lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6101e8c40709220334v7eefbb8g73128bc315ca07d4@mail.gmail.com>
Date:	Sat, 22 Sep 2007 12:34:45 +0200
From:	"Oliver Pinter" <oliver.pntr@...il.com>
To:	stable@...nel.org, linux-kernel@...r.kernel.org,
	reiserfs-dev@...esys.com
Cc:	lepton <ytht.net@...il.com>, "Greg KH" <greg@...ah.com>
Subject: Re: [stable] [PATCH] 2.6.22.6 fix kernel panic on corrupted reiserfs directory

[snap]

Hi,
  When reading corrupted reiserfs directory data, d_reclen
  could be a negative number or a big positive number, this
  can lead to kernel panic or oop.
  The following patch adds a sanity check. (against 2.6.20.4)

Signed-off-by: Lepton Wu <ytht.net@...il.com>

diff -X linux-2.6.22.6-lepton/Documentation/dontdiff -pru
linux-2.6.22.6/fs/reiserfs/dir.c
linux-2.6.22.6-lepton/fs/reiserfs/dir.c
--- linux-2.6.22.6/fs/reiserfs/dir.c    2007-09-14 17:41:15.000000000 +0800
+++ linux-2.6.22.6-lepton/fs/reiserfs/dir.c     2007-09-14
18:02:10.000000000 +0800
@@ -121,6 +121,16 @@ static int reiserfs_readdir(struct file
                                        continue;
                                d_reclen = entry_length(bh, ih, entry_num);
                                d_name = B_I_DEH_ENTRY_FILE_NAME(bh, ih, deh);
+
+                               if (d_reclen <= 0 ||
+                                   d_name + d_reclen > bh->b_data +
bh->b_size) {
+                                       /* There is corrupted data in entry,
+                                        * We'd better stop here */
+                                       pathrelse(&path_to_entry);
+                                       ret = -EIO;
+                                       goto out;
+                               }
+
                                if (!d_name[d_reclen - 1])
                                        d_reclen = strlen(d_name);

[/snap]

it is Lepton's patch.
Namesys boys, this patch is OK?
Greg, I neither do find this patch in Linus's tree.

-- 
Thanks,
Oliver
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ