[PATCH 0/3 STABLE] udf: Do not crash on corrupted media

[PATCH 0/3 STABLE] udf: Do not crash on corrupted media

[Jan Kara]

  Hi,

  these patches went upstream recently and they improve UDF handling of
corrupted media. These patches are adjusted to work with 3.0 kernel (udf_err()
is called udf_error() in that kernel).

									Honza

[PATCH 1/3] udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()

[Jan Kara]

Signed-off-by: Jan Kara <jack@suse.cz>

---
 fs/udf/super.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/fs/udf/super.c b/fs/udf/super.c
index ac8a348..9da6f4e 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1233,11 +1233,9 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
 	BUG_ON(ident != TAG_IDENT_LVD);
 	lvd = (struct logicalVolDesc *)bh->b_data;
 
-	i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
-	if (i != 0) {
-		ret = i;
+	ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
+	if (ret)
 		goto out_bh;
-	}
 
 	for (i = 0, offset = 0;
 	     i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
-- 
1.7.1

[PATCH 2/3] udf: Avoid run away loop when partition table length is corrupted

[Jan Kara]

Check provided length of partition table so that (possibly maliciously)
corrupted partition table cannot cause accessing data beyond current buffer.

Signed-off-by: Jan Kara <jack@suse.cz>

---
 fs/udf/super.c |   10 +++++++++-
 1 files changed, 9 insertions(+), 1 deletions(-)

Index: linux-3.0-SLE11-SP2/fs/udf/super.c
===================================================================
--- linux-3.0-SLE11-SP2.orig/fs/udf/super.c
+++ linux-3.0-SLE11-SP2/fs/udf/super.c
@@ -1254,6 +1254,7 @@ static int udf_load_logicalvol(struct su
 	struct genericPartitionMap *gpm;
 	uint16_t ident;
 	struct buffer_head *bh;
+	unsigned int table_len;
 	int ret = 0;
 
 	bh = udf_read_tagged(sb, block, block, &ident);
@@ -1261,13 +1262,20 @@ static int udf_load_logicalvol(struct su
 		return 1;
 	BUG_ON(ident != TAG_IDENT_LVD);
 	lvd = (struct logicalVolDesc *)bh->b_data;
+	table_len = le32_to_cpu(lvd->mapTableLength);
+	if (sizeof(*lvd) + table_len > sb->s_blocksize) {
+		udf_error(sb, __func__, "error loading logical volume descriptor: "
+			"Partition table too long (%u > %lu)\n", table_len,
+			sb->s_blocksize - sizeof(*lvd));
+		goto out_bh;
+	}
 
 	ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
 	if (ret)
 		goto out_bh;
 
 	for (i = 0, offset = 0;
-	     i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
+	     i < sbi->s_partitions && offset < table_len;
 	     i++, offset += gpm->partitionMapLength) {
 		struct udf_part_map *map = &sbi->s_partmaps[i];
 		gpm = (struct genericPartitionMap *)

[PATCH 3/3] udf: Fortify loading of sparing table

[Jan Kara]

Add sanity checks when loading sparing table from disk to avoid accessing
unallocated memory or writing to it.

Signed-off-by: Jan Kara <jack@suse.cz>

---
 fs/udf/super.c |   86 ++++++++++++++++++++++++++++++++++---------------------
 1 files changed, 53 insertions(+), 33 deletions(-)

Index: linux-3.0-SLE11-SP2/fs/udf/super.c
===================================================================
--- linux-3.0-SLE11-SP2.orig/fs/udf/super.c
+++ linux-3.0-SLE11-SP2/fs/udf/super.c
@@ -56,6 +56,7 @@
 #include <linux/seq_file.h>
 #include <linux/bitmap.h>
 #include <linux/crc-itu-t.h>
+#include <linux/log2.h>
 #include <asm/byteorder.h>
 
 #include "udf_sb.h"
@@ -1244,11 +1245,59 @@ out_bh:
 	return ret;
 }
 
+static int udf_load_sparable_map(struct super_block *sb,
+				 struct udf_part_map *map,
+				 struct sparablePartitionMap *spm)
+{
+	uint32_t loc;
+	uint16_t ident;
+	struct sparingTable *st;
+	struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing;
+	int i;
+	struct buffer_head *bh;
+
+	map->s_partition_type = UDF_SPARABLE_MAP15;
+	sdata->s_packet_len = le16_to_cpu(spm->packetLength);
+	if (!is_power_of_2(sdata->s_packet_len)) {
+		udf_error(sb, __func__, "error loading logical volume descriptor: "
+			"Invalid packet length %u\n",
+			(unsigned)sdata->s_packet_len);
+		return -EIO;
+	}
+	if (spm->numSparingTables > 4) {
+		udf_error(sb, __func__, "error loading logical volume descriptor: "
+			"Too many sparing tables (%d)\n",
+			(int)spm->numSparingTables);
+		return -EIO;
+	}
+
+	for (i = 0; i < spm->numSparingTables; i++) {
+		loc = le32_to_cpu(spm->locSparingTable[i]);
+		bh = udf_read_tagged(sb, loc, loc, &ident);
+		if (!bh)
+			continue;
+
+		st = (struct sparingTable *)bh->b_data;
+		if (ident != 0 ||
+		    strncmp(st->sparingIdent.ident, UDF_ID_SPARING,
+			    strlen(UDF_ID_SPARING)) ||
+		    sizeof(*st) + le16_to_cpu(st->reallocationTableLen) >
+							sb->s_blocksize) {
+			brelse(bh);
+			continue;
+		}
+
+		sdata->s_spar_map[i] = bh;
+	}
+	map->s_partition_func = udf_get_pblock_spar15;
+	return 0;
+}
+
 static int udf_load_logicalvol(struct super_block *sb, sector_t block,
 			       struct kernel_lb_addr *fileset)
 {
 	struct logicalVolDesc *lvd;
-	int i, j, offset;
+	int i, offset;
 	uint8_t type;
 	struct udf_sb_info *sbi = UDF_SB(sb);
 	struct genericPartitionMap *gpm;
@@ -1310,38 +1359,9 @@ static int udf_load_logicalvol(struct su
 			} else if (!strncmp(upm2->partIdent.ident,
 						UDF_ID_SPARABLE,
 						strlen(UDF_ID_SPARABLE))) {
-				uint32_t loc;
-				struct sparingTable *st;
-				struct sparablePartitionMap *spm =
-					(struct sparablePartitionMap *)gpm;
-
-				map->s_partition_type = UDF_SPARABLE_MAP15;
-				map->s_type_specific.s_sparing.s_packet_len =
-						le16_to_cpu(spm->packetLength);
-				for (j = 0; j < spm->numSparingTables; j++) {
-					struct buffer_head *bh2;
-
-					loc = le32_to_cpu(
-						spm->locSparingTable[j]);
-					bh2 = udf_read_tagged(sb, loc, loc,
-							     &ident);
-					map->s_type_specific.s_sparing.
-							s_spar_map[j] = bh2;
-
-					if (bh2 == NULL)
-						continue;
-
-					st = (struct sparingTable *)bh2->b_data;
-					if (ident != 0 || strncmp(
-						st->sparingIdent.ident,
-						UDF_ID_SPARING,
-						strlen(UDF_ID_SPARING))) {
-						brelse(bh2);
-						map->s_type_specific.s_sparing.
-							s_spar_map[j] = NULL;
-					}
-				}
-				map->s_partition_func = udf_get_pblock_spar15;
+				if (udf_load_sparable_map(sb, map,
+				    (struct sparablePartitionMap *)gpm) < 0)
+					goto out_bh;
 			} else if (!strncmp(upm2->partIdent.ident,
 						UDF_ID_METADATA,
 						strlen(UDF_ID_METADATA))) {

Re: [PATCH 0/3 STABLE] udf: Do not crash on corrupted media

[Greg KH]

On Wed, Jul 04, 2012 at 01:01:36PM +0200, Jan Kara wrote:
> 
>   Hi,
> 
>   these patches went upstream recently and they improve UDF handling of
> corrupted media. These patches are adjusted to work with 3.0 kernel (udf_err()
> is called udf_error() in that kernel).

What are the git commit ids of them?

thanks,

greg k-h

Re: [PATCH 0/3 STABLE] udf: Do not crash on corrupted media

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 774 bytes --]

On Wed, 2012-07-04 at 13:01 +0200, Jan Kara wrote:
> Hi,
> 
>   these patches went upstream recently and they improve UDF handling of
> corrupted media. These patches are adjusted to work with 3.0 kernel (udf_err()
> is called udf_error() in that kernel).

All submissions to stable should include an upstream commit reference,
but it looks like these are:

cb14d34 udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()
adee11b udf: Avoid run away loop when partition table length is corrupted
1df2ae3 udf: Fortify loading of sparing table

I found that they apply to 3.2 without the logging change needed for
3.0, so I've added them to the queue as-is.

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 828 bytes --]

Re: [PATCH 0/3 STABLE] udf: Do not crash on corrupted media

[Jan Kara]

On Mon 09-07-12 01:22:05, Ben Hutchings wrote:
> On Wed, 2012-07-04 at 13:01 +0200, Jan Kara wrote:
> > Hi,
> > 
> >   these patches went upstream recently and they improve UDF handling of
> > corrupted media. These patches are adjusted to work with 3.0 kernel (udf_err()
> > is called udf_error() in that kernel).
> 
> All submissions to stable should include an upstream commit reference,
> but it looks like these are:
> 
> cb14d34 udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol()
> adee11b udf: Avoid run away loop when partition table length is corrupted
> 1df2ae3 udf: Fortify loading of sparing table
  Yes. Sorry for messing this up. I had the references there but git
send-email hid them in mail headers...

> I found that they apply to 3.2 without the logging change needed for
> 3.0, so I've added them to the queue as-is.
  Great thanks.

								Honza
-- 
Jan Kara <jack@suse.cz>
SUSE Labs, CR

[PATCH 0/3 STABLE] udf: Do not crash on corrupted media

[Jan Kara]

  Hi,

  these patches went upstream recently and they improve UDF handling of
corrupted media. These patches are adjusted to work with 3.0 kernel (udf_err()
is called udf_error() in that kernel).

								Honza