Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability exists in the Linux kernel's ISO 9660 file system handling, specifically within the Rock Ridge extension. The 'rock_continue()' function reads the continuation extent directly from the Rock Ridge Common Extension (CE) record and passes it to 'sb_bread()' without verifying that the block number is within the limits of the mounted ISO 9660 volume. This flaw can lead to improper handling of directory entries, potentially allowing a crafted ISO to exploit it. The vulnerability affects several versions of the Linux kernel.
Because Rock Ridge CE continuation extents are not properly validated, exploitation could allow potential information leaks from adjacent filesystems.
To reproduce this vulnerability, mount a crafted ISO image that exploits the Rock Ridge CE continuation extent validation flaw. This can be done using 'udisks2' for desktop optical auto-mounting or by manually mounting the ISO with 'CAP_SYS_ADMIN' privileges. The crafted ISO should be designed to include a Rock Ridge CE record that points to an out-of-range block or a block belonging to an adjacent filesystem on the same block device.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
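The bounds check that the description says is missing, written as a userspace C validator for one System Use area. This is an added example, not the kernel's code or its fix. The function name, verdict enum and sample bytes are constructed for illustration, the CE layout (28-byte entry with three both-endian 32-bit fields) follows the SUSP specification, and requiring the continuation area to fit in one logical block is an assumption of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ce_verdict { CE_NONE, CE_OK, CE_OUT_OF_RANGE, CE_MALFORMED };

/* Little-endian half of an ISO 9660 both-endian 32-bit field. */
static uint32_t le32(const unsigned char *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk one System Use area and validate every CE entry against the volume.
 * volume_blocks is the Volume Space Size and block_size the logical block
 * size, both read from the primary volume descriptor by the caller. */
enum ce_verdict check_ce(const unsigned char *su, size_t su_len,
                         uint32_t volume_blocks, uint32_t block_size)
{
    enum ce_verdict verdict = CE_NONE;
    for (size_t pos = 0; su_len - pos >= 4; ) {
        const unsigned char *e = su + pos;
        size_t elen = e[2];                  /* SUSP entry length byte */
        if (elen < 4 || elen > su_len - pos)
            return CE_MALFORMED;
        if (memcmp(e, "CE", 2) == 0) {
            if (elen != 28)
                return CE_MALFORMED;
            uint32_t block = le32(e + 4), offset = le32(e + 12), size = le32(e + 20);
            if (block >= volume_blocks)      /* extent lies outside the volume */
                return CE_OUT_OF_RANGE;
            if (offset > block_size || size > block_size - offset)
                return CE_MALFORMED;         /* assumption: area fits one block */
            verdict = CE_OK;
        }
        pos += elen;
    }
    return verdict;
}

/* Constructed samples: one CE entry each, extent block 40 and block 5000. */
static const unsigned char CE_IN_RANGE[28] = { 'C','E',28,1, 40,0,0,0, 0,0,0,40,
    0,0,0,0, 0,0,0,0, 237,0,0,0, 0,0,0,237 };
static const unsigned char CE_PAST_END[28] = { 'C','E',28,1, 0x88,0x13,0,0, 0,0,0x13,0x88,
    0,0,0,0, 0,0,0,0, 237,0,0,0, 0,0,0,237 };

int main(void)
{   /* Checked against a constructed 1000-block volume with 2048-byte blocks. */
    printf("in range: %d, past end: %d\n", check_ce(CE_IN_RANGE, 28, 1000, 2048),
           check_ce(CE_PAST_END, 28, 1000, 2048));
    return 0;
}
```

A block number at or beyond the Volume Space Size is rejected even when the underlying device is larger, which is the case of an extent landing in an adjacent filesystem on the same block device.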