
[CVE-2014-9584,Precise,Lucid] isofs: Fix unchecked printing of ER records

Message ID 1421253991-23679-1-git-send-email-luis.henriques@canonical.com
State New

Commit Message

Luis Henriques Jan. 14, 2015, 4:46 p.m. UTC
From: Jan Kara <jack@suse.cz>

We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.

Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
(cherry picked from commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696)
CVE-2014-9584
BugLink: http://bugs.launchpad.net/bugs/1409808
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 fs/isofs/rock.c | 3 +++
 1 file changed, 3 insertions(+)
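The bug described above is a record whose self-declared identifier length is never compared with the record's own length before the identifier is printed. The following C program is an added illustration, not the kernel's code: it models a Rock Ridge ER entry with a simplified struct (an assumption, not `struct rock_ridge` from fs/isofs), applies the same bound the patch adds (`len_id + offsetof(data)` must not exceed the record length) after first checking that the record fits in the remaining buffer, and runs it over two constructed byte strings, one well-formed and one whose `len_id` overstates what the record holds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a Rock Ridge ER system-use entry. Assumption: this is
 * an illustrative layout covering only the fields the length check touches,
 * not the kernel's struct rock_ridge. */
struct er_record {
    uint8_t sig[2];   /* 'E', 'R' */
    uint8_t len;      /* total entry length, header included */
    uint8_t ver;
    uint8_t len_id;   /* bytes of the identifier string stored in data[] */
    uint8_t len_des;  /* bytes of the description string */
    uint8_t len_src;  /* bytes of the source string */
    uint8_t ext_ver;
    char data[];      /* identifier, then description, then source */
};

enum er_status { ER_OK = 0, ER_TRUNCATED = 1, ER_BAD_LEN_ID = 2, ER_NOT_ER = 3 };

/* Validate the ER entry at buf (buf_len bytes available) and copy its
 * identifier into out as a NUL-terminated string. Order matters: the record
 * must fit the buffer before any field inside it is trusted, and only then is
 * len_id bounded by the record length, which is the check the patch adds. */
enum er_status parse_er(const uint8_t *buf, size_t buf_len, char *out, size_t out_sz)
{
    const struct er_record *rr = (const struct er_record *)buf;
    const size_t hdr = offsetof(struct er_record, data);

    if (buf_len < hdr)
        return ER_TRUNCATED;                 /* not even a full header */
    if (rr->sig[0] != 'E' || rr->sig[1] != 'R')
        return ER_NOT_ER;
    if (rr->len < hdr || rr->len > buf_len)
        return ER_TRUNCATED;                 /* record overruns the buffer */
    /* The patched condition: identifier must lie inside the record. */
    if ((size_t)rr->len_id + hdr > rr->len)
        return ER_BAD_LEN_ID;

    size_t n = rr->len_id < out_sz - 1 ? rr->len_id : out_sz - 1;
    memcpy(out, rr->data, n);
    out[n] = '\0';
    return ER_OK;
}

/* Constructed sample entries (not taken from any real image). */
static const uint8_t good_er[] = {
    'E', 'R', 18, 1, 10, 0, 0, 1,
    'R', 'R', 'I', 'P', '_', '1', '9', '9', '1', 'A'
};
/* Same bytes, but len_id claims 200 identifier bytes the record lacks; the
 * unpatched code would read past the 18-byte record when printing. */
static const uint8_t bad_er[] = {
    'E', 'R', 18, 1, 200, 0, 0, 1,
    'R', 'R', 'I', 'P', '_', '1', '9', '9', '1', 'A'
};

int main(void)
{
    char id[64];
    enum er_status st;

    st = parse_er(good_er, sizeof good_er, id, sizeof id);
    printf("good record: status %d, identifier \"%s\"\n", st, st == ER_OK ? id : "");

    st = parse_er(bad_er, sizeof bad_er, id, sizeof id);
    printf("bad record:  status %d (2 = identifier length exceeds record)\n", st);
    return 0;
}
```

The two-stage check is the point worth keeping in mind when reading the one-line kernel fix: the new condition compares `len_id` with `rr->len`, so it protects the printing loop only as long as `rr->len` itself was already validated against the remaining system-use bytes by the surrounding parser.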

Comments

Seth Forshee Jan. 14, 2015, 5:22 p.m. UTC | #1

Colin Ian King Jan. 14, 2015, 5:24 p.m. UTC | #2
On 14/01/15 16:46, Luis Henriques wrote:
> From: Jan Kara <jack@suse.cz>
> 
> We didn't check length of rock ridge ER records before printing them.
> Thus corrupted isofs image can cause us to access and print some memory
> behind the buffer with obvious consequences.
> 
> Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
> CC: stable@vger.kernel.org
> Signed-off-by: Jan Kara <jack@suse.cz>
> (cherry picked from commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696)
> CVE-2014-9584
> BugLink: http://bugs.launchpad.net/bugs/1409808
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  fs/isofs/rock.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
> index 69c737d4b517..2ec72aeae9ca 100644
> --- a/fs/isofs/rock.c
> +++ b/fs/isofs/rock.c
> @@ -363,6 +363,9 @@ repeat:
>  			rs.cont_size = isonum_733(rr->u.CE.size);
>  			break;
>  		case SIG('E', 'R'):
> +			/* Invalid length of ER tag id? */
> +			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
> +				goto out;
>  			ISOFS_SB(inode->i_sb)->s_rock = 1;
>  			printk(KERN_DEBUG "ISO 9660 Extensions: ");
>  			{
> 
Looks sane to me
Brad Figg Jan. 15, 2015, 6:58 p.m. UTC | #3
On Wed, Jan 14, 2015 at 04:46:31PM +0000, Luis Henriques wrote:
> From: Jan Kara <jack@suse.cz>
> 
> We didn't check length of rock ridge ER records before printing them.
> Thus corrupted isofs image can cause us to access and print some memory
> behind the buffer with obvious consequences.
> 
> Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
> CC: stable@vger.kernel.org
> Signed-off-by: Jan Kara <jack@suse.cz>
> (cherry picked from commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696)
> CVE-2014-9584
> BugLink: http://bugs.launchpad.net/bugs/1409808
> Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
> ---
>  fs/isofs/rock.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
> index 69c737d4b517..2ec72aeae9ca 100644
> --- a/fs/isofs/rock.c
> +++ b/fs/isofs/rock.c
> @@ -363,6 +363,9 @@ repeat:
>  			rs.cont_size = isonum_733(rr->u.CE.size);
>  			break;
>  		case SIG('E', 'R'):
> +			/* Invalid length of ER tag id? */
> +			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
> +				goto out;
>  			ISOFS_SB(inode->i_sb)->s_rock = 1;
>  			printk(KERN_DEBUG "ISO 9660 Extensions: ");
>  			{
> -- 
> 2.1.4
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Applied to Lucid and Precise master-next

Patch

diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index 69c737d4b517..2ec72aeae9ca 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -363,6 +363,9 @@  repeat:
 			rs.cont_size = isonum_733(rr->u.CE.size);
 			break;
 		case SIG('E', 'R'):
+			/* Invalid length of ER tag id? */
+			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
+				goto out;
 			ISOFS_SB(inode->i_sb)->s_rock = 1;
 			printk(KERN_DEBUG "ISO 9660 Extensions: ");
 			{
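Review bot: The new `if` in this hunk bounds `rr->u.ER.len_id` only against `rr->len`, so it is sound only if `rr->len` was already checked against the bytes remaining in the system-use area before this `switch`; that earlier check is outside the hunk, and a short comment at the new `if` stating that the record length is assumed valid here would make the dependency explicit. The `goto out` also rejects the record silently, while the code immediately below is about to emit `printk(KERN_DEBUG "ISO 9660 Extensions: ")`; a matching debug message before `goto out` would help whoever has to diagnose an image whose extensions are not recognised. Minor: the comment `/* Invalid length of ER tag id? */` reads as a question; stating it as `/* ER identifier must fit inside the record */` says what the condition enforces.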