This is a note to let you know that I've just added the patch titled

    hfsplus: Fix potential buffer overflows

to the 3.0-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     hfsplus-fix-potential-buffer-overflows.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


From 6f24f892871acc47b40dd594c63606a17c714f77 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <[email protected]>
Date: Fri, 4 May 2012 12:09:39 -0700
Subject: hfsplus: Fix potential buffer overflows

From: Greg Kroah-Hartman <[email protected]>

commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.

Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
potential buffer overflows in the hfs filesystem.  But as Timo Warns
pointed out, these changes also need to be made on the hfsplus
filesystem as well.

Reported-by: Timo Warns <[email protected]>
Acked-by: WANG Cong <[email protected]>
Cc: Alexey Khoroshilov <[email protected]>
Cc: Miklos Szeredi <[email protected]>
Cc: Sage Weil <[email protected]>
Cc: Eugene Teo <[email protected]>
Cc: Roman Zippel <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Christoph Hellwig <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Dave Anderson <[email protected]>
Cc: Andrew Morton <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>

---
 fs/hfsplus/catalog.c |    4 ++++
 fs/hfsplus/dir.c     |   11 +++++++++++
 2 files changed, 15 insertions(+)

--- a/fs/hfsplus/catalog.c
+++ b/fs/hfsplus/catalog.c
@@ -360,6 +360,10 @@ int hfsplus_rename_cat(u32 cnid,
        err = hfs_brec_find(&src_fd);
        if (err)
                goto out;
+       if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
+               err = -EIO;
+               goto out;
+       }
 
        hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
                                src_fd.entrylength);
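
Review bot: in the added test on src_fd.entrylength, the clause "src_fd.entrylength > sizeof(entry)" compares a signed length (the "< 0" clause implies the field is signed) against a size_t. If the field is an int, a negative value is converted to a large unsigned number and already fails the first clause, so the "< 0" clause never decides the outcome. Putting "src_fd.entrylength < 0" first, or adding a one-line comment on the conversion, would make the intent explicit and keep sign-compare warnings quiet. The error path itself (err = -EIO; goto out) matches the existing hfs_brec_find() failure handling just above.
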
--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
@@ -146,6 +146,11 @@ static int hfsplus_readdir(struct file *
                filp->f_pos++;
                /* fall through */
        case 1:
+               if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+                       err = -EIO;
+                       goto out;
+               }
+
                hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
                        fd.entrylength);
                if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
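
Review bot: the check added before the hfs_bnode_read() in case 1 bounds fd.entrylength from above only, while the next context line reads entry.type straight after the copy. With an entrylength of 0 or 1 the copy would not fill the 16-bit type field, and the comparison against HFSPLUS_FOLDER_THREAD would be made on whatever entry held before the read. Unless a minimum length is enforced somewhere outside this hunk, consider also rejecting lengths too short to cover the type field at this point.
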
@@ -177,6 +182,12 @@ static int hfsplus_readdir(struct file *
                        err = -EIO;
                        goto out;
                }
+
+               if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+                       err = -EIO;
+                       goto out;
+               }
+
                hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
                        fd.entrylength);
                type = be16_to_cpu(entry.type);
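
Review bot: this is the third verbatim copy of the entrylength test in the patch (once in hfsplus_rename_cat, twice in hfsplus_readdir), each sitting directly in front of its own hfs_bnode_read() into entry. Folding the bounds test and the read into one small helper that returns -EIO on a bad length would keep a future caller from adding a read without the check. No such helper is visible in these hunks, so it would be new code. As in the case 1 hunk, entry.type is consumed on the line right after the copy, so the same question about a minimum length applies here.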


Patches currently in stable-queue which might be from 
[email protected] are

queue-3.0/rtlwifi-fix-oops-on-unload.patch
queue-3.0/mmc-unbreak-sdhci-esdhc-imx-on-i.mx25.patch
queue-3.0/nfsv4-ensure-that-we-check-lock-exclusive-shared-type-against-open-modes.patch
queue-3.0/usb-ehci-fix-crash-during-suspend-on-asus-computers.patch
queue-3.0/autofs-make-the-autofsv5-packet-file-descriptor-use-a-packetized-pipe.patch
queue-3.0/drm-i915-fix-integer-overflow-in-i915_gem_do_execbuffer.patch
queue-3.0/usb-gadget-uvc-uvc_request_data-length-field-must-be-signed.patch
queue-3.0/ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
queue-3.0/libata-skip-old-error-history-when-counting-probe-trials.patch
queue-3.0/revert-usb-fix-build-error-due-to-dma_mask-is-not-at.patch
queue-3.0/ehci-fix-criterion-for-resuming-the-root-hub.patch
queue-3.0/x86-apic-apic-code-touches-invalid-msr-on-p5-class-machines.patch
queue-3.0/brcm80211-smac-resume-transmit-fifo-upon-receiving-frames.patch
queue-3.0/nfsd-fix-b0rken-error-value-for-setattr-on-read-only-mount.patch
queue-3.0/drm-i915-handle-input-output-sdvo-timings-separately-in-mode_set.patch
queue-3.0/hwmon-coretemp-increase-cpu-core-limit.patch
queue-3.0/hwmon-fam15h_power-fix-bogus-values-with-current-bioses.patch
queue-3.0/nfsv4-ensure-that-the-lock-code-sets-exception-inode.patch
queue-3.0/nfsd-fix-error-values-returned-by-nfsd4_lockt-when-nfsd_open-fails.patch
queue-3.0/revert-autofs-work-around-unhappy-compat-problem-on-x86-64.patch
queue-3.0/nfs-enclose-hostname-in-brackets-when-needed-in.patch
queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
queue-3.0/hwmon-fam15h_power-fix-pci_device_id-array.patch
queue-3.0/nl80211-ensure-interface-is-up-in-various-apis.patch
queue-3.0/scsi-libsas-fix-false-positive-device-attached-conditions.patch
queue-3.0/xen-correctly-check-for-pending-events-when-restoring-irq-flags.patch
queue-3.0/efi-add-new-variable-attributes.patch
queue-3.0/scsi-libsas-fix-sas_find_bcast_phy-in-the-presence-of-vacant-phys.patch
queue-3.0/mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
queue-3.0/xen-smp-fix-crash-when-booting-with-acpi-hotplug-cpus.patch
queue-3.0/usb-cdc-wdm-fix-race-leading-leading-to-memory-corruption.patch
queue-3.0/arm-7403-1-tls-remove-covert-channel-via-tpidrurw.patch
queue-3.0/pipes-add-a-packetized-pipe-mode-for-writing.patch
queue-3.0/hfsplus-fix-potential-buffer-overflows.patch
queue-3.0/efi-validate-uefi-boot-variables.patch
queue-3.0/efivars-fix-warnings-when-config_pstore-n.patch
queue-3.0/sched-fix-nohz-load-accounting-again.patch
queue-3.0/dmaengine-at_hdmac-remove-clear-on-read-in-atc_dostart.patch
queue-3.0/wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
queue-3.0/fix-modpost-failures-in-fedora-17.patch
queue-3.0/efivars-improve-variable-validation.patch
queue-3.0/wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
queue-3.0/drm-i915-fix-integer-overflow-in-i915_gem_execbuffer2.patch
queue-3.0/i2c-pnx-disable-clk-in-suspend.patch
queue-3.0/asoc-dapm-ensure-power-gets-managed-for-line-widgets.patch
queue-3.0/hwmon-coretemp-fix-oops-on-cpu-unplug.patch
queue-3.0/efivars-string-functions.patch
queue-3.0/kvm-unmap-pages-from-the-iommu-when-slots-are-removed.patch