• Amerigo Wang's avatar
    hfs: fix a potential buffer overflow · ec81aecb
    Amerigo Wang authored
    A specially-crafted Hierarchical File System (HFS) filesystem could cause
    a buffer overflow to occur in a process's kernel stack during a memcpy()
    call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24).  The
    attacker can provide the source buffer and length, and the destination
    buffer is a local variable of a fixed length.  This local variable (passed
    as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in
    the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir().
    Because the hfs_readdir() function executes upon any attempt to read a
    directory on the filesystem, it gets called whenever a user attempts to
    inspect any filesystem contents.
    
    [amwang@redhat.com: modify this patch and fix coding style problems]
    Signed-off-by: default avatarWANG Cong <amwang@redhat.com>
    Cc: Eugene Teo <eteo@redhat.com>
    Cc: Roman Zippel <zippel@linux-m68k.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: Christoph Hellwig <hch@lst.de>
    Cc: Alexey Dobriyan <adobriyan@gmail.com>
    Cc: Dave Anderson <anderson@redhat.com>
    Cc: <stable@kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    ec81aecb
catalog.c 9.16 KB