[kernel] r22741 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Sun Jun 14 18:17:19 UTC 2015

Author: benh
Date: Sun Jun 14 18:17:19 2015
New Revision: 22741

Log:
udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================

--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Jun 14 18:04:32 2015	(r22740)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Jun 14 18:17:19 2015	(r22741)
@@ -54,6 +54,9 @@
     (CVE-2014-9728, CVE-2014-9730)
   * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
     (CVE-2015-1805)
+  * udf: Remove repeated loads blocksize
+  * udf: Check length of extended attributes and allocation descriptors
+    (CVE-2015-4167)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 12 Apr 2015 17:12:31 +0100
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch	Sun Jun 14 18:17:19 2015	(r22741)
@@ -0,0 +1,39 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+Origin: https://git.kernel.org/linus/23b133bdc452aa441fcb9b82cbf6dd05cfd342d0
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Backported to 3.16: use make_bad_inode() instead of returning error]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1284,6 +1284,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 							iinfo->i_lenEAttr;
+ 	}
+ 
++	/*
++	 * Sanity check length of allocation descriptors and extended attrs to
++	 * avoid integer overflows
++	 */
++	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
++	/* Now do exact checks */
++	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
++		make_bad_inode(inode);
++		return;
++	}
+ 	/* Sanity checks for files in ICB so that we don't get confused later */
+ 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ 		/*

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch	Sun Jun 14 18:17:19 2015	(r22741)
@@ -0,0 +1,84 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:46:16 +0100
+Subject: [PATCH] udf: Remove repeated loads blocksize
+Origin: https://git.kernel.org/linus/79144954278d4bb5989f8b903adcac7a20ff2a5a
+
+Store blocksize in a local variable in udf_fill_inode() since it is used
+a lot of times.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Needed for the following fix. Backported to 2.6.32: adjust context.]
+---
+ fs/udf/inode.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 2a706bb..5c996c1 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1157,6 +1157,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	int offset;
+ 	struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
+ 	struct udf_inode_info *iinfo = UDF_I(inode);
++	int bs = inode->i_sb->s_blocksize;
+ 
+ 	fe = (struct fileEntry *)bh->b_data;
+ 	efe = (struct extendedFileEntry *)bh->b_data;
+@@ -1177,41 +1178,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 	if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ 		iinfo->i_efe = 1;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct extendedFileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct extendedFileEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct extendedFileEntry));
++		       bs - sizeof(struct extendedFileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 0;
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+-						sizeof(struct fileEntry))) {
++		if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct fileEntry),
+-		       inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++		       bs - sizeof(struct fileEntry));
+ 	} else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ 		iinfo->i_efe = 0;
+ 		iinfo->i_use = 1;
+ 		iinfo->i_lenAlloc = le32_to_cpu(
+ 				((struct unallocSpaceEntry *)bh->b_data)->
+ 				 lengthAllocDescs);
+-		if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++		if (udf_alloc_i_data(inode, bs -
+ 					sizeof(struct unallocSpaceEntry))) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}
+ 		memcpy(iinfo->i_ext.i_data,
+ 		       bh->b_data + sizeof(struct unallocSpaceEntry),
+-		       inode->i_sb->s_blocksize -
+-					sizeof(struct unallocSpaceEntry));
++		       bs - sizeof(struct unallocSpaceEntry));
+ 		return;
+ 	}
+ 
+@@ -1297,8 +1295,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ 			return;
+ 		}
+ 		/* File in ICB has to fit in there... */
+-		if (inode->i_size > inode->i_sb->s_blocksize -
+-					udf_file_entry_alloc_offset(inode)) {
++		if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+ 			make_bad_inode(inode);
+ 			return;
+ 		}

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Jun 14 18:04:32 2015	(r22740)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Jun 14 18:17:19 2015	(r22741)
@@ -27,3 +27,5 @@
 + bugfix/all/udf-check-path-length-when-reading-symlink.patch
 + bugfix/all/udf-check-component-length-before-reading-it.patch
 + bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
++ bugfix/all/udf-remove-repeated-loads-blocksize.patch
++ bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch

