linux-sg2042/fs/hfs
Amerigo Wang ec81aecb29 hfs: fix a potential buffer overflow
A specially-crafted Hierarchical File System (HFS) filesystem could cause
a buffer overflow to occur in a process's kernel stack during a memcpy()
call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24).  The
attacker can provide the source buffer and length, and the destination
buffer is a local variable of a fixed length.  This local variable (passed
as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in
the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir().
Because the hfs_readdir() function executes upon any attempt to read a
directory on the filesystem, it gets called whenever a user attempts to
inspect any filesystem contents.

[amwang@redhat.com: modify this patch and fix coding style problems]
Signed-off-by: WANG Cong <amwang@redhat.com>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-15 08:53:10 -08:00
..
Kconfig fs/Kconfig: move hfs, hfsplus out 2009-01-22 13:15:57 +03:00
Makefile Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
attr.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
bfind.c address hfs on-disk corruption robustness review comments 2008-02-06 10:41:05 -08:00
bitmap.c hfs: convert bitmap_lock in a mutex 2008-07-25 10:53:33 -07:00
bnode.c [PATCH] fs: Conversions from kmalloc+memset to k(z|c)alloc 2006-09-27 08:26:10 -07:00
brec.c hfs_bnode_find() can fail, resulting in hfs_bnode_split() breakage 2008-03-17 09:46:55 -07:00
btree.c hfs: fix oops on mount with corrupted btree extent records 2009-10-29 07:39:29 -07:00
btree.h Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
catalog.c hfs: fix a potential buffer overflow 2009-12-15 08:53:10 -08:00
dir.c hfs: fix a potential buffer overflow 2009-12-15 08:53:10 -08:00
extent.c hfs: convert extents_lock in a mutex 2008-07-25 10:53:33 -07:00
hfs.h address hfs on-disk corruption robustness review comments 2008-02-06 10:41:05 -08:00
hfs_fs.h constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
inode.c hfs: fix memory leak when unmounting 2009-04-13 15:04:29 -07:00
mdb.c fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
part_tbl.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
string.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
super.c hfs: fix a potential buffer overflow 2009-12-15 08:53:10 -08:00
sysdep.c constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
trans.c [PATCH] hfs: NLS support 2005-09-07 16:57:50 -07:00