fs-udf: CVE-2015-4167

Fixes an inode data validation error in the Linux kernel
built with UDF file system (CONFIG_UDF_FS) support.
An attacker able to mount a corrupted/malicious UDF file
system image could cause the kernel to crash.

Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4167

Upstream fix:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
patch/?id=34820fc89c5e635b7381e4060931ca30a63d110a

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

2 files changed, 56 insertions, 0 deletions

diff --git a/recipes-kernel/linux/files/udf-CVE-2015-4167.patch b/recipes-kernel/linux/files/udf-CVE-2015-4167.patch
new file mode 100644
index 0000000..4172ce7
--- /dev/null
+++ b/recipes-kernel/linux/files/udf-CVE-2015-4167.patch
@@ -0,0 +1,55 @@
+From 34820fc89c5e635b7381e4060931ca30a63d110a Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: [PATCH] udf: Check length of extended attributes and allocation
+ descriptors
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+This fixes CVE-2015-4167.
+Upstream-Status: Backport
+
+Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+[Use make_bad_inode() instead of branching due to older implementation.]
+Signed-off-by: Chas Williams <3chas3@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/udf/inode.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 287cd5f..142d29e 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+                iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
+        }
+ 
++       /*
++        * Sanity check length of allocation descriptors and extended attrs to
++        * avoid integer overflows
++        */
++       if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
++                       || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
++               make_bad_inode(inode);
++               return;
++       }
++       /* Now do exact checks */
++       if (udf_file_entry_alloc_offset(inode)
++                       + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
++               make_bad_inode(inode);
++               return;
++       }
++
+        switch (fe->icbTag.fileType) {
+        case ICBTAG_FILE_TYPE_DIRECTORY:
+                inode->i_op = &udf_dir_inode_operations;
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend
index ebf515d..56b8288 100644
--- a/recipes-kernel/linux/linux-yocto_3.14.bbappend
+++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend
@@ -15,4 +15,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d
             file://net-rds-CVE-2015-2042.patch \
             file://ipv6-CVE-2015-2922.patch \
             file://ipv4-CVE-2015-3636.patch \
+            file://udf-CVE-2015-4167.patch \
            "