
udf: Avoid excessive partition lengths

Avoid mounting filesystems where the partition would overflow the
32-bits used for block number. Also refuse to mount filesystems where
the partition length is so large we cannot safely index bits in a
block bitmap.

Link: https://patch.msgid.link/20240620130403.14731-1-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>

Jan Kara ebbe26fd 8037da38

+15
+15
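--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1111,12 +1111,19 @@
 	struct udf_part_map *map;
 	struct udf_sb_info *sbi = UDF_SB(sb);
 	struct partitionHeaderDesc *phd;
+	u32 sum;
 	int err;
 
 	map = &sbi->s_partmaps[p_index];
 
 	map->s_partition_len = le32_to_cpu(p->partitionLength); /* blocks */
 	map->s_partition_root = le32_to_cpu(p->partitionStartingLocation);
+	if (check_add_overflow(map->s_partition_root, map->s_partition_len,
+			       &sum)) {
+		udf_err(sb, "Partition %d has invalid location %u + %u\n",
+			p_index, map->s_partition_root, map->s_partition_len);
+		return -EFSCORRUPTED;
+	}
 
 	if (p->accessType == cpu_to_le32(PD_ACCESS_TYPE_READ_ONLY))
 		map->s_partition_flags |= UDF_PART_FLAG_READ_ONLY;
@@ -1172,6 +1179,14 @@
 		bitmap->s_extPosition = le32_to_cpu(
 				phd->unallocSpaceBitmap.extPosition);
 		map->s_partition_flags |= UDF_PART_FLAG_UNALLOC_BITMAP;
+		/* Check whether math over bitmap won't overflow. */
+		if (check_add_overflow(map->s_partition_len,
+				       sizeof(struct spaceBitmapDesc) << 3,
+				       &sum)) {
+			udf_err(sb, "Partition %d is too long (%u)\n", p_index,
+				map->s_partition_len);
+			return -EFSCORRUPTED;
+		}
 		udf_debug("unallocSpaceBitmap (part %d) @ %u\n",
 			  p_index, bitmap->s_extPosition);
 	}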
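Review bot: The bitmap-length check in the second hunk runs only inside the branch that sets `UDF_PART_FLAG_UNALLOC_BITMAP`, so an on-disk `partitionLength` that is too large for bitmap indexing is rejected only when that branch is taken. The rest of the function is outside this view; if it also sets up another space bitmap (a freed-space one, for instance), a crafted image carrying only that bitmap would presumably skip the check. The same test should then be applied there too, ideally through one small helper called from each bitmap branch. The comment could also state the invariant rather than the intent, e.g. `/* Bit index = s_partition_len + (sizeof(struct spaceBitmapDesc) << 3) must fit in u32. */`, and note that `sum` is written only to detect the overflow and is never read.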