APPLIED: [CVE-2014-9584][Precise][Lucid] isofs: Fix unchecked printing of ER records

Brad Figg brad.figg at canonical.com
Thu Jan 15 18:58:15 UTC 2015


On Wed, Jan 14, 2015 at 04:46:31PM +0000, Luis Henriques wrote:
> From: Jan Kara <jack at suse.cz>
> 
> We didn't check length of rock ridge ER records before printing them.
> Thus corrupted isofs image can cause us to access and print some memory
> behind the buffer with obvious consequences.
> 
> Reported-and-tested-by: Carl Henrik Lunde <chlunde at ping.uio.no>
> CC: stable at vger.kernel.org
> Signed-off-by: Jan Kara <jack at suse.cz>
> (cherry picked from commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696)
> CVE-2014-9584
> BugLink: http://bugs.launchpad.net/bugs/1409808
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  fs/isofs/rock.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
> index 69c737d4b517..2ec72aeae9ca 100644
> --- a/fs/isofs/rock.c
> +++ b/fs/isofs/rock.c
> @@ -363,6 +363,9 @@ repeat:
>  			rs.cont_size = isonum_733(rr->u.CE.size);
>  			break;
>  		case SIG('E', 'R'):
> +			/* Invalid length of ER tag id? */
> +			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
> +				goto out;
>  			ISOFS_SB(inode->i_sb)->s_rock = 1;
>  			printk(KERN_DEBUG "ISO 9660 Extensions: ");
>  			{
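Review bot: The new check under `case SIG('E', 'R'):` bounds `rr->u.ER.len_id` against `rr->len`, but `rr->len` is itself a field taken from the record, so the test only protects the `printk` that follows if `rr->len` was already validated against the remaining buffer earlier in the loop, which this hunk does not show. Please confirm that, and say so in the comment, so the dependency is visible to whoever touches this case next. The check also takes `goto out` without logging anything. A rate-limited debug message naming the invalid ER length would make corrupted images easier to diagnose. Minor style point: the `if` line runs past 80 columns at this indent and could be wrapped after the `+`.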
> -- 
> 2.1.4
> 

Applied to Lucid and Precise master-next

-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com