kernel-hacking-2024-linux-s.../fs
Eric Sesterhenn efc7ffcb42 hfsplus: fix Buffer overflow with a corrupted image
When an hfsplus image gets corrupted it might happen that the catalog
namelength field gets b0rked.  If we mount such an image the memcpy() in
hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
field.  Depending on the size of the overwritten data, we either only get
memory corruption or also trigger an oops like this:

[  221.628020] BUG: unable to handle kernel paging request at c82b0000
[  221.629066] IP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151
[  221.629066] *pde = 0ea29163 *pte = 082b0160
[  221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
[  221.629066] Modules linked in:
[  221.629066]
[  221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
[  221.629066] EIP: 0060:[<c022d4b1>] EFLAGS: 00010206 CPU: 0
[  221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
[  221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
[  221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
[  221.629066]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
[  221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
[  221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
[  221.629066]        01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
[  221.629066]        00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
[  221.629066] Call Trace:
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c01302d2>] ? __kernel_text_address+0x1b/0x27
[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[  221.629066]  [<c0109e32>] ? save_stack_address+0x0/0x2c
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  221.629066]  [<c013553d>] ? down+0xc/0x2f
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c013da5d>] ? mark_held_locks+0x43/0x5a
[  221.629066]  [<c013dc3a>] ? trace_hardirqs_on+0xb/0xd
[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  221.629066]  [<c06abec8>] ? _spin_unlock_irqrestore+0x42/0x58
[  221.629066]  [<c013555c>] ? down+0x2b/0x2f
[  221.629066]  [<c022aa68>] ? hfsplus_iget+0xa0/0x154
[  221.629066]  [<c022b0b9>] ? hfsplus_fill_super+0x280/0x447
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c041c9e4>] ? string+0x2b/0x74
[  221.629066]  [<c041cd16>] ? vsnprintf+0x2e9/0x512
[  221.629066]  [<c010487a>] ? dump_trace+0xca/0xd6
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c0109eaf>] ? save_stack_trace+0x1c/0x3a
[  221.629066]  [<c013b571>] ? save_trace+0x37/0x8d
[  221.629066]  [<c013b62e>] ? add_lock_to_list+0x67/0x8d
[  221.629066]  [<c013ea1c>] ? validate_chain+0x8a4/0x9f4
[  221.629066]  [<c01354d3>] ? up+0xc/0x2f
[  221.629066]  [<c013f1f6>] ? __lock_acquire+0x68a/0x6e0
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c013bca3>] ? trace_hardirqs_off_caller+0x14/0x9b
[  221.629066]  [<c013bd35>] ? trace_hardirqs_off+0xb/0xd
[  221.629066]  [<c0107aa3>] ? native_sched_clock+0x82/0x96
[  221.629066]  [<c041cfb7>] ? snprintf+0x1b/0x1d
[  221.629066]  [<c01ba466>] ? disk_name+0x25/0x67
[  221.629066]  [<c0183960>] ? get_sb_bdev+0xcd/0x10b
[  221.629066]  [<c016ad92>] ? kstrdup+0x2a/0x4c
[  221.629066]  [<c022a7b3>] ? hfsplus_get_sb+0x13/0x15
[  221.629066]  [<c022ae39>] ? hfsplus_fill_super+0x0/0x447
[  221.629066]  [<c0183583>] ? vfs_kern_mount+0x3b/0x76
[  221.629066]  [<c0183602>] ? do_kern_mount+0x32/0xba
[  221.629066]  [<c01960d4>] ? do_new_mount+0x46/0x74
[  221.629066]  [<c0196277>] ? do_mount+0x175/0x193
[  221.629066]  [<c013dbf4>] ? trace_hardirqs_on_caller+0xf4/0x12f
[  221.629066]  [<c01663b2>] ? __get_free_pages+0x1e/0x24
[  221.629066]  [<c06ac07b>] ? lock_kernel+0x19/0x8c
[  221.629066]  [<c01962e6>] ? sys_mount+0x51/0x9b
[  221.629066]  [<c01962f9>] ? sys_mount+0x64/0x9b
[  221.629066]  [<c01038bd>] ? sysenter_do_call+0x12/0x31
[  221.629066]  =======================
[  221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 <f3> a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
[  221.629066] EIP: [<c022d4b1>] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
[  221.629066] ---[ end trace e417a1d67f0d0066 ]---

Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
the check is performed at the callsite.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-10-16 11:21:46 -07:00
9p vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
adfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
affs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
afs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
autofs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
autofs4 autofs4: add miscellaneous device for ioctls 2008-10-16 11:21:39 -07:00
befs befs: annotate fs32 on tests for superblock endianness 2008-10-16 11:21:46 -07:00
bfs bfs: fix Lockdep warning 2008-09-13 14:41:51 -07:00
cifs [CIFS] cifs: remove pointless lock and unlock of GlobalMid_Lock in header_assemble 2008-10-12 13:34:11 +00:00
coda
configfs [PATCH] configfs: Consolidate locking around configfs_detach_prep() in configfs_rmdir() 2008-08-22 11:09:02 -07:00
cramfs cramfs: fix named-pipe handling 2008-08-20 15:40:32 -07:00
debugfs integrity: special fs magic 2008-10-13 09:47:43 +11:00
devpts vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
dlm dlm: choose better identifiers 2008-09-05 09:51:30 -05:00
ecryptfs eCryptfs: remove netlink transport 2008-10-16 11:21:39 -07:00
efs EFS: Don't set f_fsid in statfs(). 2008-09-02 23:15:22 +01:00
exportfs
ext2 ext2: avoid printk floods in the face of directory corruption 2008-10-16 11:21:46 -07:00
ext3 vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
ext4 vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
fat vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
freevxfs
fuse vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
gfs2 vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
hfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
hfsplus hfsplus: fix Buffer overflow with a corrupted image 2008-10-16 11:21:46 -07:00
hostfs
hpfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
hppfs
hugetlbfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
isofs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
jbd
jbd2 ext4: add an option to control error handling on file data 2008-10-10 22:12:43 -04:00
jffs2 removed unused #include <linux/version.h>'s 2008-08-23 12:14:12 -07:00
jfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
lockd NLM: Remove "proto" argument from lockd_up() 2008-10-04 17:12:27 -04:00
minix
msdos
ncpfs
nfs Merge branch 'for-2.6.28' of git://linux-nfs.org/~bfields/linux 2008-10-14 12:31:14 -07:00
nfs_common
nfsd NLM: Remove unused argument from svc_addsock() function 2008-10-04 17:12:27 -04:00
nls
ntfs NTFS: update homepage 2008-09-02 19:21:37 -07:00
ocfs2 ocfs2: fix build error 2008-10-14 18:31:46 -07:00
omfs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
openpromfs
partitions Check for device resize when rescanning partitions 2008-10-09 08:56:12 +02:00
proc Merge branch 'for-2.6.28' of git://linux-nfs.org/~bfields/linux 2008-10-14 12:31:14 -07:00
qnx4
ramfs mm: tiny-shmem nommu fix 2008-10-02 15:53:13 -07:00
reiserfs
romfs
smbfs
sysfs
sysv
ubifs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
udf vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
ufs vfs: Use const for kernel parser table 2008-10-13 10:10:37 -07:00
vfat
xfs xfs: fix remount rw with unrecognized options 2008-10-15 10:00:00 -07:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c
binfmt_elf_fdpic.c
binfmt_em86.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_flat.c uclinux: fix gzip header parsing in binfmt_flat.c 2008-10-16 11:21:29 -07:00
binfmt_misc.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_script.c Allow recursion in binfmt_script and binfmt_misc 2008-10-16 11:21:38 -07:00
binfmt_som.c binfmt_som.c: add MODULE_LICENSE 2008-10-16 11:21:38 -07:00
bio-integrity.c block: Introduce integrity data ownership flag 2008-10-09 08:56:21 +02:00
bio.c block: mark bio_split_pool static 2008-10-09 08:57:05 +02:00
block_dev.c block_dev: fix kernel-doc in new functions 2008-10-09 10:42:38 +02:00
buffer.c block: submit_bh() inadvertently discards barrier flag on a sync write 2008-08-27 09:50:19 +02:00
char_dev.c
compat.c compat: move cp_compat_stat to common code 2008-10-16 11:21:33 -07:00
compat_binfmt_elf.c
compat_ioctl.c
dcache.c Fix NULL pointer dereference in proc_sys_compare 2008-09-29 07:42:57 -07:00
dcookies.c
direct-io.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
dnotify.c
dquot.c tty: Redo current tty locking 2008-10-13 09:51:41 -07:00
drop_caches.c
eventfd.c
eventpoll.c epoll: drop unnecessary test 2008-10-16 11:21:32 -07:00
exec.c alpha: introduce field 'taso' into struct linux_binprm 2008-10-16 11:21:38 -07:00
fcntl.c
fifo.c
file.c
file_table.c
filesystems.c
fs-writeback.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
generic_acl.c
inode.c fs/inode.c: properly init address_space->writeback_index 2008-08-15 08:35:44 -07:00
inotify.c
inotify_user.c inotify: fix lock ordering wrt do_page_fault's mmap_sem 2008-10-02 15:53:13 -07:00
internal.h
ioctl.c provide generic_block_fiemap() only with BLOCK=y 2008-10-12 11:44:37 -07:00
ioprio.c fix setpriority(PRIO_PGRP) thread iterator breakage 2008-08-20 15:40:32 -07:00
Kconfig Merge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mfasheh/ocfs2 2008-10-14 16:34:11 -07:00
Kconfig.binfmt Introduce HAVE_AOUT symbol to remove hard-coded arch list for BINFMT_AOUT 2008-09-06 19:30:22 +01:00
libfs.c
locks.c
Makefile Merge branch 'for-2.6.28' of git://linux-nfs.org/~bfields/linux 2008-10-14 12:31:14 -07:00
mbcache.c
mpage.c Remove Andrew Morton's old email accounts 2008-10-16 11:21:32 -07:00
namei.c
namespace.c
nfsctl.c
no-block.c
open.c tty: the vhangup syscall is racy 2008-10-13 09:51:41 -07:00
pipe.c
pnode.c
pnode.h
posix_acl.c
quota.c
quota_v1.c
quota_v2.c
read_write.c
read_write.h
readdir.c [PATCH] fix regular readdir() and friends 2008-08-25 01:18:08 -04:00
select.c
seq_file.c [PATCH] deal with the first call of ->show() generating no output 2008-08-25 01:18:10 -04:00
signalfd.c
splice.c Don't allow splice() to files opened with O_APPEND 2008-10-09 14:26:38 -07:00
stack.c
stat.c
super.c
sync.c
timerfd.c
utimes.c
xattr.c
xattr_acl.c