hfsplus: CVE-2018-14617

hfsplus: fix NULL dereference in hfsplus_lookup()

References:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=1cedd72d0f688b9c169836649ac9ec07a3c601d6
https://bugzilla.kernel.org/show_bug.cgi?id=200297

Change-Id: Ifc245db8a6f5a5d41674ea3861dbbe096d61ed24
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>

2 files changed, 61 insertions, 0 deletions

diff --git a/patches/cve/4.9.x.scc b/patches/cve/4.9.x.scc
index 9c3d920..fe717bb 100644
--- a/patches/cve/4.9.x.scc
+++ b/patches/cve/4.9.x.scc
@@ -52,3 +52,4 @@ patch CVE-2018-10938-Cipso-cipso_v4_optptr-enter-infinite-loop.patch
 
 #CVEs fixed in 4.9.127:
 patch CVE-2018-14609-btrfs-relocation-Only-remove-reloc-rb_trees-if-reloc.patch
+patch CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
diff --git a/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
new file mode 100644
index 0000000..496b201
--- /dev/null
+++ b/patches/cve/CVE-2018-14617-hfsplus-fix-NULL-dereference-in-hfsplus_lookup.patch
@@ -0,0 +1,60 @@
+From a7ec7a4193a2eb3b5341243fc0b621c1ac9e4ec4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?=
+ <ernesto.mnd.fernandez@gmail.com>
+Date: Thu, 23 Aug 2018 17:00:25 -0700
+Subject: [PATCH] hfsplus: fix NULL dereference in hfsplus_lookup()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+An HFS+ filesystem can be mounted read-only without having a metadata
+directory, which is needed to support hardlinks.  But if the catalog
+data is corrupted, a directory lookup may still find dentries claiming
+to be hardlinks.
+
+hfsplus_lookup() does check that ->hidden_dir is not NULL in such a
+situation, but mistakenly does so after dereferencing it for the first
+time.  Reorder this check to prevent a crash.
+
+This happens when looking up corrupted catalog data (dentry) on a
+filesystem with no metadata directory (this could only ever happen on a
+read-only mount).  Wen Xu sent the replication steps in detail to the
+fsdevel list: https://bugzilla.kernel.org/show_bug.cgi?id=200297
+
+CVE: CVE-2018-14617   
+Upstream-Status: Backport  
+
+Link: http://lkml.kernel.org/r/20180712215344.q44dyrhymm4ajkao@eaf
+Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
+Reported-by: Wen Xu <wen.xu@gatech.edu>
+Cc: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ fs/hfsplus/dir.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/hfsplus/dir.c b/fs/hfsplus/dir.c
+index c5a70f8..f376626 100644
+--- a/fs/hfsplus/dir.c
++++ b/fs/hfsplus/dir.c
+@@ -77,13 +77,13 @@ static struct dentry *hfsplus_lookup(struct inode *dir, struct dentry *dentry,
+                                cpu_to_be32(HFSP_HARDLINK_TYPE) &&
+                                entry.file.user_info.fdCreator ==
+                                cpu_to_be32(HFSP_HFSPLUS_CREATOR) &&
++                               HFSPLUS_SB(sb)->hidden_dir &&
+                                (entry.file.create_date ==
+                                        HFSPLUS_I(HFSPLUS_SB(sb)->hidden_dir)->
+                                                create_date ||
+                                entry.file.create_date ==
+                                        HFSPLUS_I(d_inode(sb->s_root))->
+-                                               create_date) &&
+-                               HFSPLUS_SB(sb)->hidden_dir) {
++                                               create_date)) {
+                        struct qstr str;
+                        char name[32];
+ 
+-- 
+
+