Bug 896689 – VUL-0: CVE-2014-6410: kernel: udf: Avoid infinite loop when processing indirect ICBs

Bug 896689 - (CVE-2014-6410) VUL-0: CVE-2014-6410: kernel: udf: Avoid infinite loop when processing indirect ICBs

(CVE-2014-6410)
Summary:	VUL-0: CVE-2014-6410: kernel: udf: Avoid infinite loop when processing indire...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle10-sp3:59071 maint...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2014-09-15 11:46 UTC by Marcus Meissner
Modified:	2015-02-19 02:01 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2014-09-15 11:46:47 UTC

is public, via oss-sec (also earlier via grsecurity)

https://twitter.com/grsecurity/status/509861074175524864

commit c03aa9f6e1f938618e6db2e23afef0574efeeb65
Author: Jan Kara <jack@suse.cz>
Date:   Thu Sep 4 14:06:55 2014 +0200

    udf: Avoid infinite loop when processing indirect ICBs
    
    We did not implement any bound on number of indirect ICBs we follow when
    loading inode. Thus corrupted medium could cause kernel to go into an
    infinite loop, possibly causing a stack overflow.
    
    Fix the possible stack overflow by removing recursion from
    __udf_read_inode() and limit number of indirect ICBs we follow to avoid
    infinite loops.
    
    Signed-off-by: Jan Kara <jack@suse.cz>


CVE will be assigned

Comment 1 SMASH SMASH 2014-09-15 14:20:15 UTC

Affected packages:

SLE-10-SP3-TERADATA: kernel-source
SLE-11-SP1-TERADATA: kernel-source
SLE-11-SP3: kernel-source
SLE-11-SP3-PRODUCTS: kernel-source
SLE-11-SP3-UPTU: kernel-source

Comment 2 Swamp Workflow Management 2014-09-15 22:00:17 UTC

bugbot adjusting priority

Comment 3 Jan Kara 2014-09-17 20:39:52 UTC

OK, committed to SLES10_SP2_LTSS, SLES10_SP3_LTSS, SLES10-SP4-LTSS, SLE11-SP1-LTSS, SLE11-SP2-LTSS, SLE11-SP3, openSUSE 12.3, openSUSE 13.1 trees.

Since we are close to SLE12 GA and the problem isn't really severe, I didn't push the fix to SLE12 branch for now (and the kernel will get the fix through stable tree anyway).

Added Michal to CC for TD branches.

Comment 5 Michal Hocko 2014-09-22 08:42:47 UTC

pushed to SLE11-SP1-TD and SLES10-SP3-TD branches. Thanks Jack for CCing me.

Comment 6 Jan Kara 2014-09-22 09:07:12 UTC

Everything done, reassigning to security team.

Comment 9 Swamp Workflow Management 2014-09-25 09:08:27 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-10-02.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59070

Comment 10 Swamp Workflow Management 2014-10-22 23:25:33 UTC

SUSE-SU-2014:1319-1: An update that solves 13 vulnerabilities and has 75 fixes is now available.

Category: security (important)
Bug References: 774818,806990,816708,826486,832309,833820,849123,855657,859840,860441,860593,863586,866130,866615,866864,866911,869055,869934,870161,871134,871797,876017,876055,876114,876590,879304,879921,880344,880370,880892,881051,881759,882317,882639,882804,882900,883096,883376,883518,883724,884333,884582,884725,884767,885262,885382,885422,885509,886840,887082,887418,887503,887608,887645,887680,888058,888105,888591,888607,888847,888849,888968,889061,889173,889451,889614,889727,890297,890426,890513,890526,891087,891259,891281,891619,891746,892200,892490,892723,893064,893496,893596,894200,895221,895608,895680,895983,896689
CVE References: CVE-2013-1979,CVE-2014-1739,CVE-2014-2706,CVE-2014-3153,CVE-2014-4027,CVE-2014-4171,CVE-2014-4508,CVE-2014-4667,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-default-3.0.101-0.40.1, kernel-ec2-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-ppc64-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1, xen-4.2.4_04-0.7.3
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.27.99, drbd-kmp-8.4.4-0.22.65, iscsitarget-1.4.20-0.38.84, kernel-rt-3.0.101.rt130-0.28.1, kernel-rt_trace-3.0.101.rt130-0.28.1, kernel-source-rt-3.0.101.rt130-0.28.1, kernel-syms-rt-3.0.101.rt130-0.28.1, lttng-modules-2.1.1-0.11.75, ocfs2-1.6-0.20.99, ofed-1.5.4.1-0.13.90
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.98, gfs2-2-0.16.104, ocfs2-1.6-0.20.98
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1, xen-4.2.4_04-0.7.3
SLE 11 SERVER Unsupported Extras (src):    kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-ppc64-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1

Comment 12 Swamp Workflow Management 2014-11-07 10:47:34 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-11-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59589

Comment 13 Marcus Meissner 2014-12-19 17:20:30 UTC

i think we are largely good and released

Comment 14 Swamp Workflow Management 2014-12-19 18:08:18 UTC

openSUSE-SU-2014:1669-1: An update that solves 22 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 768714,818561,835839,853040,865882,882639,883518,883724,883948,887082,889173,890624,892490,896382,896385,896390,896391,896392,896689,899785,904013,904700,905100,905764,907818,909077,910251
CVE References: CVE-2013-2889,CVE-2013-2891,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 12.3 (src):    kernel-docs-3.7.10-1.45.2, kernel-source-3.7.10-1.45.1, kernel-syms-3.7.10-1.45.1

Comment 15 Swamp Workflow Management 2014-12-21 12:10:15 UTC

openSUSE-SU-2014:1677-1: An update that solves 31 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 818966,835839,853040,856659,864375,865882,873790,875051,881008,882639,882804,883518,883724,883948,883949,884324,887046,887082,889173,890114,891689,892490,893429,896382,896385,896390,896391,896392,896689,897736,899785,900392,902346,902349,902351,904013,904700,905100,905744,907818,908163,909077,910251
CVE References: CVE-2013-2891,CVE-2013-2898,CVE-2014-0181,CVE-2014-0206,CVE-2014-1739,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4611,CVE-2014-4943,CVE-2014-5077,CVE-2014-5206,CVE-2014-5207,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-7975,CVE-2014-8133,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.16.1, crash-7.0.2-2.16.1, hdjmod-1.28-16.16.1, ipset-6.21.1-2.20.1, iscsitarget-1.4.20.3-13.16.1, kernel-docs-3.11.10-25.2, kernel-source-3.11.10-25.1, kernel-syms-3.11.10-25.1, ndiswrapper-1.58-16.1, pcfclock-0.44-258.16.1, vhba-kmp-20130607-2.17.1, virtualbox-4.2.18-2.21.1, xen-4.3.2_02-30.1, xtables-addons-2.3-2.16.1