[kernel] r15160 - in dists/etch-security/linux-2.6/debian: . patches/bugfix/all patches/series
Dann Frazier
dannf at alioth.debian.org
Tue Feb 16 01:56:45 UTC 2010
Author: dannf
Date: Tue Feb 16 01:56:43 2010
New Revision: 15160
Log:
hfs: fix a potential buffer overflow (CVE-2009-4020)
Added:
dists/etch-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
Modified:
dists/etch-security/linux-2.6/debian/changelog
dists/etch-security/linux-2.6/debian/patches/series/26etch2
Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog Tue Feb 16 01:54:12 2010 (r15159)
+++ dists/etch-security/linux-2.6/debian/changelog Tue Feb 16 01:56:43 2010 (r15160)
@@ -4,6 +4,7 @@
* NFSv4: Fix a problem whereby a buggy server can oops the kernel
(CVE-2009-3726)
* isdn: hfc_usb: Fix read buffer overflow (CVE-2009-4005)
+ * hfs: fix a potential buffer overflow (CVE-2009-4020)
-- dann frazier <dannf at debian.org> Mon, 15 Feb 2010 18:32:14 -0700
Added: dists/etch-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/all/hfs-fix-a-potential-buffer-overflow.patch Tue Feb 16 01:56:43 2010 (r15160)
@@ -0,0 +1,74 @@
+commit 915e0d61e40ee2999377d6ce5d6426b6fce7f7e8
+Author: dann frazier <dannf at hp.com>
+Date: Mon Feb 15 18:54:55 2010 -0700
+
+ [Adjusted to apply to Debian's 2.6.18]
+ commit ec81aecb29668ad71f699f4e7b96ec46691895b6
+ Author: Amerigo Wang <amwang at redhat.com>
+ Date: Mon Dec 14 17:57:37 2009 -0800
+
+ hfs: fix a potential buffer overflow
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index 6d98f11..424b033 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, struct qstr *src_name,
+ err = hfs_brec_find(&src_fd);
+ if (err)
+ goto out;
++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
+
+ hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+ src_fd.entrylength);
+diff --git a/fs/hfs/dir.c b/fs/hfs/dir.c
+index 7cd8cc0..9a10af6 100644
+--- a/fs/hfs/dir.c
++++ b/fs/hfs/dir.c
+@@ -79,6 +79,11 @@ static int hfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ filp->f_pos++;
+ /* fall through */
+ case 1:
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ if (entry.type != HFS_CDR_THD) {
+ printk(KERN_ERR "hfs: bad catalog folder thread\n");
+@@ -109,6 +114,12 @@ static int hfs_readdir(struct file *filp, void *dirent, filldir_t filldir)
+ err = -EIO;
+ goto out;
+ }
++
++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++ err = -EIO;
++ goto out;
++ }
++
+ hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
+ type = entry.type;
+ len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);
+diff --git a/fs/hfs/super.c b/fs/hfs/super.c
+index 9882a90..b633b66 100644
+--- a/fs/hfs/super.c
++++ b/fs/hfs/super.c
+@@ -385,8 +385,13 @@ static int hfs_fill_super(struct super_block *sb, void *data, int silent)
+ /* try to get the root inode */
+ hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
+ res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
+- if (!res)
++ if (!res) {
++ if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) {
++ res = -EIO;
++ goto bail;
++ }
+ hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
++ }
+ if (res) {
+ hfs_find_exit(&fd);
+ goto bail_no_root;
Modified: dists/etch-security/linux-2.6/debian/patches/series/26etch2
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/26etch2 Tue Feb 16 01:54:12 2010 (r15159)
+++ dists/etch-security/linux-2.6/debian/patches/series/26etch2 Tue Feb 16 01:56:43 2010 (r15160)
@@ -1,3 +1,4 @@
+ bugfix/all/gdth-prevent-negative-offsets-in-ioctl.patch
+ bugfix/all/nfsv4-buggy-server-oops.patch
+ bugfix/all/isdn-hfc_usb-fix-read-buffer-overflow.patch
++ bugfix/all/hfs-fix-a-potential-buffer-overflow.patch
More information about the Kernel-svn-changes
mailing list