Bug 87951
| Summary: | isofs: unbound recursion when processing 'CE' entry | ||
|---|---|---|---|
| Product: | File System | Reporter: | longpanda (longpanda) |
| Component: | Other | Assignee: | Alan (alan) |
| Status: | NEW --- | ||
| Severity: | normal | CC: | alan, loic-kernel |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.32 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
| Attachments: | test.iso | ||
It looks like this has been fixed by f54e18f1b831c92f6512d2eedb224cd63d607d3d: Author: Jan Kara <jack@suse.cz> Date: Mon Dec 15 14:22:46 2014 +0100 isofs: Fix infinite looping over CE entries Rock Ridge extensions define so called Continuation Entries (CE) which define where is further space with Rock Ridge data. Corrupted isofs image can contain arbitrarily long chain of these, including a one containing loop and thus causing kernel to end in an infinite loop when traversing these entries. Limit the traversal to 32 entries which should be more than enough space to store all the Rock Ridge data. Reported-by: P J P <ppandit@redhat.com> CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> With 4.2.0-next-20150902 I can mount the provided iso without any problem. |
Created attachment 157021 [details] test.iso This is similar to CVE-2014-5471 and CVE-2014-5472. In that case, it's about process of "CL" entry of Rock Ridge extension. And now it's about "CE" entry. I made an ISO9660 file with Rock Ridge extension, and set the "CE" point to it self. Then, the kernel will go to unbound recursion when i mount the file. I test it in ubuntu-14.10 with kernel 2.6.32. The bug in CVE-2014-5471 and CVE-2014-5472 has been fixed, but this bug is still exist. I add the test.iso in the attachment.