Commit 34820fc8 authored by Jan Kara's avatar Jan Kara Committed by Greg Kroah-Hartman

udf: Check length of extended attributes and allocation descriptors

commit 23b133bd upstream.

Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.

This fixes CVE-2015-4167.
Reported-by: default avatarCarl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
[Use make_bad_inode() instead of branching due to older implementation.]
Signed-off-by: default avatarChas Williams <3chas3@gmail.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 5f521316
......@@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
}
/*
* Sanity check length of allocation descriptors and extended attrs to
* avoid integer overflows
*/
if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize
|| iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
make_bad_inode(inode);
return;
}
/* Now do exact checks */
if (udf_file_entry_alloc_offset(inode)
+ iinfo->i_lenAlloc > inode->i_sb->s_blocksize) {
make_bad_inode(inode);
return;
}
switch (fe->icbTag.fileType) {
case ICBTAG_FILE_TYPE_DIRECTORY:
inode->i_op = &udf_dir_inode_operations;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment