Commit 58bc6d1b authored by Stian Skjelstad's avatar Stian Skjelstad Committed by Jan Kara

udf_get_extendedattr() had no boundary checks.

When parsing the ExtendedAttr data, a malicious or corrupt attribute length
could cause kernel hangs and buffer overruns in some special cases.

Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com
Signed-off-by: Stian Skjelstad <stian.skjelstad@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
parent 28ce50f8
...@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type, ...@@ -173,13 +173,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type,
else else
offset = le32_to_cpu(eahd->appAttrLocation); offset = le32_to_cpu(eahd->appAttrLocation);
while (offset < iinfo->i_lenEAttr) { while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {
uint32_t attrLength;
gaf = (struct genericFormat *)&ea[offset]; gaf = (struct genericFormat *)&ea[offset];
attrLength = le32_to_cpu(gaf->attrLength);
/* Detect undersized elements and buffer overflows */
if ((attrLength < sizeof(*gaf)) ||
(attrLength > (iinfo->i_lenEAttr - offset)))
break;
if (le32_to_cpu(gaf->attrType) == type && if (le32_to_cpu(gaf->attrType) == type &&
gaf->attrSubtype == subtype) gaf->attrSubtype == subtype)
return gaf; return gaf;
else else
offset += le32_to_cpu(gaf->attrLength); offset += attrLength;
} }
} }
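Review bot: The new loop guard `offset + sizeof(*gaf) < iinfo->i_lenEAttr` is only wrap-free where `sizeof` widens the sum to 64 bits; on a 32-bit build, if `offset` is a `uint32_t` as its declaration above the hunk presumably makes it, an `appAttrLocation`/`impAttrLocation` value near UINT32_MAX read straight from the on-disk EAHD can wrap the sum to a small number, pass the guard, and make `&ea[offset]` point outside the EA area before the new `attrLength` check ever runs. Writing the guard by subtraction avoids the addition altogether while keeping the same strictness as the current `<`: `while (offset < iinfo->i_lenEAttr && iinfo->i_lenEAttr - offset > sizeof(*gaf)) {`. Whether both location fields are already range-checked earlier in the function I cannot tell from this hunk; if they are, this is a purely defensive rewrite. Separately, the `else` after `return gaf;` is now redundant and `offset += attrLength;` could stand on its own. The body of udf_get_extendedattr begins before the hunk.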