[kernel/f20] CVE-2014-XXXX udf: avoid infinite loop on indirect ICBs (rhbz 1141809 1141810)
Josh Boyer
jwboyer at fedoraproject.org
Mon Sep 15 16:56:09 UTC 2014
commit 52720ac370a759fa09dcd86768a5413a5ed3f9cf
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date: Mon Sep 15 11:28:40 2014 -0400
CVE-2014-XXXX udf: avoid infinite loop on indirect ICBs (rhbz 1141809 1141810)
kernel.spec | 7 ++
...nfinite-loop-when-processing-indirect-ICB.patch | 92 ++++++++++++++++++++
2 files changed, 99 insertions(+), 0 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 697df11..06bf5b8 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -727,6 +727,9 @@ Patch26024: HID-magicmouse-sanity-check-report-size-in-raw_event.patch
#CVE-2014-3186 rhbz 1141407 1141410
Patch26025: HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
+#CVE-2014-XXXX rhbz 1141809 1141810
+Patch26026: udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
+
# git clone ssh://git.fedorahosted.org/git/kernel-arm64.git, git diff master...devel
Patch30000: kernel-arm64.patch
@@ -1422,6 +1425,9 @@ ApplyPatch HID-magicmouse-sanity-check-report-size-in-raw_event.patch
#CVE-2014-3186 rhbz 1141407 1141410
ApplyPatch HID-picolcd-sanity-check-report-size-in-raw_event-ca.patch
+#CVE-2014-XXXX rhbz 1141809 1141810
+ApplyPatch udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
+
%if 0%{?aarch64patches}
ApplyPatch kernel-arm64.patch
%ifnarch aarch64 # this is stupid, but i want to notice before secondary koji does.
@@ -2241,6 +2247,7 @@ fi
# || ||
%changelog
* Mon Sep 15 2014 Josh Boyer <jwboyer at fedoraproject.org>
+- CVE-2014-XXXX udf: avoid infinite loop on indirect ICBs (rhbz 1141809 1141810)
- CVE-2014-3186 HID: memory corruption via OOB write (rhbz 1141407 1141410)
* Fri Sep 12 2014 Josh Boyer <jwboyer at fedoraproject.org>
diff --git a/udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch b/udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
new file mode 100644
index 0000000..a883966
--- /dev/null
+++ b/udf-Avoid-infinite-loop-when-processing-indirect-ICB.patch
@@ -0,0 +1,92 @@
+From a45318b5ff8c505afcbf04a1c5fa7dbe426d9588 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack at suse.cz>
+Date: Thu, 4 Sep 2014 14:06:55 +0200
+Subject: [PATCH] udf: Avoid infinite loop when processing indirect ICBs
+
+We did not implement any bound on number of indirect ICBs we follow when
+loading inode. Thus corrupted medium could cause kernel to go into an
+infinite loop, possibly causing a stack overflow.
+
+Fix the possible stack overflow by removing recursion from
+__udf_read_inode() and limit number of indirect ICBs we follow to avoid
+infinite loops.
+
+Bugzilla: 1141810
+Upstream-status: 3.17
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+---
+ fs/udf/inode.c | 35 +++++++++++++++++++++--------------
+ 1 file changed, 21 insertions(+), 14 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 236cd48184c2..a932f7740b51 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1271,13 +1271,22 @@ update_time:
+ return 0;
+ }
+
++/*
++ * Maximum length of linked list formed by ICB hierarchy. The chosen number is
++ * arbitrary - just that we hopefully don't limit any real use of rewritten
++ * inode on write-once media but avoid looping for too long on corrupted media.
++ */
++#define UDF_MAX_ICB_NESTING 1024
++
+ static void __udf_read_inode(struct inode *inode)
+ {
+ struct buffer_head *bh = NULL;
+ struct fileEntry *fe;
+ uint16_t ident;
+ struct udf_inode_info *iinfo = UDF_I(inode);
++ unsigned int indirections = 0;
+
++reread:
+ /*
+ * Set defaults, but the inode is still incomplete!
+ * Note: get_new_inode() sets the following on a new inode:
+@@ -1314,28 +1323,26 @@ static void __udf_read_inode(struct inode *inode)
+ ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1,
+ &ident);
+ if (ident == TAG_IDENT_IE && ibh) {
+- struct buffer_head *nbh = NULL;
+ struct kernel_lb_addr loc;
+ struct indirectEntry *ie;
+
+ ie = (struct indirectEntry *)ibh->b_data;
+ loc = lelb_to_cpu(ie->indirectICB.extLocation);
+
+- if (ie->indirectICB.extLength &&
+- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0,
+- &ident))) {
+- if (ident == TAG_IDENT_FE ||
+- ident == TAG_IDENT_EFE) {
+- memcpy(&iinfo->i_location,
+- &loc,
+- sizeof(struct kernel_lb_addr));
+- brelse(bh);
+- brelse(ibh);
+- brelse(nbh);
+- __udf_read_inode(inode);
++ if (ie->indirectICB.extLength) {
++ brelse(bh);
++ brelse(ibh);
++ memcpy(&iinfo->i_location, &loc,
++ sizeof(struct kernel_lb_addr));
++ if (++indirections > UDF_MAX_ICB_NESTING) {
++ udf_err(inode->i_sb,
++ "too many ICBs in ICB hierarchy"
++ " (max %d supported)\n",
++ UDF_MAX_ICB_NESTING);
++ make_bad_inode(inode);
+ return;
+ }
+- brelse(nbh);
++ goto reread;
+ }
+ }
+ brelse(ibh);
+--
+2.1.0
+
More information about the scm-commits
mailing list