Linux kernel stack overflow when mounting ISO9660 image, including via a USB stick

[GoogleCodeExporter]

I've attached a couple of ISO images which exhibit the problem:

- deadlock.iso: causes a deadlock in the mount process in "inode_wait"
- recurse.iso: crashes / reboots a kernel due to kernel stack overflow / 
corruption.

You can either mount these images directly with mount, e.g.
mount -t iso9660 recurse.iso /mountpoint

Or "dd" them to a USB stick to create a USB stick that causes trouble when 
plugged in.

The problem is due to unchecked recursion in the 
parse_rock_ridge_inode_internal() function in fs/isofs/rock.c:

---
                case SIG('C', 'L'):
                        ISOFS_I(inode)->i_first_extent =
                            isonum_733(rr->u.CL.location);
                        reloc =
                            isofs_iget(inode->i_sb,
                                       ISOFS_I(inode)->i_first_extent,
                                       0);

---

In the case of deadlock.iso, we point an inode to itself, leading to deadlock. 
In the case of recurse.iso, we use a long chain of unique inode references 
(100+). Because the resolution of the chain is implemented via recursive 
functions, we explode the kernel stack.

---
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without 
a broadly available patch, then the bug report will automatically become 
visible to the public.

---

Original issue reported on code.google.com by cev...@google.com on 16 Aug 2014 at 6:42

Attachments:

• deadlock.iso
• recurse.iso

[GoogleCodeExporter]

Fixed in Linus' git tree: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=410dd3
cf4c9b36f27ed4542ee18b1af5e68645a4

Awesome fast fix from Jan Kara <jack@suse.cz>.

Already noted on Twitter by the sharp eyes of @grsecurity: 
https://twitter.com/grsecurity/status/502580229156925441

So may as well open up the bug.

Original comment by cev...@google.com on 22 Aug 2014 at 5:57

• Changed state: Fixed
• Added labels: Fixed-2014-Aug-19
• Removed labels: Restrict-View-Commit

[GoogleCodeExporter]

Hey, thank you for this research and thnx to Jan for quick bugfix.

Does anybody know, why this bug doesn't work with SELinux? It's quite 
interesting for me, but I can't understand why.
Actually, with SELinux Enforcing mode (MLS)
deadlock.iso is just mounting. I can see *hello* file and so on.
recursive.iso just doesn't mount because of wrong fs type. And 
/var/log/messages says: kernel: ISOFS: Unable to identify CD-ROM format.
But, as far as i understand it is wrong actually :)
kernel: 2.6.32

Original comment by Vitaly.R...@gmail.com on 28 Aug 2014 at 1:01