diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-09-09 13:55:31 +0200 |
---|---|---|
committer | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-02-09 08:34:01 +0100 |
commit | b97bb0c7e61223260f7b4ac7b754bd437186361a (patch) | |
tree | 81009be7bc7f869d94deafc55bae7b9efaf108a6 | |
parent | bd3ce1b94bbab0d1978692d0d66e3d21e094090e (diff) | |
download | meta-fsl-ppc-b97bb0c7e61223260f7b4ac7b754bd437186361a.tar.gz |
fs-isofs: CVE-2014-9420
Fixes infinite loop in CE record entries
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=1fe5620fcd6c2f0a4a927ee10c8e53196da392f3
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch | 58 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bb | 1 |
2 files changed, 59 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch new file mode 100644 index 0000000..360e75b --- /dev/null +++ b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch | |||
@@ -0,0 +1,58 @@ | |||
1 | From 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Jan Kara <jack@suse.cz> | ||
3 | Date: Mon, 15 Dec 2014 14:22:46 +0100 | ||
4 | Subject: [PATCH] isofs: Fix infinite looping over CE entries | ||
5 | |||
6 | commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream. | ||
7 | |||
8 | Rock Ridge extensions define so called Continuation Entries (CE) which | ||
9 | define where is further space with Rock Ridge data. Corrupted isofs | ||
10 | image can contain arbitrarily long chain of these, including a one | ||
11 | containing loop and thus causing kernel to end in an infinite loop when | ||
12 | traversing these entries. | ||
13 | |||
14 | Limit the traversal to 32 entries which should be more than enough space | ||
15 | to store all the Rock Ridge data. | ||
16 | |||
17 | Reported-by: P J P <ppandit@redhat.com> | ||
18 | Signed-off-by: Jan Kara <jack@suse.cz> | ||
19 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
20 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
21 | --- | ||
22 | fs/isofs/rock.c | 6 ++++++ | ||
23 | 1 file changed, 6 insertions(+) | ||
24 | |||
25 | diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c | ||
26 | index f488bba..bb63254 100644 | ||
27 | --- a/fs/isofs/rock.c | ||
28 | +++ b/fs/isofs/rock.c | ||
29 | @@ -30,6 +30,7 @@ struct rock_state { | ||
30 | int cont_size; | ||
31 | int cont_extent; | ||
32 | int cont_offset; | ||
33 | + int cont_loops; | ||
34 | struct inode *inode; | ||
35 | }; | ||
36 | |||
37 | @@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode) | ||
38 | rs->inode = inode; | ||
39 | } | ||
40 | |||
41 | +/* Maximum number of Rock Ridge continuation entries */ | ||
42 | +#define RR_MAX_CE_ENTRIES 32 | ||
43 | + | ||
44 | /* | ||
45 | * Returns 0 if the caller should continue scanning, 1 if the scan must end | ||
46 | * and -ve on error. | ||
47 | @@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs) | ||
48 | goto out; | ||
49 | } | ||
50 | ret = -EIO; | ||
51 | + if (++rs->cont_loops >= RR_MAX_CE_ENTRIES) | ||
52 | + goto out; | ||
53 | bh = sb_bread(rs->inode->i_sb, rs->cont_extent); | ||
54 | if (bh) { | ||
55 | memcpy(rs->buffer, bh->b_data + rs->cont_offset, | ||
56 | -- | ||
57 | 1.9.1 | ||
58 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index e3b604b..0a2883f 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb | |||
@@ -31,6 +31,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ | |||
31 | file://0002-ALSA-CVE-2014-4656.patch \ | 31 | file://0002-ALSA-CVE-2014-4656.patch \ |
32 | file://futex-CVE-2014-3153.patch \ | 32 | file://futex-CVE-2014-3153.patch \ |
33 | file://target-CVE-2014-4027.patch \ | 33 | file://target-CVE-2014-4027.patch \ |
34 | file://fs-isofs-CVE-2014-9420.patch \ | ||
34 | " | 35 | " |
35 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" | 36 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" |
36 | 37 | ||