public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>, jack@suse.com
Subject: [PATCH AUTOSEL 4.19 07/14] udf: Avoid excessive partition lengths
Date: Wed, 31 Jul 2024 20:40:15 -0400
Message-ID: <20240801004037.3939932-7-sashal@kernel.org>
In-Reply-To: <20240801004037.3939932-1-sashal@kernel.org>

From: Jan Kara <jack@suse.cz>

[ Upstream commit ebbe26fd54a9621994bc16b14f2ba8f84c089693 ]

Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.

Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/udf/super.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fs/udf/super.c b/fs/udf/super.c
index bce48a07790cb..077bc40df130e 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1047,12 +1047,19 @@ static int udf_fill_partdesc_info(struct super_block *sb,
 	struct udf_part_map *map;
 	struct udf_sb_info *sbi = UDF_SB(sb);
 	struct partitionHeaderDesc *phd;
+	u32 sum;
 	int err;
 
 	map = &sbi->s_partmaps[p_index];
 
 	map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
 	map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
+	if (check_add_overflow(map->s_partition_root, map->s_partition_len,
+			       &sum)) {
+		udf_err(sb, "Partition %d has invalid location %u + %u\n",
+			p_index, map->s_partition_root, map->s_partition_len);
+		return -EFSCORRUPTED;
+	}
 
 	if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
 		map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
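Review bot: The check added after the `s_partition_root` assignment carries no comment, unlike the bitmap check later in this patch, and `sum` is declared only as a destination for check_add_overflow() and is never read. A one-line comment saying that partition start plus length must fit in the 32-bit block number would state the intent and explain the unused result. The map fields already hold the rejected values when -EFSCORRUPTED is returned, which is fine only as long as the mount is abandoned on this error.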
@@ -1108,6 +1115,14 @@ static int udf_fill_partdesc_info(struct super_block *sb,
 		bitmap->s_extPosition = le32_to_cpu(
 				phd->unallocSpaceBitmap.extPosition);
 		map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
+		/* Check whether math over bitmap won't overflow. */
+		if (check_add_overflow(map->s_partition_len,
+				       sizeof(struct spaceBitmapDesc) << 3,
+				       &sum)) {
+			udf_err(sb, "Partition %d is too long (%u)\n", p_index,
+				map->s_partition_len);
+			return -EFSCORRUPTED;
+		}
 		udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
 			  p_index, bitmap->s_extPosition);
 	}
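Review bot: The operands of check_add_overflow() in the bitmap check have mixed types: `map->s_partition_len` and `sum` are 32-bit (`u32 sum`, printed with %u), while `sizeof(struct spaceBitmapDesc) << 3` is a size_t. For a 4.19 backport it is worth confirming that the tree's check_add_overflow() accepts operands of different types without a warning; if it does not, cast the second operand to u32. The check also runs after `bitmap->s_extPosition` and UDF_PART_FLAG_UNALLOC_BITMAP have been set, so either move it ahead of that setup or confirm that the mount-failure path releases the bitmap.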
-- 
2.43.0

