From: Jan Kara <jack@suse.cz>
Date: Thu, 18 Dec 2014 17:26:10 +0100
Subject: isofs: Fix unchecked printing of ER records
Origin: https://git.kernel.org/linus/4e2024624e678f0ebb916e6192bd23c1f9fdf696
We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.
Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/isofs/rock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index bb63254..735d752 100644
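--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -362,6 +362,9 @@ repeat:
 rs.cont_size = isonum_733(rr->u.CE.size);
 break;
 case SIG('E', 'R'):
+ /* Invalid length of ER tag id? */
+ if (rr->u.ER.len_id + offsetof(struct rock_ridge, u.ER.data) > rr->len)
+ goto out;
 ISOFS_SB(inode->i_sb)->s_rock = 1;
 printk(KERN_DEBUG "ISO 9660 Extensions: ");
 {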
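Review bot: The new bound in `case SIG('E', 'R')` is measured against `rr->len`, which is itself read from the on-disk record, so it only protects the print if `rr->len` has already been checked against the bytes really left in the buffer; that check is not visible here and should be confirmed in the enclosing function, whose body starts above the hunk (the header shows `repeat:`) and continues past the opening `{`. The added comment would help the next reader more if it said why the test exists, for example `/* len_id comes from the image: it must fit inside this record before ER.data is printed */`. As far as the hunk shows, the rejection is a bare `goto out;` with no message, so a corrupted image is skipped without leaving a trace in the log; a ratelimited notice on that path would make such images easier to triage.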