hfsplus: Add additional range check to handle on-disk corruptions

'recoff' is read from disk and used for an argument to memcpy, so if the value read from disk is larger than the page size, it result to "general protection fault". This patch add additional range check for the value, so that disk fuzz won't cause such fault. Signed-off-by: N Naohiro Aota <naota@elisp.net> Signed-off-by: N Christoph Hellwig <hch@lst.de>

hfsplus: Add additional range check to handle on-disk corruptions
'recoff' is read from disk and used for an argument to memcpy, so if the value read from disk is larger than the page size, it result to "general protection fault". This patch add additional range check for the value, so that disk fuzz won't cause such fault. Signed-off-by: N Naohiro Aota <naota@elisp.net> Signed-off-by: N Christoph Hellwig <hch@lst.de>
aac4e419 · Naohiro Aota · Christoph Hellwig · dd7f3d54 · aac4e419
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

fs/hfsplus/brec.c fs/hfsplus/brec.c +4 -0

未找到文件。
--- a/fs/hfsplus/brec.c
+++ b/fs/hfsplus/brec.c
@@ -43,6 +43,10 @@ u16 hfs_brec_keylen(struct hfs_bnode *node, u16 rec)
 			node->tree->node_size - (rec + 1) * 2);
 		if (!recoff)
 			return 0;
+		if (recoff > node->tree->node_size - 2) {
+			printk(KERN_ERR "hfs: recoff %d too large\n", recoff);
+			return 0;
+		}
 		retval = hfs_bnode_read_u16(node, recoff) + 2;
 		if (retval > node->tree->max_key_len + 2) {