[3.13.y-ckt stable] Patch "udf: Check length of extended attributes and allocation descriptors" has been added to staging queue

Kamal Mostafa kamal at canonical.com
Tue Jun 9 19:51:28 UTC 2015 

This is a note to let you know that I have just added a patch titled

    udf: Check length of extended attributes and allocation descriptors

to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree 
which can be found at:

    http://kernel.ubuntu.com/git/ubuntu/linux.git/log/?h=linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11-ckt22.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.13.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

>From 133129467f23c6f7f32e4f90e7b0fcc1a1b9d247 Mon Sep 17 00:00:00 2001
From: Jan Kara <jack at suse.cz>
Date: Fri, 5 Jun 2015 14:09:56 +0100
Subject: udf: Check length of extended attributes and allocation descriptors

commit 23b133bdc452aa441fcb9b82cbf6dd05cfd342d0 upstream.

Check length of extended attributes and allocation descriptors when
loading inodes from disk. Otherwise corrupted filesystems could confuse
the code and make the kernel oops.

Reported-by: Carl Henrik Lunde <chlunde at ping.uio.no>
Signed-off-by: Jan Kara <jack at suse.cz>
Reference: CVE-2015-4167
BugLink: https://bugs.launchpad.net/bugs/1462173
[ luis: used Ben's backport to 3.16:
  - use make_bad_inode() instead of returning error ]
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
Signed-off-by: Kamal Mostafa <kamal at canonical.com>
---
 fs/udf/inode.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 8aa2b1b..cfdbbfd 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -1480,6 +1480,19 @@ reread:
 		iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint);
 	}

+	/*
+	 * Sanity check length of allocation descriptors and extended attrs to
+	 * avoid integer overflows
+	 */
+	if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) {
+		make_bad_inode(inode);
+		return;
+	}
+	/* Now do exact checks */
+	if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) {
+		make_bad_inode(inode);
+		return;
+	}
 	/* Sanity checks for files in ICB so that we don't get confused later */
 	if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) {
 		/*
--
1.9.1

More information about the kernel-team mailing list