author | Stian Skjelstad <stian.skjelstad@gmail.com> | 2021-08-22 11:33:32 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-09-22 11:47:50 +0200 |
commit | f08721ee2b387cc0ba93f8c27e2e3a6be80db2e4 (patch) | |
tree | 6b49856f95480cf96f29be12e35b062aa887c1fa | |
parent | 64dd1fbb0bb743ccd2fb420c441f4ca9732f598f (diff) | |
udf_get_extendedattr() had no boundary checks.
[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ]
When parsing the ExtendedAttr data, a malicious or corrupt attribute length
could cause kernel hangs and buffer overruns in some special cases.
Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | fs/udf/misc.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index 401e64cde1be..853bcff51043 100644
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
 else offset = le32_to_cpu(eahd->appAttrLocation);
- while (offset < iinfo->i_lenEAttr) {
+ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
+ uint32_t attrLength;
+
 gaf = (struct genericFormat *)&ea[offset];
+ attrLength = le32_to_cpu(gaf->attrLength);
+
+ /* Detect undersized elements and buffer overflows */
+ if ((attrLength < sizeof(*gaf)) ||
+ (attrLength > (iinfo->i_lenEAttr - offset)))
+ break;
+
 if (le32_to_cpu(gaf->attrType) == type && gaf->attrSubtype == subtype) return gaf;
 else
- offset += le32_to_cpu(gaf->attrLength);
+ offset += attrLength;
 }
 }
|
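Review bot: The new loop condition `offset + sizeof(*gaf) < iinfo->i_lenEAttr` still performs an addition on a value read from disk: the context line above assigns `offset = le32_to_cpu(eahd->appAttrLocation)`, and nothing in the hunk bounds it before the loop. If `offset` is a 32-bit type (its declaration is outside the hunk), then on a build where `size_t` is also 32 bits a value near the top of the range makes the sum wrap to a small number, the condition passes, and `&ea[offset]` is read well outside the attribute buffer. Writing the test as a subtraction avoids the wrap without changing which elements are accepted: `while (offset < iinfo->i_lenEAttr && iinfo->i_lenEAttr - offset > sizeof(*gaf)) {`. The body of udf_get_extendedattr() starts and ends outside this hunk, so an earlier range check on the location fields may already cover this case and is worth confirming.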