From 3f29767ddff09c1a5b8b75ca3bf8e7cfb1291c75 Mon Sep 17 00:00:00 2001
From: Andreas Wellving
Date: Fri, 12 Oct 2018 08:13:02 +0200
Subject: hfsplus: CVE-2018-14617 hfsplus: fix NULL dereference in hfsplus_lookup()
References: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=1cedd72d0f688b9c169836649ac9ec07a3c601d6 https://bugzilla.kernel.org/show_bug.cgi?id=200297
Change-Id: I03bfdffcb6e4fe3f525a2dbfe2177f131ac95ff2
Signed-off-by: Andreas Wellving
---
 patches/cve/4.9.x.scc | 3 +-
 ...us-fix-NULL-dereference-in-hfsplus_lookup.patch | 60 ++++++++++++++++++++++
 2 files changed, 62 insertions(+), 1 deletion(-)
 create mode 100644 patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index d730f9d..26926f0 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -14,4 +14,5 @@ patch CVE-2018-9363-Bluetooth-hidp-buffer-overflow-in-hidp_process_repor.patch
 patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
 
 #CVEs fixed in 4.9.127:
-patch CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch
\ No newline at end of file
+patch CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch
+patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
diff --git a/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
new file mode 100644
index 0000000..7117557
--- /dev/null
+++ b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
@@ -0,0 +1,60 @@
+From a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
+
+Date: Thu, 23 Aug 2018 17:00:25 -0700
+Subject: [PATCH] hfsplus: fix NULL dereference in hfsplus_lookup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An HFS+ filesystem can be mounted read-only without having a metadata
+directory, which is needed to support hardlinks. But if the catalog
+data is corrupted, a directory lookup may still find dentries claiming
+to be hardlinks.
+
+hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
+situation, but mistakenly does so after dereferencing it for the first
+time. Reorder this check to prevent a crash.
+
+This happens when looking up corrupted catalog data (dentry) on a
+filesystem with no metadata directory (this could only ever happen on a
+read-only mount). Wen Xu sent the replication steps in detail to the
+fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
+
+CVE: CVE-2018-14617
+Upstream-Status: Backport
+
+Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
+Signed-off-by: Ernesto A. Fernández
+Reported-by: Wen Xu
+Cc: Viacheslav Dubeyko
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Andreas Wellving
+---
+ fs/hfsplus/dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index c5a70f8..f376626 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -77,13 +77,13 @@ static struct dentry *hfsplus_lookup(struct inode *dir, struct dentry *dentry,
+ cpu_to_be32(HFSP_HARDLINK_TYPE) &&
+ entry.file.user_info.fdCreator ==
+ cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
++ HFSPLUS_SB(sb)->hidden_dir &&
+ (entry.file.create_date ==
+ HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
+ create_date ||
+ entry.file.create_date ==
+ HFSPLUS_I(d_inode(sb->s_root))->
+- create_date) &&
+- HFSPLUS_SB(sb)->hidden_dir) {
++ create_date)) {
+ struct qstr str;
+ char name[32];
+
+--
+2.7.4
+
-- cgit v1.2.3-54-g00ecf
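Review bot: The added `HFSPLUS_SB(sb)->hidden_dir &&` term protects the `HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->create_date` read only because `&&` short-circuits and the term sits ahead of the parenthesised comparison, and nothing in the condition records that ordering requirement. A one-line comment above the term would keep a later reshuffle from reintroducing the NULL dereference, e.g. `/* hidden_dir can be NULL on a read-only mount without a metadata directory; test it before HFSPLUS_I() reads it */`. Since this file is a backport, that comment is better proposed upstream than carried as a local delta. Separately, `Upstream-Status: Backport` names no commit, and the `From a7ec7a4…` id in the patch is not the `id=1cedd72d…` given in the commit's References, so putting that reference URL in brackets after `Backport` would make the provenance checkable from the patch file alone. hfsplus_lookup() starts and ends outside the hunk.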