[3.16.y-ckt stable] Patch "udf: Check length of extended attributes and allocation descriptors" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Fri Jun 5 13:11:30 UTC 2015 

This is a note to let you know that I have just added a patch titled

    udf: Check length of extended attributes and allocation descriptors

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.16.y-queue

This patch is scheduled to be released in version 3.16.7-ckt13.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 24a10af7859205540358f2f58bfbd89b0962027a Mon Sep 17 00:00:00 2001
From: Jan Kara <jack at suse.cz>
Date: Wed, 7 Jan 2015 13:49:08 +0100
Subject: udf: Check length of extended attributes and allocation descriptors

commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.

Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.

Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
Signed-off-by: Jan Kara <jack at suse.cz>
[bwh: Backported to 3.16: use make_bad_inode() instead of returning error]
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 fs/udf/inode.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index c7a5753dc4ec..9a46e23cb769 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1494,6 +1494,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh)
 		iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
 	}

+	/*
+	 * Sanity check length of allocation descriptors and extended attrs to
+	 * avoid integer overflows
+	 */
+	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
+		make_bad_inode(inode);
+		return;
+	}
+	/* Now do exact checks */
+	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
+		make_bad_inode(inode);
+		return;
+	}
 	/* Sanity checks for files in ICB so that we don't get confused later */
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
 		/*

More information about the kernel-team mailing list