diff options
author | Josh Boyer <jwboyer@fedoraproject.org> | 2014-12-17 08:29:30 -0500 |
---|---|---|
committer | Josh Boyer <jwboyer@fedoraproject.org> | 2014-12-17 08:32:44 -0500 |
commit | 9c837c823f1ba6663c66e87def244af93adf5600 (patch) | |
tree | 1d22bf887252595e81d437305679c85c32d0f191 | |
parent | a581f99309c5c4480a9ebd804531f05523e7f68a (diff) | |
download | kernel-9c837c823f1ba6663c66e87def244af93adf5600.tar.gz kernel-9c837c823f1ba6663c66e87def244af93adf5600.tar.xz kernel-9c837c823f1ba6663c66e87def244af93adf5600.zip |
CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)
-rw-r--r-- | isofs-Fix-infinite-looping-over-CE-entries.patch | 54 | ||||
-rw-r--r-- | kernel.spec | 9 |
2 files changed, 63 insertions, 0 deletions
diff --git a/isofs-Fix-infinite-looping-over-CE-entries.patch b/isofs-Fix-infinite-looping-over-CE-entries.patch new file mode 100644 index 00000000..bff25ac2 --- /dev/null +++ b/isofs-Fix-infinite-looping-over-CE-entries.patch @@ -0,0 +1,54 @@ +From: Jan Kara <jack@suse.cz> +Date: Mon, 15 Dec 2014 14:22:46 +0100 +Subject: [PATCH] isofs: Fix infinite looping over CE entries + +Rock Ridge extensions define so called Continuation Entries (CE) which +define where is further space with Rock Ridge data. Corrupted isofs +image can contain arbitrarily long chain of these, including a one +containing loop and thus causing kernel to end in an infinite loop when +traversing these entries. + +Limit the traversal to 32 entries which should be more than enough space +to store all the Rock Ridge data. + +Reported-by: P J P <ppandit@redhat.com> +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara <jack@suse.cz> +--- + fs/isofs/rock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c +index f488bbae541a..bb63254ed848 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -30,6 +30,7 @@ struct rock_state { + int cont_size; + int cont_extent; + int cont_offset; ++ int cont_loops; + struct inode *inode; + }; + +@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) + rs->inode = inode; + } + ++/* Maximum number of Rock Ridge continuation entries */ ++#define RR_MAX_CE_ENTRIES 32 ++ + /* + * Returns 0 if the caller should continue scanning, 1 if the scan must end + * and -ve on error. +@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) + goto out; + } + ret = -EIO; ++ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) ++ goto out; + bh = sb_bread(rs->inode->i_sb, rs->cont_extent); + if (bh) { + memcpy(rs->buffer, bh->b_data + rs->cont_offset, +-- +2.1.0 + diff --git a/kernel.spec b/kernel.spec index fb42bd40..43d1768a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -645,6 +645,9 @@ Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch Patch26098: move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch Patch26099: deal-with-deadlock-in-d_walk.patch +#CVE-2014-XXXX rhbz 1175235 1175250 +Patch26102: isofs-Fix-infinite-looping-over-CE-entries.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1399,6 +1402,9 @@ ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch ApplyPatch move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch ApplyPatch deal-with-deadlock-in-d_walk.patch +#CVE-2014-XXXX rhbz 1175235 1175250 +ApplyPatch isofs-Fix-infinite-looping-over-CE-entries.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2273,6 +2279,9 @@ fi # ||----w | # || || %changelog +* Wed Dec 17 2014 Josh Boyer <jwboyer@fedoraproject.org> +- CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250) + * Tue Dec 16 2014 Josh Boyer <jwboyer@fedoraproject.org> - Linux v3.17.7 - CVE-2014-8559 deadlock due to incorrect usage of rename_lock (rhbz 1159313 1173814) |