From d88073a4e40e647bde3f4cc689a23611d9cf4277 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 4 May 2012 17:33:27 -0700 Subject: [PATCH] 3.3-stable patches added patches: hfsplus-fix-potential-buffer-overflows.patch --- ...splus-fix-potential-buffer-overflows.patch | 74 +++++++++++++++++++ queue-3.3/series | 1 + ...rong-error-code-for-unknown-commands.patch | 2 +- 3 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 queue-3.3/hfsplus-fix-potential-buffer-overflows.patch diff --git a/queue-3.3/hfsplus-fix-potential-buffer-overflows.patch b/queue-3.3/hfsplus-fix-potential-buffer-overflows.patch new file mode 100644 index 00000000000..81e2a573316 --- /dev/null +++ b/queue-3.3/hfsplus-fix-potential-buffer-overflows.patch @@ -0,0 +1,74 @@ +From 6f24f892871acc47b40dd594c63606a17c714f77 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 4 May 2012 12:09:39 -0700 +Subject: hfsplus: Fix potential buffer overflows + +From: Greg Kroah-Hartman + +commit 6f24f892871acc47b40dd594c63606a17c714f77 upstream. + +Commit ec81aecb2966 ("hfs: fix a potential buffer overflow") fixed a few +potential buffer overflows in the hfs filesystem. But as Timo Warns +pointed out, these changes also need to be made on the hfsplus +filesystem as well. + +Reported-by: Timo Warns +Acked-by: WANG Cong +Cc: Alexey Khoroshilov +Cc: Miklos Szeredi +Cc: Sage Weil +Cc: Eugene Teo +Cc: Roman Zippel +Cc: Al Viro +Cc: Christoph Hellwig +Cc: Alexey Dobriyan +Cc: Dave Anderson +Cc: Andrew Morton +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds + +--- + fs/hfsplus/catalog.c | 4 ++++ + fs/hfsplus/dir.c | 11 +++++++++++ + 2 files changed, 15 insertions(+) + +--- a/fs/hfsplus/catalog.c ++++ b/fs/hfsplus/catalog.c +@@ -366,6 +366,10 @@ int hfsplus_rename_cat(u32 cnid, + err = hfs_brec_find(&src_fd); + if (err) + goto out; ++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } + + hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, + src_fd.entrylength); +--- a/fs/hfsplus/dir.c ++++ b/fs/hfsplus/dir.c +@@ -150,6 +150,11 @@ static int hfsplus_readdir(struct file * + filp->f_pos++; + /* fall through */ + case 1: ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + fd.entrylength); + if (be16_to_cpu(entry.type) != HFSPLUS_FOLDER_THREAD) { +@@ -181,6 +186,12 @@ static int hfsplus_readdir(struct file * + err = -EIO; + goto out; + } ++ ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, + fd.entrylength); + type = be16_to_cpu(entry.type); diff --git a/queue-3.3/series b/queue-3.3/series index bce1629cc4b..502df7f93d1 100644 --- a/queue-3.3/series +++ b/queue-3.3/series @@ -73,3 +73,4 @@ iwlwifi-do-not-nulify-ctx-vif-on-reset.patch iwlwifi-use-correct-released-ucode-version.patch iwlwifi-fix-hardware-queue-programming.patch iwlwifi-use-6000g2b-for-6030-device-series.patch +hfsplus-fix-potential-buffer-overflows.patch diff --git a/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch b/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch index d209d9d303f..69a869ddf6d 100644 --- a/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch +++ b/queue-3.3/usb-gadget-storage-gadgets-send-wrong-error-code-for-unknown-commands.patch @@ -17,7 +17,7 @@ are nonzero. All the bits in the mask should be set, not just eight of them. Signed-off-by: Alan Stern -CC: +CC: Michal Nazarewicz Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman -- 2.47.3