ACK: [CVE-2014-9584][Precise][Lucid] isofs: Fix unchecked printing of ER records
Colin Ian King
colin.king at canonical.com
Wed Jan 14 17:24:22 UTC 2015
On 14/01/15 16:46, Luis Henriques wrote:
> From: Jan Kara <jack at suse.cz>
>
> We didn't check the length of Rock Ridge ER records before printing them.
> Thus a corrupted isofs image can cause us to access and print some memory
> behind the buffer with obvious consequences.
>
> Reported-and-tested-by: Carl Henrik Lunde <chlunde at ping.uio.no>
> CC: stable at vger.kernel.org
> Signed-off-by: Jan Kara <jack at suse.cz>
> (cherry picked from commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696)
> CVE-2014-9584
> BugLink: http://bugs.launchpad.net/bugs/1409808
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
> fs/isofs/rock.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
> index 69c737d4b517..2ec72aeae9ca 100644
> --- a/fs/isofs/rock.c
> +++ b/fs/isofs/rock.c
> @@ -363,6 +363,9 @@ repeat:
> rs.cont_size = isonum_733(rr->u.CE.size);
> break;
> case SIG('E', 'R'):
> + /* Invalid length of ER tag id? */
> + if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
> + goto out;
> ISOFS_SB(inode->i_sb)->s_rock = 1;
> printk(KERN_DEBUG "ISO 9660 Extensions: ");
> {
>
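Review bot: the new bound under `case SIG('E', 'R')` compares `len_id` plus the data offset only against `rr->len`, which is the record's own self-declared length, so the check is only as strong as the validation of `rr->len` against the remaining buffer, and that validation is not visible in this hunk. It would be worth confirming that such a check runs earlier in the `repeat:` loop and saying so in the comment, for example `/* ER id must fit inside the record; rr->len is validated above */`. The `goto out` path also discards the record without a message, so the comment or commit text should state whether that fails the whole lookup or just stops parsing further entries.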
Looks sane to me