* [PATCH 3.14] udf: Check length of extended attributes and allocation descriptors
From: Charles (Chas) Williams @ 2015-09-03 20:48 UTC
To: stable
From: Jan Kara <jack@suse.cz>

commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.

Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.

This fixes CVE-2015-4167.

Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[Use make_bad_inode() instead of branching due to older implementation.]
Signed-off-by: Chas Williams <3chas3@gmail.com>
---
fs/udf/inode.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 287cd5f..142d29e 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
}
+ /*
+ * Sanity check length of allocation descriptors and extended attrs to
+ * avoid integer overflows
+ */
+ if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
+ || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
+ make_bad_inode(inode);
+ return;
+ }
+ /* Now do exact checks */
+ if (udf_file_entry_alloc_offset(inode)
+ + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
+ make_bad_inode(inode);
+ return;
+ }
+
switch (fe->icbTag.fileType) {
case ICBTAG_FILE_TYPE_DIRECTORY:
inode->i_op = &udf_dir_inode_operations;
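Review bot: Both new rejection paths in udf_fill_inode() fail silently. The function returns void, so after "make_bad_inode(inode); return;" the bad-inode state is the only signal, and nothing records which on-disk length was out of range. Consider logging i_lenEAttr, i_lenAlloc and s_blocksize before returning, so that a corrupted image can be diagnosed from the kernel log. The comment "avoid integer overflows" would also be clearer if it named the sum it protects, presumably "udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc" in the exact check that follows. It should also say whether that offset already accounts for i_lenEAttr, since the exact check never tests i_lenEAttr on its own.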
--
2.1.0
* Re: [PATCH 3.14] udf: Check length of extended attributes and allocation descriptors
From: Greg KH @ 2015-09-29 14:13 UTC
To: Charles (Chas) Williams; +Cc: stable
On Thu, Sep 03, 2015 at 04:48:49PM -0400, Charles (Chas) Williams wrote:
> From: Jan Kara <jack@suse.cz>
>
> commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
>
> Check length of extended attributes and allocation descriptors when
> loading inodes from disk. Otherwise corrupted filesystems could confuse
> the code and make the kernel oops.
>
> This fixes CVE-2015-4167.
>
> Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
> Signed-off-by: Jan Kara <jack@suse.cz>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> [Use make_bad_inode() instead of branching due to older implementation.]
> Signed-off-by: Chas Williams <3chas3@gmail.com>
Thanks for this, now applied.
greg k-h