From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from szxga02-in.huawei.com ([119.145.14.65]:9166 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751924AbbHQCLZ (ORCPT ); Sun, 16 Aug 2015 22:11:25 -0400 Message-ID: <55D142AF.30608@huawei.com> Date: Mon, 17 Aug 2015 10:10:55 +0800 From: Zhang Zhen MIME-Version: 1.0 To: CC: Jan Kara , Subject: [PATCH] udf: Check length of extended attributes and allocation descriptors References: <55C847E2.2020807@huawei.com> In-Reply-To: <55C847E2.2020807@huawei.com> Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Sender: stable-owner@vger.kernel.org List-ID: commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream. Check length of extended attributes and allocation descriptors when loading inodes from disk. Otherwise corrupted filesystems could confuse the code and make the kernel oops. Reported-by: Carl Henrik Lunde Cc: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Jiri Slaby [Jan and Jiri fixed it in 3.12 stable, i ported it to 3.10 stable, replaced bs by inode->i_sb->s_blocksize] Signed-off-by: Zhang Zhen --- fs/udf/inode.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index aa02328..789814f 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1495,6 +1495,16 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); } + /* + * Sanity check length of allocation descriptors and extended attrs to + * avoid integer overflows + */ + if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) + return; + /* Now do exact checks */ + if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) + return; + switch (fe->icbTag.fileType) { case ICBTAG_FILE_TYPE_DIRECTORY: inode->i_op = &udf_dir_inode_operations; -- 1.8.3.4 .
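Review bot: Both new `return;` statements in udf_fill_inode() fail silently. The function is declared `static void`, so the caller receives no error, and the early exit skips the `switch (fe->icbTag.fileType)` that assigns `inode->i_op`, leaving a partly initialised inode with nothing marking it as invalid. Consider calling make_bad_inode(inode) before each return, or having the function return an error the caller can propagate, and log the rejected i_lenEAttr / i_lenAlloc values so a corrupted image can be diagnosed. The comment could also state that the coarse comparison of each length against s_blocksize is what keeps the addition in the "exact" check from wrapping, since that ordering is what the fix depends on.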