From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Colin Ian King <colin.king@canonical.com>,
	"Ernesto A . Fernández" <ernesto.mnd.fernandez@gmail.com>,
	David Howells <dhowells@redhat.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Hin-Tak Leung <htl10@users.sourceforge.net>,
	Vyacheslav Dubeyko <slava@dubeyko.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Sasha Levin <sashal@kernel.org>,
	linux-fsdevel@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 67/99] fs/hfs/extent.c: fix array out of bounds read of array extent
Date: Sat, 16 Nov 2019 10:50:30 -0500
Message-ID: <20191116155103.10971-67-sashal@kernel.org>
In-Reply-To: <20191116155103.10971-1-sashal@kernel.org>

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 6c9a3f843a29d6894dfc40df338b91dbd78f0ae3 ]

Currently extent and index i are both being incremented causing an array
out of bounds read on extent[i].  Fix this by removing the extraneous
increment of extent.

Ernesto said:

: This is only triggered when deleting a file with a resource fork.  I
: may be wrong because the documentation isn't clear, but I don't think
: you can create those under linux.  So I guess nobody was testing them.
:
: > A disk space leak, perhaps?
:
: That's what it looks like in general.  hfs_free_extents() won't do
: anything if the block count doesn't add up, and the error will be
: ignored.  Now, if the block count randomly does add up, we could see
: some corruption.

Detected by CoverityScan, CID#711541 ("Out of bounds read")

Link: http://lkml.kernel.org/r/20180831140538.31566-1-colin.king@canonical.com
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
Cc: Vyacheslav Dubeyko <slava@dubeyko.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfs/extent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
index 16819d2a978b4..cbe4fca96378a 100644
--- a/fs/hfs/extent.c
+++ b/fs/hfs/extent.c
@@ -304,7 +304,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
 		return 0;
 
 	blocks = 0;
-	for (i = 0; i < 3; extent++, i++)
+	for (i = 0; i < 3; i++)
 		blocks += be16_to_cpu(extent[i].count);
 
 	res = hfs_free_extents(sb, extent, blocks, blocks);
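
Review bot: the changelog covers the out-of-bounds read in the loop but not the second effect of the stray extent++, which shows on the hfs_free_extents(sb, extent, blocks, blocks) line right after the loop. With the old code, extent had been advanced by three entries by the time of that call, so the callee received a pointer past the entries that were meant to be summed; dropping the increment corrects both the sum and the pointer passed on. It is worth saying so in the commit message, since it matches the behaviour Ernesto describes (the block count does not add up and the error is ignored). The bare 3 in the loop condition would also read better as a named constant for the number of extents in a record, so the bound is tied to the array it indexes.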
-- 
2.20.1

