfsplus-fix-potential-buffer-overflows.patch
queue-3.3/tracing-fix-stacktrace-of-latency-tracers-irqsoff-and-friends.patch
queue-3.3/exit_signal-fix-the-parent-has-changed-security-domain-logic.patch
queue-3.3/b43-only-reload-config-after-successful-initialization.patch
queue-3.3/drm-radeon-kms-need-to-set-up-ss-on-dp-bridges-as-well.patch
queue-3.3/efi-validate-uefi-boot-variables.patch
queue-3.3/x86-boot-correct-cflags-for-hostprogs.patch
queue-3.3/alsa-hda-add-external-mic-quirk-for-asus-zenbook-ux31e.patch
queue-3.3/arm-7406-1-hotplug-copy-the-affinity-mask-when-forcefully-migrating-irqs.patch
queue-3.3/nfs-put-open-context-on-error-in-nfs_flush_multi.patch
queue-3.3/sched-fix-nohz-load-accounting-again.patch
queue-3.3/dmaengine-at_hdmac-remove-clear-on-read-in-atc_dostart.patch
queue-3.3/wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
queue-3.3/efivars-improve-variable-validation.patch
queue-3.3/wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
queue-3.3/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
queue-3.3/i2c-pnx-disable-clk-in-suspend.patch
queue-3.3/iwlwifi-use-correct-released-ucode-version.patch
queue-3.3/drm-i915-set-the-stencil-cache-eviction-policy-to-non-lra-mode.patch
queue-3.3/asoc-dapm-ensure-power-gets-managed-for-line-widgets.patch
queue-3.3/x86-efi-add-dedicated-efi-stub-entry-point.patch
queue-3.3/hwmon-coretemp-fix-oops-on-cpu-unplug.patch