summaryrefslogtreecommitdiff
path: root/fs/udf
diff options
context:
space:
mode:
authorStian Skjelstad <stian.skjelstad@gmail.com>2021-08-22 12:33:32 +0300
committerJan Kara <jack@suse.cz>2021-08-23 14:35:19 +0300
commit58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb (patch)
tree35c805c134c52f71af8a014a90c7e626412e4c4c /fs/udf
parent28ce50f8d96ec9035f60c9348294ea26b94db944 (diff)
downloadlinux-58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb.tar.xz
udf_get_extendedattr() had no boundary checks.
When parsing the ExtendedAttr data, malicous or corrupt attribute length could cause kernel hangs and buffer overruns in some special cases. Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com> Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs/udf')
-rw-r--r--fs/udf/misc.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/fs/udf/misc.c b/fs/udf/misc.c
index eab94527340d..1614d308d0f0 100644
--- a/fs/udf/misc.c
+++ b/fs/udf/misc.c
@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
else
offset = le32_to_cpu(eahd->appAttrLocation);
- while (offset < iinfo->i_lenEAttr) {
+ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
+ uint32_t attrLength;
+
gaf = (struct genericFormat *)&ea[offset];
+ attrLength = le32_to_cpu(gaf->attrLength);
+
+ /* Detect undersized elements and buffer overflows */
+ if ((attrLength < sizeof(*gaf)) ||
+ (attrLength > (iinfo->i_lenEAttr - offset)))
+ break;
+
if (le32_to_cpu(gaf->attrType) == type &&
gaf->attrSubtype == subtype)
return gaf;
else
- offset += le32_to_cpu(gaf->attrLength);
+ offset += attrLength;
}
}