From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from szxga02-in.huawei.com ([119.145.14.65]:58439 "EHLO szxga02-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753208AbbIGDJX (ORCPT ); Sun, 6 Sep 2015 23:09:23 -0400 Message-ID: <55ECFFCC.8000907@huawei.com> Date: Mon, 7 Sep 2015 11:09:00 +0800 From: Zhang Zhen MIME-Version: 1.0 To: CC: Greg KH Subject: [PATCH for stable 3.10] udf: Check length of extended attributes and allocation descriptors References: <55ECF951.6070003@huawei.com> In-Reply-To: <55ECF951.6070003@huawei.com> Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Sender: stable-owner@vger.kernel.org List-ID: From: Jan Kara commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream. Check length of extended attributes and allocation descriptors when loading inodes from disk. Otherwise corrupted filesystems could confuse the code and make the kernel oops. Reported-by: Carl Henrik Lunde Cc: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Jiri Slaby [Jan and Jiri fixed it in 3.12 stable, i ported it to 3.10 stable, replaced bs by inode->i_sb->s_blocksize] Signed-off-by: Zhang Zhen --- fs/udf/inode.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fs/udf/inode.c b/fs/udf/inode.c index aa02328..789814f 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1495,6 +1495,16 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); } + /* + * Sanity check length of allocation descriptors and extended attrs to + * avoid integer overflows + */ + if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) + return; + /* Now do exact checks */ + if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) + return; + switch (fe->icbTag.fileType) { case ICBTAG_FILE_TYPE_DIRECTORY: inode->i_op = &udf_dir_inode_operations; -- 1.8.3.4 .