From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Carl Henrik Lunde <chlunde@ping.uio.no>,
	Jan Kara <jack@suse.cz>
Subject: [PATCH 3.18 74/84] udf: Check path length when reading symlink
Date: Tue,  6 Jan 2015 17:50:17 -0800	[thread overview]
Message-ID: <20150107014031.372183714@linuxfoundation.org> (raw)
In-Reply-To: <20150107014029.012974975@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jan Kara <jack@suse.cz>

commit 0e5cc9a40ada6046e6bc3bdfcd0c0d7e4b706b14 upstream.

Symlink reading code does not check whether the resulting path fits into
the page provided by the generic code. This isn't as easy as just
checking the symlink size because of various encoding conversions we
perform on path. So we have to check whether there is still enough space
in the buffer on the fly.

Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/udf/dir.c     |    3 ++-
 fs/udf/namei.c   |    3 ++-
 fs/udf/symlink.c |   31 ++++++++++++++++++++++++++-----
 fs/udf/udfdecl.h |    3 ++-
 fs/udf/unicode.c |   28 ++++++++++++++++------------
 5 files changed, 48 insertions(+), 20 deletions(-)

--- a/fs/udf/dir.c
+++ b/fs/udf/dir.c
@@ -167,7 +167,8 @@ static int udf_readdir(struct file *file
 			continue;
 		}
 
-		flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
+		flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
+					UDF_NAME_LEN);
 		if (!flen)
 			continue;
 
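Review bot: The `UDF_NAME_LEN` passed here has to equal the real size of `fname`, which is allocated outside the hunk, because udf_translate_to_linux() in the unicode.c hunks may now fill exactly `newLen` bytes (both CRC paths end with `newIndex == newLen`) and, as far as the visible code shows, appends no terminator; a buffer even one byte short would turn the new bound into an overflow again. Callers therefore must keep using `flen` and never treat `fname` as a C string, which deserves a comment at the allocation site, e.g. `/* udf_get_filename() may use all UDF_NAME_LEN bytes and does not NUL-terminate */`. udf_readdir's body continues outside the hunk.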
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -233,7 +233,8 @@ static struct fileIdentDesc *udf_find_en
 		if (!lfi)
 			continue;
 
-		flen = udf_get_filename(dir->i_sb, nameptr, fname, lfi);
+		flen = udf_get_filename(dir->i_sb, nameptr, lfi, fname,
+					UDF_NAME_LEN);
 		if (flen && udf_match(flen, fname, child->len, child->name))
 			goto out_ok;
 	}
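Review bot: As in udf_readdir(), the `UDF_NAME_LEN` bound is only correct if `fname` really is that many bytes, and its allocation is outside the hunk; the converter may use every one of `newLen` bytes without a visible terminator, so `udf_match(flen, fname, ...)` must remain the only consumer of the buffer. A short comment where `fname` is allocated, `/* sized for udf_get_filename(..., UDF_NAME_LEN); not NUL-terminated */`, would keep the two in step. udf_find_entry's body continues outside the hunk.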
--- a/fs/udf/symlink.c
+++ b/fs/udf/symlink.c
@@ -30,13 +30,16 @@
 #include <linux/buffer_head.h>
 #include "udf_i.h"
 
-static void udf_pc_to_char(struct super_block *sb, unsigned char *from,
-			   int fromlen, unsigned char *to)
+static int udf_pc_to_char(struct super_block *sb, unsigned char *from,
+			  int fromlen, unsigned char *to, int tolen)
 {
 	struct pathComponent *pc;
 	int elen = 0;
+	int comp_len;
 	unsigned char *p = to;
 
+	/* Reserve one byte for terminating \0 */
+	tolen--;
 	while (elen < fromlen) {
 		pc = (struct pathComponent *)(from + elen);
 		switch (pc->componentType) {
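Review bot: `tolen--` for the reserved terminator is unconditional, so a caller passing 0 would hand the loop a budget of -1 and the `tolen == 0` / `tolen < n` checks in the next hunk would no longer stop the writes; the one visible caller passes PAGE_SIZE, but `if (tolen <= 0) return -ENAMETOOLONG;` ahead of the decrement makes the precondition explicit at no cost. The new `int` return also needs a one-line contract on the function, e.g. `/* Returns 0, or -ENAMETOOLONG if the converted path (plus NUL) does not fit in tolen bytes. */`. The loop still trusts `fromlen` and the on-disk `pc->lengthComponentIdent` when it advances `elen`; this patch does not change that, and the series appears to carry a separate patch for the component length. The switch body continues in the next hunk.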
@@ -49,22 +52,37 @@ static void udf_pc_to_char(struct super_
 				break;
 			/* Fall through */
 		case 2:
+			if (tolen == 0)
+				return -ENAMETOOLONG;
 			p = to;
 			*p++ = '/';
+			tolen--;
 			break;
 		case 3:
+			if (tolen < 3)
+				return -ENAMETOOLONG;
 			memcpy(p, "../", 3);
 			p += 3;
+			tolen -= 3;
 			break;
 		case 4:
+			if (tolen < 2)
+				return -ENAMETOOLONG;
 			memcpy(p, "./", 2);
 			p += 2;
+			tolen -= 2;
 			/* that would be . - just ignore */
 			break;
 		case 5:
-			p += udf_get_filename(sb, pc->componentIdent, p,
-					      pc->lengthComponentIdent);
+			comp_len = udf_get_filename(sb, pc->componentIdent,
+						    pc->lengthComponentIdent,
+						    p, tolen);
+			p += comp_len;
+			tolen -= comp_len;
+			if (tolen == 0)
+				return -ENAMETOOLONG;
 			*p++ = '/';
+			tolen--;
 			break;
 		}
 		elen += sizeof(struct pathComponent) + pc->lengthComponentIdent;
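Review bot: `case 5` hands udf_get_filename() whatever `tolen` is left, including 0, and udf_translate_to_linux() (unicode.c hunks) subtracts CRC_LEN from that length when it has to append a CRC, so a nearly exhausted budget reaches the converter as a non-positive size; add `if (tolen == 0) return -ENAMETOOLONG;` before the call, as the other cases do. A 0 result from udf_get_filename() is also indistinguishable from a conversion failure (unicode.c returns `len = 0` on its `out2` paths), so a component that fails to convert is silently dropped and a bare `/` emitted in its place; that predates this patch but now deserves either an explicit error or a comment. Separately, `case 2` resets `p = to` yet keeps `tolen` decremented for the bytes it discards, so an absolute component later in the path leaves the budget short by the discarded prefix and can return -ENAMETOOLONG for a path that fits; restoring it with `tolen += p - to;` immediately before `p = to;` (and doing the `tolen == 0` check after that) keeps `tolen == remaining buffer` as the invariant the other cases rely on. The enclosing switch starts in the previous hunk and the function's epilogue is in the next one.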
@@ -73,6 +91,7 @@ static void udf_pc_to_char(struct super_
 		p[-1] = '\0';
 	else
 		p[0] = '\0';
+	return 0;
 }
 
 static int udf_symlink_filler(struct file *file, struct page *page)
@@ -100,8 +119,10 @@ static int udf_symlink_filler(struct fil
 		symlink = bh->b_data;
 	}
 
-	udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p);
+	err = udf_pc_to_char(inode->i_sb, symlink, inode->i_size, p, PAGE_SIZE);
 	brelse(bh);
+	if (err)
+		goto out_unlock_inode;
 
 	up_read(&iinfo->i_data_sem);
 	SetPageUptodate(page);
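Review bot: On the new `goto out_unlock_inode` path the page still holds a partially converted, unterminated path and is correctly not marked up to date, but that is only safe if the label also unlocks the page and records the error, which lies outside the hunk and should be confirmed. A comment at the goto would make the intent visible to the next reader: `/* page stays !Uptodate: the partial path must not be exposed */`. udf_symlink_filler's body continues outside the hunk on both sides.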
--- a/fs/udf/udfdecl.h
+++ b/fs/udf/udfdecl.h
@@ -211,7 +211,8 @@ udf_get_lb_pblock(struct super_block *sb
 }
 
 /* unicode.c */
-extern int udf_get_filename(struct super_block *, uint8_t *, uint8_t *, int);
+extern int udf_get_filename(struct super_block *, uint8_t *, int, uint8_t *,
+			    int);
 extern int udf_put_filename(struct super_block *, const uint8_t *, uint8_t *,
 			    int);
 extern int udf_build_ustr(struct ustr *, dstring *, int);
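Review bot: The prototype now carries two unnamed `uint8_t *, int` pairs in a row, and this very patch reorders the arguments at every call site, so a call site that keeps the old (src, dst, len) order still compiles without complaint; naming the parameters documents the order where readers actually look, `extern int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen, uint8_t *dname, int dlen);`. udf_put_filename() below has the same shape and could be named at the same time.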
--- a/fs/udf/unicode.c
+++ b/fs/udf/unicode.c
@@ -28,7 +28,8 @@
 
 #include "udf_sb.h"
 
-static int udf_translate_to_linux(uint8_t *, uint8_t *, int, uint8_t *, int);
+static int udf_translate_to_linux(uint8_t *, int, uint8_t *, int, uint8_t *,
+				  int);
 
 static int udf_char_to_ustr(struct ustr *dest, const uint8_t *src, int strlen)
 {
@@ -333,8 +334,8 @@ try_again:
 	return u_len + 1;
 }
 
-int udf_get_filename(struct super_block *sb, uint8_t *sname, uint8_t *dname,
-		     int flen)
+int udf_get_filename(struct super_block *sb, uint8_t *sname, int slen,
+		     uint8_t *dname, int dlen)
 {
 	struct ustr *filename, *unifilename;
 	int len = 0;
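Review bot: udf_get_filename() gains a destination length but no statement of what it guarantees about `dname`: from the visible unicode.c hunks the translation may write up to `dlen` bytes, and the function returns `len = 0` on its `out2` failure paths, so a 0 result cannot be told apart from an empty name. A kerneldoc comment along the lines of `/* Convert on-disk name sname[0..slen) into a Linux name in dname, writing at most dlen bytes. Returns the length written, or 0 on failure. */` would pin this down; whether a NUL is ever appended is not visible here and should be checked before the wording is committed. The function body continues outside the hunk.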
@@ -347,7 +348,7 @@ int udf_get_filename(struct super_block
 	if (!unifilename)
 		goto out1;
 
-	if (udf_build_ustr_exact(unifilename, sname, flen))
+	if (udf_build_ustr_exact(unifilename, sname, slen))
 		goto out2;
 
 	if (UDF_QUERY_FLAG(sb, UDF_FLAG_UTF8)) {
@@ -366,7 +367,8 @@ int udf_get_filename(struct super_block
 	} else
 		goto out2;
 
-	len = udf_translate_to_linux(dname, filename->u_name, filename->u_len,
+	len = udf_translate_to_linux(dname, dlen,
+				     filename->u_name, filename->u_len,
 				     unifilename->u_name, unifilename->u_len);
 out2:
 	kfree(unifilename);
@@ -403,10 +405,12 @@ int udf_put_filename(struct super_block
 #define EXT_MARK		'.'
 #define CRC_MARK		'#'
 #define EXT_SIZE 		5
+/* Number of chars we need to store generated CRC to make filename unique */
+#define CRC_LEN			5
 
-static int udf_translate_to_linux(uint8_t *newName, uint8_t *udfName,
-				  int udfLen, uint8_t *fidName,
-				  int fidNameLen)
+static int udf_translate_to_linux(uint8_t *newName, int newLen,
+				  uint8_t *udfName, int udfLen,
+				  uint8_t *fidName, int fidNameLen)
 {
 	int index, newIndex = 0, needsCRC = 0;
 	int extIndex = 0, newExtIndex = 0, hasExt = 0;
@@ -439,7 +443,7 @@ static int udf_translate_to_linux(uint8_
 					newExtIndex = newIndex;
 				}
 			}
-			if (newIndex < 256)
+			if (newIndex < newLen)
 				newName[newIndex++] = curr;
 			else
 				needsCRC = 1;
@@ -467,13 +471,13 @@ static int udf_translate_to_linux(uint8_
 				}
 				ext[localExtIndex++] = curr;
 			}
-			maxFilenameLen = 250 - localExtIndex;
+			maxFilenameLen = newLen - CRC_LEN - localExtIndex;
 			if (newIndex > maxFilenameLen)
 				newIndex = maxFilenameLen;
 			else
 				newIndex = newExtIndex;
-		} else if (newIndex > 250)
-			newIndex = 250;
+		} else if (newIndex > newLen - CRC_LEN)
+			newIndex = newLen - CRC_LEN;
 		newName[newIndex++] = CRC_MARK;
 		valueCRC = crc_itu_t(0, fidName, fidNameLen);
 		newName[newIndex++] = hex_asc_upper_hi(valueCRC >> 8);
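Review bot: `newLen - CRC_LEN` goes negative whenever the destination is smaller than CRC_LEN, and the visible CRC path then stores that value in `newIndex` (directly, or via a negative `maxFilenameLen`) and writes `CRC_MARK` and the hex digits at `newName[newIndex++]`, i.e. before the start of the buffer; the directory callers pass UDF_NAME_LEN, but udf_pc_to_char() passes whatever `tolen` remains, which can be anywhere down to 0. Guard the branch before the subtraction, e.g. `if (newLen < CRC_LEN) return 0;` at the top of the `needsCRC` block with a comment that 0 means nothing fits, and have the symlink caller treat that as -ENAMETOOLONG rather than an empty component. The function body, including its return, continues outside the hunk.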


