Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux

udf_get_extendedattr() had no boundary checks.

When parsing the ExtendedAttr data, a malicious or corrupt attribute length
could cause kernel hangs and buffer overruns in some special cases.

Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

authored by Stian Skjelstad and committed by Jan Kara
58bc6d1b 28ce50f8

+11 -2
fs/udf/misc.c
··· 173 173 else 174 174 offset = le32_to_cpu(eahd->appAttrLocation); 175 175 176 - while (offset < iinfo->i_lenEAttr) { 176 + while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) { 177 + uint32_t attrLength; 178 + 177 179 gaf = (struct genericFormat *)&ea[offset]; 180 + attrLength = le32_to_cpu(gaf->attrLength); 181 + 182 + /* Detect undersized elements and buffer overflows */ 183 + if ((attrLength < sizeof(*gaf)) || 184 + (attrLength > (iinfo->i_lenEAttr - offset))) 185 + break; 186 + 178 187 if (le32_to_cpu(gaf->attrType) == type && 179 188 gaf->attrSubtype == subtype) 180 189 return gaf; 181 190 else 182 - offset += le32_to_cpu(gaf->attrLength); 191 + offset += attrLength; 183 192 } 184 193 } 185 194
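Review bot: the new loop condition `offset + sizeof(*gaf) < iinfo->i_lenEAttr` is stricter than the per-element check added below it, which accepts `attrLength == iinfo->i_lenEAttr - offset`; an element whose header ends exactly at i_lenEAttr passes the length check but the loop never examines it, so `<=` in the while condition would make the two bounds consistent (the difference only matters for a header-only final element, so this is a consistency point rather than a safety one). The `break` on an undersized or oversized `attrLength` is the right fix for both problems named in the commit message: a zero length previously left `offset` unchanged forever, and a length larger than the remaining space let `offset` step past the end of `ea`. It does exit silently, though; emitting a udf_err()-style message with the offending offset and length would make a corrupt or hostile image diagnosable instead of just failing the attribute lookup. One more check worth confirming: the initial `offset` comes from `eahd->appAttrLocation` (on-disk data, see the unchanged line 174), and the revised loop condition is what now bounds it, so no separate validation of that starting value is needed.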