[patch 48/49] hfs: fix namelength memory corruption (CVE-2008-5025)

From: Greg KH <gregkh@xxxxxxx>
Date: Tue, 11 Nov 2008 16:24:35 -0800

2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------

From: Eric Sesterhenn <snakebyte@xxxxxx>

commit d38b7aa7fc3371b52d036748028db50b585ade2e upstream

Fix a stack corruption caused by a corrupted hfs filesystem. If the
catalog name length is corrupted the memcpy overwrites the catalog btree
structure. Since the field is limited to HFS_NAMELEN bytes in the
structure and the file format, we throw an error if it is too long.

Cc: Roman Zippel <zippel@xxxxxxxxxxxxxx>
Signed-off-by: Eric Sesterhenn <snakebyte@xxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
fs/hfs/catalog.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/fs/hfs/catalog.c
+++ b/fs/hfs/catalog.c
@@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block

fd->search_key->cat.ParID = rec.thread.ParID;
len = fd->search_key->cat.CName.len = rec.thread.CName.len;
+ if (len > HFS_NAMELEN) {
+ printk(KERN_ERR "hfs: bad catalog namelength\n");
+ return -EIO;
+ }
memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
return hfs_brec_find(fd);
}

--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

References:
- [patch 00/49] 2.6.27.5 stable review
  - From: Greg KH

Prev by Date: [patch 49/49] HID: fix incorrent length condition in hidraw_write()
Next by Date: [patch 47/49] hfsplus: check read_mapping_page() return value (CVE-2008-4934)
Previous by thread: [patch 49/49] HID: fix incorrent length condition in hidraw_write()
Next by thread: [patch 47/49] hfsplus: check read_mapping_page() return value (CVE-2008-4934)
Index(es):
- Date
- Thread

Relevant Pages

Re: Error copying files to flash drive
... to a 2 gig USB flash drive I got the following error: Error copying file or folder ... The file format is the same jpeg file as all the rest that copied successfully with the same attributes. ... I ran error check and defrag on the flash drive, no luck. ... This might be sufficient to offset the corruption. ...
(microsoft.public.windowsxp.hardware)
Re: Corrupt files
... "Excel cannot open the file Payments 20089 because the file format or ... file extension matches the format of the file." ... Stellar Phoenix Excel Repair Software to resolve your corruption ...
(microsoft.public.excel.misc)
Re: Word 2007
... Note that saving to a different file format and then back is standard ... I'd say that you usually cannot tell the nature of the corruption; ... Microsoft Word MVP ... Barbara R ...
(microsoft.public.word.docmanagement)
Re: Corrupt Access File
... No corruption isn.t a big problem, ... Jet database file format so that you can check each bit for what it's ... If database corruption is common enough in your ...
(microsoft.public.access.formscoding)
Re: word 2003 cant open word 2000 docs
... corruption remaining. ... Try a Maggie first though: ... try Save As HTML before using the file format you ... Steve Hudson - Word Heretic ...
(microsoft.public.word.formatting.longdocs)