Author: dsd
Date: 2008-11-19 11:35:25 +0000 (Wed, 19 Nov 2008)
New Revision: 1382

Added:
genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch
genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch
Modified:
genpatches-2.6/trunk/2.6.26/0000_README
Log:
hfsplus security fixes

13 |
Modified: genpatches-2.6/trunk/2.6.26/0000_README |
14 |
=================================================================== |
15 |
--- genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:31:08 UTC (rev 1381) |
16 |
+++ genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:35:25 UTC (rev 1382) |
17 |
@@ -79,6 +79,14 @@ |
18 |
From: http://bugs.gentoo.org/246710 |
19 |
Desc: Fix hfs security issue with long catalog names |
20 |
|
21 |
+Patch: 1910_hfsplus-unchecked-page-mapping.patch |
22 |
+From: http://bugs.gentoo.org/245650 |
23 |
+Desc: Fix hfsplus security issue with corrupted images |
24 |
+ |
25 |
+Patch: 1915_hfsplus-buffer-overflow.patch |
26 |
+From: http://bugs.gentoo.org/245650 |
27 |
+Desc: Fix hfsplus potential buffer overflow |
28 |
+ |
29 |
Patch: 2400_libertas-scan-buffer-overflow.patch |
30 |
From: http://bugs.gentoo.org/247541 |
31 |
Desc: Fix libertas buffer overflow |
32 |
|
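Review bot: both new README entries point at the same tracker URL (http://bugs.gentoo.org/245650) and their Desc lines are generic ("security issue with corrupted images", "potential buffer overflow"), so nothing in the README ties either file to the upstream commit it backports. The patch headers already carry the stable ids (c4305ddc for 1910; e04d4d12 in stable, efc7ffcb upstream, for 1915), so consider naming them in Desc, e.g. `Desc: Fix hfsplus oops on unreadable allocation bitmap (upstream c4305ddc)`, the way the libertas entry below names the specific bug. A short cross-reference from 1915 to the hfs long-catalog-name entry just above it (bug 246710) would also help, since it is the hfsplus counterpart of that fix.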
33 |
Added: genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch |
34 |
=================================================================== |
35 |
--- genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch (rev 0) |
36 |
+++ genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch 2008-11-19 11:35:25 UTC (rev 1382) |
37 |
@@ -0,0 +1,106 @@ |
38 |
+From: Eric Sesterhenn <snakebyte@×××.de> |
39 |
+Date: Thu, 16 Oct 2008 05:04:10 +0000 (-0700) |
40 |
+Subject: hfsplus: check read_mapping_page() return value |
41 |
+X-Git-Tag: v2.6.27.5~4 |
42 |
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6-stable.git;a=commitdiff_plain;h=c4305ddcd753bd84a465a2a319e7846f7783b439 |
43 |
+ |
44 |
+hfsplus: check read_mapping_page() return value |
45 |
+ |
46 |
+While testing more corrupted images with hfsplus, i came across |
47 |
+one which triggered the following bug: |
48 |
+ |
49 |
+[15840.675016] BUG: unable to handle kernel paging request at fffffffb |
50 |
+[15840.675016] IP: [<c0116a4f>] kmap+0x15/0x56 |
51 |
+[15840.675016] *pde = 00008067 *pte = 00000000 |
52 |
+[15840.675016] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC |
53 |
+[15840.675016] Modules linked in: |
54 |
+[15840.675016] |
55 |
+[15840.675016] Pid: 11575, comm: ln Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #29) |
56 |
+[15840.675016] EIP: 0060:[<c0116a4f>] EFLAGS: 00010202 CPU: 0 |
57 |
+[15840.675016] EIP is at kmap+0x15/0x56 |
58 |
+[15840.675016] EAX: 00000246 EBX: fffffffb ECX: 00000000 EDX: cab919c0 |
59 |
+[15840.675016] ESI: 000007dd EDI: cab0bcf4 EBP: cab0bc98 ESP: cab0bc94 |
60 |
+[15840.675016] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 |
61 |
+[15840.675016] Process ln (pid: 11575, ti=cab0b000 task=cab919c0 task.ti=cab0b000) |
62 |
+[15840.675016] Stack: 00000000 cab0bcdc c0231cfb 00000000 cab0bce0 00000800 ca9290c0 fffffffb |
63 |
+[15840.675016] cab145d0 cab919c0 cab15998 22222222 22222222 22222222 00000001 cab15960 |
64 |
+[15840.675016] 000007dd cab0bcf4 cab0bd04 c022cb3a cab0bcf4 cab15a6c ca9290c0 00000000 |
65 |
+[15840.675016] Call Trace: |
66 |
+[15840.675016] [<c0231cfb>] ? hfsplus_block_allocate+0x6f/0x2d3 |
67 |
+[15840.675016] [<c022cb3a>] ? hfsplus_file_extend+0xc4/0x1db |
68 |
+[15840.675016] [<c022ce41>] ? hfsplus_get_block+0x8c/0x19d |
69 |
+[15840.675016] [<c06adde4>] ? sub_preempt_count+0x9d/0xab |
70 |
+[15840.675016] [<c019ece6>] ? __block_prepare_write+0x147/0x311 |
71 |
+[15840.675016] [<c0161934>] ? __grab_cache_page+0x52/0x73 |
72 |
+[15840.675016] [<c019ef4f>] ? block_write_begin+0x79/0xd5 |
73 |
+[15840.675016] [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d |
74 |
+[15840.675016] [<c019f22a>] ? cont_write_begin+0x27f/0x2af |
75 |
+[15840.675016] [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d |
76 |
+[15840.675016] [<c0139ebe>] ? tick_program_event+0x28/0x4c |
77 |
+[15840.675016] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
78 |
+[15840.675016] [<c022b723>] ? hfsplus_write_begin+0x2d/0x32 |
79 |
+[15840.675016] [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d |
80 |
+[15840.675016] [<c0161988>] ? pagecache_write_begin+0x33/0x107 |
81 |
+[15840.675016] [<c01879e5>] ? __page_symlink+0x3c/0xae |
82 |
+[15840.675016] [<c019ad34>] ? __mark_inode_dirty+0x12f/0x137 |
83 |
+[15840.675016] [<c0187a70>] ? page_symlink+0x19/0x1e |
84 |
+[15840.675016] [<c022e6eb>] ? hfsplus_symlink+0x41/0xa6 |
85 |
+[15840.675016] [<c01886a9>] ? vfs_symlink+0x99/0x101 |
86 |
+[15840.675016] [<c018a2f6>] ? sys_symlinkat+0x6b/0xad |
87 |
+[15840.675016] [<c018a348>] ? sys_symlink+0x10/0x12 |
88 |
+[15840.675016] [<c01038bd>] ? sysenter_do_call+0x12/0x31 |
89 |
+[15840.675016] ======================= |
90 |
+[15840.675016] Code: 00 00 75 10 83 3d 88 2f ec c0 02 75 07 89 d0 e8 12 56 05 00 5d c3 55 ba 06 00 00 00 89 e5 53 89 c3 b8 3d eb 7e c0 e8 16 74 00 00 <8b> 03 c1 e8 1e 69 c0 d8 02 00 00 05 b8 69 8e c0 2b 80 c4 02 00 |
91 |
+[15840.675016] EIP: [<c0116a4f>] kmap+0x15/0x56 SS:ESP 0068:cab0bc94 |
92 |
+[15840.675016] ---[ end trace 4fea40dad6b70e5f ]--- |
93 |
+ |
94 |
+This happens because the return value of read_mapping_page() is passed on |
95 |
+to kmap unchecked. The bug is triggered after the first |
96 |
+read_mapping_page() in hfsplus_block_allocate(), this patch fixes all |
97 |
+three usages in this functions but leaves the ones further down in the |
98 |
+file unchanged. |
99 |
+ |
100 |
+Signed-off-by: Eric Sesterhenn <snakebyte@×××.de> |
101 |
+Cc: Roman Zippel <zippel@××××××××××.org> |
102 |
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org> |
103 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
104 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de> |
105 |
+--- |
106 |
+ |
107 |
+diff --git a/fs/hfsplus/bitmap.c b/fs/hfsplus/bitmap.c |
108 |
+index d128a25..ea30afc 100644 |
109 |
+--- a/fs/hfsplus/bitmap.c |
110 |
++++ b/fs/hfsplus/bitmap.c |
111 |
+@@ -32,6 +32,10 @@ int hfsplus_block_allocate(struct super_block *sb, u32 size, u32 offset, u32 *ma |
112 |
+ mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex); |
113 |
+ mapping = HFSPLUS_SB(sb).alloc_file->i_mapping; |
114 |
+ page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL); |
115 |
++ if (IS_ERR(page)) { |
116 |
++ start = size; |
117 |
++ goto out; |
118 |
++ } |
119 |
+ pptr = kmap(page); |
120 |
+ curr = pptr + (offset & (PAGE_CACHE_BITS - 1)) / 32; |
121 |
+ i = offset % 32; |
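Review bot: `start = size; goto out;` reports a failed bitmap read as if the allocator had simply found no free block, and the errno carried in the error pointer (PTR_ERR(page)) is discarded. The caller therefore sees an exhausted volume rather than an I/O error, and the corrupted allocation file never gets reported. Consider at least a `printk(KERN_ERR "hfs: unable to read allocation bitmap\n")` on this path (the 1915 patch in this same commit does print on its corrupted-length case), or make the function return a negative errno that hfsplus_file_extend() can propagate. The placement itself is right: the test sits between read_mapping_page() and the kmap() whose dereference of the error pointer produced the oops in the description.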
122 |
+@@ -73,6 +77,10 @@ int hfsplus_block_allocate(struct super_block *sb, u32 size, u32 offset, u32 *ma |
123 |
+ break; |
124 |
+ page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, |
125 |
+ NULL); |
126 |
++ if (IS_ERR(page)) { |
127 |
++ start = size; |
128 |
++ goto out; |
129 |
++ } |
130 |
+ curr = pptr = kmap(page); |
131 |
+ if ((size ^ offset) / PAGE_CACHE_BITS) |
132 |
+ end = pptr + PAGE_CACHE_BITS / 32; |
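Review bot: this check is a verbatim copy of the one in the previous hunk and a third copy follows; factoring the read-plus-IS_ERR test into a small static helper (read one bitmap page, hand back the page or the error, keep the `start = size; goto out` in the caller) would stop the three sites from drifting and would make it trivial to cover the other read_mapping_page() users in this file that the description explicitly leaves unchanged. One thing to confirm from the surrounding loop, which is not in the hunk context: that the page of the previous iteration is already kunmap()ed by the time this read fails, otherwise `goto out` leaves a mapping held.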
133 |
+@@ -120,6 +128,10 @@ found: |
134 |
+ offset += PAGE_CACHE_BITS; |
135 |
+ page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, |
136 |
+ NULL); |
137 |
++ if (IS_ERR(page)) { |
138 |
++ start = size; |
139 |
++ goto out; |
140 |
++ } |
141 |
+ pptr = kmap(page); |
142 |
+ curr = pptr; |
143 |
+ end = pptr + PAGE_CACHE_BITS / 32; |
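Review bot: this hunk is in the `found:` section (per the @@ header), i.e. after the allocator has begun marking bits in the page(s) it has already walked, and `start = size; goto out;` bypasses the normal completion path. On a read failure here the bits already set in the previous page stay set, the caller is told nothing was allocated, and the free-block accounting is never adjusted, so every such failure leaks the partially allocated run. This is the one site where the copied check is not enough: either undo the bits set so far before bailing, or return an error that lets the caller treat the volume as damaged instead of retrying. Please also extend the IS_ERR() handling to the remaining read_mapping_page() callers in this file (the description says they are left unchanged); hfsplus_block_free() will dereference the same error pointer on the same image.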
144 |
|
145 |
Added: genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch |
146 |
=================================================================== |
147 |
--- genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch (rev 0) |
148 |
+++ genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch 2008-11-19 11:35:25 UTC (rev 1382) |
149 |
@@ -0,0 +1,125 @@ |
150 |
+From: Eric Sesterhenn <snakebyte@×××.de> |
151 |
+Date: Thu, 16 Oct 2008 05:04:08 +0000 (-0700) |
152 |
+Subject: hfsplus: fix Buffer overflow with a corrupted image |
153 |
+X-Git-Tag: v2.6.27.5~5 |
154 |
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6-stable.git;a=commitdiff_plain;h=e04d4d12ec20c70485c3410219704dd1ffb0ec15 |
155 |
+ |
156 |
+hfsplus: fix Buffer overflow with a corrupted image |
157 |
+ |
158 |
+commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40 upstream |
159 |
+ |
160 |
+When an hfsplus image gets corrupted it might happen that the catalog |
161 |
+namelength field gets b0rked. If we mount such an image the memcpy() in |
162 |
+hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name |
163 |
+field. Depending on the size of the overwritten data, we either only get |
164 |
+memory corruption or also trigger an oops like this: |
165 |
+ |
166 |
+[ 221.628020] BUG: unable to handle kernel paging request at c82b0000 |
167 |
+[ 221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 |
168 |
+[ 221.629066] *pde = 0ea29163 *pte = 082b0160 |
169 |
+[ 221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC |
170 |
+[ 221.629066] Modules linked in: |
171 |
+[ 221.629066] |
172 |
+[ 221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28) |
173 |
+[ 221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0 |
174 |
+[ 221.629066] EIP is at hfsplus_find_cat+0x10d/0x151 |
175 |
+[ 221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002 |
176 |
+[ 221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c |
177 |
+[ 221.629066] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 |
178 |
+[ 221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000) |
179 |
+[ 221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300 |
180 |
+[ 221.629066] 01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060 |
181 |
+[ 221.629066] 00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc |
182 |
+[ 221.629066] Call Trace: |
183 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
184 |
+[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b |
185 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
186 |
+[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b |
187 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
188 |
+[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96 |
189 |
+[ 221.629066] [<c01302d2>] ? __kernel_text_address+0x1b/0x27 |
190 |
+[ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6 |
191 |
+[ 221.629066] [<c0109e32>] ? save_stack_address+0x0/0x2c |
192 |
+[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a |
193 |
+[ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d |
194 |
+[ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d |
195 |
+[ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4 |
196 |
+[ 221.629066] [<c013553d>] ? down+0xc/0x2f |
197 |
+[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0 |
198 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
199 |
+[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b |
200 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
201 |
+[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96 |
202 |
+[ 221.629066] [<c013da5d>] ? mark_held_locks+0x43/0x5a |
203 |
+[ 221.629066] [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd |
204 |
+[ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f |
205 |
+[ 221.629066] [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58 |
206 |
+[ 221.629066] [<c013555c>] ? down+0x2b/0x2f |
207 |
+[ 221.629066] [<c022aa68>] ? hfsplus_iget+0xa0/0x154 |
208 |
+[ 221.629066] [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447 |
209 |
+[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96 |
210 |
+[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b |
211 |
+[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b |
212 |
+[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0 |
213 |
+[ 221.629066] [<c041c9e4>] ? string+0x2b/0x74 |
214 |
+[ 221.629066] [<c041cd16>] ? vsnprintf+0x2e9/0x512 |
215 |
+[ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6 |
216 |
+[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a |
217 |
+[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a |
218 |
+[ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d |
219 |
+[ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d |
220 |
+[ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4 |
221 |
+[ 221.629066] [<c01354d3>] ? up+0xc/0x2f |
222 |
+[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0 |
223 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
224 |
+[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b |
225 |
+[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd |
226 |
+[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96 |
227 |
+[ 221.629066] [<c041cfb7>] ? snprintf+0x1b/0x1d |
228 |
+[ 221.629066] [<c01ba466>] ? disk_name+0x25/0x67 |
229 |
+[ 221.629066] [<c0183960>] ? get_sb_bdev+0xcd/0x10b |
230 |
+[ 221.629066] [<c016ad92>] ? kstrdup+0x2a/0x4c |
231 |
+[ 221.629066] [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15 |
232 |
+[ 221.629066] [<c022ae39>] ? hfsplus_fill_super+0x0/0x447 |
233 |
+[ 221.629066] [<c0183583>] ? vfs_kern_mount+0x3b/0x76 |
234 |
+[ 221.629066] [<c0183602>] ? do_kern_mount+0x32/0xba |
235 |
+[ 221.629066] [<c01960d4>] ? do_new_mount+0x46/0x74 |
236 |
+[ 221.629066] [<c0196277>] ? do_mount+0x175/0x193 |
237 |
+[ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f |
238 |
+[ 221.629066] [<c01663b2>] ? __get_free_pages+0x1e/0x24 |
239 |
+[ 221.629066] [<c06ac07b>] ? lock_kernel+0x19/0x8c |
240 |
+[ 221.629066] [<c01962e6>] ? sys_mount+0x51/0x9b |
241 |
+[ 221.629066] [<c01962f9>] ? sys_mount+0x64/0x9b |
242 |
+[ 221.629066] [<c01038bd>] ? sysenter_do_call+0x12/0x31 |
243 |
+[ 221.629066] ======================= |
244 |
+[ 221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f |
245 |
+[ 221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c |
246 |
+[ 221.629066] ---[ end trace e417a1d67f0d0066 ]--- |
247 |
+ |
248 |
+Since hfsplus_cat_build_key_uni() returns void and only has one callsite, |
249 |
+the check is performed at the callsite. |
250 |
+ |
251 |
+Signed-off-by: Eric Sesterhenn <snakebyte@×××.de> |
252 |
+Reviewed-by: Pekka Enberg <penberg@×××××××××××.fi> |
253 |
+Cc: Roman Zippel <zippel@××××××××××.org> |
254 |
+Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org> |
255 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
256 |
+Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de> |
257 |
+--- |
258 |
+ |
259 |
+diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c |
260 |
+index ba117c4..f6874ac 100644 |
261 |
+--- a/fs/hfsplus/catalog.c |
262 |
++++ b/fs/hfsplus/catalog.c |
263 |
+@@ -168,6 +168,11 @@ int hfsplus_find_cat(struct super_block *sb, u32 cnid, |
264 |
+ return -EIO; |
265 |
+ } |
266 |
+ |
267 |
++ if (be16_to_cpu(tmp.thread.nodeName.length) > 255) { |
268 |
++ printk(KERN_ERR "hfs: catalog name length corrupted\n"); |
269 |
++ return -EIO; |
270 |
++ } |
271 |
++ |
272 |
+ hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID), |
273 |
+ &tmp.thread.nodeName); |
274 |
+ return hfs_brec_find(fd); |
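Review bot: the bound is the literal 255; the hfsplus headers already define HFSPLUS_MAX_STRLEN for exactly this size, so `> HFSPLUS_MAX_STRLEN` would tie the check to the unicode[] field it protects and keep it from going stale silently. The check also guards only this caller: the description states hfsplus_cat_build_key_uni() has a single callsite, which is why the check lives here, but a safer shape is to validate nodeName.length inside hfsplus_cat_build_key_uni() and give it a return value, so any future caller gets the bound for free. Minor: a crafted image can trigger this printk on every lookup, so printk_ratelimit() is worth considering; the "hfs:" prefix matches the other hfsplus messages and is fine to keep.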
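The 1915 description explains the bug as an on-disk name length larger than the 255 code units the key's name field can hold, with the memcpy() in hfsplus_cat_build_key_uni() copying past it. The following is an added userspace model of that check, written for this page and not taken from the kernel or from the patch: the struct layouts, the function names (validate_node_name, build_key_checked, demo) and the sample records are this example's own assumptions, chosen to mirror the kernel's hfsplus_unistr and catalog key shape. It goes a step beyond the patch by also rejecting a record whose stored length exceeds the bytes actually read from the node, and it keeps a canary after the name field so the test can show nothing past the buffer is written.

```c
/*
 * Added example, not the kernel's code: a userspace model of the length
 * check that 1915_hfsplus-buffer-overflow.patch adds in hfsplus_find_cat().
 * The struct layouts and names below are stand-ins for the kernel's
 * hfsplus_unistr / catalog key and are assumptions of this example; the
 * on-disk name length is a big-endian u16 as in HFS+.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HFSPLUS_MAX_STRLEN 255   /* same value as the literal 255 in the patch */

/* Stand-in for hfsplus_unistr: 16-bit length followed by UTF-16 code units. */
struct unistr {
	uint16_t length;
	uint16_t unicode[HFSPLUS_MAX_STRLEN];
};

/* Stand-in for the search key that hfsplus_cat_build_key_uni() fills in. */
struct cat_key {
	uint16_t key_len;
	uint32_t parent;
	struct unistr name;
	uint32_t canary;   /* sits right after the name; must survive every call */
};

#define CANARY 0xC0FFEE42u

/* Read a big-endian u16 from raw on-disk bytes (the kernel uses be16_to_cpu). */
static uint16_t rd_be16(const uint8_t *b)
{
	return (uint16_t)(((unsigned)b[0] << 8) | b[1]);
}

/*
 * The check the patch adds at the call site, lifted into a helper.
 * raw points at a thread record's nodeName (2-byte length + code units),
 * raw_len is the number of bytes actually read from the catalog node.
 * Returns 0 and the validated length, or -EIO as the patch does.
 */
static int validate_node_name(const uint8_t *raw, size_t raw_len, uint16_t *len_out)
{
	uint16_t len;

	if (raw_len < 2)
		return -EIO;
	len = rd_be16(raw);
	if (len > HFSPLUS_MAX_STRLEN) {
		fprintf(stderr, "hfs: catalog name length corrupted (%u)\n", (unsigned)len);
		return -EIO;
	}
	if ((size_t)2 + (size_t)len * 2 > raw_len)   /* length runs past the record */
		return -EIO;
	*len_out = len;
	return 0;
}

/* Model of hfsplus_cat_build_key_uni() with the bound enforced before any copy. */
static int build_key_checked(struct cat_key *key, uint32_t parent,
			     const uint8_t *raw, size_t raw_len)
{
	uint16_t len, i;
	int err = validate_node_name(raw, raw_len, &len);

	if (err)
		return err;
	key->parent = parent;
	key->name.length = len;
	for (i = 0; i < len; i++)
		key->name.unicode[i] = rd_be16(raw + 2 + 2 * i);
	/* this model's key_len: parent (4) + length (2) + two bytes per code unit */
	key->key_len = (uint16_t)(6 + 2 * len);
	return 0;
}

/* Constructed sample records, not taken from any real image. */
static const uint8_t good_name[]  = { 0x00, 0x03, 0x00, 'a', 0x00, 'b', 0x00, 'c' }; /* "abc" */
static const uint8_t huge_name[]  = { 0x10, 0x00, 0x00, 'x' };                       /* length 4096 */
static const uint8_t short_name[] = { 0x00, 0x05, 0x00, 'a' };                       /* claims 5, has 1 */

/* Returns 0 when the good record builds, both bad ones are rejected with
 * -EIO, and the canary after the name field is untouched. */
int demo(void)
{
	struct cat_key key;

	memset(&key, 0, sizeof key);
	key.canary = CANARY;

	if (build_key_checked(&key, 2, good_name, sizeof good_name) != 0)
		return 1;
	if (key.name.length != 3 || key.name.unicode[2] != 'c' || key.key_len != 12)
		return 2;
	if (build_key_checked(&key, 2, huge_name, sizeof huge_name) != -EIO)
		return 3;
	if (build_key_checked(&key, 2, short_name, sizeof short_name) != -EIO)
		return 4;
	if (key.canary != CANARY)
		return 5;
	return 0;
}

int main(void)
{
	int rc = demo();

	printf("%s\n", rc == 0 ? "ok" : "FAILED");
	return rc;
}
```

The second bound in validate_node_name (stored length versus bytes actually read) is the example's addition and is not in the patch; the patch only needs the 255 bound because hfsplus_find_cat() has already read a complete thread record into a fixed-size buffer before the name is consumed.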