WSL2-Linux-Kernel/fs
Eric Sesterhenn efc7ffcb42 hfsplus: fix Buffer overflow with a corrupted image
When an hfsplus image gets corrupted it might happen that the catalog
namelength field gets b0rked.  If we mount such an image the memcpy() in
hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
field.  Depending on the size of the overwritten data, we either only get
memory corruption or also trigger an oops like this:

[  221.628020] BUG: unable to handle kernel paging request at c82b0000
[  221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
[  221.629066] *pde = 0ea29163 *pte = 082b0160
[  221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
[  221.629066] Modules linked in:
[  221.629066]
[  221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
[  221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
[  221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
[  221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
[  221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
[  221.629066]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
[  221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
[  221.629066]        01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
[  221.629066]        00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
[  221.629066] Call Trace:
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c01302d2>] ? __kernel_text_address+0x1b/0x27
[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[  221.629066]  [<c0109e32>] ? save_stack_address+0x0/0x2c
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  221.629066]  [<c013553d>] ? down+0xc/0x2f
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c013da5d>] ? mark_held_locks+0x43/0x5a
[  221.629066]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  221.629066]  [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
[  221.629066]  [<c013555c>] ? down+0x2b/0x2f
[  221.629066]  [<c022aa68>] ? hfsplus_iget+0xa0/0x154
[  221.629066]  [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c041c9e4>] ? string+0x2b/0x74
[  221.629066]  [<c041cd16>] ? vsnprintf+0x2e9/0x512
[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  221.629066]  [<c01354d3>] ? up+0xc/0x2f
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c041cfb7>] ? snprintf+0x1b/0x1d
[  221.629066]  [<c01ba466>] ? disk_name+0x25/0x67
[  221.629066]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[  221.629066]  [<c016ad92>] ? kstrdup+0x2a/0x4c
[  221.629066]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[  221.629066]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[  221.629066]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[  221.629066]  [<c0183602>] ? do_kern_mount+0x32/0xba
[  221.629066]  [<c01960d4>] ? do_new_mount+0x46/0x74
[  221.629066]  [<c0196277>] ? do_mount+0x175/0x193
[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  221.629066]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
[  221.629066]  [<c06ac07b>] ? lock_kernel+0x19/0x8c
[  221.629066]  [<c01962e6>] ? sys_mount+0x51/0x9b
[  221.629066]  [<c01962f9>] ? sys_mount+0x64/0x9b
[  221.629066]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[  221.629066]  =======================
[  221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
[  221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
[  221.629066] ---[ end trace e417a1d67f0d0066 ]---

Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
the check is performed at the callsite.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-10-16 11:21:46 -07:00
..
9p vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
adfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
affs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
afs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
autofs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
autofs4 autofs4: add miscellaneous device for ioctls 2008-10-16 11:21:39 -07:00
befs befs: annotate fs32 on tests for superblock endianness 2008-10-16 11:21:46 -07:00
bfs bfs: fix Lockdep warning 2008-09-13 14:41:51 -07:00
cifs [CIFS] cifs: remove pointless lock and unlock of GlobalMid_Lock in header_assemble 2008-10-12 13:34:11 +00:00
coda [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
configfs [PATCH] configfs: Consolidate locking around configfs_detach_prep() in configfs_rmdir() 2008-08-22 11:09:02 -07:00
cramfs cramfs: fix named-pipe handling 2008-08-20 15:40:32 -07:00
debugfs integrity: special fs magic 2008-10-13 09:47:43 +11:00
devpts vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
dlm dlm: choose better identifiers 2008-09-05 09:51:30 -05:00
ecryptfs eCryptfs: remove netlink transport 2008-10-16 11:21:39 -07:00
efs EFS: Don't set f_fsid in statfs(). 2008-09-02 23:15:22 +01:00
exportfs fs: replace remaining __FUNCTION__ occurrences 2008-04-30 08:29:54 -07:00
ext2 ext2: avoid printk floods in the face of directory corruption 2008-10-16 11:21:46 -07:00
ext3 vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
ext4 vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
fat vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
freevxfs fs/freevxfs/: proper externs 2008-04-29 08:06:00 -07:00
fuse vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
gfs2 vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
hfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
hfsplus hfsplus: fix Buffer overflow with a corrupted image 2008-10-16 11:21:46 -07:00
hostfs [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
hpfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
hppfs [patch] hppfs: remove hppfs_permission 2008-07-26 20:53:07 -04:00
hugetlbfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
isofs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
jbd Merge branch 'core/locking' into core/urgent 2008-08-12 00:11:49 +02:00
jbd2 ext4: add an option to control error handling on file data 2008-10-10 22:12:43 -04:00
jffs2 removed unused #include <linux/version.h>'s 2008-08-23 12:14:12 -07:00
jfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
lockd NLM: Remove "proto" argument from lockd_up() 2008-10-04 17:12:27 -04:00
minix SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
msdos fatfs: add UTC timestamp option 2008-07-25 10:53:34 -07:00
ncpfs [PATCH] don't pass nameidata to __ncp_lookup_validate() 2008-07-26 20:53:37 -04:00
nfs Merge branch 'for-2.6.28' of git://linux-nfs.org/~bfields/linux 2008-10-14 12:31:14 -07:00
nfs_common
nfsd NLM: Remove unused argument from svc_addsock() function 2008-10-04 17:12:27 -04:00
nls
ntfs NTFS: update homepage 2008-09-02 19:21:37 -07:00
ocfs2 ocfs2: fix build error 2008-10-14 18:31:46 -07:00
omfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
openpromfs SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
partitions Check for device resize when rescanning partitions 2008-10-09 08:56:12 +02:00
proc Merge branch 'for-2.6.28' of git://linux-nfs.org/~bfields/linux 2008-10-14 12:31:14 -07:00
qnx4 SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
ramfs mm: tiny-shmem nommu fix 2008-10-02 15:53:13 -07:00
reiserfs reiserfs: removed duplicated #include 2008-08-12 16:07:30 -07:00
romfs romfs_readpage: don't report errors for pages beyond i_size 2008-07-30 14:30:34 -07:00
smbfs [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
sysfs Use WARN() in fs/sysfs 2008-07-26 12:00:07 -07:00
sysv SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
ubifs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
udf vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
ufs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
vfat fatfs: add UTC timestamp option 2008-07-25 10:53:34 -07:00
xfs xfs: fix remount rw with unrecognized options 2008-10-15 10:00:00 -07:00
Kconfig Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2 2008-10-14 16:34:11 -07:00
Kconfig.binfmt Introduce HAVE_AOUT symbol to remove hard-coded arch list for BINFMT_AOUT 2008-09-06 19:30:22 +01:00
Makefile Merge branch 'for-2.6.28' of git://linux-nfs.org/~bfields/linux 2008-10-14 12:31:14 -07:00
aio.c [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
anon_inodes.c flag parameters: NONBLOCK in anon_inode_getfd 2008-07-24 10:47:28 -07:00
attr.c [patch 4/4] vfs: immutable inode checking cleanup 2008-07-26 20:53:28 -04:00
bad_inode.c [PATCH] sanitize ->permission() prototype 2008-07-26 20:53:14 -04:00
binfmt_aout.c tracehook: exec 2008-07-26 12:00:08 -07:00
binfmt_elf.c tracehook: exec 2008-07-26 12:00:08 -07:00
binfmt_elf_fdpic.c binfmt_elf_fdpic: Magical stack pointer index, for NEW_AUX_ENT compat. 2008-07-28 18:10:28 +09:00
binfmt_em86.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_flat.c uclinux: fix gzip header parsing in binfmt_flat.c 2008-10-16 11:21:29 -07:00
binfmt_misc.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_script.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_som.c binfmt_som.c: add MODULE_LICENSE 2008-10-16 11:21:38 -07:00
bio-integrity.c block: Introduce integrity data ownership flag 2008-10-09 08:56:21 +02:00
bio.c block: mark bio_split_pool static 2008-10-09 08:57:05 +02:00
block_dev.c block_dev: fix kernel-doc in new functions 2008-10-09 10:42:38 +02:00
buffer.c block: submit_bh() inadvertently discards barrier flag on a sync write 2008-08-27 09:50:19 +02:00
char_dev.c Remove the lock_kernel() call from chrdev_open() 2008-06-20 14:05:53 -06:00
compat.c compat: move cp_compat_stat to common code 2008-10-16 11:21:33 -07:00
compat_binfmt_elf.c
compat_ioctl.c remove unused #include <linux/dirent.h>'s 2008-07-25 10:53:34 -07:00
dcache.c Fix NULL pointer dereference in proc_sys_compare 2008-09-29 07:42:57 -07:00
dcookies.c d_path: Make d_path() use a struct path 2008-02-14 21:17:09 -08:00
direct-io.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
dnotify.c [PATCH] split linux/file.h 2008-05-01 13:08:16 -04:00
dquot.c tty: Redo current tty locking 2008-10-13 09:51:41 -07:00
drop_caches.c vfs: skip inodes without pages to free in drop_pagecache_sb() 2008-04-29 08:06:05 -07:00
eventfd.c flag parameters: check magic constants 2008-07-24 10:47:29 -07:00
eventpoll.c epoll: drop unnecessary test 2008-10-16 11:21:32 -07:00
exec.c alpha: introduce field 'taso' into struct linux_binprm 2008-10-16 11:21:38 -07:00
fcntl.c [PATCH] clean dup2() up a bit 2008-08-01 11:25:24 -04:00
fifo.c [PATCH] reuse xxx_fifo_fops for xxx_pipe_fops 2008-07-26 20:53:06 -04:00
file.c [PATCH] merge locate_fd() and get_unused_fd() 2008-08-01 11:25:23 -04:00
file_table.c [PATCH] f_count may wrap around 2008-07-26 20:53:40 -04:00
filesystems.c
fs-writeback.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
generic_acl.c
inode.c fs/inode.c: properly init address_space->writeback_index 2008-08-15 08:35:44 -07:00
inotify.c inotify: remove debug code 2008-02-06 10:41:07 -08:00
inotify_user.c inotify: fix lock ordering wrt do_page_fault's mmap_sem 2008-10-02 15:53:13 -07:00
internal.h [PATCH] move a bunch of declarations to fs/internal.h 2008-04-21 23:11:01 -04:00
ioctl.c provide generic_block_fiemap() only with BLOCK=y 2008-10-12 11:44:37 -07:00
ioprio.c fix setpriority(PRIO_PGRP) thread iterator breakage 2008-08-20 15:40:32 -07:00
libfs.c VFS: increase pseudo-filesystem block size to PAGE_SIZE 2008-07-30 09:41:44 -07:00
locks.c SL*B: drop kmem cache argument from constructor 2008-07-26 12:00:07 -07:00
mbcache.c vfs: fix possible deadlock in ext2, ext3, ext4 when using xattrs 2008-04-15 19:35:41 -07:00
mpage.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
namei.c [patch 3/4] vfs: remove unused nameidata argument of may_create() 2008-08-01 11:25:30 -04:00
namespace.c [PATCH] pass struct path * to do_add_mount() 2008-08-01 11:25:32 -04:00
nfsctl.c Introduce path_put() 2008-02-14 21:13:33 -08:00
no-block.c
open.c tty: the vhangup syscall is racy 2008-10-13 09:51:41 -07:00
pipe.c [PATCH] reuse xxx_fifo_fops for xxx_pipe_fops 2008-07-26 20:53:06 -04:00
pnode.c [patch 7/7] vfs: mountinfo: show dominating group id 2008-04-23 00:05:09 -04:00
pnode.h [patch 7/7] vfs: mountinfo: show dominating group id 2008-04-23 00:05:09 -04:00
posix_acl.c
quota.c quota: cleanup loop in sync_dquots() 2008-07-25 10:53:35 -07:00
quota_v1.c quota: move function-macros from quota.h to quotaops.h 2008-07-25 10:53:35 -07:00
quota_v2.c quota: move function-macros from quota.h to quotaops.h 2008-07-25 10:53:35 -07:00
read_write.c Remove BKL from remote_llseek v2 2008-07-02 15:06:27 -06:00
read_write.h
readdir.c [PATCH] fix regular readdir() and friends 2008-08-25 01:18:08 -04:00
select.c Fix performance regression on lmbench select benchmark 2008-06-22 12:23:15 -07:00
seq_file.c [PATCH] deal with the first call of ->show() generating no output 2008-08-25 01:18:10 -04:00
signalfd.c flag parameters: check magic constants 2008-07-24 10:47:29 -07:00
splice.c Don't allow splice() to files opened with O_APPEND 2008-10-09 14:26:38 -07:00
stack.c
stat.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
super.c fix soft lock up at NFS mount via per-SB LRU-list of unused dentries 2008-07-24 10:47:15 -07:00
sync.c SYNC_FILE_RANGE_WRITE may and will block. Document that. 2008-07-24 10:47:17 -07:00
timerfd.c flag parameters: check magic constants 2008-07-24 10:47:29 -07:00
utimes.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
xattr.c [PATCH] sanitize __user_walk_fd() et.al. 2008-07-26 20:53:34 -04:00
xattr_acl.c