From: Greg Kroah-Hartman
Date: Tue, 6 Jan 2015 23:26:00 +0000 (-0800)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.64~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f75dd56b8d7ad5faf1355f5b00496abf654a4a3c;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches added patches: isofs-fix-unchecked-printing-of-er-records.patch
---
diff --git a/queue-3.14/isofs-fix-unchecked-printing-of-er-records.patch b/queue-3.14/isofs-fix-unchecked-printing-of-er-records.patch
new file mode 100644
index 00000000000..f57a3660f3a
--- /dev/null
+++ b/queue-3.14/isofs-fix-unchecked-printing-of-er-records.patch
@@ -0,0 +1,33 @@
+From 4e2024624e678f0ebb916e6192bd23c1f9fdf696 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Thu, 18 Dec 2014 17:26:10 +0100
+Subject: isofs: Fix unchecked printing of ER records
+
+From: Jan Kara
+
+commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream.
+
+We didn't check length of rock ridge ER records before printing them.
+Thus corrupted isofs image can cause us to access and print some memory
+behind the buffer with obvious consequences.
+
+Reported-and-tested-by: Carl Henrik Lunde
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/isofs/rock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -362,6 +362,9 @@ repeat:
+ rs.cont_size = isonum_733(rr->u.CE.size);
+ break;
+ case SIG('E', 'R'):
++ /* Invalid length of ER tag id? */
++ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++ goto out;
+ ISOFS_SB(inode->i_sb)->s_rock = 1;
+ printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ {
diff --git a/queue-3.14/series b/queue-3.14/series
index e906d780abf..eef73ffe912 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
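Review bot: The new bound in the `SIG('E', 'R')` case of fs/isofs/rock.c is taken against `rr->len`, the record's own length byte read from the image, so it keeps the print inside the buffer only if `rr->len` has itself been checked against the bytes remaining in the chunk. That earlier check is not visible here, because the case sits inside the `repeat:` loop, which starts and ends outside the hunk. Since this is a backport, it is worth confirming the check is present in the 3.14 tree. The comment could also record the dependency instead of asking a question, for example `/* len_id bytes of u.ER.data are printed below; they must lie inside this record, and rr->len inside the chunk */`.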
@@ -22,3 +22,4 @@ arm64-add-compat_hwcap_lpae.patch
 arm-tegra-re-add-removed-soc-id-macro-to-tegra_resume.patch
 arm-mvebu-fix-ordering-in-armada-370-.dtsi.patch
 x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch
+isofs-fix-unchecked-printing-of-er-records.patch