Red Hat Bugzilla – Bug 214288
CVE-2006-5757 ISO9660 __find_get_block_slow() denial of service
Last modified: 2007-11-30 17:07:27 EST
Reported as MOKB-05-11-2006: http://projects.info-pull.com/mokb/MOKB-05-11-2006.html The ISO9660 filesystem handling code of the Linux 2.6.x kernel fails to properly handle corrupted data structures, leading to an exploitable denial of service condition. This particular vulnerability seems to be caused by a race condition and a signedness issue. When performing a read operation on a corrupted ISO9660 fs stream, the isofs_get_blocks() function will enter an infinite loop when __find_get_block_slow() callback from sb_getblk() fails ("due to various races between file io on the block device and getblk").
This upstream patch resolves the issue: http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e5657933863f43cc6bb76a54d659303dafaa9e58;hp=e0ab2928cc2202f13f0574d4c6f567f166d307eb
committed in stream U5 build 42.24. A test kernel with this patch is available from http://people.redhat.com/~jbaron/rhel4/
verified with the mokb image and numerous runs of fsfuzz have not reproduced similar behavior.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0014.html