3.0-stable patches

added patches:
	hfsplus-fix-potential-buffer-overflows.patch

diff --git a/queue-3.0/hfsplus-fix-potential-buffer-overflows.patch b/queue-3.0/hfsplus-fix-potential-buffer-overflows.patch
new file mode 100644 (file)
index 0000000..3e761fd
--- /dev/null
+++ b/queue-3.0/hfsplus-fix-potential-buffer-overflows.patch
@@ -0,0 +1,74 @@
+From 6f24f892871acc47b40dd594c63606a17c714f77 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 4 May 2012 12:09:39 -0700
+Subject: hfsplus: Fix potential buffer overflows
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream.
+
+Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few
+potential buffer overflows in the hfs filesystem.  But as Timo Warns
+pointed out, these changes also need to be made on the hfsplus
+filesystem as well.
+
+Reported-by: Timo Warns <warns@pre-sense.de>
+Acked-by: WANG Cong <amwang@redhat.com>
+Cc: Alexey Khoroshilov <khoroshilov@ispras.ru>
+Cc: Miklos Szeredi <mszeredi@suse.cz>
+Cc: Sage Weil <sage@newdream.net>
+Cc: Eugene Teo <eteo@redhat.com>
+Cc: Roman Zippel <zippel@linux-m68k.org>
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Alexey Dobriyan <adobriyan@gmail.com>
+Cc: Dave Anderson <anderson@redhat.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ fs/hfsplus/catalog.c |    4 ++++
+ fs/hfsplus/dir.c     |   11 +++++++++++
+ 2 files changed, 15 insertions(+)
+
+--- a/fs/hfsplus/catalog.c
++++ b/fs/hfsplus/catalog.c
+@@ -360,6 +360,10 @@ int hfsplus_rename_cat(u32 cnid,
+       err = hfs_brec_find(&src_fd);
+       if (err)
+               goto out;
++      if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) {
++              err = -EIO;
++              goto out;
++      }
+ 
+       hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
+                               src_fd.entrylength);
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -146,6 +146,11 @@ static int hfsplus_readdir(struct file *
+               filp->f_pos++;
+               /* fall through */
+       case 1:
++              if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++                      err = -EIO;
++                      goto out;
++              }
++
+               hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+                       fd.entrylength);
+               if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) {
+@@ -177,6 +182,12 @@ static int hfsplus_readdir(struct file *
+                       err = -EIO;
+                       goto out;
+               }
++
++              if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) {
++                      err = -EIO;
++                      goto out;
++              }
++
+               hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
+                       fd.entrylength);
+               type = be16_to_cpu(entry.type);

diff --git a/queue-3.0/series b/queue-3.0/series
index 8d07de8c174646a3120856a9cf6710921c9e5fc2..6abe1fa8a66af5bd55f3f690d789c08d6635cea7 100644 (file)
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -45,3 +45,4 @@ rtlwifi-fix-oops-on-unload.patch
 wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
 wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
 sched-fix-nohz-load-accounting-again.patch
+hfsplus-fix-potential-buffer-overflows.patch

diff --git a/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch b/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
index 248b8826c49d14ddcf0f2fbb763cd6d1d887f856..f022281faebdea50702a94b39523af88b008cb58 100644 (file)
--- a/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
+++ b/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch
@@ -17,7 +17,7 @@ are nonzero.  All the bits in the mask should be set, not just eight
 of them.
 
 Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
-CC: <Michal Nazarewicz <mina86@mina86.com>
+CC: Michal Nazarewicz <mina86@mina86.com>
 Signed-off-by: Felipe Balbi <balbi@ti.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>