Security: CVE-2014-9420
Issue description

Advisory: CVE-2014-9420
Details: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9420
CVSS severity score: 4.9
Description: The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image.

Jan 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/a7619de06a3ef1a818d29d7343092bdaa08a2286

commit a7619de06a3ef1a818d29d7343092bdaa08a2286
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426361
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/a7619de06a3ef1a818d29d7343092bdaa08a2286/fs/isofs/rock.c
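
Added example (not part of the original issue or of the kernel patch): a user-space C model of the bounded continuation-entry walk that the commit message describes. The block layout, struct image, make_chain and walk_ce_chain are hypothetical names for illustration, and whether exactly 32 hops are still accepted is a choice of this model; only the limit of 32 comes from the commit message.

```c
#include <stdio.h>

/* Simplified model (assumption, not the on-disk format): each block holds
 * at most one continuation entry (CE) naming the next block to read. */
#define NBLOCKS        64
#define NO_CE          (-1)
#define MAX_CE_ENTRIES 32      /* limit stated in the commit message */

struct image { int next_ce[NBLOCKS]; };   /* constructed sample image */

/* Follow the CE chain from `start`. Returns the number of CEs followed,
 * or -1 when the chain is rejected: pointer outside the image, or more
 * than MAX_CE_ENTRIES hops (which also stops any cyclic chain). */
static int walk_ce_chain(const struct image *img, int start)
{
    int hops = 0, blk = start;

    while (img->next_ce[blk] != NO_CE) {
        int next = img->next_ce[blk];
        if (next < 0 || next >= NBLOCKS)
            return -1;          /* corrupted pointer */
        if (++hops > MAX_CE_ENTRIES)
            return -1;          /* too long or looping: stop, report error */
        blk = next;
    }
    return hops;
}

/* Build a constructed chain 0 -> 1 -> ... -> hops; if loop_back is set,
 * the last block points back to block 0, forming a cycle. */
static void make_chain(struct image *img, int hops, int loop_back)
{
    for (int i = 0; i < NBLOCKS; i++)
        img->next_ce[i] = NO_CE;
    for (int i = 0; i < hops; i++)
        img->next_ce[i] = i + 1;
    if (loop_back)
        img->next_ce[hops] = 0;
}

int main(void)
{
    struct image img;
    make_chain(&img, 3, 0);
    printf("short chain: %d\n", walk_ce_chain(&img, 0));
    make_chain(&img, 3, 1);
    printf("cyclic chain: %d\n", walk_ce_chain(&img, 0));
    return 0;
}
```

Without the hop counter, the cyclic chain would keep the while loop running forever, which is the hang described in the advisory.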

Jan 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/10940b16a12beec189a329afc8a561a76a03d194

commit 10940b16a12beec189a329afc8a561a76a03d194
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426065
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/10940b16a12beec189a329afc8a561a76a03d194/fs/isofs/rock.c

Jan 11 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/18f05be112fe58fee784e6da05aa28cc4b04ea01

commit 18f05be112fe58fee784e6da05aa28cc4b04ea01
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426360
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/18f05be112fe58fee784e6da05aa28cc4b04ea01/fs/isofs/rock.c

Jan 12 2017
Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Jan 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d1133c770cb848c3622c02f53a378e646d615508

commit d1133c770cb848c3622c02f53a378e646d615508
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426362
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>

[modify] https://crrev.com/d1133c770cb848c3622c02f53a378e646d615508/fs/isofs/rock.c

Jan 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/686b65ecc49e89c471cde195ce9bcb5db75130f3

commit 686b65ecc49e89c471cde195ce9bcb5db75130f3
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426065
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 10940b16a12beec189a329afc8a561a76a03d194)
Reviewed-on: https://chromium-review.googlesource.com/428145

[modify] https://crrev.com/686b65ecc49e89c471cde195ce9bcb5db75130f3/fs/isofs/rock.c

Jan 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/6f7fde53f09bb8814d92b72b3080e10cf79edc8d

commit 6f7fde53f09bb8814d92b72b3080e10cf79edc8d
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426360
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit 18f05be112fe58fee784e6da05aa28cc4b04ea01)
Reviewed-on: https://chromium-review.googlesource.com/428146

[modify] https://crrev.com/6f7fde53f09bb8814d92b72b3080e10cf79edc8d/fs/isofs/rock.c

Jan 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/dde96a05aa6bbf09cefd8da47b380b0b419d7c1c

commit dde96a05aa6bbf09cefd8da47b380b0b419d7c1c
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426361
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit a7619de06a3ef1a818d29d7343092bdaa08a2286)
Reviewed-on: https://chromium-review.googlesource.com/428147

[modify] https://crrev.com/dde96a05aa6bbf09cefd8da47b380b0b419d7c1c/fs/isofs/rock.c

Jan 13 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/b896e6bf7f7d7b7e6d46ec6bd968665778693c3e

commit b896e6bf7f7d7b7e6d46ec6bd968665778693c3e
Author: Jan Kara <jack@suse.cz>
Date: Mon Dec 15 13:22:46 2014

UPSTREAM: isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data.

BUG= chromium:679492
TEST=Build and run basic tests

Change-Id: I33dbee0d22bd8c6b02a918d4432301785e4e0cf0
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit f54e18f1b831)
Reviewed-on: https://chromium-review.googlesource.com/426362
Reviewed-by: Bernie Thompson <bhthompson@chromium.org>
(cherry picked from commit d1133c770cb848c3622c02f53a378e646d615508)
Reviewed-on: https://chromium-review.googlesource.com/428148

[modify] https://crrev.com/b896e6bf7f7d7b7e6d46ec6bd968665778693c3e/fs/isofs/rock.c

Apr 21 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 1 by groeck@chromium.org, Jan 9 2017