[kernel] r15075 - in dists/etch-security/linux-2.6.24/debian: . patches/bugfix/all patches/series

Mon Feb 1 04:34:37 UTC 2010

Author: dannf
Date: Mon Feb  1 04:34:34 2010
New Revision: 15075

Log:
hfs: fix a potential buffer overflow (CVE-2009-4020)

Added:
   dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
      - copied unchanged from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
Modified:
   dists/etch-security/linux-2.6.24/debian/changelog
   dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2

Modified: dists/etch-security/linux-2.6.24/debian/changelog
==============================================================================

--- dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 02:55:42 2010	(r15074)
+++ dists/etch-security/linux-2.6.24/debian/changelog	Mon Feb  1 04:34:34 2010	(r15075)
@@ -10,6 +10,7 @@
   * [SCSI] megaraid_sas: remove sysfs dbg_lvl world writeable permissions
     (CVE-2009-3889)
   * isdn: hfc_usb: Fix read buffer overflow (CVE-2009-4005)
+  * hfs: fix a potential buffer overflow (CVE-2009-4020)
 
  -- dann frazier <dannf at debian.org>  Sun, 31 Jan 2010 17:17:52 -0700
 

Copied: dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch (from r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch)
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/etch-security/linux-2.6.24/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch	Mon Feb  1 04:34:34 2010	(r15075, copy of r15068, dists/lenny-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch)
@@ -0,0 +1,92 @@
+commit ec81aecb29668ad71f699f4e7b96ec46691895b6
+Author: Amerigo Wang <amwang at redhat.com>
+Date:   Mon Dec 14 17:57:37 2009 -0800
+
+    hfs: fix a potential buffer overflow
+    
+    A specially-crafted Hierarchical File System (HFS) filesystem could cause
+    a buffer overflow to occur in a process's kernel stack during a memcpy()
+    call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24).  The
+    attacker can provide the source buffer and length, and the destination
+    buffer is a local variable of a fixed length.  This local variable (passed
+    as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in
+    the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir().
+    Because the hfs_readdir() function executes upon any attempt to read a
+    directory on the filesystem, it gets called whenever a user attempts to
+    inspect any filesystem contents.
+    
+    [amwang at redhat.com: modify this patch and fix coding style problems]
+    Signed-off-by: WANG Cong <amwang at redhat.com>
+    Cc: Eugene Teo <eteo at redhat.com>
+    Cc: Roman Zippel <zippel at linux-m68k.org>
+    Cc: Al Viro <viro at zeniv.linux.org.uk>
+    Cc: Christoph Hellwig <hch at lst.de>
+    Cc: Alexey Dobriyan <adobriyan at gmail.com>
+    Cc: Dave Anderson <anderson at redhat.com>
+    Cc: <stable at kernel.org>
+    Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index 6d98f11..424b033 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, struct qstr *src_name,
+ 	err = hfs_brec_find(&src_fd);
+ 	if (err)
+ 		goto out;
++	if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++		err = -EIO;
++		goto out;
++	}
+ 
+ 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ 			    src_fd.entrylength);
+diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
+index 7c69b98..2b3b861 100644
+--- a/fs/hfs/dir.c
++++ b/fs/hfs/dir.c
+@@ -79,6 +79,11 @@ static int hfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 		filp->f_pos++;
+ 		/* fall through */
+ 	case 1:
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ 		if (entry.type != HFS_CDR_THD) {
+ 			printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -109,6 +114,12 @@ static int hfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ 			err = -EIO;
+ 			goto out;
+ 		}
++
++		if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++			err = -EIO;
++			goto out;
++		}
++
+ 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ 		type = entry.type;
+ 		len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);
+diff --git a/fs/hfs/super.c b/fs/hfs/super.c
+index f7fcbe4..5ed7252 100644
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -409,8 +409,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent)
+ 	/* try to get the root inode */
+ 	hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
+ 	res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
+-	if (!res)
++	if (!res) {
++		if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) {
++			res =  -EIO;
++			goto bail;
++		}
+ 		hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
++	}
+ 	if (res) {
+ 		hfs_find_exit(&fd);
+ 		goto bail_no_root;

Modified: dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2
==============================================================================
--- dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 02:55:42 2010	(r15074)
+++ dists/etch-security/linux-2.6.24/debian/patches/series/6~etchnhalf.9etch2	Mon Feb  1 04:34:34 2010	(r15075)
@@ -9,3 +9,4 @@
 + bugfix/all/nfsv4-buggy-server-oops.patch
 + bugfix/all/megaraid_sas-fix-sysfs-dbg_lvl-permissions.patch
 + bugfix/all/isdn-hfc_usb-fix-read-buffer-overflow.patch
++ bugfix/all/hfs-fix-a-potential-buffer-overflow.patch

