From patchwork Fri Aug 31 14:05:38 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Colin King X-Patchwork-Id: 10583823 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A53661709 for ; Fri, 31 Aug 2018 14:05:48 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8D4132BF3B for ; Fri, 31 Aug 2018 14:05:48 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7EC492BEB3; Fri, 31 Aug 2018 14:05:48 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0FA392BEB3 for ; Fri, 31 Aug 2018 14:05:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727856AbeHaSNT (ORCPT ); Fri, 31 Aug 2018 14:13:19 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:59819 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727404AbeHaSNT (ORCPT ); Fri, 31 Aug 2018 14:13:19 -0400 Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1fvk3P-0003X9-7Q; Fri, 31 Aug 2018 14:05:39 +0000 From: Colin King To: linux-fsdevel@vger.kernel.org, dhowells@redhat.com, viro@zeniv.linux.org.uk Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] hfs: fix array out of bounds read of array extent Date: Fri, 31 Aug 2018 15:05:38 +0100 Message-Id: <20180831140538.31566-1-colin.king@canonical.com> X-Mailer: git-send-email 2.17.1 MIME-Version: 1.0 Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Colin Ian King Currently extent and index i are both being incremented causing an array out of bounds read on extent[i]. Fix this by removing the extraneous increment of extent. Detected by CoverityScan, CID#711541 ("Out of bounds read") Fixes: d1081202f1d0 ("HFS rewrite") Signed-off-by: Colin Ian King Reviewed-by: Ernesto A. Fernández --- fs/hfs/extent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c index 5d0182654580..636cdfcecb26 100644 --- a/fs/hfs/extent.c +++ b/fs/hfs/extent.c @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type) return 0; blocks = 0; - for (i = 0; i < 3; extent++, i++) + for (i = 0; i < 3; i++) blocks += be16_to_cpu(extent[i].count); res = hfs_free_extents(sb, extent, blocks, blocks);