From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 6 Jan 2015 23:25:56 +0000 (-0800)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.64~18
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0e91b6be6882806ea7a8fbb502a1b3590eb276d3;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
	isofs-fix-unchecked-printing-of-er-records.patch
---

diff --git a/queue-3.10/isofs-fix-unchecked-printing-of-er-records.patch b/queue-3.10/isofs-fix-unchecked-printing-of-er-records.patch
new file mode 100644
index 00000000000..f57a3660f3a
--- /dev/null
+++ b/queue-3.10/isofs-fix-unchecked-printing-of-er-records.patch
@@ -0,0 +1,33 @@
+From 4e2024624e678f0ebb916e6192bd23c1f9fdf696 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Thu, 18 Dec 2014 17:26:10 +0100
+Subject: isofs: Fix unchecked printing of ER records
+
+From: Jan Kara <jack@suse.cz>
+
+commit 4e2024624e678f0ebb916e6192bd23c1f9fdf696 upstream.
+
+We didn't check length of rock ridge ER records before printing them.
+Thus corrupted isofs image can cause us to access and print some memory
+behind the buffer with obvious consequences.
+
+Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/isofs/rock.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -362,6 +362,9 @@ repeat:
+ 			rs.cont_size = isonum_733(rr->u.CE.size);
+ 			break;
+ 		case SIG('E', 'R'):
++			/* Invalid length of ER tag id? */
++			if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
++				goto out;
+ 			ISOFS_SB(inode->i_sb)->s_rock = 1;
+ 			printk(KERN_DEBUG "ISO 9660 Extensions: ");
+ 			{
diff --git a/queue-3.10/series b/queue-3.10/series
index e049d64f43e..5763a259cd0 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -11,3 +11,4 @@ nfs41-fix-nfs4_proc_layoutget-error-handling.patch
 dm-bufio-fix-memleak-when-using-a-dm_buffer-s-inline-bio.patch
 dm-space-map-metadata-fix-sm_bootstrap_get_nr_blocks.patch
 x86-tls-don-t-validate-lm-in-set_thread_area-after-all.patch
+isofs-fix-unchecked-printing-of-er-records.patch