* [PATCH 0/1] Fix for CID 314037
@ 2022-11-17  0:17 Jagannathan Raman
  2022-11-17  0:17 ` [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block() Jagannathan Raman
  0 siblings, 1 reply; 5+ messages in thread
From: Jagannathan Raman @ 2022-11-17  0:17 UTC (permalink / raw)
  To: grub-devel; +Cc: daniel.kiper, darren.kenny, ross.philipson, alec.r.brown

Hi,

This patch confirms that Allocation Extent Descriptor length
is within limits based on section "2.3.11 Allocation Extent
Descriptor" in the following UDF spec:
http://www.osta.org/specs/pdf/udf201.pdf

The above document describes the limit for the length of extent
of allocation descriptors, and the limit is the logical block size.

Ran Coverity test to confirm the CID was fixed, and ran "make check"
to confirm that the UDF test passed.

Thank you!

Jagannathan Raman (1):
  fs/udf: validate length of AED in grub_udf_read_block()

 grub-core/fs/udf.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

-- 
2.20.1




* [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
  2022-11-17  0:17 [PATCH 0/1] Fix for CID 314037 Jagannathan Raman
@ 2022-11-17  0:17 ` Jagannathan Raman
  2022-11-23 14:52   ` Daniel Kiper
  0 siblings, 1 reply; 5+ messages in thread
From: Jagannathan Raman @ 2022-11-17  0:17 UTC (permalink / raw)
  To: grub-devel; +Cc: daniel.kiper, darren.kenny, ross.philipson, alec.r.brown

Validate the length of Allocation Extent Descriptor in
grub_udf_read_block(), based on the details in UDF spec. v2.01 section
2.3.11

Fixes: CID 314037

Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
---
 grub-core/fs/udf.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 12e88ab62..d19fa3987 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -510,6 +510,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
 		}
 
 	      len = U32 (extension->ae_len);
+              /*
+               * Ensure AE length is less than block size
+               * per UDF spec v2.01 section 2.3.11
+               *
+               * node->data->lbshift is initialized by
+               * grub_udf_mount(). lbshift has a maximum value
+               * of 3 and it does not cause an overflow here.
+               */
+              if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))
+                {
+                  grub_error (GRUB_ERR_BAD_FS, "invalid ae length");
+                  goto fail;
+                }
+
 	      ad = (struct grub_udf_short_ad *)
 		    (buf + sizeof (struct grub_udf_aed));
 	      continue;
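
Review bot: the upper bound in the added "if" of this short_ad branch does not look like a block size in bytes. The comment directly above it states that lbshift has a maximum value of 3, so "(grub_ssize_t) 1 << node->data->lbshift" is at most 8, while the cover letter gives the limit as the logical block size. If lbshift is a shift relative to the disk sector size rather than a byte shift, the bound needs the sector shift added (for example "node->data->lbshift + GRUB_DISK_SECTOR_BITS"); as written, the check would otherwise report "invalid ae length" for descriptors the spec allows. Please confirm the unit of lbshift and state it in the comment. The comment also says "less than block size" while "len > ..." accepts a length equal to the bound; make the wording and the comparison agree.
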
@@ -563,6 +577,20 @@ grub_udf_read_block (grub_fshelp_node_t node, grub_disk_addr_t fileblock)
 		}
 
 	      len = U32 (extension->ae_len);
+              /*
+               * Ensure AE length is less than block size
+               * per UDF spec v2.01 section 2.3.11
+               *
+               * node->data->lbshift is initialized by
+               * grub_udf_mount(). lbshift has a maximum value
+               * of 3 and it does not cause an overflow here.
+               */
+              if (len < 0 || len > ((grub_ssize_t) 1 << node->data->lbshift))
+                {
+                  grub_error (GRUB_ERR_BAD_FS, "invalid ae length");
+                  goto fail;
+                }
+
 	      ad = (struct grub_udf_long_ad *)
 		    (buf + sizeof (struct grub_udf_aed));
 	      continue;
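
Review bot: the check added in this long_ad branch is a line-for-line copy of the one added in the short_ad branch above, so any correction to the bound or the comment has to be made in two places. Consider moving it into one small static helper that takes node and len and is called from both branches. The added lines are also indented with spaces while the surrounding context lines use tabs; please match the file's existing indentation. Finally, the "len < 0" arm only has an effect if len is a signed type, which is not visible in the hunk; a one-line note in the comment on why a value read through U32 () can be negative here would help the next reader.
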
-- 
2.20.1




* Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
  2022-11-17  0:17 ` [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block() Jagannathan Raman
@ 2022-11-23 14:52   ` Daniel Kiper
  2022-11-23 15:20     ` Jag Raman
  0 siblings, 1 reply; 5+ messages in thread
From: Daniel Kiper @ 2022-11-23 14:52 UTC (permalink / raw)
  To: Jagannathan Raman; +Cc: grub-devel, darren.kenny, ross.philipson, alec.r.brown

On Thu, Nov 17, 2022 at 12:17:52AM +0000, Jagannathan Raman wrote:
> Validate the length of Allocation Extent Descriptor in
> grub_udf_read_block(), based on the details in UDF spec. v2.01 section
> 2.3.11
>
> Fixes: CID 314037
>
> Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Daniel



* Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
  2022-11-23 14:52   ` Daniel Kiper
@ 2022-11-23 15:20     ` Jag Raman
  2022-11-23 16:10       ` Daniel Kiper
  0 siblings, 1 reply; 5+ messages in thread
From: Jag Raman @ 2022-11-23 15:20 UTC (permalink / raw)
  To: Daniel Kiper; +Cc: grub-devel, Darren Kenny, Ross Philipson, Alec Brown



> On Nov 23, 2022, at 9:52 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> 
> On Thu, Nov 17, 2022 at 12:17:52AM +0000, Jagannathan Raman wrote:
>> Validate the length of Allocation Extent Descriptor in
>> grub_udf_read_block(), based on the details in UDF spec. v2.01 section
>> 2.3.11
>> 
>> Fixes: CID 314037
>> 
>> Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
> 
> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

Thank you!

> 
> Daniel




* Re: [PATCH 1/1] fs/udf: validate length of AED in grub_udf_read_block()
  2022-11-23 15:20     ` Jag Raman
@ 2022-11-23 16:10       ` Daniel Kiper
  0 siblings, 0 replies; 5+ messages in thread
From: Daniel Kiper @ 2022-11-23 16:10 UTC (permalink / raw)
  To: Jag Raman; +Cc: grub-devel, Darren Kenny, Ross Philipson, Alec Brown

On Wed, Nov 23, 2022 at 04:20:02PM +0100, Jag Raman wrote:
> > On Nov 23, 2022, at 9:52 AM, Daniel Kiper <daniel.kiper@oracle.com> wrote:
> > On Thu, Nov 17, 2022 at 12:17:52AM +0000, Jagannathan Raman wrote:
> >> Validate the length of Allocation Extent Descriptor in
> >> grub_udf_read_block(), based on the details in UDF spec. v2.01 section
> >> 2.3.11
> >>
> >> Fixes: CID 314037
> >>
> >> Signed-off-by: Jagannathan Raman <jag.raman@oracle.com>
> >
> > Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
>
> Thank you!

My pleasure!

And thank you for fixing this issue!

Daniel

