From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Carl Henrik Lunde , Jan Kara , Chas Williams <3chas3@gmail.com> Subject: [PATCH 3.14 83/84] udf: Check length of extended attributes and allocation descriptors Date: Tue, 29 Sep 2015 17:19:15 +0200 Message-Id: <20150929145334.660594555@linuxfoundation.org> In-Reply-To: <20150929145330.924730721@linuxfoundation.org> References: <20150929145330.924730721@linuxfoundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-15 Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jan Kara commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream. Check length of extended attributes and allocation descriptors when loading inodes from disk. Otherwise corrupted filesystems could confuse the code and make the kernel oops. This fixes CVE-2015-4167. Reported-by: Carl Henrik Lunde Signed-off-by: Jan Kara [Use make_bad_inode() instead of branching due to older implementation.] Signed-off-by: Chas Williams <3chas3@gmail.com> Signed-off-by: Greg Kroah-Hartman --- fs/udf/inode.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); } + /* + * Sanity check length of allocation descriptors and extended attrs to + * avoid integer overflows + */ + if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize + || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { + make_bad_inode(inode); + return; + } + /* Now do exact checks */ + if (udf_file_entry_alloc_offset(inode) + + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { + make_bad_inode(inode); + return; + } + switch (fe->icbTag.fileType) { case ICBTAG_FILE_TYPE_DIRECTORY: inode->i_op = &udf_dir_inode_operations;