From a98a8d22b001a9aa08d4b9484a7e8feedd833da7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 17 Dec 2014 08:29:30 -0500 Subject: [PATCH] CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250) --- ...Fix-infinite-looping-over-CE-entries.patch | 54 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 61 insertions(+) create mode 100644 isofs-Fix-infinite-looping-over-CE-entries.patch diff --git a/isofs-Fix-infinite-looping-over-CE-entries.patch b/isofs-Fix-infinite-looping-over-CE-entries.patch new file mode 100644 index 000000000..bff25ac27 --- /dev/null +++ b/isofs-Fix-infinite-looping-over-CE-entries.patch @@ -0,0 +1,54 @@ +From: Jan Kara +Date: Mon, 15 Dec 2014 14:22:46 +0100 +Subject: [PATCH] isofs: Fix infinite looping over CE entries + +Rock Ridge extensions define so called Continuation Entries (CE) which +define where is further space with Rock Ridge data. Corrupted isofs +image can contain arbitrarily long chain of these, including a one +containing loop and thus causing kernel to end in an infinite loop when +traversing these entries. + +Limit the traversal to 32 entries which should be more than enough space +to store all the Rock Ridge data. + +Reported-by: P J P +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +--- + fs/isofs/rock.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c +index f488bbae541a..bb63254ed848 100644 +--- a/fs/isofs/rock.c ++++ b/fs/isofs/rock.c +@@ -30,6 +30,7 @@ struct rock_state { + int cont_size; + int cont_extent; + int cont_offset; ++ int cont_loops; + struct inode *inode; + }; + +@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) + rs->inode = inode; + } + ++/* Maximum number of Rock Ridge continuation entries */ ++#define RR_MAX_CE_ENTRIES 32 ++ + /* + * Returns 0 if the caller should continue scanning, 1 if the scan must end + * and -ve on error. +@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) + goto out; + } + ret = -EIO; ++ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) ++ goto out; + bh = sb_bread(rs->inode->i_sb, rs->cont_extent); + if (bh) { + memcpy(rs->buffer, bh->b_data + rs->cont_offset, +-- +2.1.0 + diff --git a/kernel.spec b/kernel.spec index dd9e4b66c..da1fc2961 100644 --- a/kernel.spec +++ b/kernel.spec @@ -632,6 +632,9 @@ Patch26100: x86-tls-Validate-TLS-entries-to-protect-espfix.patch #rhbz 1173806 Patch26101: powerpc-powernv-force-all-CPUs-to-be-bootable.patch +#CVE-2014-XXXX rhbz 1175235 1175250 +Patch26102: isofs-Fix-infinite-looping-over-CE-entries.patch + # git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel Patch30000: kernel-arm64.patch @@ -1372,6 +1375,9 @@ ApplyPatch x86-tls-Validate-TLS-entries-to-protect-espfix.patch #rhbz 1173806 ApplyPatch powerpc-powernv-force-all-CPUs-to-be-bootable.patch +#CVE-2014-XXXX rhbz 1175235 1175250 +ApplyPatch isofs-Fix-infinite-looping-over-CE-entries.patch + %if 0%{?aarch64patches} ApplyPatch kernel-arm64.patch %ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does. @@ -2242,6 +2248,7 @@ fi %changelog * Wed Dec 17 2014 Josh Boyer - 3.18.1-1 - Linux v3.18.1 +- CVE-2014-XXXX isofs: infinite loop in CE record entries (rhbz 1175235 1175250) * Tue Dec 16 2014 Josh Boyer - 3.18.0-2 - Add patch from Josh Stone to restore var-tracking via Kconfig (rhbz 1126580)