From 2a55bcd41483c4dbca1f63c6b2787d2dc0383032 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 5 Oct 2014 16:38:01 -0700 Subject: [PATCH] 3.16-stable patches added patches: udf-avoid-infinite-loop-when-processing-indirect-icbs.patch --- ...e-loop-when-processing-indirect-icbs.patch | 91 +++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 queue-3.16/udf-avoid-infinite-loop-when-processing-indirect-icbs.patch diff --git a/queue-3.16/udf-avoid-infinite-loop-when-processing-indirect-icbs.patch b/queue-3.16/udf-avoid-infinite-loop-when-processing-indirect-icbs.patch new file mode 100644 index 00000000000..5e948c5d3db --- /dev/null +++ b/queue-3.16/udf-avoid-infinite-loop-when-processing-indirect-icbs.patch @@ -0,0 +1,91 @@ +From c03aa9f6e1f938618e6db2e23afef0574efeeb65 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 4 Sep 2014 14:06:55 +0200 +Subject: udf: Avoid infinite loop when processing indirect ICBs + +From: Jan Kara + +commit c03aa9f6e1f938618e6db2e23afef0574efeeb65 upstream. + +We did not implement any bound on number of indirect ICBs we follow when +loading inode. Thus corrupted medium could cause kernel to go into an +infinite loop, possibly causing a stack overflow. + +Fix the possible stack overflow by removing recursion from +__udf_read_inode() and limit number of indirect ICBs we follow to avoid +infinite loops. + +Signed-off-by: Jan Kara +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/inode.c | 35 +++++++++++++++++++++-------------- + 1 file changed, 21 insertions(+), 14 deletions(-) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1271,13 +1271,22 @@ update_time: + return 0; + } + ++/* ++ * Maximum length of linked list formed by ICB hierarchy. The chosen number is ++ * arbitrary - just that we hopefully don't limit any real use of rewritten ++ * inode on write-once media but avoid looping for too long on corrupted media. ++ */ ++#define UDF_MAX_ICB_NESTING 1024 ++ + static void __udf_read_inode(struct inode *inode) + { + struct buffer_head *bh = NULL; + struct fileEntry *fe; + uint16_t ident; + struct udf_inode_info *iinfo = UDF_I(inode); ++ unsigned int indirections = 0; + ++reread: + /* + * Set defaults, but the inode is still incomplete! + * Note: get_new_inode() sets the following on a new inode: +@@ -1314,28 +1323,26 @@ static void __udf_read_inode(struct inod + ibh = udf_read_ptagged(inode->i_sb, &iinfo->i_location, 1, + &ident); + if (ident == TAG_IDENT_IE && ibh) { +- struct buffer_head *nbh = NULL; + struct kernel_lb_addr loc; + struct indirectEntry *ie; + + ie = (struct indirectEntry *)ibh->b_data; + loc = lelb_to_cpu(ie->indirectICB.extLocation); + +- if (ie->indirectICB.extLength && +- (nbh = udf_read_ptagged(inode->i_sb, &loc, 0, +- &ident))) { +- if (ident == TAG_IDENT_FE || +- ident == TAG_IDENT_EFE) { +- memcpy(&iinfo->i_location, +- &loc, +- sizeof(struct kernel_lb_addr)); +- brelse(bh); +- brelse(ibh); +- brelse(nbh); +- __udf_read_inode(inode); ++ if (ie->indirectICB.extLength) { ++ brelse(bh); ++ brelse(ibh); ++ memcpy(&iinfo->i_location, &loc, ++ sizeof(struct kernel_lb_addr)); ++ if (++indirections > UDF_MAX_ICB_NESTING) { ++ udf_err(inode->i_sb, ++ "too many ICBs in ICB hierarchy" ++ " (max %d supported)\n", ++ UDF_MAX_ICB_NESTING); ++ make_bad_inode(inode); + return; + } +- brelse(nbh); ++ goto reread; + } + } + brelse(ibh); -- 2.47.3