From: Colin King
To: linux-fsdevel@vger.kernel.org, dhowells@redhat.com, viro@zeniv.linux.org.uk
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] hfs: fix array out of bounds read of array extent
Date: Fri, 31 Aug 2018 15:05:38 +0100
Message-Id: <20180831140538.31566-1-colin.king@canonical.com>

From: Colin Ian King

Currently extent and index i are both being incremented causing an array out of bounds read on extent[i]. Fix this by removing the extraneous increment of extent.

Detected by CoverityScan, CID#711541 ("Out of bounds read")

Fixes: d1081202f1d0 ("HFS rewrite")
Signed-off-by: Colin Ian King
--- fs/hfs/extent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c index 5d0182654580..636cdfcecb26 100644 --- a/fs/hfs/extent.c +++ b/fs/hfs/extent.c @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type) return 0; blocks = 0; - for (i = 0; i < 3; extent++, i++) + for (i = 0; i < 3; i++) blocks += be16_to_cpu(extent[i].count); res = hfs_free_extents(sb, extent, blocks, blocks); -- 2.17.1
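
Review bot: the changelog only mentions the read of extent[i] inside the loop, but dropping extent++ also changes the trailing context line hfs_free_extents(sb, extent, blocks, blocks). Before this change that call received extent advanced by three elements; with it, the call receives the original pointer. Please say in the commit message that this second effect is intended, since it alters which extents are handed to hfs_free_extents and not just which counts are summed. As a smaller style point, the loop bound is a bare 3; if the file has a named constant or an array-size expression for the extent record, using it in `for (i = 0; i < 3; i++)` would keep the bound tied to the array being indexed.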