Date: Wed, 18 May 2016 10:28:37 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Subject: CVE Request: Linux: information leak in Rock Ridge Extensions to
 iso9660 -- fs/isofs/rock.c


The following commit in Linux v4.6 addresses an information leak
caused by not properly handling NM entries containing NUL. Quoting the
commit message:

> Subject: get_rock_ridge_filename(): handle malformed NM entries
> Payloads of NM entries are not supposed to contain NUL.  When we run
> into such, only the part prior to the first NUL goes into the
> concatenation (i.e. the directory entry name being encoded by a bunch
> of NM entries).  We do stop when the amount collected so far + the
> claimed amount in the current NM entry exceed 254.  So far, so good,
> but what we return as the total length is the sum of *claimed*
> sizes, not the actual amount collected.  And that can grow pretty
> large - not unlimited, since you'd need to put CE entries in
> between to be able to get more than the maximum that could be
> contained in one isofs directory entry / continuation chunk and
> we stop once we'd encountered 32 CEs, but you can get about 8Kb
> easily.  And that's what will be passed to readdir callback as the
> name length.  8Kb __copy_to_user() from a buffer allocated by
> __get_free_page()
> Cc: # 0.98pl6+ (yes, really)
> Signed-off-by: Al Viro <>

Upstream commit: (v4.6)

Can you please assign a CVE for this issue?
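
The length mismatch described in the quoted commit message, as an added user-space model (not the kernel's code and not part of the original post). `struct nm_entry`, the function names and the sample entries are hypothetical and constructed for illustration; the 254-byte cutoff is the one named in the commit message.

```c
#include <stddef.h>
#include <string.h>
#define RR_NAME_LIMIT 254   /* cutoff named in the commit message */
struct nm_entry { const char *payload; size_t claimed; }; /* hypothetical model of one NM payload */

/* Pre-fix behaviour as described: the copy stops at NUL, the claimed size is summed. */
size_t collect_claimed(const struct nm_entry *e, size_t n, char *out)
{
    size_t total = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (strlen(out) + e[i].claimed >= RR_NAME_LIMIT)
            break;
        strncat(out, e[i].payload, e[i].claimed);  /* stops at the first NUL */
        total += e[i].claimed;                     /* counts bytes never copied */
    }
    return total;
}

/* Hardened: clamp each fragment at its first NUL and count only what was copied. */
size_t collect_actual(const struct nm_entry *e, size_t n, char *out)
{
    size_t total = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = e[i].claimed;
        if (total + len >= RR_NAME_LIMIT)
            break;
        const char *nul = memchr(e[i].payload, '\0', len);
        if (nul)
            len = (size_t)(nul - e[i].payload);
        memcpy(out + total, e[i].payload, len);
        total += len;
        out[total] = '\0';
    }
    return total;
}

/* Constructed sample: 10 entries, each claiming 200 bytes but holding only "a". */
size_t demo_excess(int hardened)
{
    static const char frag[200] = "a";
    struct nm_entry e[10];
    char name[RR_NAME_LIMIT + 1];
    for (size_t i = 0; i < 10; i++)
        e[i] = (struct nm_entry){ frag, sizeof(frag) };
    size_t reported = hardened ? collect_actual(e, 10, name) : collect_claimed(e, 10, name);
    return reported - strlen(name);  /* length reported beyond the real name */
}
```

With the constructed sample, the first variant reports a length 1990 bytes longer than the 10-byte name it actually assembled, while the hardened variant reports exactly the collected length.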

