linux/fs
Amerigo Wang ec81aecb29 hfs: fix a potential buffer overflow
A specially-crafted Hierarchical File System (HFS) filesystem could cause
a buffer overflow to occur in a process's kernel stack during a memcpy()
call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24).  The
attacker can provide the source buffer and length, and the destination
buffer is a local variable of a fixed length.  This local variable (passed
as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in
the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir().
Because the hfs_readdir() function executes upon any attempt to read a
directory on the filesystem, it gets called whenever a user attempts to
inspect any filesystem contents.

[amwang@redhat.com: modify this patch and fix coding style problems]
Signed-off-by: WANG Cong <amwang@redhat.com>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Dave Anderson <anderson@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-12-15 08:53:10 -08:00
..
9p 9p: fix build breakage introduced by FS-Cache 2009-12-01 07:35:11 -08:00
adfs adfs: remove redundant test on unsigned 2009-09-24 07:21:05 -07:00
affs affs: add ->sync_fs 2009-06-11 21:36:14 -04:00
afs afs: remove manual O_SYNC handling 2009-12-10 15:02:50 +01:00
autofs trivial: remove unnecessary semicolons 2009-09-21 15:14:58 +02:00
autofs4 autofs4 - fix missed case when changing to use struct path 2009-08-31 17:44:05 -10:00
befs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
bfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
btrfs vfs: Implement proper O_SYNC semantics 2009-12-10 15:02:50 +01:00
cachefiles CacheFiles: Update IMA counters when using dentry_open 2009-12-01 07:35:11 -08:00
cifs vfs: Implement proper O_SYNC semantics 2009-12-10 15:02:50 +01:00
coda sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
configfs writeback: add name to backing_dev_info 2009-09-11 09:20:26 +02:00
cramfs
debugfs debugfs: fix create mutex racy fops and private data 2009-12-11 11:24:53 -08:00
devpts devpts_get_tty() should validate inode 2009-12-11 15:18:05 -08:00
dlm Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm 2009-12-10 09:33:59 -08:00
ecryptfs ima: ecryptfs fix imbalance message 2009-10-08 11:31:38 -05:00
efs get rid of BKL in fs/efs 2009-06-17 00:36:36 -04:00
exofs exofs: Multi-device mirror support 2009-12-10 09:59:23 +02:00
exportfs
ext2 ext2: fix comment in ext2_find_entry about return values 2009-12-10 15:02:53 +01:00
ext3 ext3: PTR_ERR return of wrong pointer in setup_new_group_blocks() 2009-12-10 15:02:55 +01:00
ext4 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2009-12-14 09:58:24 -08:00
fat Merge git://git.kernel.org/pub/scm/linux/kernel/git/hirofumi/fatfs-2.6 2009-09-30 09:31:14 -07:00
freevxfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
fscache FS-Cache: Provide nop fscache_stat_d() if CONFIG_FSCACHE_STATS=n 2009-11-20 21:50:44 +00:00
fuse fuse: reject O_DIRECT flag also in fuse_create 2009-11-27 16:37:13 +01:00
gfs2 GFS2: Fix glock refcount issues 2009-12-03 12:00:12 +00:00
hfs hfs: fix a potential buffer overflow 2009-12-15 08:53:10 -08:00
hfsplus hfsplus: refuse to mount volumes larger than 2TB 2009-10-29 07:39:27 -07:00
hostfs hostfs: set maximum filesize in superblock for proper LFS support 2009-06-30 18:56:03 -07:00
hpfs headers: smp_lock.h redux 2009-07-12 12:22:34 -07:00
hppfs
hugetlbfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-09-24 08:32:11 -07:00
isofs zisofs: Implement reading of compressed files when PAGE_CACHE_SIZE > compress block size 2009-12-10 15:02:49 +01:00
jbd fs/jbd: Export log_start_commit to fix ext3 build. 2009-11-12 10:24:12 +01:00
jbd2 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2009-12-11 15:31:13 -08:00
jffs2 Merge branch 'for-next' into for-linus 2009-12-07 18:36:35 +01:00
jfs tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
lockd sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
minix V3 minixfs: add missing directory type checking 2009-09-23 07:39:57 -07:00
ncpfs tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
nfs Merge git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2009-12-14 10:00:24 -08:00
nfs_common
nfsd Fix memory corruption caused by nfsd readdir+ 2009-11-14 12:55:55 -08:00
nilfs2 nilfs2: separate wait function from nilfs_segctor_write 2009-11-30 21:17:52 +09:00
nls Merge git://git.kernel.org/pub/scm/linux/kernel/git/hirofumi/fatfs-2.6 2009-09-30 09:31:14 -07:00
notify Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
ntfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
ocfs2 quota: Move definition of QFMT_OCFS2 to linux/quota.h 2009-12-10 15:02:53 +01:00
omfs tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
openpromfs
partitions partitions: read whole sector with EFI GPT header 2009-11-23 09:29:58 +01:00
proc Merge commit 'origin/master' into next 2009-12-09 17:14:38 +11:00
qnx4 qnx4fs: add missing KERN_xxx to printk() calls 2009-11-09 09:40:57 +01:00
quota quota: Implement quota format with 64-bit space and inode limits 2009-12-10 15:02:54 +01:00
ramfs truncate: use new helpers 2009-09-24 08:41:47 -04:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
romfs ROMFS: fix length used with romfs_dev_strnlen() function 2009-10-11 11:33:56 -07:00
smbfs fs: Make unload_nls() NULL pointer safe 2009-09-24 07:47:42 -04:00
squashfs const: mark remaining super_operations const 2009-09-22 07:17:24 -07:00
sysfs sysfs: sysfs_setattr remove unnecessary permission check. 2009-12-11 11:24:54 -08:00
sysv get rid of BKL in fs/sysv 2009-06-17 00:36:37 -04:00
ubifs Merge git://git.infradead.org/ubifs-2.6 2009-12-10 09:31:45 -08:00
udf udf: Avoid IO in udf_clear_inode 2009-12-14 21:40:04 +01:00
ufs ufs: sector_t cannot be negative 2009-06-18 13:03:46 -07:00
xfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2009-12-14 09:58:24 -08:00
Kconfig powerpc: Cleanup Kconfig selection of hugetlbfs support 2009-10-30 15:03:54 +11:00
Kconfig.binfmt
Makefile
aio.c block: move bdi/address_space unplug functions to backing-dev.h 2009-10-29 13:59:26 +01:00
anon_inodes.c headers: remove sched.h from poll.h 2009-10-04 15:05:10 -07:00
attr.c truncate: new helpers 2009-09-24 08:41:47 -04:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c tree-wide: fix assorted typos all over the place 2009-12-04 15:39:55 +01:00
binfmt_elf_fdpic.c fdpic: ignore the loader's PT_GNU_STACK when calculating the stack size 2009-09-24 07:21:02 -07:00
binfmt_em86.c
binfmt_flat.c flat: use IS_ERR_VALUE() helper macro 2009-09-24 07:21:03 -07:00
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c block: Create bip slabs with embedded integrity vectors 2009-07-01 10:56:25 +02:00
bio.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2009-12-09 19:43:33 -08:00
block_dev.c Merge branch 'for-linus' into for-2.6.33 2009-11-03 21:14:39 +01:00
buffer.c Merge branch 'writeback' of git://git.kernel.dk/linux-2.6-block 2009-09-25 09:27:30 -07:00
char_dev.c fs/char_dev.c: remove useless loop 2009-09-24 07:21:03 -07:00
compat.c x86, fs: Fix x86 procfs stack information for threads on 64-bit 2009-11-04 13:25:03 +01:00
compat_binfmt_elf.c
compat_ioctl.c md: move compat_ioctl handling into md.c 2009-12-14 12:51:41 +11:00
dcache.c sched: Pull up the might_sleep() check into cond_resched() 2009-07-18 15:51:44 +02:00
dcookies.c
direct-io.c Fix regression in direct writes performance due to WRITE_ODIRECT flag removal 2009-11-26 09:46:46 +01:00
drop_caches.c sysctl: remove "struct file *" argument of ->proc_handler 2009-09-24 07:21:04 -07:00
eventfd.c anonfd: split interface into file creation and install 2009-09-23 07:39:29 -07:00
eventpoll.c sysctl: Drop & in front of every proc_handler. 2009-11-18 08:37:40 -08:00
exec.c Merge branch 'master' into next 2009-12-03 12:03:40 +05:30
fcntl.c fcntl: rename F_OWNER_GID to F_OWNER_PGRP 2009-11-17 17:40:33 -08:00
fifo.c
file.c headers: remove sched.h from interrupt.h 2009-10-11 11:20:58 -07:00
file_table.c LSM: imbed ima calls in the security hooks 2009-10-25 12:22:48 +08:00
filesystems.c
fs-writeback.c writeback: remove unused nonblocking and congestion checks 2009-12-03 13:54:25 +01:00
fs_struct.c
generic_acl.c
inode.c LSM: imbed ima calls in the security hooks 2009-10-25 12:22:48 +08:00
internal.h fs: fix overflow in sys_mount() for in-kernel calls 2009-09-24 08:40:15 -04:00
ioctl.c __generic_block_fiemap(): fix for files bigger than 4GB 2009-11-12 07:26:01 -08:00
ioprio.c
libfs.c libfs: return error code on failed attr set 2009-09-24 07:47:30 -04:00
locks.c const: make lock_manager_operations const 2009-09-22 07:17:25 -07:00
mbcache.c
mpage.c
namei.c Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs-2.6 2009-12-11 15:31:13 -08:00
namespace.c LSM: Pass original mount flags to security_sb_mount(). 2009-10-12 10:56:03 +11:00
nfsctl.c
no-block.c
open.c LSM: Move security_path_chmod()/security_path_chown() to after mutex_lock(). 2009-11-24 08:49:26 +11:00
pipe.c fs: pipe.c null pointer dereference 2009-10-22 08:11:44 +09:00
pnode.c
pnode.h
posix_acl.c
read_write.c sendfile(): check f_op.splice_write() rather than f_op.sendpage() 2009-11-04 09:09:52 +01:00
read_write.h
readdir.c
select.c headers: remove sched.h from poll.h 2009-10-04 15:05:10 -07:00
seq_file.c vfs: seq_file: add helpers for data filling 2009-09-24 07:47:35 -04:00
signalfd.c
splice.c sendfile(): check f_op.splice_write() rather than f_op.sendpage() 2009-11-04 09:09:52 +01:00
stack.c
stat.c
super.c freeze_bdev: grab active reference to frozen superblocks 2009-09-24 07:47:41 -04:00
sync.c kill wait_on_page_writeback_range 2009-12-10 15:02:50 +01:00
timerfd.c
utimes.c
xattr.c VFS: Factor out part of vfs_setxattr so it can be called from the SELinux hook for inode_setsecctx. 2009-09-10 10:11:22 +10:00
xattr_acl.c VFS: Use GFP_NOFS in posix_acl_from_xattr() 2009-12-03 11:48:07 +00:00