Bug 87951

Summary: isofs: unbound recursion when processing 'CE' entry
Product: File System Reporter: longpanda (longpanda)
Component: OtherAssignee: Alan (alan)
Status: NEW ---    
Severity: normal CC: alan, loic-kernel
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 2.6.32 Subsystem:
Regression: No Bisected commit-id:
Attachments: test.iso

Description longpanda 2014-11-08 05:44:01 UTC
Created attachment 157021 [details]
test.iso

This is similar to CVE-2014-5471 and CVE-2014-5472.
In that case, it's about process of "CL" entry of Rock Ridge extension.
And now it's about "CE" entry.

I made an ISO9660 file with Rock Ridge extension, and set the "CE" point to it self.
Then, the kernel will go to unbound recursion when i mount the file.

I test it in ubuntu-14.10 with kernel 2.6.32.
The bug in CVE-2014-5471 and CVE-2014-5472 has been fixed, but this bug is still exist.

I add the test.iso in the attachment.
Comment 1 Loic P 2015-09-03 17:27:48 UTC
It looks like this has been fixed by f54e18f1b831c92f6512d2eedb224cd63d607d3d:

Author: Jan Kara <jack@suse.cz>
Date:   Mon Dec 15 14:22:46 2014 +0100

    isofs: Fix infinite looping over CE entries
    
    Rock Ridge extensions define so called Continuation Entries (CE) which
    define where is further space with Rock Ridge data. Corrupted isofs
    image can contain arbitrarily long chain of these, including a one
    containing loop and thus causing kernel to end in an infinite loop when
    traversing these entries.
    
    Limit the traversal to 32 entries which should be more than enough space
    to store all the Rock Ridge data.
    
    Reported-by: P J P <ppandit@redhat.com>
    CC: stable@vger.kernel.org
    Signed-off-by: Jan Kara <jack@suse.cz>

With 4.2.0-next-20150902 I can mount the provided iso without any problem.