From: Greg Kroah-Hartman Date: Wed, 4 Mar 2015 04:23:10 +0000 (-0800) Subject: 3.19-stable patches X-Git-Tag: v3.10.71~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=235c711b62c6f143821add093416df9abdf59f86;p=thirdparty%2Fkernel%2Fstable-queue.git 3.19-stable patches added patches: udf-check-length-of-extended-attributes-and-allocation-descriptors.patch udf-remove-repeated-loads-blocksize.patch
---
diff --git a/queue-3.19/series b/queue-3.19/series
index ddf9779f386..01313994bd9 100644
--- a/queue-3.19/series
+++ b/queue-3.19/series
@@ -139,3 +139,5 @@ serial-fsl_lpuart-delete-timer-on-shutdown.patch
 serial-fsl_lpuart-avoid-new-transfer-while-dma-is-running.patch
 arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch
 mips-htw-prevent-accidental-htw-start-due-to-nested-htw_-start-stop.patch
+udf-remove-repeated-loads-blocksize.patch
+udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
diff --git a/queue-3.19/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch b/queue-3.19/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
new file mode 100644
index 00000000000..95a5188e7dd
--- /dev/null
+++ b/queue-3.19/udf-check-length-of-extended-attributes-and-allocation-descriptors.patch
@@ -0,0 +1,39 @@
+From 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+
+From: Jan Kara
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/inode.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1487,6 +1487,15 @@ reread:
+ }
+ inode->i_generation = iinfo->i_unique;
+
++ /*
++ * Sanity check length of allocation descriptors and extended attrs to
++ * avoid integer overflows
++ */
++ if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs)
++ goto out;
++ /* Now do exact checks */
++ if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs)
++ goto out;
+ /* Sanity checks for files in ICB so that we don't get confused later */
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ /*
diff --git a/queue-3.19/udf-remove-repeated-loads-blocksize.patch b/queue-3.19/udf-remove-repeated-loads-blocksize.patch
new file mode 100644
index 00000000000..abdc1738f1a
--- /dev/null
+++ b/queue-3.19/udf-remove-repeated-loads-blocksize.patch
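Review bot: The length checks that udf-check-length-of-extended-attributes-and-allocation-descriptors.patch adds at fs/udf/inode.c line 1487 do not appear to cover unallocated space entries. In the companion udf-remove-repeated-loads-blocksize.patch, the `TAG_IDENT_USE` branch loads `iinfo->i_lenAlloc` from the on-disk `lengthAllocDescs` and reaches `return 0;` inside the hunk at line 1374, before the new checks run. If that reading holds, a corrupted USE descriptor keeps an unvalidated `i_lenAlloc`. A bound such as `if (iinfo->i_lenAlloc > bs - sizeof(struct unallocSpaceEntry)) goto out;` placed right after the load would close the gap, provided `ret` still holds an error value at that point. The function body starts and ends outside both hunks, so whether later users of `i_lenAlloc` re-validate it cannot be confirmed from this page.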
@@ -0,0 +1,84 @@
+From 79144954278d4bb5989f8b903adcac7a20ff2a5a Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 7 Jan 2015 13:46:16 +0100
+Subject: udf: Remove repeated loads blocksize
+
+From: Jan Kara
+
+commit 79144954278d4bb5989f8b903adcac7a20ff2a5a upstream.
+
+Store blocksize in a local variable in udf_fill_inode() since it is used
+a lot of times.
+
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/udf/inode.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1288,6 +1288,7 @@ static int udf_read_inode(struct inode *
+ struct kernel_lb_addr *iloc = &iinfo->i_location;
+ unsigned int link_count;
+ unsigned int indirections = 0;
++ int bs = inode->i_sb->s_blocksize;
+ int ret = -EIO;
+
+ reread:
+@@ -1374,38 +1375,35 @@ reread:
+ if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ iinfo->i_efe = 1;
+ iinfo->i_use = 0;
+- ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ ret = udf_alloc_i_data(inode, bs -
+ sizeof(struct extendedFileEntry));
+ if (ret)
+ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct extendedFileEntry),
+- inode->i_sb->s_blocksize -
+- sizeof(struct extendedFileEntry));
++ bs - sizeof(struct extendedFileEntry));
+ } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ iinfo->i_efe = 0;
+ iinfo->i_use = 0;
+- ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct fileEntry));
++ ret = udf_alloc_i_data(inode, bs - sizeof(struct fileEntry));
+ if (ret)
+ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct fileEntry),
+- inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++ bs - sizeof(struct fileEntry));
+ } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ iinfo->i_efe = 0;
+ iinfo->i_use = 1;
+ iinfo->i_lenAlloc = le32_to_cpu(
+ ((struct unallocSpaceEntry *)bh->b_data)->
+ lengthAllocDescs);
+- ret = udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ ret = udf_alloc_i_data(inode, bs -
+ sizeof(struct unallocSpaceEntry));
+ if (ret)
+ goto out;
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct unallocSpaceEntry),
+- inode->i_sb->s_blocksize -
+- sizeof(struct unallocSpaceEntry));
++ bs - sizeof(struct unallocSpaceEntry));
+ return 0;
+ }
+
+@@ -1498,8 +1496,7 @@ reread:
+ if (iinfo->i_lenAlloc != inode->i_size)
+ goto out;
+ /* File in ICB has to fit in there... */
+- if (inode->i_size > inode->i_sb->s_blocksize -
+- udf_file_entry_alloc_offset(inode))
++ if (inode->i_size > bs - udf_file_entry_alloc_offset(inode))
+ goto out;
+ }
+
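Review bot: In udf-remove-repeated-loads-blocksize.patch, `int bs = inode->i_sb->s_blocksize;` in the hunk at line 1288 introduces a signed local, yet every use in this patch subtracts an unsigned quantity from it (`bs - sizeof(struct extendedFileEntry)`, `bs - udf_file_entry_alloc_offset(inode)`). The companion udf-check-length patch then compares on-disk lengths against the same variable. Declaring it as `unsigned int bs = inode->i_sb->s_blocksize;` would keep the bounds arithmetic in one signedness and make the implicit conversions explicit. The types of `s_blocksize`, `i_lenAlloc` and `i_lenEAttr` are not visible on this page, so confirm that none of these comparisons relies on a signed operand. `udf_read_inode` starts and ends outside the hunks shown.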