git.karo-electronics.de Git - karo-tx-linux.git/commit

author	Amerigo Wang <amwang@redhat.com>
	Tue, 15 Dec 2009 01:57:37 +0000 (17:57 -0800)
committer	Greg Kroah-Hartman <gregkh@suse.de>
	Fri, 18 Dec 2009 22:04:08 +0000 (14:04 -0800)
commit	037b7867ec53baa0dea5d05d4201e4fbf2405fc3
tree	f5597e4fe4a1824192185e481248b44790f21832	tree \| snapshot
parent	08d05bad84c4cc91a92ac9aa8c3106610cc0584b	commit \| diff

hfs: fix a potential buffer overflow

commit ec81aecb29668ad71f699f4e7b96ec46691895b6 upstream.

A specially-crafted Hierarchical File System (HFS) filesystem could cause
a buffer overflow to occur in a process's kernel stack during a memcpy()
call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The
attacker can provide the source buffer and length, and the destination
buffer is a local variable of a fixed length. This local variable (passed
as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in
the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir().
Because the hfs_readdir() function executes upon any attempt to read a
directory on the filesystem, it gets called whenever a user attempts to
inspect any filesystem contents.

[amwang@redhat.com: modify this patch and fix coding style problems]
Signed-off-by: WANG Cong <amwang@redhat.com>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

fs/hfs/catalog.c		diff \| blob \| history
fs/hfs/dir.c		diff \| blob \| history
fs/hfs/super.c		diff \| blob \| history