[meta-freescale] [meta-fsl-ppc][dizzy][PATCH 3/3] fs-isofs: CVE-2014-9420

Sona Sarmadi sona.sarmadi at enea.com
Wed Sep 9 04:55:31 PDT 2015


Fixes infinite loop in CE record entries

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9420
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=1fe5620fcd6c2f0a4a927ee10c8e53196da392f3

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../linux/files/fs-isofs-CVE-2014-9420.patch       | 58 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |  1 +
 2 files changed, 59 insertions(+)
 create mode 100644 recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch

diff --git a/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
new file mode 100644
index 0000000..360e75b
--- /dev/null
+++ b/recipes-kernel/linux/files/fs-isofs-CVE-2014-9420.patch
@@ -0,0 +1,58 @@
+From 1fe5620fcd6c2f0a4a927ee10c8e53196da392f3 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack at suse.cz>
+Date: Mon, 15 Dec 2014 14:22:46 +0100
+Subject: [PATCH] isofs: Fix infinite looping over CE entries
+
+commit f54e18f1b831c92f6512d2eedb224cd63d607d3d upstream.
+
+Rock Ridge extensions define so called Continuation Entries (CE) which
+define where is further space with Rock Ridge data. Corrupted isofs
+image can contain arbitrarily long chain of these, including a one
+containing loop and thus causing kernel to end in an infinite loop when
+traversing these entries.
+
+Limit the traversal to 32 entries which should be more than enough space
+to store all the Rock Ridge data.
+
+Reported-by: P J P <ppandit at redhat.com>
+Signed-off-by: Jan Kara <jack at suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ fs/isofs/rock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index f488bba..bb63254 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -30,6 +30,7 @@ struct rock_state {
+ 	int cont_size;
+ 	int cont_extent;
+ 	int cont_offset;
++	int cont_loops;
+ 	struct inode *inode;
+ };
+ 
+@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
+ 	rs->inode = inode;
+ }
+ 
++/* Maximum number of Rock Ridge continuation entries */
++#define RR_MAX_CE_ENTRIES 32
++
+ /*
+  * Returns 0 if the caller should continue scanning, 1 if the scan must end
+  * and -ve on error.
+@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
+ 			goto out;
+ 		}
+ 		ret = -EIO;
++		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
++			goto out;
+ 		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
+ 		if (bh) {
+ 			memcpy(rs->buffer, bh->b_data + rs->cont_offset,
+-- 
+1.9.1
+
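Review bot: in the rock_continue() hunk of the embedded patch, `++rs->cont_loops >= RR_MAX_CE_ENTRIES` returns -EIO on the 32nd continuation entry, so at most 31 are followed, not the 32 the commit message states. That still bounds the loop and should stay as written to match the upstream commit, but none of these hunks initialises cont_loops explicitly, so please confirm that init_rock_state() in this 3.12 tree zeroes the whole struct rock_state before it sets rs->inode. It would also help to add an "Upstream-Status: Backport" line to the patch header next to the upstream commit id, so the origin of the fix is recorded in the layer.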
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index e3b604b..0a2883f 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -31,6 +31,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://0002-ALSA-CVE-2014-4656.patch \
     file://futex-CVE-2014-3153.patch \
     file://target-CVE-2014-4027.patch \
+    file://fs-isofs-CVE-2014-9420.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
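Review bot: the context line directly above the added SRC_URI entry is target-CVE-2014-4027.patch, so if patches 1/3 and 2/3 of this series append their entries at the same position, this hunk will not apply on top of them. Please check that the three patches apply in order on dizzy, or regenerate this one against the tree with 1/3 and 2/3 already applied.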
-- 
1.9.1


