From: Jan Kara <jack@suse.cz>
To: stable@kernel.org
Cc: <linux-fsdevel@vger.kernel.org>, Jan Kara <jack@suse.cz>
Subject: [PATCH 2/3] udf: Avoid run away loop when partition table length is corrupted
Date: Wed, 4 Jul 2012 12:55:17 +0200
Message-ID: <1341399318-13744-3-git-send-email-jack@suse.cz>
In-Reply-To: <1341399318-13744-1-git-send-email-jack@suse.cz>
Check provided length of partition table so that (possibly maliciously)
corrupted partition table cannot cause accessing data beyond current buffer.
Signed-off-by: Jan Kara <jack@suse.cz>
---
fs/udf/super.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
Index: linux-3.0-SLE11-SP2/fs/udf/super.c
===================================================================
--- linux-3.0-SLE11-SP2.orig/fs/udf/super.c
+++ linux-3.0-SLE11-SP2/fs/udf/super.c
@@ -1254,6 +1254,7 @@ static int udf_load_logicalvol(struct su
struct genericPartitionMap *gpm;
uint16_t ident;
struct buffer_head *bh;
+ unsigned int table_len;
int ret = 0;
bh = udf_read_tagged(sb, block, block, &ident);
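Review bot: style point on the new declaration: `unsigned int table_len` would read better as uint32_t, since the value comes from le32_to_cpu() on a 32-bit on-disk field and the neighbouring declaration already uses a fixed-width type (`uint16_t ident`). The %u in the later error message still fits.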
@@ -1261,13 +1262,20 @@ static int udf_load_logicalvol(struct su
return 1;
BUG_ON(ident != TAG_IDENT_LVD);
lvd = (struct logicalVolDesc *)bh->b_data;
+ table_len = le32_to_cpu(lvd->mapTableLength);
+ if (sizeof(*lvd) + table_len > sb->s_blocksize) {
+ udf_error(sb, __func__, "error loading logical volume descriptor: "
+ "Partition table too long (%u > %lu)\n", table_len,
+ sb->s_blocksize - sizeof(*lvd));
+ goto out_bh;
+ }
ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
if (ret)
goto out_bh;
for (i = 0, offset = 0;
- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
+ i < sbi->s_partitions && offset < table_len;
i++, offset += gpm->partitionMapLength) {
struct udf_part_map *map = &sbi->s_partmaps[i];
gpm = (struct genericPartitionMap *)
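Review bot: the bound check `sizeof(*lvd) + table_len > sb->s_blocksize` can wrap where size_t is 32 bits: a mapTableLength close to 0xffffffff makes the sum small, the check passes, and the loop bound is still controlled by the media. Compare without the addition, for example `table_len > sb->s_blocksize - sizeof(*lvd)`, which is also the quantity the error message prints. Two further points in the same hunk: the new `goto out_bh` leaves ret at its initial 0 while the earlier read failure returns 1, so consider setting an error value before the jump; and the loop condition only tests `offset < table_len`, so an entry that starts just below table_len can still be read past the end of the table unless offset plus the entry size is checked as well.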