[linux] 01/01: get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu May 19 20:23:39 UTC 2016 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit 0da28d4833d05f2a74b5ab9a09461d757d5d8080
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Thu May 19 22:20:37 2016 +0200

    get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
---
 debian/changelog                                   |  1 +
 ...idge_filename-handle-malformed-NM-entries.patch | 63 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 65 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ba711c7..c8b1e4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -21,6 +21,7 @@ linux (3.16.7-ckt25-2+deb8u1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * [x86] USB: usbip: fix potential out-of-bounds write (CVE-2016-3955)
   * [x86] xen: suppress hugetlbfs in PV guests (CVE-2016-3961)
+  * get_rock_ridge_filename(): handle malformed NM entries (CVE-2016-4913)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 30 Mar 2016 16:32:07 +0100
 
diff --git a/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
new file mode 100644
index 0000000..063a5a5
--- /dev/null
+++ b/debian/patches/bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch
@@ -0,0 +1,63 @@
+From: Al Viro <viro at zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: get_rock_ridge_filename(): handle malformed NM entries
+Origin: https://git.kernel.org/linus/99d825822eade8d827a1817357cbf3f889a552d6
+
+Payloads of NM entries are not supposed to contain NUL.  When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries).  We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254.  So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected.  And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily.  And that's what will be passed to readdir callback as the
+name length.  8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable at vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro at zeniv.linux.org.uk>
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb..98b3eb7 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ 	int retnamlen = 0;
+ 	int truncate = 0;
+ 	int ret = 0;
++	char *p;
++	int len;
+ 
+ 	if (!ISOFS_SB(inode->i_sb)->s_rock)
+ 		return 0;
+@@ -267,12 +269,17 @@ repeat:
+ 					rr->u.NM.flags);
+ 				break;
+ 			}
+-			if ((strlen(retname) + rr->len - 5) >= 254) {
++			len = rr->len - 5;
++			if (retnamlen + len >= 254) {
+ 				truncate = 1;
+ 				break;
+ 			}
+-			strncat(retname, rr->u.NM.name, rr->len - 5);
+-			retnamlen += rr->len - 5;
++			p = memchr(rr->u.NM.name, '\0', len);
++			if (unlikely(p))
++				len = p - rr->u.NM.name;
++			memcpy(retname + retnamlen, rr->u.NM.name, len);
++			retnamlen += len;
++			retname[retnamlen] = '\0';
+ 			break;
+ 		case SIG('R', 'E'):
+ 			kfree(rs.buffer);
+-- 
+2.8.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 6b0d4b3..4f79419 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -674,3 +674,4 @@ bugfix/all/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_.patch
 bugfix/all/usbnet-cleanup-after-bind-in-probe.patch
 bugfix/all/atl2-disable-unimplemented-scatter-gather-feature.patch
 bugfix/x86/x86-mm-xen-Suppress-hugetlbfs-in-PV-guests.patch
+bugfix/all/get_rock_ridge_filename-handle-malformed-NM-entries.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list