From d0d74143fe7988adacd711cc360a029e628ebdb6 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: May 19 2016 12:08:13 +0000
Subject: CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
---
diff --git a/get_rock_ridge_filename-handle-malformed-NM-entries.patch b/get_rock_ridge_filename-handle-malformed-NM-entries.patch
new file mode 100644
index 0000000..3f5db6c
--- /dev/null
+++ b/get_rock_ridge_filename-handle-malformed-NM-entries.patch
@@ -0,0 +1,63 @@
+From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: [PATCH] get_rock_ridge_filename(): handle malformed NM entries
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length.
8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ int retnamlen = 0;
+ int truncate = 0;
+ int ret = 0;
++ char *p;
++ int len;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+ return 0;
+@@ -267,12 +269,17 @@ repeat:
+ rr->u.NM.flags);
+ break;
+ }
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+ truncate = 1;
+ break;
+ }
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+ break;
+ case SIG('R', 'E'):
+ kfree(rs.buffer);
+--
+2.5.5
+
diff --git a/kernel.spec b/kernel.spec
index 0fb7bdf..4723499 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -669,6 +669,9 @@ Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
 #CVE-2016-3713 rhbz 1332139 1336410
 Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
+#CVE-2016-4913 rhbz 1337528 1337529
+Patch719: get_rock_ridge_filename-handle-malformed-NM-entries.patch
+
 # END OF PATCH DEFINITIONS
 %endif
@@ -2190,6 +2193,9 @@ fi
 #
 #
 %changelog
+* Thu May 19 2016 Josh Boyer
+- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
+
 * Mon May 16 2016 Justin M. Forbes
 - Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)
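Review bot: In the new NM branch `len = rr->len - 5` has no lower bound visible in this hunk, and the only check before `memchr()` is `retnamlen + len >= 254`, which a negative `len` passes; `memchr()` then receives that negative value converted to a huge size_t, so the read is bounded only by wherever the next NUL byte happens to sit rather than by the entry. Whether an earlier generic entry-length check in get_rock_ridge_filename() already rejects `rr->len < 5` cannot be seen from here, and the function starts and ends outside the hunk, so this should be confirmed against the surrounding code. If it is not covered, a guard right after the assignment such as `if (unlikely(len < 0)) { truncate = 1; break; }` (or whatever malformed-entry exit the function uses elsewhere) closes it. A short comment above the `memchr()` call, `/* NM payloads must not contain NUL; copy only the bytes before the first one so retnamlen counts what was actually copied */`, would also carry the commit's rationale into the code.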