From 70840a10bade2ba89705cabd1d370762675707c8 Mon Sep 17 00:00:00 2001
From: Sona Sarmadi
Date: Mon, 19 Jan 2015 14:37:06 +0100
Subject: udf: CVE-2014-6410 Avoid infinite loop when processing indirect ICBs
References: http://seclists.org/oss-sec/2014/q3/600 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6410
Signed-off-by: Sona Sarmadi
---
 recipes-kernel/linux/files/udf-CVE-2014-6410.patch | 96 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb | 1 +
 2 files changed, 97 insertions(+)
 create mode 100644 recipes-kernel/linux/files/udf-CVE-2014-6410.patch
(limited to 'recipes-kernel/linux')
diff --git a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
new file mode 100644
index 0000000..9086e0a
--- /dev/null
+++ b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
@@ -0,0 +1,96 @@
+From 07d209bd092d023976fdb881ba6d4b30fe18aebe Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 4 Sep 2014 14:06:55 +0200
+Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
+
+commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream.
+
+We did not implement any bound on number of indirect ICBs we follow when
+loading inode. Thus corrupted medium could cause kernel to go into an
+infinite loop, possibly causing a stack overflow.
+
+Fix the possible stack overflow by removing recursion from
+__udf_read_inode() and limit number of indirect ICBs we follow to avoid
+infinite loops.
+
+Upstream-Status: Backport
+
+Signed-off-by: Jan Kara
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sona Sarmadi
+---
+ fs/udf/inode.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index b6d15d3..aa02328 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1270,13 +1270,22 @@ update_time:
+ return 0;
+ }
+
++/*
++ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
++ * arbitrary - just that we hopefully don't limit any real use of rewritten
++ * inode on write-once media but avoid looping for too long on corrupted media.
++ */
++#define UDF_MAX_ICB_NESTING 1024
++
+ static void __udf_read_inode(struct inode *inode)
+ {
+ struct buffer_head *bh = NULL;
+ struct fileEntry *fe;
+ uint16_t ident;
+ struct udf_inode_info *iinfo = UDF_I(inode);
++ unsigned int indirections = 0;
+
++reread:
+ /*
+ * Set defaults, but the inode is still incomplete!
+ * Note: get_new_inode() sets the following on a new inode:
+@@ -1313,28 +1322,26 @@ static void __udf_read_inode(struct inode *inode)
+ ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
+ &ident);
+ if (ident == TAG_IDENT_IE && ibh) {
+- struct buffer_head *nbh = NULL;
+ struct kernel_lb_addr loc;
+ struct indirectEntry *ie;
+
+ ie = (struct indirectEntry *)ibh->b_data;
+ loc = lelb_to_cpu(ie->indirectICB.extLocation);
+
+- if (ie->indirectICB.extLength &&
+- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
+- &ident))) {
+- if (ident == TAG_IDENT_FE ||
+- ident == TAG_IDENT_EFE) {
+- memcpy(&iinfo->i_location,
+- &loc,
+- sizeof(struct kernel_lb_addr));
+- brelse(bh);
+- brelse(ibh);
+- brelse(nbh);
+- __udf_read_inode(inode);
++ if (ie->indirectICB.extLength) {
++ brelse(bh);
++ brelse(ibh);
++ memcpy(&iinfo->i_location, &loc,
++ sizeof(struct kernel_lb_addr));
++ if (++indirections > UDF_MAX_ICB_NESTING) {
++ udf_err(inode->i_sb,
++ "too many ICBs in ICB hierarchy"
++ " (max %d supported)\n",
++ UDF_MAX_ICB_NESTING);
++ make_bad_inode(inode);
+ return;
+ }
+- brelse(nbh);
++ goto reread;
+ }
+ }
+ brelse(ibh);
+--
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 12fa2a6..48a67c0 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
 file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
 file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
 file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
+ file://udf-CVE-2014-6410.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
-- cgit v1.2.3-54-g00ecf
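Review bot: The added patch header carries `Upstream-Status: Backport` but no CVE tag, so the recipe's CVE tracking cannot attribute this fix to CVE-2014-6410 from the patch file itself even though the outer commit subject names it; add `CVE: CVE-2014-6410` on the line after `Upstream-Status: Backport`. On the code side, the rewritten branch now releases `bh`/`ibh`, copies `loc` into `i_location` and jumps to `reread` without first checking that the target carries an FE or EFE tag, where the removed lines only switched `i_location` after that check; this presumably relies on the tag validation that follows the re-read at the top of `__udf_read_inode`, which lies outside this hunk, so it is worth confirming against the 3.12 tree that an indirect ICB pointing at a non-FE/EFE block still ends in `make_bad_inode` rather than being parsed as a file entry. The nesting bound is checked only after the buffer heads are released, so the `UDF_MAX_ICB_NESTING` error path leaks nothing, and the `return` there leaves the inode marked bad as the old error paths did. `__udf_read_inode` begins and ends outside the hunk.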