summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJosh Boyer <jwboyer@fedoraproject.org>2014-12-17 08:29:30 -0500
committerJosh Boyer <jwboyer@fedoraproject.org>2014-12-17 08:32:44 -0500
commit9c837c823f1ba6663c66e87def244af93adf5600 (patch)
tree1d22bf887252595e81d437305679c85c32d0f191
parenta581f99309c5c4480a9ebd804531f05523e7f68a (diff)
downloadkernel-9c837c823f1ba6663c66e87def244af93adf5600.tar.gz
kernel-9c837c823f1ba6663c66e87def244af93adf5600.tar.xz
kernel-9c837c823f1ba6663c66e87def244af93adf5600.zip
CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)
Diffstat
-rw-r--r--isofs-Fix-infinite-looping-over-CE-entries.patch54
-rw-r--r--kernel.spec9
2 files changed, 63 insertions, 0 deletions
diff --git a/isofs-Fix-infinite-looping-over-CE-entries.patch b/isofs-Fix-infinite-looping-over-CE-entries.patch
new file mode 100644
index 00000000..bff25ac2
--- /dev/null
+++ b/isofs-Fix-infinite-looping-over-CE-entries.patch
@@ -0,0 +1,54 @@
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: [PATCH] isofs: Fix infinite looping over CE entries
+
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+
+Reported-by: P J P <ppandit@redhat.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jan Kara <jack@suse.cz>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bbae541a..bb63254ed848 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+ int cont_size;
+ int cont_extent;
+ int cont_offset;
++ int cont_loops;
+ struct inode *inode;
+ };
+
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+ rs->inode = inode;
+ }
+
++/* Maximum number of Rock Ridge continuation entries */
++#define RR_MAX_CE_ENTRIES 32
++
+ /*
+ * Returns 0 if the caller should continue scanning, 1 if the scan must end
+ * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+ goto out;
+ }
+ ret = -EIO;
++ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
++ goto out;
+ bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+ if (bh) {
+ memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+--
+2.1.0
+
diff --git a/kernel.spec b/kernel.spec
index fb42bd40..43d1768a 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -645,6 +645,9 @@ Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch
Patch26098: move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
Patch26099: deal-with-deadlock-in-d_walk.patch
+#CVE-2014-XXXX rhbz 1175235 1175250
+Patch26102: isofs-Fix-infinite-looping-over-CE-entries.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1399,6 +1402,9 @@ ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch
ApplyPatch move-d_rcu-from-overlapping-d_child-to-overlapping-d.patch
ApplyPatch deal-with-deadlock-in-d_walk.patch
+#CVE-2014-XXXX rhbz 1175235 1175250
+ApplyPatch isofs-Fix-infinite-looping-over-CE-entries.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2273,6 +2279,9 @@ fi
# ||----w |
# || ||
%changelog
+* Wed Dec 17 2014 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250)
+
* Tue Dec 16 2014 Josh Boyer <jwboyer@fedoraproject.org>
- Linux v3.17.7
- CVE-2014-8559 deadlock due to incorrect usage of rename_lock (rhbz 1159313 1173814)
generated by cgit (git 2.34.1) at 2024-05-20 21:23:40 +0000