[linux] 01/01: get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu May 19 20:23:39 UTC 2016
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit 0da28d4833d05f2a74b5ab9a09461d757d5d8080
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu May 19 22:20:37 2016 +0200
get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
---
debian/changelog | 1 +
...idge_filename-handle-malformed-NM-entries.patch | 63 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 65 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ba711c7..c8b1e4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
* [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961)
+ * get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
-- Ben Hutchings <ben at decadent.org.uk> Wed, 30 Mar 2016 16:32:07 +0100
diff --git a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
new file mode 100644
index 0000000..063a5a5
--- /dev/null
+++ b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
@@ -0,0 +1,63 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length. 8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable at vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb..98b3eb7 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ int retnamlen = 0;
+ int truncate = 0;
+ int ret = 0;
++ char *p;
++ int len;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+ return 0;
+@@ -267,12 +269,17 @@ repeat:
+ rr->u.NM.flags);
+ break;
+ }
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+ truncate = 1;
+ break;
+ }
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+ break;
+ case SIG('R', 'E'):
+ kfree(rs.buffer);
+--
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 6b0d4b3..4f79419 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -674,3 +674,4 @@ bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
+bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list