From: Greg Kroah-Hartman Date: Sat, 5 May 2012 00:34:14 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.3.5~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5fcf54461262486ac54cd4322b3770bde0c00ad3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: hfsplus-fix-potential-buffer-overflows.patch --- diff --git a/queue-3.0/hfsplus-fix-potential-buffer-overflows.patch b/queue-3.0/hfsplus-fix-potential-buffer-overflows.patch new file mode 100644 index 00000000000..3e761fd8536 --- /dev/null +++ b/queue-3.0/hfsplus-fix-potential-buffer-overflows.patch @@ -0,0 +1,74 @@ +From 6f24f892871acc47b40dd594c63606a17c714f77 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 4 May 2012 12:09:39 -0700 +Subject: hfsplus: Fix potential buffer overflows + +From: Greg Kroah-Hartman + +commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream. + +Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few +potential buffer overflows in the hfs filesystem. But as Timo Warns +pointed out, these changes also need to be made on the hfsplus +filesystem as well. + +Reported-by: Timo Warns +Acked-by: WANG Cong +Cc: Alexey Khoroshilov +Cc: Miklos Szeredi +Cc: Sage Weil +Cc: Eugene Teo +Cc: Roman Zippel +Cc: Al Viro +Cc: Christoph Hellwig +Cc: Alexey Dobriyan +Cc: Dave Anderson +Cc: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds + +--- + fs/hfsplus/catalog.c | 4 ++++ + fs/hfsplus/dir.c | 11 +++++++++++ + 2 files changed, 15 insertions(+) + +--- a/fs/hfsplus/catalog.c ++++ b/fs/hfsplus/catalog.c +@@ -360,6 +360,10 @@ int hfsplus_rename_cat(u32 cnid, + err = hfs_brec_find(&src_fd); + if (err) + goto out; ++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } + + hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, + src_fd.entrylength); +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -146,6 +146,11 @@ static int hfsplus_readdir(struct file * + filp->f_pos++; + /* fall through */ + case 1: ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + fd.entrylength); + if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { +@@ -177,6 +182,12 @@ static int hfsplus_readdir(struct file * + err = -EIO; + goto out; + } ++ ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + fd.entrylength); + type = be16_to_cpu(entry.type); diff --git a/queue-3.0/series b/queue-3.0/series index 8d07de8c174..6abe1fa8a66 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -45,3 +45,4 @@ rtlwifi-fix-oops-on-unload.patch wl1251-fix-crash-on-remove-due-to-premature-kfree.patch wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch sched-fix-nohz-load-accounting-again.patch +hfsplus-fix-potential-buffer-overflows.patch diff --git a/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch b/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch index 248b8826c49..f022281faeb 100644 --- a/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch +++ b/queue-3.0/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch @@ -17,7 +17,7 @@ are nonzero. All the bits in the mask should be set, not just eight of them. Signed-off-by: Alan Stern -CC: +CC: Michal Nazarewicz Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman