From patchwork Thu May 24 13:21:44 2012
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 161137
Message-ID: <4FBE35E8.2030200@canonical.com>
Date: Thu, 24 May 2012 07:21:44 -0600
From: Tim Gardner
To: Brad Figg
Cc: kernel-team@lists.ubuntu.com
Subject: Re: [PATCH 0/1] [CVE-2012-2319] hfsplus: Fix potential buffer overflows
References: <1337829716-17315-1-git-send-email-brad.figg@canonical.com>
In-Reply-To: <1337829716-17315-1-git-send-email-brad.figg@canonical.com>

On 05/23/2012 09:21 PM, Brad Figg wrote:
> Following this cover-letter is a single patch that applies the same CVE
> fix to the xen and openvz sections of the Hardy git tree.
>
> CVE-2012-2319
>
> Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
> potential buffer overflows in the hfs filesystem. But as Timo Warns
> pointed out, these changes also need to be made on the hfsplus
> filesystem as well.
>
> Greg Kroah-Hartman (1):
>   hfsplus: Fix potential buffer overflows
>
>  fs/hfsplus/catalog.c |  4 ++++
>  fs/hfsplus/dir.c     | 11 +++++++++++
>  2 files changed, 15 insertions(+)
>

I'm a bit confused. Is there any reason that this patch shouldn't also
apply to the regular hfsplus files, e.g., as in the attached patch?

rtg

From fe5fe1b526c410aa7a4daffca6fcf82b8c879db3 Mon Sep 17 00:00:00 2001
From: Brad Figg Date: Wed, 23 May 2012 20:21:56 -0700 Subject: [PATCH] hfsplus: Fix potential buffer overflows CVE-2012-2319 Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few potential buffer overflows in the hfs filesystem. But as Timo Warns pointed out, these changes also need to be made on the hfsplus filesystem as well. Reported-by: Timo Warns Acked-by: WANG Cong Cc: Alexey Khoroshilov Cc: Miklos Szeredi Cc: Sage Weil Cc: Eugene Teo Cc: Roman Zippel Cc: Al Viro Cc: Christoph Hellwig Cc: Alexey Dobriyan Cc: Dave Anderson Cc: stable Cc: Andrew Morton Signed-off-by: Greg Kroah-Hartman Signed-off-by: Linus Torvalds (backported from commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream) Signed-off-by: Brad Figg Acked-by: Stefan Bader Signed-off-by: Tim Gardner --- .../openvz/src/fs/hfsplus/catalog.c | 4 ++++ debian/binary-custom.d/openvz/src/fs/hfsplus/dir.c | 11 +++++++++++ .../binary-custom.d/xen/src/fs/hfsplus/catalog.c | 4 ++++ debian/binary-custom.d/xen/src/fs/hfsplus/dir.c | 11 +++++++++++ fs/hfsplus/catalog.c | 4 ++++ fs/hfsplus/dir.c | 11 +++++++++++ 6 files changed, 45 insertions(+) diff --git a/debian/binary-custom.d/openvz/src/fs/hfsplus/catalog.c b/debian/binary-custom.d/openvz/src/fs/hfsplus/catalog.c index f6874ac..8a7cbcf 100644 --- a/debian/binary-custom.d/openvz/src/fs/hfsplus/catalog.c +++ b/debian/binary-custom.d/openvz/src/fs/hfsplus/catalog.c @@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid, err = hfs_brec_find(&src_fd); if (err) goto out; + if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { + err = -EIO; + goto out; + } hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, src_fd.entrylength); diff --git a/debian/binary-custom.d/openvz/src/fs/hfsplus/dir.c b/debian/binary-custom.d/openvz/src/fs/hfsplus/dir.c index 078684f..2d57b2b 100644 --- a/debian/binary-custom.d/openvz/src/fs/hfsplus/dir.c +++ b/debian/binary-custom.d/openvz/src/fs/hfsplus/dir.c 
@@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) filp->f_pos++; /* fall through */ case 1: + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { printk(KERN_ERR "hfs: bad catalog folder thread\n"); @@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) err = -EIO; goto out; } + + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); type = be16_to_cpu(entry.type); len = HFSPLUS_MAX_STRLEN; diff --git a/debian/binary-custom.d/xen/src/fs/hfsplus/catalog.c b/debian/binary-custom.d/xen/src/fs/hfsplus/catalog.c index f6874ac..8a7cbcf 100644 --- a/debian/binary-custom.d/xen/src/fs/hfsplus/catalog.c +++ b/debian/binary-custom.d/xen/src/fs/hfsplus/catalog.c @@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid, err = hfs_brec_find(&src_fd); if (err) goto out; + if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { + err = -EIO; + goto out; + } hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, src_fd.entrylength); diff --git a/debian/binary-custom.d/xen/src/fs/hfsplus/dir.c b/debian/binary-custom.d/xen/src/fs/hfsplus/dir.c index 078684f..2d57b2b 100644 --- a/debian/binary-custom.d/xen/src/fs/hfsplus/dir.c +++ b/debian/binary-custom.d/xen/src/fs/hfsplus/dir.c @@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) filp->f_pos++; /* fall through */ case 1: + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { printk(KERN_ERR "hfs: bad catalog folder thread\n"); 
@@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) err = -EIO; goto out; } + + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); type = be16_to_cpu(entry.type); len = HFSPLUS_MAX_STRLEN; diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c index f6874ac..8a7cbcf 100644 --- a/fs/hfsplus/catalog.c +++ b/fs/hfsplus/catalog.c @@ -329,6 +329,10 @@ int hfsplus_rename_cat(u32 cnid, err = hfs_brec_find(&src_fd); if (err) goto out; + if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { + err = -EIO; + goto out; + } hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, src_fd.entrylength); diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c index 078684f..2d57b2b 100644 --- a/fs/hfsplus/dir.c +++ b/fs/hfsplus/dir.c @@ -138,6 +138,11 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) filp->f_pos++; /* fall through */ case 1: + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { printk(KERN_ERR "hfs: bad catalog folder thread\n"); @@ -168,6 +173,12 @@ static int hfsplus_readdir(struct file *filp, void *dirent, filldir_t filldir) err = -EIO; goto out; } + + if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { + err = -EIO; + goto out; + } + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); type = be16_to_cpu(entry.type); len = HFSPLUS_MAX_STRLEN; -- 1.7.9.5
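Review bot: in the hfsplus_rename_cat hunk (@@ -329, identical in the openvz, xen and fs/hfsplus copies of catalog.c), the second half of `if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0)` deserves a one-line comment: if `entrylength` is a signed int, as the `< 0` test implies, the comparison against `sizeof(entry)` already converts a negative value to a huge size_t and rejects it, so the `< 0` clause is defensive redundancy rather than a separate case. Keeping it is fine, but a reader should not conclude that the first comparison alone lets negative lengths through. Placement is right: the guard sits between the successful hfs_brec_find() and the hfs_bnode_read() into the on-stack `entry`, so an oversized catalog record from a corrupted image now fails with -EIO instead of overrunning `entry`.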
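Review bot: in the `case 1:` hunk of hfsplus_readdir (@@ -138, same in all three dir.c copies), the new length check fails silently with -EIO, whereas the failure path two lines below it logs `printk(KERN_ERR "hfs: bad catalog folder thread\n")`. Consider adding a matching KERN_ERR message before the `goto out` so that a filesystem image that trips this bound shows up in the kernel log rather than only as a bare I/O error from readdir; that is what lets an administrator distinguish on-disk corruption from a device fault, and it is the cheapest detection signal this fix can provide.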
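Review bot: the second hfsplus_readdir hunk (@@ -168) is the third verbatim copy of the same four-line guard within these two files, and with the openvz and xen trees it is repeated nine times in this patch; a small static inline helper taking the find_data and `sizeof(entry)` would stop the copies from drifting when the next backport touches only one tree, which is exactly the gap this submission exists to close. For a minimal CVE backport that mirrors upstream commit 6f24f892871acc47b40dd594c63606a17c714f77 line for line, leaving the duplication is acceptable, but it should be a conscious choice. The check itself is correctly placed inside the per-entry loop, after the existing `err = -EIO; goto out;` block and before hfs_bnode_read(), so every record read while iterating the directory is bounded, not just the first.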