CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)

This commit is contained in:
Josh Boyer 2014-12-17 08:29:30 -05:00
parent a6cbe7f978
commit a98a8d22b0
2 changed files with 61 additions and 0 deletions

View File

@ -0,0 +1,54 @@
From: Jan Kara <jack@suse.cz>
Date: Mon, 15 Dec 2014 14:22:46 +0100
Subject: [PATCH] isofs: Fix infinite looping over CE entries
Rock Ridge extensions define so called Continuation Entries (CE) which
define where is further space with Rock Ridge data. Corrupted isofs
image can contain arbitrarily long chain of these, including a one
containing loop and thus causing kernel to end in an infinite loop when
traversing these entries.
Limit the traversal to 32 entries which should be more than enough space
to store all the Rock Ridge data.
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/isofs/rock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index f488bbae541a..bb63254ed848 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
int cont_size;
int cont_extent;
int cont_offset;
+ int cont_loops;
struct inode *inode;
};
@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
rs->inode = inode;
}
+/* Maximum number of Rock Ridge continuation entries */
+#define RR_MAX_CE_ENTRIES 32
+
/*
* Returns 0 if the caller should continue scanning, 1 if the scan must end
* and -ve on error.
@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
goto out;
}
ret = -EIO;
+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
+ goto out;
bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
if (bh) {
memcpy(rs->buffer, bh->b_data + rs->cont_offset,
--
2.1.0

View File

@ -632,6 +632,9 @@ Patch26100: x86-tls-Validate-TLS-entries-to-protect-espfix.patch
#rhbz 1173806
Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch
#CVE-2014-XXXX rhbz 1175235 1175250
Patch26102: isofs-Fix-infinite-looping-over-CE-entries.patch
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@ -1372,6 +1375,9 @@ ApplyPatch x86-tls-Validate-TLS-entries-to-protect-espfix.patch
#rhbz 1173806
ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch
#CVE-2014-XXXX rhbz 1175235 1175250
ApplyPatch isofs-Fix-infinite-looping-over-CE-entries.patch
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@ -2242,6 +2248,7 @@ fi
%changelog
* Wed Dec 17 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.1-1
- Linux v3.18.1
- CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)
* Tue Dec 16 2014 Josh Boyer <jwboyer@fedoraproject.org> - 3.18.0-2
- Add patch from Josh Stone to restore var-tracking via Kconfig (rhbz 1126580)