From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 6 Jan 2015 23:26:04 +0000 (-0800)
Subject: 3.17-stable patches
X-Git-Tag: v3.10.64~16
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da317224e3be940b681e5729fd4b10e08daa3300;p=thirdparty%2Fkernel%2Fstable-queue.git

3.17-stable patches

added patches:
	isofs-fix-unchecked-printing-of-er-records.patch
---

diff --git a/queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch b/queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch
new file mode 100644
index 00000000000..f57a3660f3a
--- /dev/null
+++ b/queue-3.17/isofs-fix-unchecked-printing-of-er-records.patch
@@ -0,0 +1,33 @@
+From 4e2024624e678f0ebb916e6192bd23c1f9fdf696 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 18 Dec 2014 17:26:10 +0100
+Subject: isofs: Fix unchecked printing of ER records
+
+From: Jan Kara <jack@suse.cz>
+
+commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream.
+
+We didn't check length of rock ridge ER records before printing them.
+Thus corrupted isofs image can cause us to access and print some memory
+behind the buffer with obvious consequences.
+
+Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/rock.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -362,6 +362,9 @@ repeat:
+ 			rs.cont_size = isonum_733(rr->u.CE.size);
+ 			break;
+ 		case SIG('E', 'R'):
++			/* Invalid length of ER tag id? */
++			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++				goto out;
+ 			ISOFS_SB(inode->i_sb)->s_rock = 1;
+ 			printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ 			{
diff --git a/queue-3.17/series b/queue-3.17/series
index 5164179630c..f1e2cc8259c 100644
--- a/queue-3.17/series
+++ b/queue-3.17/series
@@ -34,3 +34,4 @@ arm-mvebu-disable-i-o-coherency-on-non-smp-situations-on-armada-370-375-38x-xp.p
 arm-mvebu-fix-ordering-in-armada-370-.dtsi.patch
 x86-asm-traps-disable-tracing-and-kprobes-in-fixup_bad_iret-and-sync_regs.patch
 x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch
+isofs-fix-unchecked-printing-of-er-records.patch