author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-01-07 13:15:34 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-01-08 00:45:04 +0100 |
commit | 0b64cd33374cca4353872ccc0b17531176c0d696 (patch) | |
tree | 77db18bd2b517c965825fff1253f5334a51506d7 | |
parent | d92c06ddc2bb66673c4fa94d19467ae97746f5f7 (diff) | |
download | meta-enea-0b64cd33374cca4353872ccc0b17531176c0d696.tar.gz |
fs-udf: CVE-2015-4167
Fixes an inode data validation error in the Linux kernel
built with UDF file system (CONFIG_UDF_FS) support.
An attacker able to mount a corrupted/malicious UDF file
system image could cause the kernel to crash.
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4167
Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=34820fc89c5e635b7381e4060931ca30a63d110a
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/udf-CVE-2015-4167.patch | 55 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 |
2 files changed, 56 insertions, 0 deletions
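--- /dev/null
+++ b/recipes-kernel/linux/files/udf-CVE-2015-4167.patch
@@ -0,0 +1,55 @@
+From 34820fc89c5e635b7381e4060931ca30a63d110a Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: [PATCH] udf: Check length of extended attributes and allocation
+descriptors
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+This fixes CVE-2015-4167.
+Upstream-Status: Backport
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+[Use make_bad_inode() instead of branching due to older implementation.]
+Signed-off-by: Chas Williams <3chas3@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+fs/udf/inode.c | 16 ++++++++++++++++
+1 file changed, 16 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 287cd5f..142d29e 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+}
+
++ /*
++ * Sanity check length of allocation descriptors and extended attrs to
++ * avoid integer overflows
++ */
++ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
++ || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
++ make_bad_inode(inode);
++ return;
++ }
++ /* Now do exact checks */
++ if (udf_file_entry_alloc_offset(inode)
++ + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
++ make_bad_inode(inode);
++ return;
++ }
++
+switch (fe->icbTag.fileType) {
+case ICBTAG_FILE_TYPE_DIRECTORY:
+inode->i_op = &udf_dir_inode_operations;
+--
+1.9.1
+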
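Review bot: Both rejection paths in the added block (patch lines 38-42 and 44-48) call `make_bad_inode(inode)` and return without logging anything, so an image that fails these length checks leaves no record of which inode was rejected. Adding `udf_debug("bad lenEAttr/lenAlloc in inode %lu\n", inode->i_ino);` before each `return` would make a corrupted or hostile image visible during triage. The comment `avoid integer overflows` could also explain the two-step structure, for example `/* Lengths are read from disk: bound each by the block size first so the offset + i_lenAlloc sum below cannot wrap. */`. udf_fill_inode starts and ends outside the hunk, so whether its callers test the inode with is_bad_inode() after this early return cannot be confirmed from here.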
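--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -15,4 +15,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
 file://net-rds-CVE-2015-2042.patch \
 file://ipv6-CVE-2015-2922.patch \
 file://ipv4-CVE-2015-3636.patch \
+file://udf-CVE-2015-4167.patch \
 "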