From: Kyle Zeng
To: linux-kernel@vger.kernel.org
Cc: Jan Kara, outbounddisclosures@openai.com, Kyle Zeng
Subject: [PATCH v2] udf: validate extent partition references in udf_current_aext()
Date: Fri, 12 Jun 2026 15:58:46 -0700
Message-ID: <20260612225846.97678-1-kylebot@openai.com>
X-Mailer: git-send-email 2.54.0

Long allocation descriptors carry an on-disk extLocation.partitionReferenceNum. udf_current_aext() copies that value into a kernel_lb_addr and returns it to several consumers. If the partition reference is outside s_partitions, callers can later index s_partmaps out of bounds. The truncate/free path can pass such an extent to udf_free_blocks(), where the invalid partition reference causes a slab out-of-bounds read.

Validate eloc->partitionReferenceNum in udf_current_aext() before returning a decoded extent. This rejects invalid file extents and indirect allocation descriptor extents in the common parser, so callers do not need to duplicate the partition-map bounds check.

Assisted-by: Codex:gpt-5.5
Signed-off-by: Kyle Zeng
---
 fs/udf/inode.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 67bcf83..3a65b95 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -2151,6 +2151,7 @@ void udf_write_aext(struct inode *inode, struct extent_position *epos, struct short_ad *sad; struct long_ad *lad; struct udf_inode_info *iinfo = UDF_I(inode); + struct udf_sb_info *sbi = UDF_SB(inode->i_sb); if (!epos->bh) ptr = iinfo->i_data + epos->offset -
@@ -2299,6 +2300,12 @@ int udf_current_aext(struct inode *inode, struct extent_position *epos, return -EINVAL; } + if (eloc->partitionReferenceNum >= sbi->s_partitions) { + udf_debug("invalid partition reference %u (partitions %u)\n", + eloc->partitionReferenceNum, sbi->s_partitions); + return -EFSCORRUPTED; + } + return 1; } -- 2.54.0
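Review bot: the `sbi` local added in the first hunk (line 2151) is declared in the wrong function. The hunk header names udf_write_aext(), and the surrounding context (the `sad`/`lad`/`iinfo` locals followed by an unbraced `if (!epos->bh) ptr = iinfo->i_data + ...`) is that function's prologue, but the only use of `sbi` in the patch is inside udf_current_aext() in the second hunk. Unless udf_current_aext() already has a `sbi` of its own, which nothing in the visible context shows, the new check will not compile (undeclared identifier), and if it does, the declaration added here is an unused variable in udf_write_aext(). Move `struct udf_sb_info *sbi = UDF_SB(inode->i_sb);` next to the `iinfo` declaration in udf_current_aext(), or drop the local and write `UDF_SB(inode->i_sb)->s_partitions` directly in the comparison; a build with W=1 would have flagged either outcome.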
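Review bot: the rejection in the second hunk is only reported through udf_debug(), which is compiled out unless UDFFS_DEBUG is enabled, so a filesystem whose allocation descriptor points at a non-existent partition is silently refused with -EFSCORRUPTED and an administrator gets no hint of why an operation failed. The `-EINVAL` path just above also uses udf_debug(), but that one covers an unsupported alloc_type rather than corrupted on-disk metadata; for the new case `udf_err(inode->i_sb, "invalid partition reference %u (partitions %u)\n", ...)` would put the rejected extent in the kernel log. Also worth a sentence in the commit message: because the check sits after the whole switch, just before `return 1;`, it applies to the short-AD path as well as the long-AD path the message describes, so the partition reference inherited from the inode location is now validated too; say whether that is intended.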