[kernel] r22743 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Sun Jun 14 19:50:58 UTC 2015
Author: benh
Date: Sun Jun 14 19:50:58 2015
New Revision: 22743
Log:
udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Sun Jun 14 19:45:15 2015 (r22742)
+++ dists/wheezy-security/linux/debian/changelog Sun Jun 14 19:50:58 2015 (r22743)
@@ -2,6 +2,9 @@
* pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
(CVE-2015-1805)
+ * udf: Remove repeated loads blocksize
+ * udf: Check length of extended attributes and allocation descriptors
+ (CVE-2015-4167)
-- Ben Hutchings <ben at decadent.org.uk> Sun, 14 Jun 2015 20:44:48 +0100
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch Sun Jun 14 19:50:58 2015 (r22743)
@@ -0,0 +1,43 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:49:08 +0100
+Subject: udf: Check length of extended attributes and allocation descriptors
+Origin: https://git.kernel.org/linus/925cab7b6a683f791644dfde345f91e87017a023
+
+commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
+
+Check length of extended attributes and allocation descriptors when
+loading inodes from disk. Otherwise corrupted filesystems could confuse
+the code and make the kernel oops.
+
+Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Backported to 3.16: use make_bad_inode() instead of returning error]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 5c996c1..e081440 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1401,6 +1401,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ iinfo->i_lenEAttr;
+ }
+
++ /*
++ * Sanity check length of allocation descriptors and extended attrs to
++ * avoid integer overflows
++ */
++ if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
++ make_bad_inode(inode);
++ return;
++ }
++ /* Now do exact checks */
++ if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
++ make_bad_inode(inode);
++ return;
++ }
+ /* Sanity checks for files in ICB so that we don't get confused later */
+ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
+ /*
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/udf-remove-repeated-loads-blocksize.patch Sun Jun 14 19:50:58 2015 (r22743)
@@ -0,0 +1,85 @@
+From: Jan Kara <jack at suse.cz>
+Date: Wed, 7 Jan 2015 13:46:16 +0100
+Subject: udf: Remove repeated loads blocksize
+Origin: https://git.kernel.org/linus/79144954278d4bb5989f8b903adcac7a20ff2a5a
+
+Store blocksize in a local variable in udf_fill_inode() since it is used
+a lot of times.
+
+Signed-off-by: Jan Kara <jack at suse.cz>
+[bwh: Needed for the following fix. Backported to 3.16: adjust context.]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/udf/inode.c | 19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+diff --git a/fs/udf/inode.c b/fs/udf/inode.c
+index 2a706bb..5c996c1 100644
+--- a/fs/udf/inode.c
++++ b/fs/udf/inode.c
+@@ -1271,6 +1271,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
+ struct udf_inode_info *iinfo = UDF_I(inode);
+ unsigned int link_count;
++ int bs = inode->i_sb->s_blocksize;
+
+ fe = (struct fileEntry *)bh->b_data;
+ efe = (struct extendedFileEntry *)bh->b_data;
+@@ -1291,41 +1292,38 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_EFE)) {
+ iinfo->i_efe = 1;
+ iinfo->i_use = 0;
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ if (udf_alloc_i_data(inode, bs -
+ sizeof(struct extendedFileEntry))) {
+ make_bad_inode(inode);
+ return;
+ }
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct extendedFileEntry),
+- inode->i_sb->s_blocksize -
+- sizeof(struct extendedFileEntry));
++ bs - sizeof(struct extendedFileEntry));
+ } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_FE)) {
+ iinfo->i_efe = 0;
+ iinfo->i_use = 0;
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
+- sizeof(struct fileEntry))) {
++ if (udf_alloc_i_data(inode, bs - sizeof(struct fileEntry))) {
+ make_bad_inode(inode);
+ return;
+ }
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct fileEntry),
+- inode->i_sb->s_blocksize - sizeof(struct fileEntry));
++ bs - sizeof(struct fileEntry));
+ } else if (fe->descTag.tagIdent == cpu_to_le16(TAG_IDENT_USE)) {
+ iinfo->i_efe = 0;
+ iinfo->i_use = 1;
+ iinfo->i_lenAlloc = le32_to_cpu(
+ ((struct unallocSpaceEntry *)bh->b_data)->
+ lengthAllocDescs);
+- if (udf_alloc_i_data(inode, inode->i_sb->s_blocksize -
++ if (udf_alloc_i_data(inode, bs -
+ sizeof(struct unallocSpaceEntry))) {
+ make_bad_inode(inode);
+ return;
+ }
+ memcpy(iinfo->i_ext.i_data,
+ bh->b_data + sizeof(struct unallocSpaceEntry),
+- inode->i_sb->s_blocksize -
+- sizeof(struct unallocSpaceEntry));
++ bs - sizeof(struct unallocSpaceEntry));
+ return;
+ }
+
+@@ -1414,8 +1412,7 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
+ return;
+ }
+ /* File in ICB has to fit in there... */
+- if (inode->i_size > inode->i_sb->s_blocksize -
+- udf_file_entry_alloc_offset(inode)) {
++ if (inode->i_size > bs - udf_file_entry_alloc_offset(inode)) {
+ make_bad_inode(inode);
+ return;
+ }
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Sun Jun 14 19:45:15 2015 (r22742)
+++ dists/wheezy-security/linux/debian/patches/series Sun Jun 14 19:50:58 2015 (r22743)
@@ -1167,3 +1167,5 @@
bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
+bugfix/all/udf-remove-repeated-loads-blocksize.patch
+bugfix/all/udf-check-length-of-extended-attributes-and-allocati.patch
More information about the Kernel-svn-changes
mailing list