summaryrefslogtreecommitdiff
path: root/fs/readdir.c
diff options
context:
space:
mode:
authorAmerigo Wang <amwang@redhat.com>2009-12-14 17:57:37 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2009-12-18 14:04:08 -0800
commit037b7867ec53baa0dea5d05d4201e4fbf2405fc3 (patch)
treef5597e4fe4a1824192185e481248b44790f21832 /fs/readdir.c
parent08d05bad84c4cc91a92ac9aa8c3106610cc0584b (diff)
downloadlwn-037b7867ec53baa0dea5d05d4201e4fbf2405fc3.tar.gz
lwn-037b7867ec53baa0dea5d05d4201e4fbf2405fc3.zip
hfs: fix a potential buffer overflow
commit ec81aecb29668ad71f699f4e7b96ec46691895b6 upstream. A specially-crafted Hierarchical File System (HFS) filesystem could cause a buffer overflow to occur in a process's kernel stack during a memcpy() call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The attacker can provide the source buffer and length, and the destination buffer is a local variable of a fixed length. This local variable (passed as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir(). Because the hfs_readdir() function executes upon any attempt to read a directory on the filesystem, it gets called whenever a user attempts to inspect any filesystem contents. [amwang@redhat.com: modify this patch and fix coding style problems] Signed-off-by: WANG Cong <amwang@redhat.com> Cc: Eugene Teo <eteo@redhat.com> Cc: Roman Zippel <zippel@linux-m68k.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Dave Anderson <anderson@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'fs/readdir.c')
0 files changed, 0 insertions, 0 deletions