Sophie: kernel-2.6.18-238.el5 src

kernel-2.6.18-238.el5.src.rpm

From: Amerigo Wang <amwang@redhat.com>
Date: Fri, 4 Dec 2009 09:26:22 -0500
Subject: [fs] hfs: fix a potential buffer overflow
Message-id: <20091204092922.4639.92542.sendpatchset@localhost.localdomain>
Patchwork-id: 21677
O-Subject: [PATCH RHEL5.x][CVE-2009-4020] hfs: fix a potential buffer overflow
Bugzilla: 540741
CVE: CVE-2009-4020
RH-Acked-by: Eric Sandeen <sandeen@redhat.com>

CVE-2009-4020
(This bug is public now.)

BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=540741

Description:
A specially-crafted Hierarchical File System (HFS) filesystem could cause a
buffer overflow to occur in a process's kernel stack during a memcpy() call
within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The attacker can
provide the source buffer and length, and the destination buffer is a local
variable of a fixed length. This local variable (passed as "&entry" from
fs/hfs/dir.c:112 and allocated on line 60) is stored in the stack frame of
hfs_bnode_read()'s caller, which is hfs_readdir(). Because the hfs_readdir()
function executes upon any attempt to read a directory on the filesystem, it
gets called whenever a user attempts to inspect any filesystem contents.

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=2125860

Upstream status:
http://marc.info/?l=linux-mm-commits&m=125987755823047&w=2

Test status:
With the test image from Eugene, I can confirm it fixes the
problem.

Signed-off-by: WANG Cong <amwang@redhat.com>


diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
index 6d98f11..424b033 100644
--- a/fs/hfs/catalog.c
+++ b/fs/hfs/catalog.c
@@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, struct qstr *src_name,
 	err = hfs_brec_find(&src_fd);
 	if (err)
 		goto out;
+	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
+		err = -EIO;
+		goto out;
+	}
 
 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
 			    src_fd.entrylength);
diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
index 7cd8cc0..9a10af6 100644
--- a/fs/hfs/dir.c
+++ b/fs/hfs/dir.c
@@ -79,6 +79,11 @@ static int hfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
 		filp->f_pos++;
 		/* fall through */
 	case 1:
+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+			err = -EIO;
+			goto out;
+		}
+
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
 		if (entry.type != HFS_CDR_THD) {
 			printk(KERN_ERR "hfs: bad catalog folder thread\n");
@@ -109,6 +114,12 @@ static int hfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
 			err = -EIO;
 			goto out;
 		}
+
+		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
+			err = -EIO;
+			goto out;
+		}
+
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
 		type = entry.type;
 		len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);
diff --git a/fs/hfs/super.c b/fs/hfs/super.c
index 9882a90..b633b66 100644
--- a/fs/hfs/super.c
+++ b/fs/hfs/super.c
@@ -385,8 +385,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent)
 	/* try to get the root inode */
 	hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
 	res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
-	if (!res)
+	if (!res) {
+		if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) {
+			res =  -EIO;
+			goto bail;
+		}
 		hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
+	}
 	if (res) {
 		hfs_find_exit(&fd);
 		goto bail_no_root;