tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
udf: Verify partition map count
Verify that number of partition maps isn't insanely high which can lead
to large allocation in udf_sb_alloc_partition_maps(). All partition maps
have to fit in the LVD which is in a single block.
Reported-by: syzbot+478f2c1a6f0f447a46bb@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
+11
-2
+11
-2
fs/udf/super.c
+11
-2
fs/udf/super.c
···
1440
1440
struct genericPartitionMap *gpm;
1441
1441
uint16_t ident;
1442
1442
struct buffer_head *bh;
1443
-
unsigned int table_len;
1443
+
unsigned int table_len, part_map_count;
1444
1444
int ret;
1445
1445
1446
1446
bh = udf_read_tagged(sb, block, block, &ident);
···
1461
1461
"logical volume");
1462
1462
if (ret)
1463
1463
goto out_bh;
1464
-
ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
1464
+
1465
+
part_map_count = le32_to_cpu(lvd->numPartitionMaps);
1466
+
if (part_map_count > table_len / sizeof(struct genericPartitionMap1)) {
1467
+
udf_err(sb, "error loading logical volume descriptor: "
1468
+
"Too many partition maps (%u > %u)\n", part_map_count,
1469
+
table_len / (unsigned)sizeof(struct genericPartitionMap1));
1470
+
ret = -EIO;
1471
+
goto out_bh;
1472
+
}
1473
+
ret = udf_sb_alloc_partition_maps(sb, part_map_count);
1465
1474
if (ret)
1466
1475
goto out_bh;
1467
1476