From 0b64cd33374cca4353872ccc0b17531176c0d696 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Thu, 7 Jan 2016 13:15:34 +0100 Subject: fs-udf: CVE-2015-4167 Fixes an inode data validation error in the Linux kernel built with UDF file system (CONFIG_UDF_FS) support. An attacker able to mount a corrupted/malicious UDF file system image could cause the kernel to crash. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4167 Upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ patch/?id=34820fc89c5e635b7381e4060931ca30a63d110a Signed-off-by: Sona Sarmadi Signed-off-by: Tudor Florea --- recipes-kernel/linux/files/udf-CVE-2015-4167.patch | 55 ++++++++++++++++++++++ recipes-kernel/linux/linux-yocto_3.14.bbappend | 1 + 2 files changed, 56 insertions(+) create mode 100644 recipes-kernel/linux/files/udf-CVE-2015-4167.patch diff --git a/recipes-kernel/linux/files/udf-CVE-2015-4167.patch b/recipes-kernel/linux/files/udf-CVE-2015-4167.patch new file mode 100644 index 0000000..4172ce7 --- /dev/null +++ b/recipes-kernel/linux/files/udf-CVE-2015-4167.patch 
@@ -0,0 +1,55 @@ +From 34820fc89c5e635b7381e4060931ca30a63d110a Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 7 Jan 2015 13:49:08 +0100 +Subject: [PATCH] udf: Check length of extended attributes and allocation + descriptors + +commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream. + +Check length of extended attributes and allocation descriptors when +loading inodes from disk. Otherwise corrupted filesystems could confuse +the code and make the kernel oops. + +This fixes CVE-2015-4167. +Upstream-Status: Backport + +Reported-by: Carl Henrik Lunde +Signed-off-by: Jan Kara +[Use make_bad_inode() instead of branching due to older implementation.] +Signed-off-by: Chas Williams <3chas3@gmail.com> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sona Sarmadi +--- + fs/udf/inode.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 287cd5f..142d29e 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) + iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); + } + ++ /* ++ * Sanity check length of allocation descriptors and extended attrs to ++ * avoid integer overflows ++ */ ++ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize ++ || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { ++ make_bad_inode(inode); ++ return; ++ } ++ /* Now do exact checks */ ++ if (udf_file_entry_alloc_offset(inode) ++ + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { ++ make_bad_inode(inode); ++ return; ++ } ++ + switch (fe->icbTag.fileType) { + case ICBTAG_FILE_TYPE_DIRECTORY: + inode->i_op = &udf_dir_inode_operations; +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-yocto_3.14.bbappend b/recipes-kernel/linux/linux-yocto_3.14.bbappend index ebf515d..56b8288 100644 --- a/recipes-kernel/linux/linux-yocto_3.14.bbappend +++ b/recipes-kernel/linux/linux-yocto_3.14.bbappend 
@@ -15,4 +15,5 @@ SRC_URI += "file://HID_CVE_patches/0005-HID-steelseries-validate-output-report-d file://net-rds-CVE-2015-2042.patch \ file://ipv6-CVE-2015-2922.patch \ file://ipv4-CVE-2015-3636.patch \ + file://udf-CVE-2015-4167.patch \ " -- cgit v1.2.3-54-g00ecf
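Review bot: The two new rejection paths in udf_fill_inode() (the fs/udf/inode.c hunk inside udf-CVE-2015-4167.patch) signal failure only through make_bad_inode(inode) followed by a bare return from a void function, so the caller receives no error code. Please confirm that the 3.14 caller checks is_bad_inode() once udf_fill_inode() returns and still releases the bh it passed in, and record that in the bracketed backport note, which currently says only "[Use make_bad_inode() instead of branching due to older implementation.]". The embedded header also carries two commit ids ("From 34820fc8..." and "commit 23b133bd... upstream") while the outer message labels the linux-stable one as the "Upstream fix"; stating next to "Upstream-Status: Backport" which id is mainline and which is the stable backport would make the provenance unambiguous.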
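Review bot: The new SRC_URI entry "file://udf-CVE-2015-4167.patch \" is wired into linux-yocto_3.14.bbappend only, and nothing in the change shows that it applies to the tree this recipe builds: the embedded patch was generated against fs/udf/inode.c at index 287cd5f with the hunk at line 1496. Please state in the commit message that do_patch was run against the SRCREV this bbappend uses, and add the same entry to any other kernel recipe in the layer that is built with CONFIG_UDF_FS.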