From: Anton Arapov <aarapov@redhat.com>
Date: Thu, 13 Nov 2008 16:13:07 +0100
Subject: [fs] hfsplus: fix buffer overflow with a corrupted image
Message-id: 20081113151306.GF10438@redhat.com
O-Subject: [RHEL5.4 PATCH] BZ469638: CVE-2008-4933 kernel: hfsplus: fix Buffer overflow with a corrupted image
Bugzilla: 469638
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Eugene Teo <eteo@redhat.com>

CVE: CVE-2008-4933
Bugzilla: 469638

Description:
When an hfsplus image gets corrupted it might happen that the catalog namelength field gets b0rked. If we mount such an image the memcpy() in hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name field. Depending on the size of the overwritten data, we either only get memory corruption or also trigger an oops.

Upstream status: commit# efc7ffcb4237f8cb9938909041c4ed38f6e1bf40

Test status: patched kernel has been successfully built, tested for boot. The hfsplus module successfully inserts into and removes from the kernel.
https://brewweb.devel.redhat.com/taskinfo?taskID=1572078

Notice: CVE-2008-4933 BZ469636 clone of this bug for RHEL4.8

==
diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index f2d7c49..3de2349 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -169,6 +169,11 @@ int hfsplus_find_cat(struct super_block *sb, u32 cnid, return -EIO; } + if (be16_to_cpu(tmp.thread.nodeName.length) > 255) { + printk(KERN_ERR "hfs: catalog name length corrupted\n"); + return -EIO; + } + hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID), &tmp.thread.nodeName); return hfs_brec_find(fd);
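Review bot: the new length check in hfsplus_find_cat() guards only this one call site, while the description places the actual overflow in the memcpy() inside hfsplus_cat_build_key_uni(); any other path that hands an on-disk nodeName to that function with an unvalidated length would still overflow, so consider also bounding the copy inside hfsplus_cat_build_key_uni() itself (or at least confirming in the commit message that hfsplus_find_cat() is the only caller that reaches it with untrusted data). Two smaller points on the same hunk: the literal 255 is the capacity of the name field according to the description, so expressing it in terms of that field's size rather than a bare constant would keep the check and the buffer in sync if the structure ever changes; and the printk prefix "hfs:" in an hfsplus source file may make the message harder to attribute in logs, so "hfsplus:" would be clearer for whoever is diagnosing a failed mount of a damaged image.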