Author: dsd |
Date: 2008-11-19 11:31:08 +0000 (Wed, 19 Nov 2008) |
New Revision: 1381 |
|
Added: |
genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch |
Modified: |
genpatches-2.6/trunk/2.6.26/0000_README |
Log: |
Fix hfs security issue with long catalog names |
|
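--- a/genpatches-2.6/trunk/2.6.26/0000_README
+++ b/genpatches-2.6/trunk/2.6.26/0000_README
@@ -75,6 +75,10 @@
 From: http://bugs.gentoo.org/233307
 Desc: Fix to add UTC timestamp option
 
+Patch: 1905_hfs-namelength-corruption.patch
+From: http://bugs.gentoo.org/246710
+Desc: Fix hfs security issue with long catalog names
+
 Patch: 2400_libertas-scan-buffer-overflow.patch
 From: http://bugs.gentoo.org/247541
 Desc: Fix libertas buffer overflow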
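--- a/genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch
+++ b/genpatches-2.6/trunk/2.6.26/1905_hfs-namelength-corruption.patch
@@ -0,0 +1,37 @@
+From: Eric Sesterhenn <snakebyte@×××.de>
+Date: Thu, 16 Oct 2008 05:04:11 +0000 (-0700)
+Subject: hfs: fix namelength memory corruption (CVE-2008-5025)
+X-Git-Tag: v2.6.27.6~2
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6-stable.git;a=commitdiff_plain;h=3c050502c4166dc12009f35eb41fabe9c900cd43
+
+hfs: fix namelength memory corruption (CVE-2008-5025)
+
+commit d38b7aa7fc3371b52d036748028db50b585ade2e upstream
+
+Fix a stack corruption caused by a corrupted hfs filesystem. If the
+catalog name length is corrupted the memcpy overwrites the catalog btree
+structure. Since the field is limited to HFS_NAMELEN bytes in the
+structure and the file format, we throw an error if it is too long.
+
+Cc: Roman Zippel <zippel@××××××××××.org>
+Signed-off-by: Eric Sesterhenn <snakebyte@×××.de>
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
+---
+
+diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c
+index ba85157..6d98f11 100644
+--- a/fs/hfs/catalog.c
++++ b/fs/hfs/catalog.c
+@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block *sb, u32 cnid,
+ 
+ fd->search_key->cat.ParID = rec.thread.ParID;
+ len = fd->search_key->cat.CName.len = rec.thread.CName.len;
++ if (len > HFS_NAMELEN) {
++ printk(KERN_ERR "hfs: bad catalog namelength\n");
++ return -EIO;
++ }
+ memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
+ return hfs_brec_find(fd);
+ }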
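Review bot: The new bound check in hfs_cat_find_brec runs after `len = fd->search_key->cat.CName.len = rec.thread.CName.len;` has already stored the unvalidated length in the search key, so on the -EIO path fd->search_key is left holding a CName.len larger than HFS_NAMELEN. Callers presumably discard fd on error, but validating before the store keeps the key consistent: `len = rec.thread.CName.len;` then `if (len > HFS_NAMELEN) { printk(KERN_ERR "hfs: bad catalog namelength\n"); return -EIO; }` then `fd->search_key->cat.CName.len = len;`. The printk is unconditional, so a corrupted image that is probed repeatedly can fill the log; gating it on printk_ratelimit() would be worth considering. hfs_cat_find_brec begins outside the hunk, so the declared type of len is not visible here.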