| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4614A692.5020605@ums.usu.ru>
Date: Thu, 05 Apr 2007 13:34:42 +0600
From: "Alexander E. Patrakov" <patrakov@....usu.ru>
To: lepton <ytht.net@...il.com>, lkm <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] 2.6.20.4 fix kernel panic on corrupted reiserfs directory
lepton wrote:
> Hi,
> When reading corrupted reiserfs directory data, d_reclen
> could be a negative number, then memcpy will overflow
> kernel stack. This can lead to kernel panic.
> The following patch adds a sanity check. (against 2.6.20.4)
Is it possible to get a large positive number here due to other fs
corruption and bypass your sanity check? If I read the code correctly, this
would still oops in the "if" statement just below the part you patched.
> Signed-off-by: Lepton Wu <ytht.net@...il.com>
>
> diff -pru linux-2.6/fs/reiserfs/dir.c linux-2.6-lepton/fs/reiserfs/dir.c
> --- linux-2.6/fs/reiserfs/dir.c 2007-02-20 14:34:32.000000000 +0800
> +++ linux-2.6-lepton/fs/reiserfs/dir.c 2007-04-05 14:35:58.000000000 +0800
> @@ -121,6 +121,11 @@ static int reiserfs_readdir(struct file
> /* it is hidden entry */
> continue;
> d_reclen = entry_length(bh, ih, entry_num);
> + if (d_reclen < 0) {
> + pathrelse(&path_to_entry);
> + ret = -EIO;
> + goto out;
> + }
> d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih, deh);
> if (!d_name[d_reclen - 1])
> d_reclen = strlen(d_name);
> O
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists