From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Stian Skjelstad <stian.skjelstad@gmail.com>,
Jan Kara <jack@suse.cz>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.4 9/9] udf_get_extendedattr() had no boundary checks.
Date: Sun, 5 Sep 2021 21:24:34 -0400 [thread overview]
Message-ID: <20210906012435.931318-9-sashal@kernel.org> (raw)
In-Reply-To: <20210906012435.931318-1-sashal@kernel.org>
From: Stian Skjelstad <stian.skjelstad@gmail.com>
[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ]
When parsing the ExtendedAttr data, malicous or corrupt attribute length
could cause kernel hangs and buffer overruns in some special cases.
Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/udf/misc.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index 71d1c25f360d..8c7f9ea251e5 100644
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -175,13 +175,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
else
offset = le32_to_cpu(eahd->appAttrLocation);
- while (offset < iinfo->i_lenEAttr) {
+ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
+ uint32_t attrLength;
+
gaf = (struct genericFormat *)&ea[offset];
+ attrLength = le32_to_cpu(gaf->attrLength);
+
+ /* Detect undersized elements and buffer overflows */
+ if ((attrLength < sizeof(*gaf)) ||
+ (attrLength > (iinfo->i_lenEAttr - offset)))
+ break;
+
if (le32_to_cpu(gaf->attrType) == type &&
gaf->attrSubtype == subtype)
return gaf;
else
- offset += le32_to_cpu(gaf->attrLength);
+ offset += attrLength;
}
}
--
2.30.2
prev parent reply other threads:[~2021-09-06 1:36 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-06 1:24 [PATCH AUTOSEL 4.4 1/9] regulator: tps65910: Silence deferred probe error Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 2/9] crypto: mxs-dcp - Check for DMA mapping errors Sasha Levin
2021-09-06 1:24 ` Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 3/9] crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 4/9] power: supply: max17042_battery: fix typo in MAx17042_TOFF Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 5/9] libata: fix ata_host_start() Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 6/9] crypto: qat - do not ignore errors from enable_vf2pf_comms() Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 7/9] crypto: qat - fix reuse of completion variable Sasha Levin
2021-09-06 1:24 ` [PATCH AUTOSEL 4.4 8/9] crypto: qat - do not export adf_iov_putmsg() Sasha Levin
2021-09-06 1:24 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210906012435.931318-9-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=jack@suse.cz \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=stian.skjelstad@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.