| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 14 Sep 2007 18:10:19 +0800
From: lepton <ytht.net@...il.com>
To: reiserfs-dev@...esys.com
Cc: lkm <linux-kernel@...r.kernel.org>
Subject: [PATCH] 2.6.22.6 fix kernel panic on corrupted reiserfs directory
Hi,
When reading corrupted reiserfs directory data, d_reclen
could be a negative number or a big positive number, this
can lead to kernel panic or oop.
The following patch adds a sanity check. (against 2.6.20.4)
Signed-off-by: Lepton Wu <ytht.net@...il.com>
diff -X linux-2.6.22.6-lepton/Documentation/dontdiff -pru linux-2.6.22.6/fs/reiserfs/dir.c linux-2.6.22.6-lepton/fs/reiserfs/dir.c
--- linux-2.6.22.6/fs/reiserfs/dir.c 2007-09-14 17:41:15.000000000 +0800
+++ linux-2.6.22.6-lepton/fs/reiserfs/dir.c 2007-09-14 18:02:10.000000000 +0800
@@ -121,6 +121,16 @@ static int reiserfs_readdir(struct file
continue;
d_reclen = entry_length(bh, ih, entry_num);
d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih, deh);
+
+ if (d_reclen <= 0 ||
+ d_name + d_reclen > bh->b_data + bh->b_size) {
+ /* There is corrupted data in entry,
+ * We'd better stop here */
+ pathrelse(&path_to_entry);
+ ret = -EIO;
+ goto out;
+ }
+
if (!d_name[d_reclen - 1])
d_reclen = strlen(d_name);
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists