From: Anton Arapov <aarapov@redhat.com>
Date: Thu, 13 Nov 2008 16:05:39 +0100
Subject: [fs] hfs: fix namelength memory corruption
Message-id: 20081113150539.GA10438@redhat.com
O-Subject: [RHEL5.4 PATCH] BZ470773: CVE-2008-5025 kernel: hfs: fix namelength memory corruption
Bugzilla: 470773
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Eugene Teo <eteo@redhat.com>
CVE: CVE-2008-5025
Bugzilla: 470773
Description:
Fix a stack corruption caused by a corrupted hfs filesystem. If
the catalog name length is corrupted the memcpy overwrites the catalog
btree structure. Since the field is limited to HFS_NAMELEN bytes in the
structure and the file format, we throw an error if it is too long.
Upstream status:
commit# d38b7aa7fc3371b52d036748028db50b585ade2e
Test status:
patched kernel has been successfuly built, tested for boot.
hfs module successfully inserts and removes in/from kernel.
https://brewweb.devel.redhat.com/taskinfo?taskID=1572148
Notice:
CVE-2008-5025
BZ470771 clone of this bug for RHEL4.8
==
diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
index ba85157..6d98f11 100644
--- a/fs/hfs/catalog.c
+++ b/fs/hfs/catalog.c
@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block *sb, u32 cnid,
fd->search_key->cat.ParID = rec.thread.ParID;
len = fd->search_key->cat.CName.len = rec.thread.CName.len;
+ if (len > HFS_NAMELEN) {
+ printk(KERN_ERR "hfs: bad catalog namelength\n");
+ return -EIO;
+ }
memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
return hfs_brec_find(fd);
}
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
27922b4260f65d317aabda37e42bbbff
>
files
>
1072
