CVE-2014-XXXX udf: avoid infinite loop on indirect ICBs (rhbz 1141809 1141810)
This commit is contained in:
parent
80242f8df8
commit
ad8337e450
|
@ -643,6 +643,9 @@ Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch
|
|||
#CVE-2014-3186 rhbz 1141407 1141410
|
||||
Patch26025: HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
|
||||
|
||||
#CVE-2014-XXXX rhbz 1141809 1141810
|
||||
Patch26026: udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
|
||||
|
||||
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
|
||||
Patch30000: kernel-arm64.patch
|
||||
|
||||
|
@ -1379,6 +1382,9 @@ ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch
|
|||
#CVE-2014-3186 rhbz 1141407 1141410
|
||||
ApplyPatch HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
|
||||
|
||||
#CVE-2014-XXXX rhbz 1141809 1141810
|
||||
ApplyPatch udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
|
||||
|
||||
%if 0%{?aarch64patches}
|
||||
ApplyPatch kernel-arm64.patch
|
||||
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
|
||||
|
@ -2256,6 +2262,7 @@ fi
|
|||
# || ||
|
||||
%changelog
|
||||
* Mon Sep 15 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
- CVE-2014-XXXX udf: avoid infinite loop on indirect ICBs (rhbz 1141809 1141810)
|
||||
- CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
|
||||
|
||||
* Fri Sep 12 2014 Josh Boyer <jwboyer@fedoraproject.org>
|
||||
|
|
|
@ -0,0 +1,92 @@
|
|||
From a45318b5ff8c505afcbf04a1c5fa7dbe426d9588 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Thu, 4 Sep 2014 14:06:55 +0200
|
||||
Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
|
||||
|
||||
We did not implement any bound on number of indirect ICBs we follow when
|
||||
loading inode. Thus corrupted medium could cause kernel to go into an
|
||||
infinite loop, possibly causing a stack overflow.
|
||||
|
||||
Fix the possible stack overflow by removing recursion from
|
||||
__udf_read_inode() and limit number of indirect ICBs we follow to avoid
|
||||
infinite loops.
|
||||
|
||||
Bugzilla: 1141810
|
||||
Upstream-status: 3.17
|
||||
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
fs/udf/inode.c | 35 +++++++++++++++++++++--------------
|
||||
1 file changed, 21 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
|
||||
index 236cd48184c2..a932f7740b51 100644
|
||||
--- a/fs/udf/inode.c
|
||||
+++ b/fs/udf/inode.c
|
||||
@@ -1271,13 +1271,22 @@ update_time:
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
|
||||
+ * arbitrary - just that we hopefully don't limit any real use of rewritten
|
||||
+ * inode on write-once media but avoid looping for too long on corrupted media.
|
||||
+ */
|
||||
+#define UDF_MAX_ICB_NESTING 1024
|
||||
+
|
||||
static void __udf_read_inode(struct inode *inode)
|
||||
{
|
||||
struct buffer_head *bh = NULL;
|
||||
struct fileEntry *fe;
|
||||
uint16_t ident;
|
||||
struct udf_inode_info *iinfo = UDF_I(inode);
|
||||
+ unsigned int indirections = 0;
|
||||
|
||||
+reread:
|
||||
/*
|
||||
* Set defaults, but the inode is still incomplete!
|
||||
* Note: get_new_inode() sets the following on a new inode:
|
||||
@@ -1314,28 +1323,26 @@ static void __udf_read_inode(struct inode *inode)
|
||||
ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
|
||||
&ident);
|
||||
if (ident == TAG_IDENT_IE && ibh) {
|
||||
- struct buffer_head *nbh = NULL;
|
||||
struct kernel_lb_addr loc;
|
||||
struct indirectEntry *ie;
|
||||
|
||||
ie = (struct indirectEntry *)ibh->b_data;
|
||||
loc = lelb_to_cpu(ie->indirectICB.extLocation);
|
||||
|
||||
- if (ie->indirectICB.extLength &&
|
||||
- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
|
||||
- &ident))) {
|
||||
- if (ident == TAG_IDENT_FE ||
|
||||
- ident == TAG_IDENT_EFE) {
|
||||
- memcpy(&iinfo->i_location,
|
||||
- &loc,
|
||||
- sizeof(struct kernel_lb_addr));
|
||||
- brelse(bh);
|
||||
- brelse(ibh);
|
||||
- brelse(nbh);
|
||||
- __udf_read_inode(inode);
|
||||
+ if (ie->indirectICB.extLength) {
|
||||
+ brelse(bh);
|
||||
+ brelse(ibh);
|
||||
+ memcpy(&iinfo->i_location, &loc,
|
||||
+ sizeof(struct kernel_lb_addr));
|
||||
+ if (++indirections > UDF_MAX_ICB_NESTING) {
|
||||
+ udf_err(inode->i_sb,
|
||||
+ "too many ICBs in ICB hierarchy"
|
||||
+ " (max %d supported)\n",
|
||||
+ UDF_MAX_ICB_NESTING);
|
||||
+ make_bad_inode(inode);
|
||||
return;
|
||||
}
|
||||
- brelse(nbh);
|
||||
+ goto reread;
|
||||
}
|
||||
}
|
||||
brelse(ibh);
|
||||
--
|
||||
2.1.0
|
||||
|
Loading…
Reference in New Issue