From: Kyle Zeng <kylebot@openai.com>
To: linux-kernel@vger.kernel.org
Cc: Jan Kara <jack@suse.com>,
outbounddisclosures@openai.com, Kyle Zeng <kylebot@openai.com>
Subject: [PATCH v2] udf: validate extent partition references in udf_current_aext()
Date: Fri, 12 Jun 2026 15:58:46 -0700
Message-ID: <20260612225846.97678-1-kylebot@openai.com>

Long allocation descriptors carry an on-disk
extLocation.partitionReferenceNum. udf_current_aext() copies that value
into a kernel_lb_addr and returns it to several consumers.

If the partition reference is outside s_partitions, callers can later
index s_partmaps out of bounds. The truncate/free path can pass such an
extent to udf_free_blocks(), where the invalid partition reference
causes a slab out-of-bounds read.

Validate eloc->partitionReferenceNum in udf_current_aext() before
returning a decoded extent. This rejects invalid file extents and
indirect allocation descriptor extents in the common parser, so callers
do not need to duplicate the partition-map bounds check.

Assisted-by: Codex:gpt-5.5
Signed-off-by: Kyle Zeng <kylebot@openai.com>
---
fs/udf/inode.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 67bcf83..3a65b95 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -2151,6 +2151,7 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos,
struct short_ad *sad;
struct long_ad *lad;
struct udf_inode_info *iinfo = UDF_I(inode);
+ struct udf_sb_info *sbi = UDF_SB(inode->i_sb);
if (!epos->bh)
ptr = iinfo->i_data + epos->offset -
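Review bot: The sbi declaration lands in udf_write_aext() according to this hunk's @@ header (and the brace-less "if (!epos->bh)" context), but the only use of sbi in the patch is the check added to udf_current_aext() in the next hunk. As posted, udf_write_aext() gains a variable it never reads, and the check in udf_current_aext() relies on a declaration this patch does not add there. Move "struct udf_sb_info *sbi = UDF_SB(inode->i_sb);" into udf_current_aext() and build-test before resending.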
@@ -2299,6 +2300,12 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos,
return -EINVAL;
}
+ if (eloc->partitionReferenceNum >= sbi->s_partitions) {
+ udf_debug("invalid partition reference %u (partitions %u)\n",
+ eloc->partitionReferenceNum, sbi->s_partitions);
+ return -EFSCORRUPTED;
+ }
+
return 1;
}
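Review bot: The new check returns -EFSCORRUPTED, while the error return visible just above it in the same function is -EINVAL, so callers of udf_current_aext() now see two different codes for a malformed descriptor; either use one code or say in the commit message why the distinction matters and that every caller treats a negative return as an error. The rejection is reported with udf_debug(), which stays silent unless debug output is enabled; for on-disk corruption that the commit message ties to a slab out-of-bounds read, a rate-limited warning would make the event visible in triage. The posting also carries no Fixes: tag and no v1-to-v2 changelog below the "---" line.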
--
2.54.0