2.4.36-stable kernel tree
Revision | 38d832aa48ab51df8192511ffdcaea031a2cc0d1 (tree) |
---|---|
Time | 2008-02-04 00:37:46 |
Author | dann frazier <dannf@debi...> |
Committer | Willy Tarreau |
ext2: skip pages past number of blocks in ext2_find_entry
This is a 2.4 backport of a linux-2.6 change by Eric Sandeen
(commit d8adb9cef7e406a9a82881695097c702bc98422f)
CVE-2006-6054 was assigned for this issue, which is easily reproducible in 2.4.
However, this changeset alone does not resolve the issue for 2.4 - two earlier
backports for ext2_readdir() are required.
Commit log from 2.6 follows.
Signed-off-by: dann frazier <dannf@hp.com>
@@ -343,7 +343,16 @@ struct ext2_dir_entry_2 * ext2_find_entry (struct inode * dir, | ||
343 | 343 | } |
344 | 344 | if (++n >= npages) |
345 | 345 | n = 0; |
346 | + /* next page is past the blocks we've got */ | |
347 | + if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9)))) { | |
348 | + ext2_error(dir->i_sb, __FUNCTION__, | |
349 | + "dir %lu size %lld exceeds block count %llu", | |
350 | + dir->i_ino, dir->i_size, | |
351 | + (unsigned long long)dir->i_blocks); | |
352 | + goto out; | |
353 | + } | |
346 | 354 | } while (n != start); |
355 | +out: | |
347 | 356 | return NULL; |
348 | 357 | |
349 | 358 | found: |
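Review bot: The bound in the added `if (unlikely(n > (dir->i_blocks >> (PAGE_CACHE_SHIFT - 9))))` uses `>`, so a page index equal to the page count derived from i_blocks still passes the check and is read on the next loop iteration. Page indices start at 0, so please confirm whether `>=` is intended, or extend the comment to say that the one-page slack is deliberate. Separately, the `goto out` path ends in `return NULL`, the same result as an ordinary miss, so a caller cannot distinguish a directory whose i_size exceeds its block count from a name that is simply absent; the ext2_error() call is the only signal, and the comment above the check should say so. Since the commit message states that this change alone does not resolve the issue on 2.4, naming the two required ext2_readdir() backports in that comment or in the log would help anyone cherry-picking this patch.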