diff options
| author | Jan Kara <jack@suse.cz> | 2015-01-07 13:49:08 +0100 |
|---|---|---|
| committer | Zefan Li <lizefan@huawei.com> | 2015-09-18 09:20:45 +0800 |
| commit | 97186c0935bcdf8b9a72d1d7063577c845c25ef9 (patch) | |
| tree | 6c59e36eca02be59ce3528c2b93367629f2050f6 | |
| parent | ea1e8ee07cdf7405111cfa9236935b3da1075f56 (diff) | |
| download | lwn-97186c0935bcdf8b9a72d1d7063577c845c25ef9.tar.gz lwn-97186c0935bcdf8b9a72d1d7063577c845c25ef9.zip | |
udf: Check length of extended attributes and allocation descriptors
commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.
Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
[lizf: Backported to 3.4:
- call make_bad_inode() and then return
- relace bs with inode->i_sb->s_blocksize]
Signed-off-by: Zefan Li <lizefan@huawei.com>
| -rw-r--r-- | fs/udf/inode.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 8053ee75d297..330ec8cfeb63 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1392,6 +1392,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_lenEAttr; } + /* + * Sanity check length of allocation descriptors and extended attrs to + * avoid integer overflows + */ + if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { + make_bad_inode(inode); + return; + } + /* Now do exact checks */ + if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { + make_bad_inode(inode); + return; + } /* Sanity checks for files in ICB so that we don't get confused later */ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { /* |