lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20250325132947.55401-1-aaro@tuxera.com>
Date: Tue, 25 Mar 2025 15:29:47 +0200
From: Aaro Mäkinen <aaro@...era.com>
To: linux-kernel@...r.kernel.org,
	akpm@...ux-foundation.org
Cc: linux-fsdevel@...r.kernel.org,
	stable@...r.kernel.org,
	anton@...era.com,
	Aaro Mäkinen <aaro@...era.com>
Subject: [PATCH] hfsplus: Return null terminated string from hfsplus_uni2asc()

In case hfsplus_uni2asc() is called with reused buffer there is a
possibility that the buffer contains remains of the last string and the
null character is only after that. This can and has caused problems in
functions that call hfsplus_uni2asc().

Also correct the error handling for call to copy_name() where the above
problem caused error to be not passed in hfsplus_listxattr().

Fixes: 7dcbf17e3f91 ("hfsplus: refactor copy_name to not use strncpy")
Signed-off-by: Aaro Mäkinen <aaro@...era.com>
Reviewed-by: Anton Altaparmakov <anton@...era.com>
---
 fs/hfsplus/unicode.c |  1 +
 fs/hfsplus/xattr.c   | 13 ++++++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/fs/hfsplus/unicode.c b/fs/hfsplus/unicode.c
index 73342c925a4b..1f122e3c9583 100644
--- a/fs/hfsplus/unicode.c
+++ b/fs/hfsplus/unicode.c
@@ -246,6 +246,7 @@ int hfsplus_uni2asc(struct super_block *sb,
 	res = 0;
 out:
 	*len_p = (char *)op - astr;
+	*op = '\0';
 	return res;
 }
 
diff --git a/fs/hfsplus/xattr.c b/fs/hfsplus/xattr.c
index 9a1a93e3888b..f20487ad4e8a 100644
--- a/fs/hfsplus/xattr.c
+++ b/fs/hfsplus/xattr.c
@@ -746,9 +746,16 @@ ssize_t hfsplus_listxattr(struct dentry *dentry, char *buffer, size_t size)
 			if (size < (res + name_len(strbuf, xattr_name_len))) {
 				res = -ERANGE;
 				goto end_listxattr;
-			} else
-				res += copy_name(buffer + res,
-						strbuf, xattr_name_len);
+			} else {
+				err = copy_name(buffer + res,
+					strbuf, xattr_name_len);
+				if (err < 0) {
+					res = err;
+					goto end_listxattr;
+				}
+				else
+					res += err;
+			}
 		}
 
 		if (hfs_brec_goto(&fd, 1))
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ