[meta-freescale] [meta-fsl-ppc][PATCH] udf: CVE-2014-6410

Sona Sarmadi sona.sarmadi at enea.com
Mon Jan 19 05:37:06 PST 2015 

Avoid infinite loop when processing indirect ICBs

References:
http://seclists.org/oss-sec/2014/q3/600
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6410

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 recipes-kernel/linux/files/udf-CVE-2014-6410.patch | 96 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |  1 +
 2 files changed, 97 insertions(+)
 create mode 100644 recipes-kernel/linux/files/udf-CVE-2014-6410.patch

diff --git a/recipes-kernel/linux/files/udf-CVE-2014-6410.patch b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
new file mode 100644
index 0000000..9086e0a
--- /dev/null
+++ b/recipes-kernel/linux/files/udf-CVE-2014-6410.patch
@@ -0,0 +1,96 @@
+From 07d209bd092d023976fdb881ba6d4b30fe18aebe Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack at suse.cz>
+Date: Thu, 4 Sep 2014 14:06:55 +0200
+Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
+
+commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream.
+
+We did not implement any bound on number of indirect ICBs we follow when
+loading inode. Thus corrupted medium could cause kernel to go into an
+infinite loop, possibly causing a stack overflow.
+
+Fix the possible stack overflow by removing recursion from
+__udf_read_inode() and limit number of indirect ICBs we follow to avoid
+infinite loops.
+
+Upstream-Status: Backport
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+Cc: Chuck Ebbert <cebbert.lkml at gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ fs/udf/inode.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index b6d15d3..aa02328 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1270,13 +1270,22 @@ update_time:
+ 	return 0;
+ }
+ 
++/*
++ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
++ * arbitrary - just that we hopefully don't limit any real use of rewritten
++ * inode on write-once media but avoid looping for too long on corrupted media.
++ */
++#define UDF_MAX_ICB_NESTING 1024
++
+ static void __udf_read_inode(struct inode *inode)
+ {
+ 	struct buffer_head *bh = NULL;
+ 	struct fileEntry *fe;
+ 	uint16_t ident;
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
++	unsigned int indirections = 0;
+ 
++reread:
+ 	/*
+ 	 * Set defaults, but the inode is still incomplete!
+ 	 * Note: get_new_inode() sets the following on a new inode:
+@@ -1313,28 +1322,26 @@ static void __udf_read_inode(struct inode *inode)
+ 		ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
+ 					&ident);
+ 		if (ident == TAG_IDENT_IE && ibh) {
+-			struct buffer_head *nbh = NULL;
+ 			struct kernel_lb_addr loc;
+ 			struct indirectEntry *ie;
+ 
+ 			ie = (struct indirectEntry *)ibh->b_data;
+ 			loc = lelb_to_cpu(ie->indirectICB.extLocation);
+ 
+-			if (ie->indirectICB.extLength &&
+-				(nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
+-							&ident))) {
+-				if (ident == TAG_IDENT_FE ||
+-					ident == TAG_IDENT_EFE) {
+-					memcpy(&iinfo->i_location,
+-						&loc,
+-						sizeof(struct kernel_lb_addr));
+-					brelse(bh);
+-					brelse(ibh);
+-					brelse(nbh);
+-					__udf_read_inode(inode);
++			if (ie->indirectICB.extLength) {
++				brelse(bh);
++				brelse(ibh);
++				memcpy(&iinfo->i_location, &loc,
++				       sizeof(struct kernel_lb_addr));
++				if (++indirections > UDF_MAX_ICB_NESTING) {
++					udf_err(inode->i_sb,
++						"too many ICBs in ICB hierarchy"
++						" (max %d supported)\n",
++						UDF_MAX_ICB_NESTING);
++					make_bad_inode(inode);
+ 					return;
+ 				}
+-				brelse(nbh);
++				goto reread;
+ 			}
+ 		}
+ 		brelse(ibh);
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 12fa2a6..48a67c0 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -11,6 +11,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://0003-mnt-CVE-2014-5206_CVE-2014-5207.patch \
     file://0004-mnt-CVE-2014-5206_CVE-2014-5207.patch \
     file://0005-mnt-CVE-2014-5206_CVE-2014-5207.patch \
+    file://udf-CVE-2014-6410.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
-- 
1.9.1

More information about the meta-freescale mailing list