CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)
This commit is contained in:
Josh Boyer
parent
fe93140cb9
commit
910d932b3c
54
isofs-Fix-infinite-looping-over-CE-entries.patch
Normal file
54
isofs-Fix-infinite-looping-over-CE-entries.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Mon, 15 Dec 2014 14:22:46 +0100
|
||||
Subject: [PATCH] isofs: Fix infinite looping over CE entries
|
||||
|
||||
Rock Ridge extensions define so called Continuation Entries (CE) which
|
||||
define where is further space with Rock Ridge data. Corrupted isofs
|
||||
image can contain arbitrarily long chain of these, including a one
|
||||
containing loop and thus causing kernel to end in an infinite loop when
|
||||
traversing these entries.
|
||||
|
||||
Limit the traversal to 32 entries which should be more than enough space
|
||||
to store all the Rock Ridge data.
|
||||
|
||||
Reported-by: P J P <ppandit@redhat.com>
|
||||
CC: stable@vger.kernel.org
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
fs/isofs/rock.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
|
||||
index f488bbae541a..bb63254ed848 100644
|
||||
--- a/fs/isofs/rock.c
|
||||
+++ b/fs/isofs/rock.c
|
||||
@@ -30,6 +30,7 @@ struct rock_state {
|
||||
int cont_size;
|
||||
int cont_extent;
|
||||
int cont_offset;
|
||||
+ int cont_loops;
|
||||
struct inode *inode;
|
||||
};
|
||||
|
||||
@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
|
||||
rs->inode = inode;
|
||||
}
|
||||
|
||||
+/* Maximum number of Rock Ridge continuation entries */
|
||||
+#define RR_MAX_CE_ENTRIES 32
|
||||
+
|
||||
/*
|
||||
* Returns 0 if the caller should continue scanning, 1 if the scan must end
|
||||
* and -ve on error.
|
||||
@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
|
||||
goto out;
|
||||
}
|
||||
ret = -EIO;
|
||||
+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
|
||||
+ goto out;
|
||||
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
|
||||
if (bh) {
|
||||
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
|
||||
--
|
||||
2.1.0
|
||||
|
||||
@ -759,6 +759,9 @@ Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch
|
||||
Patch26098: move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
|
||||
Patch26099: deal-with-deadlock-in-d_walk.patch
|
||||
|
||||
#CVE-2014-XXXX rhbz 1175235 1175250
|
||||
Patch26102: isofs-Fix-infinite-looping-over-CE-entries.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
@ -1488,6 +1491,9 @@ ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch
|
||||
ApplyPatch move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
|
||||
ApplyPatch deal-with-deadlock-in-d_walk.patch
|
||||
|
||||
#CVE-2014-XXXX rhbz 1175235 1175250
|
||||
ApplyPatch isofs-Fix-infinite-looping-over-CE-entries.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
@ -2306,6 +2312,9 @@ fi
|
||||
# ||----w |
|
||||
# || ||
|
||||
%changelog
|
||||
* Wed Dec 17 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)
|
||||
|
||||
* Tue Dec 16 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.17.7-200
|
||||
- Linux v3.17.7
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user