authorJosh Boyer <jwboyer@fedoraproject.org>2016-05-19 08:08:00 -0400
committerJosh Boyer <jwboyer@fedoraproject.org>2016-05-19 08:08:13 -0400
commitd0d74143fe7988adacd711cc360a029e628ebdb6 (patch)
treeaf5f6756b302eb930530936fc0517d7303a1e68f
parentc028c2f93b823795db58699c21295fb59c171947 (diff)
CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
-rw-r--r--get_rock_ridge_filename-handle-malformed-NM-entries.patch63
-rw-r--r--kernel.spec6
2 files changed, 69 insertions, 0 deletions
diff --git a/get_rock_ridge_filename-handle-malformed-NM-entries.patch b/get_rock_ridge_filename-handle-malformed-NM-entries.patch
new file mode 100644
index 000000000..3f5db6c8a
--- /dev/null
+++ b/get_rock_ridge_filename-handle-malformed-NM-entries.patch
@@ -0,0 +1,63 @@
+From 99d825822eade8d827a1817357cbf3f889a552d6 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Thu, 5 May 2016 16:25:35 -0400
+Subject: [PATCH] get_rock_ridge_filename(): handle malformed NM entries
+
+Payloads of NM entries are not supposed to contain NUL. When we run
+into such, only the part prior to the first NUL goes into the
+concatenation (i.e. the directory entry name being encoded by a bunch
+of NM entries). We do stop when the amount collected so far + the
+claimed amount in the current NM entry exceed 254. So far, so good,
+but what we return as the total length is the sum of *claimed*
+sizes, not the actual amount collected. And that can grow pretty
+large - not unlimited, since you'd need to put CE entries in
+between to be able to get more than the maximum that could be
+contained in one isofs directory entry / continuation chunk and
+we are stop once we'd encountered 32 CEs, but you can get about 8Kb
+easily. And that's what will be passed to readdir callback as the
+name length. 8Kb __copy_to_user() from a buffer allocated by
+__get_free_page()
+
+Cc: stable@vger.kernel.org # 0.98pl6+ (yes, really)
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+---
+ fs/isofs/rock.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
+index 5384ceb35b1c..98b3eb7d8eaf 100644
+--- a/fs/isofs/rock.c
++++ b/fs/isofs/rock.c
+@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
+ int retnamlen = 0;
+ int truncate = 0;
+ int ret = 0;
++ char *p;
++ int len;
+
+ if (!ISOFS_SB(inode->i_sb)->s_rock)
+ return 0;
+@@ -267,12 +269,17 @@ repeat:
+ rr->u.NM.flags);
+ break;
+ }
+- if ((strlen(retname) + rr->len - 5) >= 254) {
++ len = rr->len - 5;
++ if (retnamlen + len >= 254) {
+ truncate = 1;
+ break;
+ }
+- strncat(retname, rr->u.NM.name, rr->len - 5);
+- retnamlen += rr->len - 5;
++ p = memchr(rr->u.NM.name, '\0', len);
++ if (unlikely(p))
++ len = p - rr->u.NM.name;
++ memcpy(retname + retnamlen, rr->u.NM.name, len);
++ retnamlen += len;
++ retname[retnamlen] = '\0';
+ break;
+ case SIG('R', 'E'):
+ kfree(rs.buffer);
+--
+2.5.5
+
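Review bot: The new line `len = rr->len - 5;` has no lower bound on `rr->len` visible in this hunk, and `len` is a signed `int` that is then handed to `memchr()` and `memcpy()` as a size; if an entry carrying the NM signature can reach this point with `rr->len` below 5 (the loop's length check sits above the hunk and is not in view), `len` becomes negative, the `retnamlen + len >= 254` guard does not trip, and the negative value converts to a huge `size_t`, so the copy would read past the entry and write past `retname`. Unless the enclosing loop already rejects such entries, a guard `if (rr->len < 5) break;` placed directly before `len = rr->len - 5;` closes that path in the same style as the surrounding `break`s. The terminator write `retname[retnamlen] = '\0';` now also depends on `retname` holding at least 254 bytes (index can reach 253); a one-line comment at the buffer's declaration, which is outside the hunk, would make that contract explicit. The body of get_rock_ridge_filename() begins and ends outside the hunk.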
diff --git a/kernel.spec b/kernel.spec
index 0fb7bdfa4..472349979 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -669,6 +669,9 @@ Patch717: KEYS-Fix-ASN.1-indefinite-length-object-parsing.patch
#CVE-2016-3713 rhbz 1332139 1336410
Patch718: KVM-MTRR-remove-MSR-0x2f8.patch
+#CVE-2016-4913 rhbz 1337528 1337529
+Patch719: get_rock_ridge_filename-handle-malformed-NM-entries.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -2190,6 +2193,9 @@ fi
#
#
%changelog
+* Thu May 19 2016 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2016-4913 isofs: info leak with malformed NM entries (rhbz 1337528 1337529)
+
* Mon May 16 2016 Justin M. Forbes <jforbes@fedoraproject.org>
- Disable CONFIG_DEBUG_VM_PGFLAGS on non debug kernels (rhbz 1335173)