linux/fs
Phillip Lougher 434a964daa hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops
Clement Lecigne reports a filesystem which causes a kernel oops in
hfs_find_init() trying to dereference sb->ext_tree which is NULL.

This proves to be because the filesystem has a corrupted MDB extent
record, where the extents file does not fit into the first three extents
in the file record (the first blocks).

In hfs_get_block() when looking up the blocks for the extent file
(HFS_EXT_CNID), it fails the first blocks special case, and falls
through to the extent code (which ultimately calls hfs_find_init())
which is in the process of being initialised.

Hfs avoids this scenario by always having the extents b-tree fitting
into the first blocks (the extents B-tree can't have overflow extents).

The fix is to check at mount time that the B-tree fits into first
blocks, i.e.  fail if HFS_I(inode)->alloc_blocks >=
HFS_I(inode)->first_blocks

Note, the existing commit 47f365eb57 ("hfs: fix oops on mount with
corrupted btree extent records") becomes subsumed into this as a special
case, but only for the extents B-tree (HFS_EXT_CNID), it is perfectly
acceptable for the catalog B-Tree file to grow beyond three extents,
with the remaining extent descriptors in the extents overflow.

This fixes CVE-2011-2203

Reported-by: Clement LECIGNE <clement.lecigne@netasq.com>
Signed-off-by: Phillip Lougher <plougher@redhat.com>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: Christoph Hellwig <hch@lst.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-11-02 16:06:59 -07:00
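The invariant the commit message relies on (the extents B-tree has nowhere to put overflow extents, so its whole fork must be covered by the three extents stored in the MDB) can be modelled outside the kernel. The following is an added example, not the kernel's code or the patch itself: it parses a 12-byte big-endian `drXTExtRec` record, derives `first_blocks` and `alloc_blocks` the way the message describes them, and applies the mount-time check only for `HFS_EXT_CNID`, leaving the catalog tree free to spill into the overflow file. The struct layout, the rounding of the byte size to whole allocation blocks, the helper names and the sample records are this example's own assumptions.

```c
/* Added example (not the kernel's code): model of the mount-time check
 * described in the commit message for the HFS extents B-tree.
 * HFS stores, in the MDB, the extents file's byte size (drXTFlSize) and
 * its first three extents (drXTExtRec: 3 x {startBlock, blockCount},
 * big-endian u16 each). Names of structs/helpers are this example's own. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define HFS_EXT_CNID 3   /* CNID of the extents overflow file */
#define HFS_CAT_CNID 4   /* CNID of the catalog file */

struct hfs_extent { uint16_t block; uint16_t count; };

struct hfs_fork {
    uint32_t alloc_blocks;        /* allocation blocks the fork's size needs */
    uint32_t first_blocks;        /* blocks covered by the three MDB extents */
    struct hfs_extent first[3];   /* the extents held in the MDB itself */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 12-byte extent record and derive first_blocks / alloc_blocks.
 * The byte size is rounded up to whole allocation blocks (an assumption of
 * this model). Returns -1 if the allocation block size is zero, which a
 * corrupt MDB can also produce and which would otherwise divide by zero. */
int hfs_read_fork(struct hfs_fork *f, const uint8_t rec[12],
                  uint32_t size_bytes, uint32_t alloc_blksz)
{
    if (alloc_blksz == 0)
        return -1;
    f->first_blocks = 0;
    for (int i = 0; i < 3; i++) {
        f->first[i].block = be16(rec + 4 * i);
        f->first[i].count = be16(rec + 4 * i + 2);
        f->first_blocks  += f->first[i].count;
    }
    f->alloc_blocks = (size_bytes + alloc_blksz - 1) / alloc_blksz;
    return 0;
}

/* The check itself: the extents tree cannot have overflow extents (they
 * would live in the very tree being opened), so every allocation block of
 * its fork must lie inside the three MDB extents. Any other tree, e.g. the
 * catalog, may legitimately grow beyond three extents. Returns 1 if the
 * fork is acceptable, 0 if mount should fail. */
int hfs_btree_extents_ok(uint32_t cnid, const struct hfs_fork *f)
{
    if (cnid != HFS_EXT_CNID)
        return 1;
    return f->alloc_blocks <= f->first_blocks;
}

/* Whole flow for one MDB: 1 = ok, 0 = corrupt extents record, -1 = bad block size. */
int hfs_check_mdb_tree(uint32_t cnid, const uint8_t rec[12],
                       uint32_t size_bytes, uint32_t alloc_blksz)
{
    struct hfs_fork f;
    if (hfs_read_fork(&f, rec, size_bytes, alloc_blksz) < 0)
        return -1;
    return hfs_btree_extents_ok(cnid, &f);
}

int main(void)
{
    /* Constructed records (not from a real image). 512-byte allocation blocks. */
    const uint8_t good[12]    = {0x00,0x10, 0x00,0x03, 0,0,0,0, 0,0,0,0}; /* 3 blocks at 16 */
    const uint8_t oversize[12] = {0x00,0x10, 0x00,0x03, 0,0,0,0, 0,0,0,0}; /* same extents... */

    /* Extents file of 1536 bytes fits its three blocks: mount proceeds. */
    printf("sane image:    %d\n", hfs_check_mdb_tree(HFS_EXT_CNID, good, 1536, 512));
    /* ...but a 4096-byte extents file needs 8 blocks; the missing 5 would
     * have to come from the extents tree itself: reject at mount time. */
    printf("corrupt image: %d\n", hfs_check_mdb_tree(HFS_EXT_CNID, oversize, 4096, 512));
    /* The catalog tree with the same numbers is fine; its extra extents live in the overflow file. */
    printf("catalog tree:  %d\n", hfs_check_mdb_tree(HFS_CAT_CNID, oversize, 4096, 512));
    return 0;
}
```

The "corrupt image" case is the shape of filesystem the report describes: without the check, the lookup for the blocks past `first_blocks` falls into the extents-tree code while `sb->ext_tree` is still NULL. Rejecting it at mount time means `hfs_get_block()` never has to consult a tree that is not yet there.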
9p net/9p: Convert net/9p protocol dumps to tracepoints 2011-10-24 11:13:12 -05:00
adfs Fix common misspellings 2011-03-31 11:26:23 -03:00
affs fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
afs AFS: Fix silly characters in a comment 2011-07-20 20:48:03 -04:00
autofs4 autofs4: fix debug printk warning uncovered by cleanup 2011-08-08 12:02:43 -07:00
befs befs: Validate length of long symbolic links. 2011-08-17 13:31:24 -07:00
bfs bfs: remove unnecessary dentry_unhash on dir rename 2011-05-28 01:02:50 -04:00
btrfs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-10-28 10:49:34 -07:00
cachefiles kill useless checks for sb->s_op == NULL 2011-07-20 01:44:21 -04:00
ceph libceph: fix double-free of page vector 2011-10-25 16:10:17 -07:00
cifs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-10-28 10:49:34 -07:00
coda fs: Convert vmalloc/memset to vzalloc 2011-09-15 13:56:28 +02:00
configfs doc: fix broken references 2011-09-27 18:08:04 +02:00
cramfs cramfs: get_cramfs_inode() returns ERR_PTR() on failure 2011-07-17 23:22:02 -04:00
debugfs debugfs: Fix a comment mistake 2011-08-22 17:41:48 -07:00
devpts fs/devpts/inode.c: correctly check d_alloc_name() return code in devpts_pty_new() 2011-03-22 17:44:17 -07:00
dlm Merge branch 'for-3.1' of git://linux-nfs.org/~bfields/linux 2011-07-25 22:49:19 -07:00
ecryptfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
efs make d_splice_alias(ERR_PTR(err), dentry) = ERR_PTR(err) 2011-07-20 01:44:26 -04:00
exofs ore: Enable RAID5 mounts 2011-10-24 17:22:29 -07:00
exportfs
ext2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
ext3 Merge branch 'next' of git://selinuxproject.org/~jmorris/linux-security 2011-10-25 09:45:31 +02:00
ext4 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
fat fat: follow rename pack_hex_byte() to hex_byte_pack() 2011-10-31 17:30:57 -07:00
freevxfs treewide: fix a few typos in comments 2011-05-10 10:16:21 +02:00
fscache FS-Cache: Fix __fscache_uncache_all_inode_pages()'s outer loop 2011-07-21 10:59:16 -07:00
fuse fuse: fix memory leak 2011-09-12 11:47:10 -07:00
gfs2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
hfs hfs: fix hfs_find_init() sb->ext_tree NULL ptr oops 2011-11-02 16:06:59 -07:00
hfsplus hfsplus: fix filesystem size checks 2011-09-15 09:03:17 -07:00
hostfs fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
hpfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
hppfs hppfs: missing include 2011-07-27 22:21:58 -04:00
hugetlbfs lockdep: Add helper function for dir vs file i_mutex annotation 2011-08-25 10:50:18 -07:00
isofs isofs: add readpages support 2011-11-02 16:06:59 -07:00
jbd jbd: Use WRITE_SYNC in journal checkpoint. 2011-06-28 00:06:41 +02:00
jbd2 jbd2: remove jbd2_dev_to_name() from jbd2 tracepoints 2011-07-10 22:05:08 -04:00
jffs2 Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next 2011-08-09 10:31:03 +10:00
jfs Merge branch 'next' of git://selinuxproject.org/~jmorris/linux-security 2011-10-25 09:45:31 +02:00
lockd SUNRPC: Replace svc_addr_u by sockaddr_storage 2011-09-14 08:21:48 -04:00
logfs lib/string.c: introduce memchr_inv() 2011-10-31 17:30:47 -07:00
minix minix_getattr(): don't bother with ->d_parent 2011-07-20 20:47:53 -04:00
ncpfs fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
nfs Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-10-28 10:49:34 -07:00
nfs_common Fix common misspellings 2011-03-31 11:26:23 -03:00
nfsd nfs41: implement DESTROY_CLIENTID operation 2011-10-24 04:24:30 -04:00
nilfs2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
nls
notify atomic: use <linux/atomic.h> 2011-07-26 16:49:47 -07:00
ntfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
ocfs2 treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
omfs omfs: fix (mode & S_IFDIR) abuse 2011-07-26 13:05:28 -04:00
openpromfs
partitions treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
proc mm: distinguish between mlocked and pinned pages 2011-10-31 17:30:46 -07:00
pstore pstore: make pstore write function return normal success/fail value 2011-10-12 09:17:24 -07:00
qnx4
quota VFS: Fix the remaining automounter semantics regressions 2011-09-26 19:16:46 -07:00
ramfs ramfs: remove module leftovers 2011-11-02 16:06:58 -07:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2011-10-25 12:11:02 +02:00
romfs romfs: fix romfs_get_unmapped_area() argument check 2011-06-27 18:00:12 -07:00
squashfs doc: fix broken references 2011-09-27 18:08:04 +02:00
sysfs sysfs: Make sysfs_rename safe with sysfs_dirents in rbtrees. 2011-11-01 09:16:14 -07:00
sysv sysv: remove unnecessary dentry_unhash from rmdir, dir rename 2011-05-28 01:02:50 -04:00
ubifs UBIFS: not build debug messages with CONFIG_UBIFS_FS_DEBUG disabled 2011-08-19 18:58:58 +03:00
udf treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
ufs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
xfs treewide: use __printf not __attribute__((format(printf,...))) 2011-10-31 17:30:54 -07:00
aio.c Cross Memory Attach 2011-10-31 17:30:44 -07:00
anon_inodes.c vfs: dont chain pipe/anon/socket on superblock s_inodes list 2011-07-26 12:57:09 -04:00
attr.c Merge branch 'next-evm' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/ima-2.6 into next 2011-08-09 10:31:03 +10:00
bad_inode.c fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
binfmt_aout.c
binfmt_elf_fdpic.c consolidate BINPRM_FLAGS_ENFORCE_NONDUMP handling 2011-07-20 01:43:10 -04:00
binfmt_elf.c binfmt_elf: fix PIE execution with randomization disabled 2011-11-02 16:06:58 -07:00
binfmt_em86.c
binfmt_flat.c CRED: Fix load_flat_shared_library() to initialise bprm correctly 2011-05-03 10:10:51 +10:00
binfmt_misc.c consolidate BINPRM_FLAGS_ENFORCE_NONDUMP handling 2011-07-20 01:43:10 -04:00
binfmt_script.c
binfmt_som.c
bio-integrity.c block: Require subsystems to explicitly allocate bio_set integrity mempool 2011-03-17 11:11:05 +01:00
bio.c block: improve the bio_add_page() and bio_add_pc_page() descriptions 2011-05-28 14:44:46 +02:00
block_dev.c Avoid dereferencing a 'request_queue' after last close. 2011-09-10 17:20:21 +10:00
buffer.c fs/buffer.c: add device information for error output in __find_get_block_slow() 2011-10-31 17:30:49 -07:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c compat_ioctl: add compat handler for PPPIOCGL2TPSTATS 2011-08-07 22:24:41 -07:00
compat.c Cross Memory Attach 2011-10-31 17:30:44 -07:00
dcache.c vfs: renumber DCACHE_xyz flags, remove some stale ones 2011-08-06 22:52:40 -07:00
dcookies.c oprofile, dcookies: Fix possible circular locking dependency 2011-05-31 16:33:35 +02:00
direct-io.c direct-io: merge direct_io_walker into __blockdev_direct_IO 2011-10-28 14:58:58 +02:00
drop_caches.c vmscan: change shrinker API by passing shrink_control struct 2011-05-25 08:39:26 -07:00
eventfd.c
eventpoll.c epoll: fix spurious lockdep warnings 2011-10-31 17:30:57 -07:00
exec.c oom: remove oom_disable_count 2011-10-31 17:30:45 -07:00
fcntl.c userns: rename is_owner_or_cap to inode_owner_or_capable 2011-03-23 19:47:13 -07:00
fhandle.c fs/fhandle.c: add <linux/personality.h> for ia64 2011-04-14 16:06:56 -07:00
fifo.c Filesystem: fifo: Fixed coding style issue. 2011-03-21 00:16:09 -04:00
file_table.c atomic: use <linux/atomic.h> 2011-07-26 16:49:47 -07:00
file.c vfs: avoid large kmalloc()s for the fdtable 2011-04-28 11:28:20 -07:00
filesystems.c fs: synchronize_rcu when unregister_filesystem success not failure 2011-04-17 10:42:01 -07:00
fs_struct.c
fs-writeback.c don't busy retry the inode on failed grab_super_passive() 2011-07-31 22:52:08 +08:00
generic_acl.c switch posix_acl_equiv_mode() to umode_t * 2011-08-01 02:10:06 -04:00
inode.c vfs: fix spinning prevention in prune_icache_sb 2011-10-28 14:58:55 +02:00
internal.h superblock: move pin_sb_for_writeback() to fs/super.c 2011-07-20 01:44:38 -04:00
ioctl.c vfs: cleanup do_vfs_ioctl() 2011-03-21 00:16:08 -04:00
ioprio.c
Kconfig tmpfs: add "tmpfs" to the Kconfig prompt to make it obvious. 2011-10-31 17:30:45 -07:00
Kconfig.binfmt
libfs.c fix IN_DELETE_SELF on overwriting rename() on ramfs et.al. 2011-07-22 19:42:11 -04:00
locks.c Merge branch 'for-3.2' of git://linux-nfs.org/~bfields/linux 2011-10-25 15:42:01 +02:00
Makefile fs/Makefile: Stupid typo breakage of exofs inclusion 2011-10-27 08:36:51 +02:00
mbcache.c vmscan: change shrinker API by passing shrink_control struct 2011-05-25 08:39:26 -07:00
mpage.c mm/fs: add hooks to support cleancache 2011-05-26 10:01:43 -06:00
namei.c leases: fix write-open/read-lease race 2011-10-28 14:59:00 +02:00
namespace.c vfs: add "device" tag to /proc/self/mountstats 2011-10-28 13:55:08 +02:00
no-block.c
open.c leases: fix write-open/read-lease race 2011-10-28 14:59:00 +02:00
pipe.c fs/pipe.c: add ->statfs callback for pipefs 2011-10-31 17:30:51 -07:00
pnode.c
pnode.h
posix_acl.c vfs: pass all mask flags check_acl and posix_acl_permission 2011-10-28 14:58:54 +02:00
read_write.c Cross Memory Attach 2011-10-31 17:30:44 -07:00
read_write.h
readdir.c
select.c select: remove unused MAX_SELECT_SECONDS 2011-03-21 00:16:08 -04:00
seq_file.c
signalfd.c
splice.c tmpfs: clone shmem_file_splice_read() 2011-07-25 20:57:11 -07:00
stack.c mm: a few small updates for radix-swap 2011-08-03 14:25:24 -10:00
stat.c vfs: remove LOOKUP_NO_AUTOMOUNT flag 2011-09-27 08:12:33 -07:00
statfs.c
super.c vmscan: fix shrinker callback bug in fs/super.c 2011-10-31 17:30:49 -07:00
sync.c fs: push i_mutex and filemap_write_and_wait down into ->fsync() handlers 2011-07-20 20:47:59 -04:00
timerfd.c timerfd: Fix wakeup of processes when timer is cancelled on clock change 2011-06-14 11:46:14 +02:00
utimes.c userns: rename is_owner_or_cap to inode_owner_or_capable 2011-03-23 19:47:13 -07:00
xattr_acl.c
xattr.c evm: evm_inode_post_removexattr 2011-07-18 12:29:43 -04:00