fs-isofs: CVE-2014-9420

Fixes infinite loop in CE record entries References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420 https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-09-09 13:55:31 +0200
committer: Zhenhua Luo <zhenhua.luo@freescale.com> 2015-09-16 13:40:14 +0800
commit: 81e39add0400ac7ad547799ada09f5c7475bce95 (patch)
tree: 888a1e5698a2f046b1c009eb0ed61b5f05acb3cd
parent: 370ed8508ce37071ff9b4626bb5826d702813754 (diff)
download: meta-fsl-ppc-81e39add0400ac7ad547799ada09f5c7475bce95.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
new file mode 100644
index 0000000..360e75b
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
@@ -0,0 +1,58 @@
+From 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: [PATCH] isofs: Fix infinite looping over CE entries
+commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+Reported-by: P J P <ppandit@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bba..bb63254 100644
+--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+        int cont_size;
+        int cont_extent;
+        int cont_offset;
+       int cont_loops;
+        struct inode *inode;
+ };
+ 
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+        rs->inode = inode;
+ }
+ 
+/* Maximum number of Rock Ridge continuation entries */
+#define RR_MAX_CE_ENTRIES 32
+
+ /*
+  * Returns 0 if the caller should continue scanning, 1 if the scan must end
+  * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+                        goto out;
+                }
+                ret = -EIO;
+               if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
+                       goto out;
+                bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+                if (bh) {
+                        memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e3b604b..0a2883f 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://0002-ALSA-CVE-2014-4656.patch \
    file://futex-CVE-2014-3153.patch \
    file://target-CVE-2014-4027.patch \
+    file://fs-isofs-CVE-2014-9420.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-09-09 13:55:31 +0200
committer	Zhenhua Luo <zhenhua.luo@freescale.com>	2015-09-16 13:40:14 +0800
commit	81e39add0400ac7ad547799ada09f5c7475bce95 (patch)
tree	888a1e5698a2f046b1c009eb0ed61b5f05acb3cd
parent	370ed8508ce37071ff9b4626bb5826d702813754 (diff)
download	meta-fsl-ppc-81e39add0400ac7ad547799ada09f5c7475bce95.tar.gz

diff --git a/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch new file mode 100644 index 0000000..360e75b --- /dev/null +++ b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
@@ -0,0 +1,58 @@
		1	From 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Mon Sep 17 00:00:00 2001
		2	From: Jan Kara <jack@suse.cz>
		3	Date: Mon, 15 Dec 2014 14:22:46 +0100
		4	Subject: [PATCH] isofs: Fix infinite looping over CE entries
		5
		6	commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
		7
		8	Rock Ridge extensions define so called Continuation Entries (CE) which
		9	define where is further space with Rock Ridge data. Corrupted isofs
		10	image can contain arbitrarily long chain of these, including a one
		11	containing loop and thus causing kernel to end in an infinite loop when
		12	traversing these entries.
		13
		14	Limit the traversal to 32 entries which should be more than enough space
		15	to store all the Rock Ridge data.
		16
		17	Reported-by: P J P <ppandit@redhat.com>
		18	Signed-off-by: Jan Kara <jack@suse.cz>
		19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		21	---
		22	fs/isofs/rock.c \| 6 ++++++
		23	1 file changed, 6 insertions(+)
		24
		25	diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
		26	index f488bba..bb63254 100644
		27	--- a/fs/isofs/rock.c
		28	+++ b/fs/isofs/rock.c
		29	@@ -30,6 +30,7 @@ struct rock_state {
		30	int cont_size;
		31	int cont_extent;
		32	int cont_offset;
		33	+ int cont_loops;
		34	struct inode *inode;
		35	};
		36
		37	@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state rs, struct inode inode)
		38	rs->inode = inode;
		39	}
		40
		41	+/* Maximum number of Rock Ridge continuation entries */
		42	+#define RR_MAX_CE_ENTRIES 32
		43	+
		44	/*
		45	* Returns 0 if the caller should continue scanning, 1 if the scan must end
		46	* and -ve on error.
		47	@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
		48	goto out;
		49	}
		50	ret = -EIO;
		51	+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
		52	+ goto out;
		53	bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
		54	if (bh) {
		55	memcpy(rs->buffer, bh->b_data + rs->cont_offset,
		56	--
		57	1.9.1
		58


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index e3b604b..0a2883f 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
31	file://0002-ALSA-CVE-2014-4656.patch \	31	file://0002-ALSA-CVE-2014-4656.patch \
32	file://futex-CVE-2014-3153.patch \	32	file://futex-CVE-2014-3153.patch \
33	file://target-CVE-2014-4027.patch \	33	file://target-CVE-2014-4027.patch \
		34	file://fs-isofs-CVE-2014-9420.patch \
34	"	35	"
35	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	36	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
36		37