hfsplus: CVE-2018-14617

hfsplus: fix NULL dereference in hfsplus_lookup() Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-14617 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=68e787c3c80059c776d1d7afb20f5eb9f20237a5 Change-Id: I2ab75ad510122bc96604f50c10b8daf9ba007f13 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-22 12:17:54 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-22 13:16:35 +0200
commit: 743fc9d0c856712ddec620d35e930d3d202f83d1 (patch)
tree: 9dddd897367e89ef30d1e5a27d9ec317f571fa8f
parent: 59cd0ba424d3cb9a4e5ccd0af96bfec5875ac574 (diff)
download: enea-kernel-cache-743fc9d0c856712ddec620d35e930d3d202f83d1.tar.gz
1 files changed, 64 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
new file mode 100644
index 0000000..a9ad131
--- /dev/null
+++ b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
@@ -0,0 +1,64 @@
+From 68e787c3c80059c776d1d7afb20f5eb9f20237a5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
+ <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:25 -0700
+Subject: [PATCH] hfsplus: fix NULL dereference in hfsplus_lookup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ]
+An HFS+ filesystem can be mounted read-only without having a metadata
+directory, which is needed to support hardlinks.  But if the catalog
+data is corrupted, a directory lookup may still find dentries claiming
+to be hardlinks.
+hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
+situation, but mistakenly does so after dereferencing it for the first
+time.  Reorder this check to prevent a crash.
+This happens when looking up corrupted catalog data (dentry) on a
+filesystem with no metadata directory (this could only ever happen on a
+read-only mount).  Wen Xu sent the replication steps in detail to the
+fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
+CVE: CVE-2018-14617
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=68e787c3c80059c776d1d7afb20f5eb9f20237a5]
+Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/hfsplus/dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index e8120a282435..1a44c4621e74 100644
+--- a/fs/hfsplus/dir.c
+++ b/fs/hfsplus/dir.c
+@@ -78,13 +78,13 @@ static struct dentry *hfsplus_lookup(struct inode *dir, struct dentry *dentry,
+                                cpu_to_be32(HFSP_HARDLINK_TYPE) &&
+                                entry.file.user_info.fdCreator ==
+                                cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
+                               HFSPLUS_SB(sb)->hidden_dir &&
+                                (entry.file.create_date ==
+                                        HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
+                                                create_date ||
+                                entry.file.create_date ==
+                                        HFSPLUS_I(d_inode(sb->s_root))->
+-                                               create_date) &&
+-                               HFSPLUS_SB(sb)->hidden_dir) {
+                                               create_date)) {
+                        struct qstr str;
+                        char name[32];
+ 
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-22 12:17:54 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-22 13:16:35 +0200
commit	743fc9d0c856712ddec620d35e930d3d202f83d1 (patch)
tree	9dddd897367e89ef30d1e5a27d9ec317f571fa8f
parent	59cd0ba424d3cb9a4e5ccd0af96bfec5875ac574 (diff)
download	enea-kernel-cache-743fc9d0c856712ddec620d35e930d3d202f83d1.tar.gz

diff --git a/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch new file mode 100644 index 0000000..a9ad131 --- /dev/null +++ b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
@@ -0,0 +1,64 @@
	1	From 68e787c3c80059c776d1d7afb20f5eb9f20237a5 Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
	3	<ernesto.mnd.fernandez@gmail.com>
	4	Date: Thu, 23 Aug 2018 17:00:25 -0700
	5	Subject: [PATCH] hfsplus: fix NULL dereference in hfsplus_lookup()
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	[ Upstream commit a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 ]
	11
	12	An HFS+ filesystem can be mounted read-only without having a metadata
	13	directory, which is needed to support hardlinks. But if the catalog
	14	data is corrupted, a directory lookup may still find dentries claiming
	15	to be hardlinks.
	16
	17	hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
	18	situation, but mistakenly does so after dereferencing it for the first
	19	time. Reorder this check to prevent a crash.
	20
	21	This happens when looking up corrupted catalog data (dentry) on a
	22	filesystem with no metadata directory (this could only ever happen on a
	23	read-only mount). Wen Xu sent the replication steps in detail to the
	24	fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
	25
	26	CVE: CVE-2018-14617
	27	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=68e787c3c80059c776d1d7afb20f5eb9f20237a5]
	28
	29	Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
	30	Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
	31	Reported-by: Wen Xu <wen.xu@gatech.edu>
	32	Cc: Viacheslav Dubeyko <slava@dubeyko.com>
	33	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	34	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	35	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	36	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	37	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	38	---
	39	fs/hfsplus/dir.c \| 4 ++--
	40	1 file changed, 2 insertions(+), 2 deletions(-)
	41
	42	diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
	43	index e8120a282435..1a44c4621e74 100644
	44	--- a/fs/hfsplus/dir.c
	45	+++ b/fs/hfsplus/dir.c
	46	@@ -78,13 +78,13 @@ static struct dentry hfsplus_lookup(struct inode dir, struct dentry *dentry,
	47	cpu_to_be32(HFSP_HARDLINK_TYPE) &&
	48	entry.file.user_info.fdCreator ==
	49	cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
	50	+ HFSPLUS_SB(sb)->hidden_dir &&
	51	(entry.file.create_date ==
	52	HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
	53	create_date \|\|
	54	entry.file.create_date ==
	55	HFSPLUS_I(d_inode(sb->s_root))->
	56	- create_date) &&
	57	- HFSPLUS_SB(sb)->hidden_dir) {
	58	+ create_date)) {
	59	struct qstr str;
	60	char name[32];
	61
	62	--
	63	2.20.1
	64