3.17-stable patches

author Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 6 Jan 2015 23:26:04 +0000 (15:26 -0800)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 6 Jan 2015 23:26:04 +0000 (15:26 -0800)
author Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 Jan 2015 23:26:04 +0000 (15:26 -0800)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 Jan 2015 23:26:04 +0000 (15:26 -0800)
diff --git a/queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch b/queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch

new file mode 100644 (file)

index 0000000..f57a366
--- /dev/null
+++ b/queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch
@@ -0,0 +1,33 @@
+From 4e2024624e678f0ebb916e6192bd23c1f9fdf696 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 18 Dec 2014 17:26:10 +0100
+Subject: isofs: Fix unchecked printing of ER records
+
+From: Jan Kara <jack@suse.cz>
+
+commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream.
+
+We didn't check length of rock ridge ER records before printing them.
+Thus corrupted isofs image can cause us to access and print some memory
+behind the buffer with obvious consequences.
+
+Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/rock.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -362,6 +362,9 @@ repeat:
+                       rs.cont_size = isonum_733(rr->u.CE.size);
+                       break;
+               case SIG('E', 'R'):
++                      /* Invalid length of ER tag id? */
++                      if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++                              goto out;
+                       ISOFS_SB(inode->i_sb)->s_rock = 1;
+                       printk(KERN_DEBUG "ISO 9660 Extensions: ");
+                       {
diff --git a/queue-3.17/series b/queue-3.17/series

index 5164179630ca161338da1d28663b89cce672a6f1..f1e2cc8259c4abc757c2f7e6d76e3a85d73f13a4 100644 (file)
--- a/queue-3.17/series
+++ b/queue-3.17/series
@@ -34,3 +34,4 @@ arm-mvebu-disable-i-o-coherency-on-non-smp-situations-on-armada-370-375-38x-xp.p
  arm-mvebu-fix-ordering-in-armada-370-.dtsi.patch
  x86-asm-traps-disable-tracing-and-kprobes-in-fixup_bad_iret-and-sync_regs.patch
  x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch
+isofs-fix-unchecked-printing-of-er-records.patch
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 6 Jan 2015 23:26:04 +0000 (15:26 -0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 6 Jan 2015 23:26:04 +0000 (15:26 -0800)
queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch	[new file with mode: 0644]	patch \| blob
queue-3.17/series		patch \| blob \| blame \| history