Hi,
When reading corrupted reiserfs directory data, d_reclen
could be a negative number, then memcpy will overflow
kernel stack. This can lead to kernel panic.
The following patch adds a sanity check. (against 2.6.20.4)
Signed-off-by: Lepton Wu <ytht.net@xxxxxxxxx>-
diff -pru linux-2.6/fs/reiserfs/dir.c linux-2.6-lepton/fs/reiserfs/dir.c
--- linux-2.6/fs/reiserfs/dir.c 2007-02-20 14:34:32.000000000 +0800
+++ linux-2.6-lepton/fs/reiserfs/dir.c 2007-04-05 14:35:58.000000000 +0800
@@ -121,6 +121,11 @@ static int reiserfs_readdir(struct file /* it is hidden entry */
continue;
d_reclen = entry_length(bh, ih, entry_num);
+ if (d_reclen < 0) {
+ pathrelse(&path_to_entry);
+ ret = -EIO;
+ goto out;
+ }
d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih, deh);
if (!d_name[d_reclen - 1])
d_reclen = strlen(d_name);
O