fs-isofs: CVE-2014-9420

Fixes infinite loop in CE record entries References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420 https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2015-09-09 13:55:31 +0200
committer: Sona Sarmadi <sona.sarmadi@enea.com> 2016-02-09 08:34:01 +0100
commit: b97bb0c7e61223260f7b4ac7b754bd437186361a (patch)
tree: 81009be7bc7f869d94deafc55bae7b9efaf108a6
parent: bd3ce1b94bbab0d1978692d0d66e3d21e094090e (diff)
download: meta-fsl-ppc-b97bb0c7e61223260f7b4ac7b754bd437186361a.tar.gz
2 files changed, 59 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
new file mode 100644
index 0000000..360e75b
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
@@ -0,0 +1,58 @@
+From 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: [PATCH] isofs: Fix infinite looping over CE entries
+commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+Reported-by: P J P <ppandit@redhat.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bba..bb63254 100644
+--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+        int cont_size;
+        int cont_extent;
+        int cont_offset;
+       int cont_loops;
+        struct inode *inode;
+ };
+ 
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+        rs->inode = inode;
+ }
+ 
+/* Maximum number of Rock Ridge continuation entries */
+#define RR_MAX_CE_ENTRIES 32
+
+ /*
+  * Returns 0 if the caller should continue scanning, 1 if the scan must end
+  * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+                        goto out;
+                }
+                ret = -EIO;
+               if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
+                       goto out;
+                bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+                if (bh) {
+                        memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+-- 
+1.9.1
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e3b604b..0a2883f 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
    file://0002-ALSA-CVE-2014-4656.patch \
    file://futex-CVE-2014-3153.patch \
    file://target-CVE-2014-4027.patch \
+    file://fs-isofs-CVE-2014-9420.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2015-09-09 13:55:31 +0200
committer	Sona Sarmadi <sona.sarmadi@enea.com>	2016-02-09 08:34:01 +0100
commit	b97bb0c7e61223260f7b4ac7b754bd437186361a (patch)
tree	81009be7bc7f869d94deafc55bae7b9efaf108a6
parent	bd3ce1b94bbab0d1978692d0d66e3d21e094090e (diff)
download	meta-fsl-ppc-b97bb0c7e61223260f7b4ac7b754bd437186361a.tar.gz

diff --git a/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch new file mode 100644 index 0000000..360e75b --- /dev/null +++ b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
@@ -0,0 +1,58 @@
		1	From 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Mon Sep 17 00:00:00 2001
		2	From: Jan Kara <jack@suse.cz>
		3	Date: Mon, 15 Dec 2014 14:22:46 +0100
		4	Subject: [PATCH] isofs: Fix infinite looping over CE entries
		5
		6	commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
		7
		8	Rock Ridge extensions define so called Continuation Entries (CE) which
		9	define where is further space with Rock Ridge data. Corrupted isofs
		10	image can contain arbitrarily long chain of these, including a one
		11	containing loop and thus causing kernel to end in an infinite loop when
		12	traversing these entries.
		13
		14	Limit the traversal to 32 entries which should be more than enough space
		15	to store all the Rock Ridge data.
		16
		17	Reported-by: P J P <ppandit@redhat.com>
		18	Signed-off-by: Jan Kara <jack@suse.cz>
		19	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
		20	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		21	---
		22	fs/isofs/rock.c \| 6 ++++++
		23	1 file changed, 6 insertions(+)
		24
		25	diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
		26	index f488bba..bb63254 100644
		27	--- a/fs/isofs/rock.c
		28	+++ b/fs/isofs/rock.c
		29	@@ -30,6 +30,7 @@ struct rock_state {
		30	int cont_size;
		31	int cont_extent;
		32	int cont_offset;
		33	+ int cont_loops;
		34	struct inode *inode;
		35	};
		36
		37	@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state rs, struct inode inode)
		38	rs->inode = inode;
		39	}
		40
		41	+/* Maximum number of Rock Ridge continuation entries */
		42	+#define RR_MAX_CE_ENTRIES 32
		43	+
		44	/*
		45	* Returns 0 if the caller should continue scanning, 1 if the scan must end
		46	* and -ve on error.
		47	@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
		48	goto out;
		49	}
		50	ret = -EIO;
		51	+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
		52	+ goto out;
		53	bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
		54	if (bh) {
		55	memcpy(rs->buffer, bh->b_data + rs->cont_offset,
		56	--
		57	1.9.1
		58


diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index e3b604b..0a2883f 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
31	file://0002-ALSA-CVE-2014-4656.patch \	31	file://0002-ALSA-CVE-2014-4656.patch \
32	file://futex-CVE-2014-3153.patch \	32	file://futex-CVE-2014-3153.patch \
33	file://target-CVE-2014-4027.patch \	33	file://target-CVE-2014-4027.patch \
		34	file://fs-isofs-CVE-2014-9420.patch \
34	"	35	"
35	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"	36	SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
36		37