CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
parent
35e58915f0
commit
2b03673893
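--- /dev/null
+++ b/get_rock_ridge_filename-handle-malformed-NM-entries.patch
@@ -0,0 +1,63 @@
+From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: [PATCH] get_rock_ridge_filename(): handle malformed NM entries
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length. 8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+fs/isofs/rock.c | 13 ++++++++++---
+1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+int retnamlen = 0;
+int truncate = 0;
+int ret = 0;
++ char *p;
++ int len;
+
+if (!ISOFS_SB(inode->i_sb)->s_rock)
+return 0;
+@@ -267,12 +269,17 @@ repeat:
+rr->u.NM.flags);
+break;
+}
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+truncate = 1;
+break;
+}
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+break;
+case SIG('R', 'E'):
+kfree(rs.buffer);
+--
+2.5.5
+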
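Review bot: `len = rr->len - 5` followed by `if (retnamlen + len >= 254)` admits a negative `len` whenever `rr->len` is below 5, and that value then reaches `memchr()` and `memcpy()` converted to a size_t, so nothing inside this hunk bounds the read of `rr->u.NM.name`. The enclosing switch may already reject such short NM entries before this case; that code is outside the hunk, so I cannot confirm it from here, but a guard that is correct on its own costs nothing: `if (len < 0 || retnamlen + len >= 254) {`, which routes a short entry through the existing truncate-and-break path instead of the copy. The NUL store at `retname[retnamlen]` stays within the 254-byte budget the guard enforces, so that part is fine. get_rock_ridge_filename() begins and ends outside the hunk.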
@ -669,6 +669,9 @@ Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
#CVE-2016-3713 rhbz 1332139 1336410
Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
#CVE-2016-4913 rhbz 1337528 1337529
Patch719: get_rock_ridge_filename-handle-malformed-NM-entries.patch
# END OF PATCH DEFINITIONS
%endif
@ -2190,6 +2193,9 @@ fi
#
#
%changelog
* Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org>
- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
* Mon May 16 2016 Justin M. Forbes <jforbes@fedoraproject.org>
- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)