[Acked] [Lucid][Precise][CVE-2014-9420] isofs: Fix infinite looping over CE entries

Andy Whitcroft apw at canonical.com
Wed Jan 7 18:14:00 UTC 2015


On Wed, Jan 07, 2015 at 05:32:15PM +0000, Luis Henriques wrote:
> From: Jan Kara <jack at suse.cz>
> 
> Rock Ridge extensions define so-called Continuation Entries (CE), which
> define where further space with Rock Ridge data is. A corrupted isofs
> image can contain an arbitrarily long chain of these, including one
> containing a loop, thus causing the kernel to end up in an infinite loop
> when traversing these entries.
> 
> Limit the traversal to 32 entries which should be more than enough space
> to store all the Rock Ridge data.
> 
> Reported-by: P J P <ppandit at redhat.com>
> CC: stable at vger.kernel.org
> Signed-off-by: Jan Kara <jack at suse.cz>
> (cherry picked from commit f54e18f1b831c92f6512d2eedb224cd63d607d3d)
> CVE-2014-9420
> BugLink: http://bugs.launchpad.net/bugs/1407947
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  fs/isofs/rock.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
> index 6fa4a86f73bf..69c737d4b517 100644
> --- a/fs/isofs/rock.c
> +++ b/fs/isofs/rock.c
> @@ -31,6 +31,7 @@ struct rock_state {
>  	int cont_size;
>  	int cont_extent;
>  	int cont_offset;
> +	int cont_loops;
>  	struct inode *inode;
>  };
>  
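
Review bot: the new `cont_loops` field in `struct rock_state` gets no explicit initialisation anywhere in this patch (all six insertions are shown and none of them sets it), so the limit is only correct if `init_rock_state()` already zeroes the whole structure. That is worth confirming in the Lucid and Precise trees being patched, since a stale starting value would make the cap trip early or late. A short comment on the field saying what it counts would help, and since it only ever counts up it could be `unsigned int`.
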
> @@ -74,6 +75,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
>  	rs->inode = inode;
>  }
>  
> +/* Maximum number of Rock Ridge continuation entries */
> +#define RR_MAX_CE_ENTRIES 32
> +
>  /*
>   * Returns 0 if the caller should continue scanning, 1 if the scan must end
>   * and -ve on error.
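
Review bot: the comment on `RR_MAX_CE_ENTRIES` says what the constant is but not why 32 is a safe bound; that reasoning (a corrupted image can chain or loop continuation entries, and 32 should be more than enough for the Rock Ridge data) lives only in the commit message. Suggest carrying a sentence of it into the comment. The define also lands between `init_rock_state()` and the comment block of the next function; placing it up by `struct rock_state` would keep the counter and its bound together.
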
> @@ -106,6 +110,8 @@ static int rock_continue(struct rock_state *rs)
>  			goto out;
>  		}
>  		ret = -EIO;
> +		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
> +			goto out;
>  		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
>  		if (bh) {
>  			memcpy(rs->buffer, bh->b_data + rs->cont_offset,
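
Review bot: in `rock_continue()`, `++rs->cont_loops >= RR_MAX_CE_ENTRIES` increments before comparing, so assuming the counter starts at zero the 32nd continuation is refused and at most 31 are followed, while the commit message and the constant's comment both say 32. Use `>` (or post-increment) if 32 is meant, or reword the comment to match. The bail-out also returns the generic `-EIO` set on the line above and the added lines log nothing, so an image that hits the cap is reported the same way as any other I/O error on this path; a one-line kernel message here would make the corrupted-image case recognisable when triaging.
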
> -- 

Looks reasonable, simple and self-contained.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw



