stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jan Kara <jack@suse.cz>,
	syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com
Subject: [PATCH 4.9 14/22] isofs: Fix out of bound access for corrupted isofs image
Date: Wed, 10 Nov 2021 19:43:21 +0100	[thread overview]
Message-ID: <20211110182002.047574878@linuxfoundation.org> (raw)
In-Reply-To: <20211110182001.579561273@linuxfoundation.org>

From: Jan Kara <jack@suse.cz>

commit e96a1866b40570b5950cda8602c2819189c62a48 upstream.

When isofs image is suitably corrupted isofs_read_inode() can read data
beyond the end of buffer. Sanity-check the directory entry length before
using it.

Reported-and-tested-by: syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/isofs/inode.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/isofs/inode.c
+++ b/fs/isofs/inode.c
@@ -1265,6 +1265,8 @@ static int isofs_read_inode(struct inode
 
 	de = (struct iso_directory_record *) (bh->b_data + offset);
 	de_len = *(unsigned char *) de;
+	if (de_len < sizeof(struct iso_directory_record))
+		goto fail;
 
 	if (offset + de_len > bufsize) {
 		int frag1 = bufsize - offset;



  parent reply	other threads:[~2021-11-10 18:45 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-10 18:43 [PATCH 4.9 00/22] 4.9.290-rc1 review Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 01/22] scsi: core: Put LLD module refcnt after SCSI device is released Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 02/22] mm/zsmalloc: Prepare to variable MAX_PHYSMEM_BITS Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 03/22] arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 04/22] ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 05/22] net: hso: register netdev later to avoid a race condition Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 06/22] usb: hso: fix error handling code of hso_create_net_device Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 07/22] Revert "x86/kvm: fix vcpu-id indexed array sizes" Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 08/22] IB/qib: Use struct_size() helper Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 09/22] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 10/22] usb: gadget: Mark USB_FSL_QE broken on 64-bit Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 11/22] usb: musb: Balance list entry in musb_gadget_queue Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 12/22] usb-storage: Add compatibility quirk flags for iODD 2531/2541 Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 13/22] printk/console: Allow to disable console output by using console="" or console=null Greg Kroah-Hartman
2021-11-10 18:43 ` Greg Kroah-Hartman [this message]
2021-11-10 18:43 ` [PATCH 4.9 15/22] comedi: dt9812: fix DMA buffers on stack Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 16/22] comedi: ni_usb6501: fix NULL-deref in command paths Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 17/22] comedi: vmk80xx: fix transfer-buffer overflows Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 18/22] comedi: vmk80xx: fix bulk-buffer overflow Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 19/22] comedi: vmk80xx: fix bulk and interrupt message timeouts Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 20/22] staging: r8712u: fix control-message timeout Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 21/22] staging: rtl8192u: fix control-message timeouts Greg Kroah-Hartman
2021-11-10 18:43 ` [PATCH 4.9 22/22] rsi: fix control-message timeout Greg Kroah-Hartman
2021-11-10 19:26 ` [PATCH 4.9 00/22] 4.9.290-rc1 review Florian Fainelli
2021-11-11 18:28 ` Naresh Kamboju
2021-11-11 19:06 ` Shuah Khan
2021-11-12  0:58 ` Guenter Roeck
2021-11-12 15:40 ` Jon Hunter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20211110182002.047574878@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=jack@suse.cz \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).