From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from wtarreau.pck.nerim.net ([62.212.114.60]:36257 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934725AbbEOIQJ (ORCPT ); Fri, 15 May 2015 04:16:09 -0400 Message-Id: <20150515080531.059504205@1wt.eu> Date: Fri, 15 May 2015 10:05:48 +0200 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jan Kara , Willy Tarreau Subject: [ 18/48] isofs: Fix unchecked printing of ER records MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 In-Reply-To: <9c2783dfae10ef2d1e9b08bcc1e562c5@local> Sender: stable-owner@vger.kernel.org List-ID: 2.6.32-longterm review patch. If anyone has any objections, please let me know. ------------------ From: Jan Kara commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream We didn't check length of rock ridge ER records before printing them. Thus corrupted isofs image can cause us to access and print some memory behind the buffer with obvious consequences. Reported-and-tested-by: Carl Henrik Lunde CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Willy Tarreau --- fs/isofs/rock.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c index 69c737d..2ec72ae 100644 --- a/fs/isofs/rock.c +++ b/fs/isofs/rock.c @@ -363,6 +363,9 @@ repeat: rs.cont_size = isonum_733(rr->u.CE.size); break; case SIG('E', 'R'): + /* Invalid length of ER tag id? */ + if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len) + goto out; ISOFS_SB(inode->i_sb)->s_rock = 1; printk(KERN_DEBUG "ISO 9660 Extensions: "); { -- 1.7.12.2.21.g234cd45.dirty