DivestOS/Patches/Linux_CVEs/CVE-2014-9420/^3.18/0.patch

From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Mon, 15 Dec 2014 14:22:46 +0100
Subject: [PATCH] isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which
define where is further space with Rock Ridge data. Corrupted isofs
image can contain arbitrarily long chain of these, including a one
containing loop and thus causing kernel to end in an infinite loop when
traversing these entries.

Limit the traversal to 32 entries which should be more than enough space
to store all the Rock Ridge data.

Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/isofs/rock.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index f488bbae541ac..bb63254ed8486 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -30,6 +30,7 @@ struct rock_state {
 	int cont_size;
 	int cont_extent;
 	int cont_offset;
+	int cont_loops;
 	struct inode *inode;
 };
 
@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state *rs, struct inode *inode)
 	rs->inode = inode;
 }
 
+/* Maximum number of Rock Ridge continuation entries */
+#define RR_MAX_CE_ENTRIES 32
+
 /*
  * Returns 0 if the caller should continue scanning, 1 if the scan must end
  * and -ve on error.
@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)
 			goto out;
 		}
 		ret = -EIO;
+		if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)
+			goto out;
 		bh = sb_bread(rs->inode->i_sb, rs->cont_extent);
 		if (bh) {
 			memcpy(rs->buffer, bh->b_data + rs->cont_offset,
Overhaul CVE patches 2017-10-29 14:23:02 -04:00			`From f54e18f1b831c92f6512d2eedb224cd63d607d3d Mon Sep 17 00:00:00 2001`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From: Jan Kara <jack@suse.cz>`
			`Date: Mon, 15 Dec 2014 14:22:46 +0100`
Overhaul CVE patches 2017-10-29 14:23:02 -04:00			`Subject: [PATCH] isofs: Fix infinite looping over CE entries`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00
			`Rock Ridge extensions define so called Continuation Entries (CE) which`
			`define where is further space with Rock Ridge data. Corrupted isofs`
			`image can contain arbitrarily long chain of these, including a one`
			`containing loop and thus causing kernel to end in an infinite loop when`
			`traversing these entries.`

			`Limit the traversal to 32 entries which should be more than enough space`
			`to store all the Rock Ridge data.`

			`Reported-by: P J P <ppandit@redhat.com>`
Overhaul CVE patches 2017-10-29 14:23:02 -04:00			`CC: stable@vger.kernel.org`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`Signed-off-by: Jan Kara <jack@suse.cz>`
			`---`
			`fs/isofs/rock.c \| 6 ++++++`
			`1 file changed, 6 insertions(+)`

			`diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c`
Overhaul CVE patches 2017-10-29 14:23:02 -04:00			`index f488bbae541ac..bb63254ed8486 100644`
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`--- a/fs/isofs/rock.c`
			`+++ b/fs/isofs/rock.c`
			`@@ -30,6 +30,7 @@ struct rock_state {`
			`int cont_size;`
			`int cont_extent;`
			`int cont_offset;`
			`+ int cont_loops;`
			`struct inode *inode;`
			`};`

			`@@ -73,6 +74,9 @@ static void init_rock_state(struct rock_state rs, struct inode inode)`
			`rs->inode = inode;`
			`}`

			`+/* Maximum number of Rock Ridge continuation entries */`
			`+#define RR_MAX_CE_ENTRIES 32`
			`+`
			`/*`
			`* Returns 0 if the caller should continue scanning, 1 if the scan must end`
			`* and -ve on error.`
			`@@ -105,6 +109,8 @@ static int rock_continue(struct rock_state *rs)`
			`goto out;`
			`}`
			`ret = -EIO;`
			`+ if (++rs->cont_loops >= RR_MAX_CE_ENTRIES)`
			`+ goto out;`
			`bh = sb_bread(rs->inode->i_sb, rs->cont_extent);`
			`if (bh) {`
			`memcpy(rs->buffer, bh->b_data + rs->cont_offset,`