[no subject]

From: Naohiro Aota
Date: Mon Jul 11 2011 - 13:54:13 EST

Next message: Stefan Hajnoczi: "[PATCH] ACPI / Battery: propagate sysfs error in acpi_battery_add()"
Previous message: Kirill Smelkov: "[PATCH] Revert "drm/i915: Initialise ring vfuncs for old DRI paths""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

'recoff' is read from disk and used for an argument to memcpy, so if
the value read from disk is larger than the page size, it result to
"general protection fault". This patch add additional range check for
the value, so that disk fuzz won't cause such fault.

Signed-off-by: Naohiro Aota <naota@xxxxxxxxx>
---
fs/hfsplus/brec.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c
index 2312de3..2a734cf 100644
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
node->tree->node_size - (rec + 1) * 2);
if (!recoff)
return 0;
+ if (recoff > node->tree->node_size - 2) {
+ printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
+ return 0;
+ }

retval = hfs_bnode_read_u16(node, recoff) + 2;
if (retval > node->tree->max_key_len + 2) {
--
1.7.6

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stefan Hajnoczi: "[PATCH] ACPI / Battery: propagate sysfs error in acpi_battery_add()"
Previous message: Kirill Smelkov: "[PATCH] Revert "drm/i915: Initialise ring vfuncs for old DRI paths""
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]