Linux kernel stack overflow when mounting ISO9660 image, including via a USB stick
Reported by cevans@google.com, Aug 16 2014
I've attached a couple of ISO images which exhibit the problem:
- deadlock.iso: causes a deadlock in the mount process in "inode_wait"
- recurse.iso: crashes / reboots a kernel due to kernel stack overflow / corruption.
You can either mount these images directly with mount, e.g.
mount -t iso9660 recurse.iso /mountpoint
Or "dd" them to a USB stick to create a USB stick that causes trouble when plugged in.
The problem is due to unchecked recursion in the parse_rock_ridge_inode_internal() function in fs/isofs/rock.c:
---
	case SIG('C', 'L'):
		ISOFS_I(inode)->i_first_extent =
			isonum_733(rr->u.CL.location);
		reloc =
			isofs_iget(inode->i_sb,
				   ISOFS_I(inode)->i_first_extent,
				   0);
---
In the case of deadlock.iso, we point an inode to itself, leading to deadlock. In the case of recurse.iso, we use a long chain of unique inode references (100+). Because the resolution of the chain is implemented via recursive functions, we explode the kernel stack.
---
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
---
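The following is an added illustration of the recursion described in the report above; it is example code written for this page, not the reporter's ISO images and not the kernel's fs/isofs/rock.c. It models, in user space, an image whose inodes each carry at most one Rock Ridge CL (child link) record naming another inode. `resolve_naive` is shaped like the vulnerable logic: every CL record triggers a nested lookup, so a chain of N links costs N stack frames and a self-link never terminates (a frame budget is added only so the demo itself does not crash). `resolve_hardened` follows a CL record exactly once and rejects any CL record found in the directory that was reached through it, which is my reading of the approach the upstream fix took, not a quotation of the patch. The names `toy_image`, `build_self_loop`, `build_chain` and the `RESOLVE_*` codes are assumptions for this demo; the two image shapes are constructed to match deadlock.iso (an inode pointing to itself) and recurse.iso (a chain of 100+ unique inodes).

```c
/*
 * Added example, not code from the bug report or the kernel. Models the CL
 * relocation chain that parse_rock_ridge_inode_internal() follows, in user
 * space, so the unbounded recursion and a bounded alternative can be compared.
 */
#include <stdio.h>

#define MAX_INODES 512
#define NO_CL (-1)

/* Constructed toy image: one optional CL target per inode (assumed layout). */
struct toy_image {
    int n;                      /* number of inodes in the image */
    int cl_target[MAX_INODES];  /* CL location per inode, or NO_CL */
};

/* Hypothetical return codes for the demo; not the kernel's errno values. */
enum { RESOLVE_OK = 0, RESOLVE_ELOOP = -1, RESOLVE_EINVAL = -2, RESOLVE_EDEPTH = -3 };

/*
 * Shaped like the vulnerable logic: each CL record causes a nested lookup of
 * the target inode. A chain of N links consumes N frames; a self-link loops
 * forever. frames_left exists only to keep this demo alive; the kernel code
 * had no such bound, which is the bug.
 */
static int resolve_naive(const struct toy_image *img, int ino, int frames_left, int *out)
{
    if (frames_left == 0)
        return RESOLVE_EDEPTH;      /* in the kernel: stack overflow or hang */
    if (ino < 0 || ino >= img->n)
        return RESOLVE_EINVAL;
    if (img->cl_target[ino] == NO_CL) {
        *out = ino;
        return RESOLVE_OK;
    }
    return resolve_naive(img, img->cl_target[ino], frames_left - 1, out);
}

/*
 * Bounded version: a CL record is honoured once. The inode it names is a
 * relocated directory; a CL record found there is rejected rather than
 * followed, so no chain exceeds one hop and no recursion is needed at all.
 * Assumption: this mirrors the upstream fix's rule of refusing CL records in
 * already-relocated directories. Self-links and bad targets are rejected too.
 */
static int resolve_hardened(const struct toy_image *img, int ino, int *out)
{
    if (ino < 0 || ino >= img->n)
        return RESOLVE_EINVAL;
    int target = img->cl_target[ino];
    if (target == NO_CL) {
        *out = ino;
        return RESOLVE_OK;
    }
    if (target < 0 || target >= img->n)
        return RESOLVE_EINVAL;
    if (target == ino)
        return RESOLVE_ELOOP;       /* deadlock.iso shape: inode points to itself */
    if (img->cl_target[target] != NO_CL)
        return RESOLVE_ELOOP;       /* recurse.iso shape: CL inside a relocated dir */
    *out = target;
    return RESOLVE_OK;
}

/* Constructed image: inode 1 carries a CL record pointing at inode 1. */
static void build_self_loop(struct toy_image *img)
{
    img->n = 2;
    for (int i = 0; i < img->n; i++)
        img->cl_target[i] = NO_CL;
    img->cl_target[1] = 1;
}

/* Constructed image: inode 1 -> 2 -> ... -> len+1, a chain of len unique CL links. */
static void build_chain(struct toy_image *img, int len)
{
    img->n = len + 2;
    for (int i = 0; i < img->n; i++)
        img->cl_target[i] = NO_CL;
    for (int i = 1; i <= len; i++)
        img->cl_target[i] = i + 1;
}

int main(void)
{
    struct toy_image img;
    int out = -1;

    build_self_loop(&img);
    printf("self-loop  naive=%d hardened=%d\n",
           resolve_naive(&img, 1, 64, &out), resolve_hardened(&img, 1, &out));

    build_chain(&img, 100);
    printf("chain(100) naive(50 frames)=%d naive(200 frames)=%d hardened=%d\n",
           resolve_naive(&img, 1, 50, &out), resolve_naive(&img, 1, 200, &out),
           resolve_hardened(&img, 1, &out));
    return 0;
}
```

The point the model makes is that the depth of the naive walk is chosen entirely by whoever authored the image, while the hardened walk is constant-depth regardless of input, which is the property a kernel parser of untrusted on-disk metadata needs.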
Aug 28 2014
Hey, thank you for this research and thanks to Jan for the quick bugfix. Does anybody know why this bug doesn't work with SELinux? It's quite interesting for me, but I can't understand why. Actually, with SELinux Enforcing mode (MLS) deadlock.iso is just mounting. I can see the *hello* file and so on. recursive.iso just doesn't mount because of wrong fs type. And /var/log/messages says: kernel: ISOFS: Unable to identify CD-ROM format. But, as far as I understand, it is wrong actually :) kernel: 2.6.32
Status: Fixed