Gentoo Archives: gentoo-commits

From: "Daniel Drake (dsd)" <dsd@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r1382 - genpatches-2.6/trunk/2.6.26
Date: Wed, 19 Nov 2008 11:35:28
Message-Id: E1L2lLC-00074E-4P@stork.gentoo.org
1 Author: dsd
2 Date: 2008-11-19 11:35:25 +0000 (Wed, 19 Nov 2008)
3 New Revision: 1382
4
5 Added:
6 genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch
7 genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch
8 Modified:
9 genpatches-2.6/trunk/2.6.26/0000_README
10 Log:
11 hfsplus security fixes
12
13 Modified: genpatches-2.6/trunk/2.6.26/0000_README
14 ===================================================================
15 --- genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:31:08 UTC (rev 1381)
16 +++ genpatches-2.6/trunk/2.6.26/0000_README 2008-11-19 11:35:25 UTC (rev 1382)
17 @@ -79,6 +79,14 @@
18 From: http://bugs.gentoo.org/246710
19 Desc: Fix hfs security issue with long catalog names
20
21 +Patch: 1910_hfsplus-unchecked-page-mapping.patch
22 +From: http://bugs.gentoo.org/245650
23 +Desc: Fix hfsplus security issue with corrupted images
24 +
25 +Patch: 1915_hfsplus-buffer-overflow.patch
26 +From: http://bugs.gentoo.org/245650
27 +Desc: Fix hfsplus potential buffer overflow
28 +
29 Patch: 2400_libertas-scan-buffer-overflow.patch
30 From: http://bugs.gentoo.org/247541
31 Desc: Fix libertas buffer overflow
32
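Review bot: the two new Desc lines do not distinguish the fixes from each other or from the existing hfs entry just above them (`Desc: Fix hfs security issue with long catalog names`); since both new patches also concern corrupted images, consider describing each by the check it adds, e.g. `Desc: Fix hfsplus oops: check read_mapping_page() return value` and `Desc: Fix hfsplus buffer overflow: reject catalog name length > 255`, and mention the upstream stable tag (v2.6.27.5) that the patch headers carry so the README alone shows these are backports rather than Gentoo-local changes.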
33 Added: genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch
34 ===================================================================
35 --- genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch (rev 0)
36 +++ genpatches-2.6/trunk/2.6.26/1910_hfsplus-unchecked-page-mapping.patch 2008-11-19 11:35:25 UTC (rev 1382)
37 @@ -0,0 +1,106 @@
38 +From: Eric Sesterhenn <snakebyte@×××.de>
39 +Date: Thu, 16 Oct 2008 05:04:10 +0000 (-0700)
40 +Subject: hfsplus: check read_mapping_page() return value
41 +X-Git-Tag: v2.6.27.5~4
42 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6-stable.git;a=commitdiff_plain;h=c4305ddcd753bd84a465a2a319e7846f7783b439
43 +
44 +hfsplus: check read_mapping_page() return value
45 +
46 +While testing more corrupted images with hfsplus, i came across
47 +one which triggered the following bug:
48 +
49 +[15840.675016] BUG: unable to handle kernel paging request at fffffffb
50 +[15840.675016] IP: [<c0116a4f>] kmap+0x15/0x56
51 +[15840.675016] *pde = 00008067 *pte = 00000000
52 +[15840.675016] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
53 +[15840.675016] Modules linked in:
54 +[15840.675016]
55 +[15840.675016] Pid: 11575, comm: ln Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #29)
56 +[15840.675016] EIP: 0060:[<c0116a4f>] EFLAGS: 00010202 CPU: 0
57 +[15840.675016] EIP is at kmap+0x15/0x56
58 +[15840.675016] EAX: 00000246 EBX: fffffffb ECX: 00000000 EDX: cab919c0
59 +[15840.675016] ESI: 000007dd EDI: cab0bcf4 EBP: cab0bc98 ESP: cab0bc94
60 +[15840.675016] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
61 +[15840.675016] Process ln (pid: 11575, ti=cab0b000 task=cab919c0 task.ti=cab0b000)
62 +[15840.675016] Stack: 00000000 cab0bcdc c0231cfb 00000000 cab0bce0 00000800 ca9290c0 fffffffb
63 +[15840.675016] cab145d0 cab919c0 cab15998 22222222 22222222 22222222 00000001 cab15960
64 +[15840.675016] 000007dd cab0bcf4 cab0bd04 c022cb3a cab0bcf4 cab15a6c ca9290c0 00000000
65 +[15840.675016] Call Trace:
66 +[15840.675016] [<c0231cfb>] ? hfsplus_block_allocate+0x6f/0x2d3
67 +[15840.675016] [<c022cb3a>] ? hfsplus_file_extend+0xc4/0x1db
68 +[15840.675016] [<c022ce41>] ? hfsplus_get_block+0x8c/0x19d
69 +[15840.675016] [<c06adde4>] ? sub_preempt_count+0x9d/0xab
70 +[15840.675016] [<c019ece6>] ? __block_prepare_write+0x147/0x311
71 +[15840.675016] [<c0161934>] ? __grab_cache_page+0x52/0x73
72 +[15840.675016] [<c019ef4f>] ? block_write_begin+0x79/0xd5
73 +[15840.675016] [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
74 +[15840.675016] [<c019f22a>] ? cont_write_begin+0x27f/0x2af
75 +[15840.675016] [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
76 +[15840.675016] [<c0139ebe>] ? tick_program_event+0x28/0x4c
77 +[15840.675016] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
78 +[15840.675016] [<c022b723>] ? hfsplus_write_begin+0x2d/0x32
79 +[15840.675016] [<c022cdb5>] ? hfsplus_get_block+0x0/0x19d
80 +[15840.675016] [<c0161988>] ? pagecache_write_begin+0x33/0x107
81 +[15840.675016] [<c01879e5>] ? __page_symlink+0x3c/0xae
82 +[15840.675016] [<c019ad34>] ? __mark_inode_dirty+0x12f/0x137
83 +[15840.675016] [<c0187a70>] ? page_symlink+0x19/0x1e
84 +[15840.675016] [<c022e6eb>] ? hfsplus_symlink+0x41/0xa6
85 +[15840.675016] [<c01886a9>] ? vfs_symlink+0x99/0x101
86 +[15840.675016] [<c018a2f6>] ? sys_symlinkat+0x6b/0xad
87 +[15840.675016] [<c018a348>] ? sys_symlink+0x10/0x12
88 +[15840.675016] [<c01038bd>] ? sysenter_do_call+0x12/0x31
89 +[15840.675016] =======================
90 +[15840.675016] Code: 00 00 75 10 83 3d 88 2f ec c0 02 75 07 89 d0 e8 12 56 05 00 5d c3 55 ba 06 00 00 00 89 e5 53 89 c3 b8 3d eb 7e c0 e8 16 74 00 00 <8b> 03 c1 e8 1e 69 c0 d8 02 00 00 05 b8 69 8e c0 2b 80 c4 02 00
91 +[15840.675016] EIP: [<c0116a4f>] kmap+0x15/0x56 SS:ESP 0068:cab0bc94
92 +[15840.675016] ---[ end trace 4fea40dad6b70e5f ]---
93 +
94 +This happens because the return value of read_mapping_page() is passed on
95 +to kmap unchecked. The bug is triggered after the first
96 +read_mapping_page() in hfsplus_block_allocate(), this patch fixes all
97 +three usages in this functions but leaves the ones further down in the
98 +file unchanged.
99 +
100 +Signed-off-by: Eric Sesterhenn <snakebyte@×××.de>
101 +Cc: Roman Zippel <zippel@××××××××××.org>
102 +Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
103 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
104 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
105 +---
106 +
107 +diff --git a/fs/hfsplus/bitmap.c b/fs/hfsplus/bitmap.c
108 +index d128a25..ea30afc 100644
109 +--- a/fs/hfsplus/bitmap.c
110 ++++ b/fs/hfsplus/bitmap.c
111 +@@ -32,6 +32,10 @@ int hfsplus_block_allocate(struct super_block *sb, u32 size, u32 offset, u32 *ma
112 + mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
113 + mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
114 + page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL);
115 ++ if (IS_ERR(page)) {
116 ++ start = size;
117 ++ goto out;
118 ++ }
119 + pptr = kmap(page);
120 + curr = pptr + (offset & (PAGE_CACHE_BITS - 1)) / 32;
121 + i = offset % 32;
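Review bot: the new `goto out` fires with alloc_file->i_mutex held (taken two lines above) and before any kmap(), so the `out:` label, which is outside this hunk, must release the mutex and must not kunmap() or release a page that was never mapped; please confirm that in the surrounding function before merging the backport. Using `start = size` as the failure value matches the other two checks, but a one-line comment stating that returning `size` means "no block allocated" to callers would make this error path self-explanatory.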
122 +@@ -73,6 +77,10 @@ int hfsplus_block_allocate(struct super_block *sb, u32 size, u32 offset, u32 *ma
123 + break;
124 + page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
125 + NULL);
126 ++ if (IS_ERR(page)) {
127 ++ start = size;
128 ++ goto out;
129 ++ }
130 + curr = pptr = kmap(page);
131 + if ((size ^ offset) / PAGE_CACHE_BITS)
132 + end = pptr + PAGE_CACHE_BITS / 32;
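Review bot: this check sits inside the scan loop, after an earlier page was already kmap()ed through `pptr`, so the error exit is only leak-free if the loop body has already kunmap()ed and released the previous page before this read_mapping_page() call; that code is not in the hunk and should be verified. The same three-line block `if (IS_ERR(page)) { start = size; goto out; }` is repeated at every read_mapping_page() call in this function; a single failure label, or a small wrapper around read_mapping_page() plus IS_ERR(), would keep the paths from drifting apart.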
133 +@@ -120,6 +128,10 @@ found:
134 + offset += PAGE_CACHE_BITS;
135 + page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
136 + NULL);
137 ++ if (IS_ERR(page)) {
138 ++ start = size;
139 ++ goto out;
140 ++ }
141 + pptr = kmap(page);
142 + curr = pptr;
143 + end = pptr + PAGE_CACHE_BITS / 32;
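Review bot: in the `found:` path the failure value `start = size` abandons an allocation that is already under way: the run was located in the previous page, and if its bits have already been set there by the time this read_mapping_page() fails, the caller sees a failure while those blocks stay marked in the allocation bitmap until a repair tool revisits it. That is still the right trade for a corrupted image (an oops is worse than a few leaked blocks), but the description above says the patch "fixes all three usages in this function" without noting this side effect; a sentence about it, plus a printk() so the corruption is visible in the logs the way the catalog-name check in 1915_hfsplus-buffer-overflow.patch is, would help operators diagnose such images.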
144
145 Added: genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch
146 ===================================================================
147 --- genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch (rev 0)
148 +++ genpatches-2.6/trunk/2.6.26/1915_hfsplus-buffer-overflow.patch 2008-11-19 11:35:25 UTC (rev 1382)
149 @@ -0,0 +1,125 @@
150 +From: Eric Sesterhenn <snakebyte@×××.de>
151 +Date: Thu, 16 Oct 2008 05:04:08 +0000 (-0700)
152 +Subject: hfsplus: fix Buffer overflow with a corrupted image
153 +X-Git-Tag: v2.6.27.5~5
154 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fstable%2Flinux-2.6-stable.git;a=commitdiff_plain;h=e04d4d12ec20c70485c3410219704dd1ffb0ec15
155 +
156 +hfsplus: fix Buffer overflow with a corrupted image
157 +
158 +commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40 upstream
159 +
160 +When an hfsplus image gets corrupted it might happen that the catalog
161 +namelength field gets b0rked. If we mount such an image the memcpy() in
162 +hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
163 +field. Depending on the size of the overwritten data, we either only get
164 +memory corruption or also trigger an oops like this:
165 +
166 +[ 221.628020] BUG: unable to handle kernel paging request at c82b0000
167 +[ 221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
168 +[ 221.629066] *pde = 0ea29163 *pte = 082b0160
169 +[ 221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
170 +[ 221.629066] Modules linked in:
171 +[ 221.629066]
172 +[ 221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
173 +[ 221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
174 +[ 221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
175 +[ 221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
176 +[ 221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
177 +[ 221.629066] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
178 +[ 221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
179 +[ 221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
180 +[ 221.629066] 01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
181 +[ 221.629066] 00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
182 +[ 221.629066] Call Trace:
183 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
184 +[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
185 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
186 +[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
187 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
188 +[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
189 +[ 221.629066] [<c01302d2>] ? __kernel_text_address+0x1b/0x27
190 +[ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6
191 +[ 221.629066] [<c0109e32>] ? save_stack_address+0x0/0x2c
192 +[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
193 +[ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d
194 +[ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d
195 +[ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
196 +[ 221.629066] [<c013553d>] ? down+0xc/0x2f
197 +[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
198 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
199 +[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
200 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
201 +[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
202 +[ 221.629066] [<c013da5d>] ? mark_held_locks+0x43/0x5a
203 +[ 221.629066] [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
204 +[ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
205 +[ 221.629066] [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
206 +[ 221.629066] [<c013555c>] ? down+0x2b/0x2f
207 +[ 221.629066] [<c022aa68>] ? hfsplus_iget+0xa0/0x154
208 +[ 221.629066] [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
209 +[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
210 +[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
211 +[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
212 +[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
213 +[ 221.629066] [<c041c9e4>] ? string+0x2b/0x74
214 +[ 221.629066] [<c041cd16>] ? vsnprintf+0x2e9/0x512
215 +[ 221.629066] [<c010487a>] ? dump_trace+0xca/0xd6
216 +[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
217 +[ 221.629066] [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
218 +[ 221.629066] [<c013b571>] ? save_trace+0x37/0x8d
219 +[ 221.629066] [<c013b62e>] ? add_lock_to_list+0x67/0x8d
220 +[ 221.629066] [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
221 +[ 221.629066] [<c01354d3>] ? up+0xc/0x2f
222 +[ 221.629066] [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
223 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
224 +[ 221.629066] [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
225 +[ 221.629066] [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
226 +[ 221.629066] [<c0107aa3>] ? native_sched_clock+0x82/0x96
227 +[ 221.629066] [<c041cfb7>] ? snprintf+0x1b/0x1d
228 +[ 221.629066] [<c01ba466>] ? disk_name+0x25/0x67
229 +[ 221.629066] [<c0183960>] ? get_sb_bdev+0xcd/0x10b
230 +[ 221.629066] [<c016ad92>] ? kstrdup+0x2a/0x4c
231 +[ 221.629066] [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
232 +[ 221.629066] [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
233 +[ 221.629066] [<c0183583>] ? vfs_kern_mount+0x3b/0x76
234 +[ 221.629066] [<c0183602>] ? do_kern_mount+0x32/0xba
235 +[ 221.629066] [<c01960d4>] ? do_new_mount+0x46/0x74
236 +[ 221.629066] [<c0196277>] ? do_mount+0x175/0x193
237 +[ 221.629066] [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
238 +[ 221.629066] [<c01663b2>] ? __get_free_pages+0x1e/0x24
239 +[ 221.629066] [<c06ac07b>] ? lock_kernel+0x19/0x8c
240 +[ 221.629066] [<c01962e6>] ? sys_mount+0x51/0x9b
241 +[ 221.629066] [<c01962f9>] ? sys_mount+0x64/0x9b
242 +[ 221.629066] [<c01038bd>] ? sysenter_do_call+0x12/0x31
243 +[ 221.629066] =======================
244 +[ 221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
245 +[ 221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
246 +[ 221.629066] ---[ end trace e417a1d67f0d0066 ]---
247 +
248 +Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
249 +the check is performed at the callsite.
250 +
251 +Signed-off-by: Eric Sesterhenn <snakebyte@×××.de>
252 +Reviewed-by: Pekka Enberg <penberg@×××××××××××.fi>
253 +Cc: Roman Zippel <zippel@××××××××××.org>
254 +Signed-off-by: Andrew Morton <akpm@××××××××××××××××.org>
255 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
256 +Signed-off-by: Greg Kroah-Hartman <gregkh@××××.de>
257 +---
258 +
259 +diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c
260 +index ba117c4..f6874ac 100644
261 +--- a/fs/hfsplus/catalog.c
262 ++++ b/fs/hfsplus/catalog.c
263 +@@ -168,6 +168,11 @@ int hfsplus_find_cat(struct super_block *sb, u32 cnid,
264 + return -EIO;
265 + }
266 +
267 ++ if (be16_to_cpu(tmp.thread.nodeName.length) > 255) {
268 ++ printk(KERN_ERR "hfs: catalog name length corrupted\n");
269 ++ return -EIO;
270 ++ }
271 ++
272 + hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID),
273 + &tmp.thread.nodeName);
274 + return hfs_brec_find(fd);
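Review bot: the bound is enforced only at this callsite while hfsplus_cat_build_key_uni() itself still trusts nodeName.length, as the description above acknowledges; any later caller of that function would reintroduce the memcpy() overflow, so consider moving the check into hfsplus_cat_build_key_uni() (returning an error instead of void) or at least documenting the precondition at its definition. The literal `255` should be the named on-disk maximum string length if the hfsplus headers define one. The new printk(KERN_ERR ...) is a useful detection signal: mounting a crafted image now logs "hfs: catalog name length corrupted" and fails with -EIO rather than corrupting memory, so that is the line to alert on when monitoring hosts that mount untrusted HFS+ media.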