Linux v3.14.21
This commit is contained in:
parent
1d97dbe44d
commit
deaf6ef52a
11
kernel.spec
11
kernel.spec
|
@ -74,7 +74,7 @@ Summary: The Linux kernel
|
|||
%if 0%{?released_kernel}
|
||||
|
||||
# Do we have a -stable update to apply?
|
||||
%define stable_update 20
|
||||
%define stable_update 21
|
||||
# Is it a -stable RC?
|
||||
%define stable_rc 0
|
||||
# Set rpm version accordingly
|
||||
|
@ -753,9 +753,6 @@ Patch25109: revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pa
|
|||
Patch25110: 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
|
||||
Patch25111: 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
||||
|
||||
#CVE-2014-6410 rhbz 1141809 1141810
|
||||
Patch26026: udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
|
||||
|
||||
# END OF PATCH DEFINITIONS
|
||||
|
||||
%endif
|
||||
|
@ -1451,9 +1448,6 @@ ApplyPatch revert-input-wacom-testing-result-shows-get_report-is-unnecessary.pat
|
|||
ApplyPatch 0001-ideapad-laptop-Blacklist-rfkill-control-on-the-Lenov.patch
|
||||
ApplyPatch 0002-ideapad-laptop-Change-Lenovo-Yoga-2-series-rfkill-ha.patch
|
||||
|
||||
#CVE-2014-6410 rhbz 1141809 1141810
|
||||
ApplyPatch udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2266,6 +2260,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Thu Oct 09 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.21-100
|
||||
- Linux v3.14.21
|
||||
|
||||
* Mon Oct 06 2014 Justin M. Forbes <jforbes@fedoraproject.org> - 3.14.20-100
|
||||
- Linux v3.14.20
|
||||
|
||||
|
|
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
b621207b3f6ecbb67db18b13258f8ea8 linux-3.14.tar.xz
|
||||
e581089540b747c39d528fc4c47b70b6 patch-3.14.20.xz
|
||||
25debf3b5652cdd94df176cd4e36a9ed patch-3.14.21.xz
|
||||
|
|
|
@ -1,92 +0,0 @@
|
|||
From a45318b5ff8c505afcbf04a1c5fa7dbe426d9588 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Kara <jack@suse.cz>
|
||||
Date: Thu, 4 Sep 2014 14:06:55 +0200
|
||||
Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
|
||||
|
||||
We did not implement any bound on number of indirect ICBs we follow when
|
||||
loading inode. Thus corrupted medium could cause kernel to go into an
|
||||
infinite loop, possibly causing a stack overflow.
|
||||
|
||||
Fix the possible stack overflow by removing recursion from
|
||||
__udf_read_inode() and limit number of indirect ICBs we follow to avoid
|
||||
infinite loops.
|
||||
|
||||
Bugzilla: 1141810
|
||||
Upstream-status: 3.17
|
||||
|
||||
Signed-off-by: Jan Kara <jack@suse.cz>
|
||||
---
|
||||
fs/udf/inode.c | 35 +++++++++++++++++++++--------------
|
||||
1 file changed, 21 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
|
||||
index 236cd48184c2..a932f7740b51 100644
|
||||
--- a/fs/udf/inode.c
|
||||
+++ b/fs/udf/inode.c
|
||||
@@ -1271,13 +1271,22 @@ update_time:
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
|
||||
+ * arbitrary - just that we hopefully don't limit any real use of rewritten
|
||||
+ * inode on write-once media but avoid looping for too long on corrupted media.
|
||||
+ */
|
||||
+#define UDF_MAX_ICB_NESTING 1024
|
||||
+
|
||||
static void __udf_read_inode(struct inode *inode)
|
||||
{
|
||||
struct buffer_head *bh = NULL;
|
||||
struct fileEntry *fe;
|
||||
uint16_t ident;
|
||||
struct udf_inode_info *iinfo = UDF_I(inode);
|
||||
+ unsigned int indirections = 0;
|
||||
|
||||
+reread:
|
||||
/*
|
||||
* Set defaults, but the inode is still incomplete!
|
||||
* Note: get_new_inode() sets the following on a new inode:
|
||||
@@ -1314,28 +1323,26 @@ static void __udf_read_inode(struct inode *inode)
|
||||
ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
|
||||
&ident);
|
||||
if (ident == TAG_IDENT_IE && ibh) {
|
||||
- struct buffer_head *nbh = NULL;
|
||||
struct kernel_lb_addr loc;
|
||||
struct indirectEntry *ie;
|
||||
|
||||
ie = (struct indirectEntry *)ibh->b_data;
|
||||
loc = lelb_to_cpu(ie->indirectICB.extLocation);
|
||||
|
||||
- if (ie->indirectICB.extLength &&
|
||||
- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
|
||||
- &ident))) {
|
||||
- if (ident == TAG_IDENT_FE ||
|
||||
- ident == TAG_IDENT_EFE) {
|
||||
- memcpy(&iinfo->i_location,
|
||||
- &loc,
|
||||
- sizeof(struct kernel_lb_addr));
|
||||
- brelse(bh);
|
||||
- brelse(ibh);
|
||||
- brelse(nbh);
|
||||
- __udf_read_inode(inode);
|
||||
+ if (ie->indirectICB.extLength) {
|
||||
+ brelse(bh);
|
||||
+ brelse(ibh);
|
||||
+ memcpy(&iinfo->i_location, &loc,
|
||||
+ sizeof(struct kernel_lb_addr));
|
||||
+ if (++indirections > UDF_MAX_ICB_NESTING) {
|
||||
+ udf_err(inode->i_sb,
|
||||
+ "too many ICBs in ICB hierarchy"
|
||||
+ " (max %d supported)\n",
|
||||
+ UDF_MAX_ICB_NESTING);
|
||||
+ make_bad_inode(inode);
|
||||
return;
|
||||
}
|
||||
- brelse(nbh);
|
||||
+ goto reread;
|
||||
}
|
||||
}
|
||||
brelse(ibh);
|
||||
--
|
||||
2.1.0
|
||||
|
Loading…
Reference in New Issue